Re: Heartbleed
on 2014-04-10 16:31 Bob W-PDML wrote
> It is the technically literate who have been the most trusting, swallowing whole and without supporting evidence the idea that open source software is inherently secure because so many eyes are supposedly examining it.

i wonder which "technically literate" you mean

having worked closely with folks who were top security nerds (one literally wrote the book) in a segment of open source software, i am very familiar with the security process that community uses; the whole community (Drupal) is constantly reminded how tenuous their security might be by weekly security advisories, as well as by a review process for all submitted code which often admonishes poor security practices; there is no perfect security; ultimately, there is no security

--
PDML Pentax-Discuss Mail List
PDML@pdml.net
http://pdml.net/mailman/listinfo/pdml_pdml.net
to UNSUBSCRIBE from the PDML, please visit the link directly above and follow the directions.
Re: Heartbleed
Mickeysoft stuff is routinely disassembled to provide the baddies with something closer to whitebox abilities. And the number of vulnerabilities lacing MS products is so large, just about anyone with a fuzzer and some time can find something useful, or at least damaging to use in a DoS attack.

But don't think that it's only unpaid enthusiasts out there examining open source code. I, for instance, was paid handsomely to work with open source. Borderware's firewall products were based on FreeBSD for the OS (though we hardened it much further) and we used all the usual suspects like Apache, PostgreSQL, Postfix, OpenSSL, OpenSSH, etc. We examined that code very closely. I spent a couple of years modifying Postfix and adding custom code and extensions (like an inline antivirus filter) to it as well as hardening features and throughput optimizing. Other companies like Cisco, Juniper and big carriers and backhaul firms employ teams to work with and audit this code.

The blackhats may or may not outnumber the whitehats but it's more of a level playing field than you suggest.

On Thu, Apr 10, 2014 at 7:06 PM, Bob W-PDML wrote:
> The other side of openness is that it's not just the good guys who can read the code and find bugs to exploit. The bad guys also have arguably a stronger motivation, money, to find them than the good guys who are rewarded by a warm fuzzy feeling.
>
> If the code is not published then you can only use black box testing to find the bugs, along with the nous that comes from experience of the types of mistakes that programmers routinely make. It's far easier in my experience to find bugs using white box as well as black box testing, but it works the same way for the goodies and the baddies.
>
> B
Re: Heartbleed
The other side of openness is that it's not just the good guys who can read the code and find bugs to exploit. The bad guys also have arguably a stronger motivation, money, to find them than the good guys who are rewarded by a warm fuzzy feeling.

If the code is not published then you can only use black box testing to find the bugs, along with the nous that comes from experience of the types of mistakes that programmers routinely make. It's far easier in my experience to find bugs using white box as well as black box testing, but it works the same way for the goodies and the baddies.

B

> On 10 Apr 2014, at 23:40, "Bruce Walker" wrote:
>
> We're really talking averages here. Yes, this is a nasty bug that leads to a serious vulnerability, but in general and over time the more eyes that can see code the more likely that errors will be caught. And if you examine the OpenBSD record you'll see that it has worked well.
>
> Microsoft's closed-source model has a very poor record. There's nothing to crow about there. Windows and its vulnerability of the week club is the poster child for what happens when a badly designed system is deployed so widely. The only people that lay eyes on that code are Microsoft engineers, and I wouldn't give them the time of day when it comes to secure code. Most of the spam and malware that arrives every second is hosted on and delivered from infected Windows boxes, both clients and servers, well organized (by miscreants) into botnets.
>
> Having spent a number of years designing, writing, auditing and analyzing secure code I can tell you that it's hard and very stressful. With either model -- open or closed -- you are always one small blunder away from introducing an exploitable vulnerability into your product.
Re: Heartbleed
We're really talking averages here. Yes, this is a nasty bug that leads to a serious vulnerability, but in general and over time the more eyes that can see code the more likely that errors will be caught. And if you examine the OpenBSD record you'll see that it has worked well.

Microsoft's closed-source model has a very poor record. There's nothing to crow about there. Windows and its vulnerability of the week club is the poster child for what happens when a badly designed system is deployed so widely. The only people that lay eyes on that code are Microsoft engineers, and I wouldn't give them the time of day when it comes to secure code. Most of the spam and malware that arrives every second is hosted on and delivered from infected Windows boxes, both clients and servers, well organized (by miscreants) into botnets.

Having spent a number of years designing, writing, auditing and analyzing secure code I can tell you that it's hard and very stressful. With either model -- open or closed -- you are always one small blunder away from introducing an exploitable vulnerability into your product.

On Thu, Apr 10, 2014 at 2:51 PM, Gerrit Visser wrote:
> Sometimes you get what you pay for. Certainly puts a dent in the peer-reviewed code is more secure mantra.
>
> Gerrit

--
-bmw
Re: Heartbleed
On 10 Apr 2014, at 17:55, "steve harley" wrote:
>
> on 2014-04-10 10:29 Darren Addy wrote
>> What the HeartBleed Attack Really Means:
>> http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html
>
> it's amusing to see the media rush to explain Heartbleed; perhaps it will increase technical literacy and cause an appropriate correction in the trust we have for internet services

It is the technically literate who have been the most trusting, swallowing whole and without supporting evidence the idea that open source software is inherently secure because so many eyes are supposedly examining it.

B
Re: Heartbleed
on 2014-04-10 14:27 John Sessoms wrote
> It's four guys who don't get paid for it. They're all volunteers.

i suspect they are paid, as time to contribute to community software is often a standard part of a developer's compensation; sometimes employees are recruited specifically because of the open-source work they do, and they are expected to continue with that work

> One of them made a mistake in revising a section of code that didn't cause crashes or even hiccups, so no one was prompted to look specifically at that bit of code.

i don't know specifically about openssl, but if it were truly peer-reviewed, all the code would be scrutinized whether it crashed or not; not that every bug is ever caught; it's possible the bug was inserted intentionally; i've seen no evidence for this, but it would be hard to rule out
Re: Heartbleed
It's four guys who don't get paid for it. They're all volunteers.

One of them made a mistake in revising a section of code that didn't cause crashes or even hiccups, so no one was prompted to look specifically at that bit of code. You don't fix something if you don't know it's broke.

Another thing I read is that Google, Red Hat and other major players were already trying to get patches in place before the bad guys could find out about the bug & exploit it. But someone had to be a blabbermouth & tell all the script-kiddies in the whole world "HEY GUYS! LOOKY HERE WHAT I FOUND!!" before the patches were ready.

On 4/10/2014 3:43 PM, Darren Addy wrote:
> I agree Gerrit (on the dent in the reputation of the Open Source peer-reviewed code movement). I think that this is the part of this story that I haven't SEEN yet? Who/where did the insecure code addition COME FROM and why was there the failure to catch it at the time of its being rolled into the official release?
>
> On the other hand, one could successfully argue that the only reason it was CAUGHT AT ALL was because it was Open Source code. How many security problems are there in "get what you pay for" proprietary code that are THERE but simply haven't been discovered or exploited yet (or at least the exploitation has not been discovered yet). Even after this "failure" I feel more secure, at the end of the day, with the Open Source code than the proprietary.
Re: Heartbleed
I agree Gerrit (on the dent in the reputation of the Open Source peer-reviewed code movement). I think that this is the part of this story that I haven't SEEN yet? Who/where did the insecure code addition COME FROM and why was there the failure to catch it at the time of its being rolled into the official release?

On the other hand, one could successfully argue that the only reason it was CAUGHT AT ALL was because it was Open Source code. How many security problems are there in "get what you pay for" proprietary code that are THERE but simply haven't been discovered or exploited yet (or at least the exploitation has not been discovered yet). Even after this "failure" I feel more secure, at the end of the day, with the Open Source code than the proprietary.

On Thu, Apr 10, 2014 at 1:51 PM, Gerrit Visser wrote:
> Sometimes you get what you pay for. Certainly puts a dent in the peer-reviewed code is more secure mantra.
>
> Gerrit

--
Photographers must learn not to be ashamed to have their photographs look like photographs.
~ Alfred Stieglitz
RE: Heartbleed
Sometimes you get what you pay for. Certainly puts a dent in the peer-reviewed code is more secure mantra.

Gerrit

-----Original Message-----
From: PDML [mailto:pdml-boun...@pdml.net] On Behalf Of Darren Addy
Sent: Thursday, April 10, 2014 1:50 PM
To: Pentax-Discuss Mail List
Subject: Re: Heartbleed

I found a local internet service provider (and web host) that was vulnerable and alerted them.

Interesting that this DOES NOT affect the Windows web server (IIS). Probably the first time in history that IIS web admins are happy that they manage a Microsoft product.
Re: Heartbleed
I found a local internet service provider (and web host) that was vulnerable and alerted them.

Interesting that this DOES NOT affect the Windows web server (IIS). Probably the first time in history that IIS web admins are happy that they manage a Microsoft product.

On Thu, Apr 10, 2014 at 12:02 PM, Darren Addy wrote:
> That's a very good point Steve. (I generally consider anything that I haven't already thought of as a Good Point).
> : )
>
> Now who in the world do we think might have the resources to store huge amounts of encrypted internet traffic? [COUGH! nsa COUGH!]
> http://www.buzzfeed.com/charliewarzel/the-nsa-and-the-real-problem-behind-the-heartbleed-security
Re: Heartbleed
That's a very good point Steve. (I generally consider anything that I haven't already thought of as a Good Point).
: )

Now who in the world do we think might have the resources to store huge amounts of encrypted internet traffic? [COUGH! nsa COUGH!]
http://www.buzzfeed.com/charliewarzel/the-nsa-and-the-real-problem-behind-the-heartbleed-security

On Thu, Apr 10, 2014 at 11:54 AM, steve harley wrote:
> on 2014-04-10 10:29 Darren Addy wrote
>
>> What the HeartBleed Attack Really Means:
>>
>> http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html
>
> it's amusing to see the media rush to explain Heartbleed; perhaps it will increase technical literacy and cause an appropriate correction in the trust we have for internet services
>
> that article is surprisingly good, but it misses slightly on what it calls a "worst-case scenario" -- the worst case is that some entities stored huge amounts of encrypted internet traffic, even from before the date the bug was introduced into OpenSSL, and now Heartbleed has been used to get the keys to unlock that trove
>
> also unstated is how Heartbleed will encourage more entities to store as much encrypted traffic as possible on the expectation that there will be other bugs to get the newer keys
Re: Heartbleed
on 2014-04-10 10:29 Darren Addy wrote
> What the HeartBleed Attack Really Means:
> http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html

it's amusing to see the media rush to explain Heartbleed; perhaps it will increase technical literacy and cause an appropriate correction in the trust we have for internet services

that article is surprisingly good, but it misses slightly on what it calls a "worst-case scenario" -- the worst case is that some entities stored huge amounts of encrypted internet traffic, even from before the date the bug was introduced into OpenSSL, and now Heartbleed has been used to get the keys to unlock that trove

also unstated is how Heartbleed will encourage more entities to store as much encrypted traffic as possible on the expectation that there will be other bugs to get the newer keys
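Whether a stored trove of encrypted traffic can be unlocked by a later key leak depends on how each session's key was negotiated. The toy model below is an added example, not code from the list thread or from OpenSSL: it records one session that used RSA key transport and one that used ephemeral Diffie-Hellman signed by the same server key, then shows what a holder of the recordings plus the leaked private key can recover. The RSA primes, the DH group and all function names (`rsa_transport_session`, `dhe_session`, `decrypt_recorded`) are constructed for illustration and far too small for real use.

```python
# Toy model of forward secrecy: a leaked long-term server key exposes recorded
# RSA-key-transport sessions, but not recorded ephemeral-DH sessions.
# Python 3.8+ (pow(e, -1, m) for the modular inverse). Standard library only.
import hashlib
import secrets

# Constructed toy server RSA key pair (real keys are 2048+ bits).
RSA_P, RSA_Q = 1000003, 1000033
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # private exponent, "leaked" later

# Constructed toy Diffie-Hellman group (2**127 - 1 is prime; real groups are 2048+ bits).
DH_P = 2**127 - 1
DH_G = 3


def keystream(secret: int, length: int) -> bytes:
    """Expand the handshake secret into a keystream (stand-in for the record cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{secret}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, ks))


def rsa_transport_session(plaintext: bytes) -> dict:
    """Client encrypts a random premaster secret to the server's long-term RSA key.
    The returned dict is exactly what a passive recorder on the wire would keep."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    encrypted_premaster = pow(premaster, RSA_E, RSA_N)
    record = xor(plaintext, keystream(premaster, len(plaintext)))
    return {"kx": "rsa", "encrypted_premaster": encrypted_premaster, "record": record}


def _share_digest(server_share: int) -> int:
    return int.from_bytes(hashlib.sha256(str(server_share).encode()).digest(), "big") % RSA_N


def dhe_session(plaintext: bytes) -> dict:
    """Both sides pick fresh ephemeral exponents; the server signs its share with the
    long-term RSA key (toy signature: RSA over a hash) so the client can authenticate
    it. The exponents a and b are never transmitted and are discarded after use."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    client_share = pow(DH_G, a, DH_P)
    server_share = pow(DH_G, b, DH_P)
    shared = pow(client_share, b, DH_P)
    assert shared == pow(server_share, a, DH_P)  # both sides derive the same secret
    signature = pow(_share_digest(server_share), RSA_D, RSA_N)
    record = xor(plaintext, keystream(shared, len(plaintext)))
    return {"kx": "dhe", "client_share": client_share, "server_share": server_share,
            "signature": signature, "record": record}


def verify_server_share(session: dict) -> bool:
    """Client-side check of the DHE share against the server's public key."""
    return pow(session["signature"], RSA_E, RSA_N) == _share_digest(session["server_share"])


def decrypt_recorded(session: dict, leaked_d: int):
    """What a holder of a recorded session plus the leaked private exponent can do.
    RSA key transport: recover the premaster and hence the plaintext.
    DHE: the recording holds only g^a and g^b; without a or b the shared secret is
    out of reach, so the leaked key yields nothing for this past session."""
    if session["kx"] == "rsa":
        premaster = pow(session["encrypted_premaster"], leaked_d, RSA_N)
        return xor(session["record"], keystream(premaster, len(session["record"])))
    return None


if __name__ == "__main__":
    trove = [rsa_transport_session(b"GET /account HTTP/1.1"),
             dhe_session(b"GET /account HTTP/1.1")]
    for s in trove:
        print(s["kx"], "->", decrypt_recorded(s, RSA_D))
```

The recorder's position here is the one steve describes: it captured the traffic before the key leaked and applies the key afterwards, which is why the DHE recording stays opaque even though the same key also signed it.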
Re: Heartbleed
I'm not using Chrome. I was already disturbed with how intrusive Google has become before the whole thing started.

On 4/10/2014 12:31 PM, steve harley wrote:
> on 2014-04-10 7:55 Bruce Walker wrote
>> That site has been swamped with requests and times-out before returning an answer. But this article lists common sites and their vulnerability or not:
>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>
> if you use Chrome you can add this extension, which will put up a small alert when you visit sites that are still Heartbleed-vulnerable: <https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic>
>
> i can't vouch that it's perfect, but some of the negative reviews are misguided; the extension *only* pops up a notice if there's a vulnerability; also, on some sites navigation may take you to different subdomains (such as the comment about logging off), so you need to be conscious of whether you are actually doing a "secure activity" on the domain that you are warned about
Re: Heartbleed
on 2014-04-10 7:55 Bruce Walker wrote
> That site has been swamped with requests and times-out before returning an answer. But this article lists common sites and their vulnerability or not:
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

if you use Chrome you can add this extension, which will put up a small alert when you visit sites that are still Heartbleed-vulnerable: <https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic>

i can't vouch that it's perfect, but some of the negative reviews are misguided; the extension *only* pops up a notice if there's a vulnerability; also, on some sites navigation may take you to different subdomains (such as the comment about logging off), so you need to be conscious of whether you are actually doing a "secure activity" on the domain that you are warned about
Re: Heartbleed
What the HeartBleed Attack Really Means: http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html

On Thu, Apr 10, 2014 at 11:24 AM, John Sessoms wrote:
> Be nice if that was in a printable format.
>
> I am *NOT* happy with *ANY* computers, computer companies or software of any way shape or form this morning.
Re: Heartbleed
Be nice if that was in a printable format.

I am *NOT* happy with *ANY* computers, computer companies or software of any way shape or form this morning.

On 4/10/2014 9:55 AM, Bruce Walker wrote:
> That site has been swamped with requests and times-out before returning an answer. But this article lists common sites and their vulnerability or not:
>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Re: Heartbleed
It appears that way if you put the whole URL in there. REMOVE the "http://" or the "https://"; add the ":443" after the domain if you want to be sure to test the SSL (which is the whole point of this exercise). I think you'll find response is quite quick if you leave off the https://

On Thu, Apr 10, 2014 at 8:55 AM, Bruce Walker wrote:
> That site has been swamped with requests and times-out before returning an answer. But this article lists common sites and their vulnerability or not:
>
> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Re: Heartbleed
That site has been swamped with requests and times-out before returning an answer. But this article lists common sites and their vulnerability or not:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

On Wed, Apr 9, 2014 at 11:11 AM, Darren Addy wrote:
> If you want to test your bank's web site (for example), just replace the domain name here:
> http://filippo.io/Heartbleed/
>
> I believe you either need to begin the URL with https: OR leave the :443 (port number) in that field. Assuming they are running SSL on standard port.

-- -bmw
Re: Heartbleed
If you want to test your bank's web site (for example), just replace the domain name here: http://filippo.io/Heartbleed/

I believe you either need to begin the URL with https: OR leave the :443 (port number) in that field. Assuming they are running SSL on standard port.

On Wed, Apr 9, 2014 at 12:08 AM, David Mann wrote:
> My server is fine as well. Glad I had been procrastinating with an upgrade, now I have an excuse to wait a bit longer :D
>
> Cheers,
> Dave
Re: Heartbleed
My server is fine as well. Glad I had been procrastinating with an upgrade, now I have an excuse to wait a bit longer :D

Cheers,
Dave

On Apr 9, 2014, at 3:20 am, Tim Bray wrote:
> Yeah, you’re right; e.g. my own tbray.org server is fine because it’s been up for 1080 days and has openssl 0.9.8. My estimation of NSA’s cleverness is a little lower than yours, I bet it was a surprise to them too. Someone should ask Snowden ;)
Re: Heartbleed
Looks like this has hit the mainstream news and is a pretty big deal. We heard it here first - thanks Tim! My own website has some sort of SSL cert but I don't use it... I'm more worried about my bank's website!

Mark

On 4/7/2014 8:13 PM, Tim Bray wrote:
> In the unlikely event that any of you run https-enabled web sites and haven’t visited heartbleed.com today, get thee over there post-haste and find out what version of OpenSSL you’re running and consider replacing your certs, stat.
>
> I’m not sure I’ve ever seen a more damaging zero-day.
Re: Heartbleed
Bob W-PDML wrote:
> Should have gone with http://www.houyhnhnm.com. Seems obvious really.

Their original choice, I'll admit, was none too swift.

-- Mark Roberts - Photography & Multimedia www.robertstech.com
Re: Heartbleed
Should have gone with http://www.houyhnhnm.com. Seems obvious really.

B

> On 8 Apr 2014, at 20:23, "Mark Roberts" wrote:
>
> http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
>
> Apparently some damage already done with the leaking of passwords. Unsurprisingly, they're the passwords from a large Internet company whose name rhymes with "wahoo".
Re: Heartbleed
http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/

Apparently some damage already done with the leaking of passwords. Unsurprisingly, they're the passwords from a large Internet company whose name rhymes with "wahoo".
Re: Heartbleed
Tue Apr 8 11:20:38 EDT 2014 Tim Bray wrote:
> My estimation of NSA's cleverness is a little lower than yours, ...

you mean they are even more stupid than I? ;-)

Cheers,
Igor
Re: Heartbleed
Tue Apr 8 13:39:40 EDT 2014 steve harley wrote:
> on 2014-04-08 8:51 Igor Roshchin wrote
>> Strictly speaking it is not a "zero-day", as it was introduced in the version 1.0.1, and the earlier versions are not vulnerable.
>
> it does seem to be a zero-day threat; zero-day refers to the timing of the announcement rather than to what versions of software are vulnerable

Upon careful consideration of the multiple definitions of what "zero-day" means, I think you are correct. I had a wrong definition of the term in my mind. (I always assumed a "zero-day vulnerability" [not zero-day attack] is something that existed in the software undiscovered for a long time, essentially since the early stages of the software.) I stand corrected. Thank you, Steve. My apology, Tim!

Igor
Re: Heartbleed
on 2014-04-08 8:51 Igor Roshchin wrote
> Strictly speaking it is not a "zero-day", as it was introduced in the version 1.0.1, and the earlier versions are not vulnerable.

it does seem to be a zero-day threat; zero-day refers to the timing of the announcement rather than to what versions of software are vulnerable
Re: Heartbleed
I ask about the credit cards, because I went on-line yesterday to buy repair parts for one of my lawn-care power tools & paid for the parts with a credit card. That was before I saw your original post.

On 4/8/2014 11:40 AM, Tim Bray wrote:
> It’s potentially much, much worse than that. They include the signing keys that web sites use to make "https:" addresses work. So the bad guys can in principle pretend to be https://your-bank.com and steal not just your credit card number but everything. Note that not every bank would have been affected; weirdly enough, if you hadn’t got around to updating your crypto libraries recently, you’re OK (but some would, for sure). So what happened was, geeks everywhere worked all night last night to replace the old keys with new keys. So what we’re hoping is that no really bad bad guy noticed the problem before the good guys did and got in there and stole some keys and stole some credit card numbers and wreaked havoc, before the good guys re-locked the barn door last night. But we won’t know for a while.
Re: Heartbleed
The NSA ain't all that clever, but some of the contractors they hire might be.

On 4/8/2014 11:20 AM, Tim Bray wrote:
> Yeah, you’re right; e.g. my own tbray.org server is fine because it’s been up for 1080 days and has openssl 0.9.8. My estimation of NSA’s cleverness is a little lower than yours, I bet it was a surprise to them too. Someone should ask Snowden ;)
Re: Heartbleed
David J Brooks wrote:
> how do you know what version one has? My Firefox is SSL 3

This is for web servers, Dave, not web browsers.
Re: Heartbleed
how do you know what version one has? My Firefox is SSL 3

Dave

On Mon, Apr 7, 2014 at 8:13 PM, Tim Bray wrote:
> In the unlikely event that any of you run https-enabled web sites and haven't visited heartbleed.com today, get thee over there post-haste and find out what version of OpenSSL you're running and consider replacing your certs, stat.
>
> I'm not sure I've ever seen a more damaging zero-day.

-- Documenting Life in Rural Ontario. www.caughtinmotion.com http://brooksinthecountry.blogspot.com/ York Region, Ontario, Canada
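Mark's answer (the version that matters is the web server's OpenSSL, not the browser's) still leaves the question of which versions are affected. As an added example, written by the editor rather than posted by anyone on the list, here is a Python helper that classifies an `openssl version` banner against the affected range: the bug shipped in 1.0.1 and is present through 1.0.1f and in 1.0.2-beta1; 1.0.1g fixed it; the 0.9.8 and 1.0.0 branches never contained the heartbeat code, which is why Tim's 0.9.8 server was fine. The banners in the comments and test are constructed from the real release strings. The caveat a practitioner needs: Linux distributions backported the fix without changing the upstream version string, so a banner of 1.0.1e can be either vulnerable or patched and must be checked against the package changelog; also, `openssl version` reports the CLI's library, and a server process keeps the old library mapped until it is restarted. The probes mentioned in the thread (heartbleed.com, filippo.io/Heartbleed) test the running server and are the stronger check.

```python
import re
import subprocess

# Facts (CVE-2014-0160, "Heartbleed"): the bug shipped in OpenSSL 1.0.1 and is
# present in 1.0.1 through 1.0.1f and in 1.0.2-beta1; 1.0.1g and 1.0.2-beta2
# fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat code.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?",
                     re.IGNORECASE)


def parse_banner(banner):
    """Split e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013' into (1, 0, 1, 'e', None)."""
    m = _BANNER.search(banner)
    if not m:
        # LibreSSL, BoringSSL or garbage: refuse rather than guess.
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (int(beta) if beta else None)


def classify(banner):
    """Return 'not_affected', 'vulnerable' or 'fixed' from the version string alone.

    'vulnerable' means "upstream release with the bug": a distribution build
    that backported the fix keeps the same banner, so confirm with the package
    changelog or by probing the live server.
    """
    major, minor, fix, letter, beta = parse_banner(banner)
    base = (major, minor, fix)
    if base < (1, 0, 1):
        return "not_affected"        # 0.9.8x, 1.0.0x: no heartbeat extension
    if base == (1, 0, 1):
        # 1.0.1, its betas and 1.0.1a-f carry the bug; 1.0.1g and later do not.
        return "vulnerable" if letter < "g" else "fixed"
    if base == (1, 0, 2) and beta == 1:
        return "vulnerable"          # 1.0.2-beta1 was cut before the fix
    return "fixed"                   # 1.0.2-beta2+, 1.0.2, 1.1.x, 3.x


def local_openssl_status():
    """Classify the OpenSSL that the 'openssl' CLI on this host is linked against.

    This is the CLI's library, not necessarily the one a web server daemon has
    loaded; a daemon upgraded but not restarted still runs the old code.
    """
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), classify(out)


if __name__ == "__main__":
    # Constructed sample banners using the real release strings.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print("%-36s %s" % (sample, classify(sample)))
    try:
        print("this host: %s -> %s" % local_openssl_status())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("openssl CLI not available:", exc)
```

A 'vulnerable' verdict on a distribution package is a prompt to read the changelog, and a 'fixed' verdict on a server is only trustworthy once the service has been restarted against the new library and its certificate reissued, since Tim's point about leaked keys stands regardless of the version now installed.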
Re: Heartbleed
It’s potentially much, much worse than that. They include the signing keys that web sites use to make "https:" addresses work. So the bad guys can in principle pretend to be https://your-bank.com and steal not just your credit card number but everything. Note that not every bank would have been affected; weirdly enough, if you hadn’t got around to updating your crypto libraries recently, you’re OK (but some would, for sure). So what happened was, geeks everywhere worked all night last night to replace the old keys with new keys. So what we’re hoping is that no really bad bad guy noticed the problem before the good guys did and got in there and stole some keys and stole some credit card numbers and wreaked havoc, before the good guys re-locked the barn door last night. But we won’t know for a while.

On Tue, Apr 8, 2014 at 8:22 AM, John Sessoms wrote:
> Do those secrets include CREDIT CARD DATA from on-line purchases?
Re: Heartbleed
Do those secrets include CREDIT CARD DATA from on-line purchases?

On 4/8/2014 1:53 AM, Tim Bray wrote:
> Summary: A programming error allows bad guys to steal secrets on a
> HUGE number of websites; geeks are working late all over the internet
> closing the barn doors. We won’t know for a while how bad the damage
> has been.
>
> On Mon, Apr 7, 2014 at 7:14 PM, John Sessoms wrote:
>> Just out of curiosity for the rest of us ... WTF?
>>
>> On 4/7/2014 8:13 PM, Tim Bray wrote:
>>> In the unlikely event that any of you run https-enabled web sites and
>>> haven’t visited heartbleed.com today, get thee over there post-haste
>>> and find out what version of OpenSSL you’re running and consider
>>> replacing your certs, stat.
>>>
>>> I’m not sure I’ve ever seen a more damaging zero-day.
Re: Heartbleed
Yeah, you’re right; e.g. my own tbray.org server is fine because it’s been up for 1080 days and has openssl 0.9.8. My estimation of NSA’s cleverness is a little lower than yours, I bet it was a surprise to them too. Someone should ask Snowden ;)

On Tue, Apr 8, 2014 at 7:51 AM, Igor Roshchin wrote:
>
> Tim,
>
> Thanks a lot for the heads-up.
> Apparently, I saw it here before I saw it through the "proper" channels.
>
> Strictly speaking it is not a "zero-day", as it was introduced in the
> version 1.0.1, and the earlier versions are not vulnerable.
> (I haven't seen any discussion of this yet, but I wouldn't be too
> surprised if the NSA had known about this bug way before the disclosure.)
>
> Cheers,
>
> Igor
>
> On 4/7/2014 8:13 PM, Tim Bray wrote:
>> In the unlikely event that any of you run https-enabled web sites and
>> haven't visited heartbleed.com today, get thee over there post-haste
>> and find out what version of OpenSSL you're running and consider
>> replacing your certs, stat.
>>
>> I'm not sure I've ever seen a more damaging zero-day.
Re: Heartbleed
Tim,

Thanks a lot for the heads-up.
Apparently, I saw it here before I saw it through the "proper" channels.

Strictly speaking it is not a "zero-day", as it was introduced in the version 1.0.1, and the earlier versions are not vulnerable.
(I haven't seen any discussion of this yet, but I wouldn't be too surprised if the NSA had known about this bug way before the disclosure.)

Cheers,

Igor

On 4/7/2014 8:13 PM, Tim Bray wrote:
> In the unlikely event that any of you run https-enabled web sites and
> haven't visited heartbleed.com today, get thee over there post-haste
> and find out what version of OpenSSL you're running and consider
> replacing your certs, stat.
>
> I'm not sure I've ever seen a more damaging zero-day.
Re: Heartbleed
Summary: A programming error allows bad guys to steal secrets on a HUGE number of websites; geeks are working late all over the internet closing the barn doors. We won’t know for a while how bad the damage has been.

On Mon, Apr 7, 2014 at 7:14 PM, John Sessoms wrote:
> Just out of curiosity for the rest of us ... WTF?
>
> On 4/7/2014 8:13 PM, Tim Bray wrote:
>> In the unlikely event that any of you run https-enabled web sites and
>> haven’t visited heartbleed.com today, get thee over there post-haste
>> and find out what version of OpenSSL you’re running and consider
>> replacing your certs, stat.
>>
>> I’m not sure I’ve ever seen a more damaging zero-day.
Re: Heartbleed
Just out of curiosity for the rest of us ... WTF?

On 4/7/2014 8:13 PM, Tim Bray wrote:
> In the unlikely event that any of you run https-enabled web sites and
> haven’t visited heartbleed.com today, get thee over there post-haste
> and find out what version of OpenSSL you’re running and consider
> replacing your certs, stat.
>
> I’m not sure I’ve ever seen a more damaging zero-day.
Heartbleed
In the unlikely event that any of you run https-enabled web sites and haven’t visited heartbleed.com today, get thee over there post-haste and find out what version of OpenSSL you’re running and consider replacing your certs, stat.

I’m not sure I’ve ever seen a more damaging zero-day.