Prism and Verizon surveillance discussion thread

Started by Junkenstein, June 06, 2013, 02:19:29 PM

Pæs

Quote from: Junkenstein on April 10, 2014, 08:19:52 AM
It may be paranoia, but when I read about things like this, I have to wonder if the flaw was in fact deliberately designed.

If it was, they got in early; it looks like the bug existed from the start: https://github.com/openssl/openssl/commit/4817504d069b4c5082161b02a22116ad75f822b1

Will be interesting as we think through the implications of this to figure out how people will resolve issues with embedded systems that rely on openssl.

Faust

Quote from: Pæs on April 11, 2014, 02:33:44 AM
Quote from: Junkenstein on April 10, 2014, 08:19:52 AM
It may be paranoia, but when I read about things like this, I have to wonder if the flaw was in fact deliberately designed.

If it was, they got in early; it looks like the bug existed from the start: https://github.com/openssl/openssl/commit/4817504d069b4c5082161b02a22116ad75f822b1

Will be interesting as we think through the implications of this to figure out how people will resolve issues with embedded systems that rely on openssl.

I thought it was only introduced two years ago?
Sleepless nights at the chateau

Pæs

Yeah, but I mean it already existed in the original contribution of the TLS/DTLS heartbeat functionality, rather than in the original implementation of the project.

Junkenstein

For anyone who forgot about Greenwald's "The Intercept"

https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/

It's starting to fill up with quality stuff.
Nine naked Men just walking down the road will cause a heap of trouble for all concerned.

LMNO

XKCD had what looks like an easily understood explanation for this. I have no idea if it's accurate, but the guy's got a good track record for knowing this stuff.

Junkenstein

That's probably a better explanation of the issue than any actual news article I've read on the subject.

That guy really needs to get himself syndicated.

Pæs

Yeah, that's pretty much the issue. And not in a "yeah, that's a nice simplification for a comic". That's how it works.

As (something of) a developer, I think Heartbleed is for our sins. Covered in more detail here, but we built a large part of the internet's security on an open source project with one full time employee and a very small band of other contributors. The offending functionality was pushed on New Year's Eve, where instead of partying hard this one dude was trying to improve OpenSSL.

Anyone who donates more than 20k to OpenSSL development gets their logo featured here: http://www.openssl.org/support/donations.html

There are no logos. Nobody is looking after this little team that two thirds of the web rely on.
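What the comic boils down to is a single missing length check in the heartbeat handler: the code trusted the payload length the peer declared instead of comparing it against the bytes that had actually arrived. The following is an added illustration, not code from the thread, from OpenSSL or from the commit linked above; it is a stand-alone validator for the RFC 6520 heartbeat record layout (type, two-byte payload length, payload, at least 16 bytes of padding) with the bounds check in place, fed two constructed records. The function and constant names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage layout as sent on the wire:
 *   type            (1 byte)   1 = request, 2 = response
 *   payload_length  (2 bytes)  big-endian
 *   payload         (payload_length bytes)
 *   padding         (at least 16 bytes)
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Validate a heartbeat request against the number of bytes really received.
 * Returns the declared payload length on success, -1 otherwise.
 * This is the check whose absence made the declared length an instruction
 * to copy that many bytes out of process memory: header + declared payload
 * + minimum padding must fit inside the record that actually arrived. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* too short to be a valid record */
    if (rec[0] != HB_REQUEST)
        return -1;                       /* only requests get echoed */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return -1;                       /* declared length exceeds the data */
    return (int)payload;
}

/* Build the echo response into out (capacity out_cap).
 * Returns bytes written, or -1 if the request is rejected or out is too small. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload);
    /* padding is random in a real implementation; zeroed here for clarity */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample records (not captured traffic), 24 bytes each. */
/* Honest request: declares 5 bytes of payload and carries 5 + 16 padding. */
static const uint8_t good_rec[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed request: declares 0xFFFF bytes but carries the same 24 bytes. */
static const uint8_t bad_rec[] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns 1 when the honest record produces a correct 24-byte echo. */
int good_response_ok(void)
{
    uint8_t out[64];
    int n = heartbeat_respond(good_rec, sizeof good_rec, out, sizeof out);
    return n == 24 && out[0] == HB_RESPONSE && out[1] == 0x00 &&
           out[2] == 0x05 && memcmp(out + HB_HEADER_LEN, "hello", 5) == 0;
}

int main(void)
{
    uint8_t out[64];
    int n = heartbeat_respond(good_rec, sizeof good_rec, out, sizeof out);
    printf("honest record    -> response of %d bytes\n", n);
    n = heartbeat_respond(bad_rec, sizeof bad_rec, out, sizeof out);
    printf("malformed record -> %s\n", n < 0 ? "rejected" : "answered");
    return 0;
}
```

The second record is the shape the comic describes: a tiny message with a huge declared length. With the check present it is simply dropped; without it, the echo would be built from whatever happened to sit after the record in memory.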

Pæs

Hopefully now we're going to get people with appropriate knowledge looking at the dependencies for their software and helping to improve those building blocks of the web to help themselves.

Cain

No surprises here

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Quote
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Quote
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers.

Junkenstein

Quote from: Pæs on April 11, 2014, 10:13:45 PM
Yeah, that's pretty much the issue. And not in a "yeah, that's a nice simplification for a comic". That's how it works.

As (something of) a developer, I think Heartbleed is for our sins. Covered in more detail here, but we built a large part of the internet's security on an open source project with one full time employee and a very small band of other contributors. The offending functionality was pushed on New Year's Eve, where instead of partying hard this one dude was trying to improve OpenSSL.

Anyone who donates more than 20k to OpenSSL development gets their logo featured here: http://www.openssl.org/support/donations.html

There are no logos. Nobody is looking after this little team that two thirds of the web rely on.

I can think of few things more appropriate for the modern era. I'm alternating between that laugh and outright horror again.


Junkenstein

Quote
A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.

Mumsnet - which says it has 1.5 million registered members - said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.

The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.

These are the first confirmed losses.

BBC Article, Mumsnet in meltdown, others expected to follow suit. I'm guessing 4 months from this to the reveal of another flaw that's even worse. Just seems to be how this one's going.

Junkenstein

Did I say 4 months?
http://www.bbc.co.uk/news/technology-27184188

Quote
Microsoft has warned consumers that a vulnerability in its Internet Explorer browser could let hackers gain access and user rights to their computer.

The flaw affects Internet Explorer (IE) versions 6 to 11 and Microsoft said it was aware of "limited, targeted attacks" to exploit it.

According to NetMarket Share, the IE versions account for more than 50% of global browser market.

Microsoft says it is investigating the flaw and will take "appropriate" steps.

The firm, which issued a security advisory over the weekend, said the steps "may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs".

XP no longer being updated and subsequently at higher risk. Obviously this is something that was never used and exploited by NSA et al. over the years. At all. That's just crazy.

Pæs

I sent that to my boss today because our entire company remains on XP and has software which only works in Internet Explorer.

Lol'd hard.

The Good Reverend Roger

I just assume that my entire system is riddled with spybots and other shit that doesn't belong, and act accordingly.
" It's just that Depeche Mode were a bunch of optimistic loveburgers."
- TGRR, shaming himself forever, 7/8/2017

"Billy, when I say that ethics is our number one priority and safety is also our number one priority, you should take that to mean exactly what I said. Also quality. That's our number one priority as well. Don't look at me that way, you're in the corporate world now and this is how it works."
- TGRR, raising the bar at work.

Reginald Ret

Quote from: The Good Reverend Roger on April 28, 2014, 04:55:09 PM
I just assume that my entire system is riddled with spybots and other shit that doesn't belong, and act accordingly.

Infect it with more bad bugs and viruses hoping they massacre each other?
Remember a lesson we learned from Australia: Nothing kills alligators as fast as a toxic toad introduced to kill rats. (Or something, I am fuzzy on the details.)
Lord Byron: "Those who will not reason, are bigots, those who cannot, are fools, and those who dare not, are slaves."

Nigel saying the wisest words ever uttered: "It's just a suffix."

"The worst forum ever" "The most mediocre forum on the internet" "The dumbest forum on the internet" "The most retarded forum on the internet" "The lamest forum on the internet" "The coolest forum on the internet"