
[Fwd: Re: HeartBleed OpenSSL security flaw exposes millions of passwords]

  • Thad Floryan
    Message 1 of 3 , Apr 8 10:17 PM
      FYI

      -------- Original Message --------
      Subject: Re: HeartBleed OpenSSL security flaw exposes millions of passwords
      Date: Tue, 08 Apr 2014 21:56:03 -0700
      From: Thad Floryan <thad@...>
      Organization: ThadLABS
      Newsgroups: ba.internet
      References: <5344AE95.6070101@...>

      On 4/8/2014 7:21 PM, Thad Floryan wrote:
      > http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
      >
      > By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
      > 7:01 pm, Tuesday, April 8, 2014
      >
      > SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed
      > millions of passwords, credit card numbers and other sensitive bits of
      > information to potential theft by computer hackers who may have been
      > secretly exploiting the problem before its discovery.
      > [...]

      Additional article with more information, none of it good even after
      the vulnerability is fixed:

      http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

      Thad
    • Thad Floryan
      Message 2 of 3 , Apr 8 10:18 PM
        FYI

        -------- Original Message --------
        Subject: Re: HeartBleed OpenSSL security flaw exposes millions of passwords
        Date: Tue, 08 Apr 2014 22:02:38 -0700
        From: Thad Floryan <thad@...>
        Organization: ThadLABS
        Newsgroups: ba.internet
        References: <5344AE95.6070101@...> <li2jq2$mf3$1@...>

        On 4/8/2014 9:54 PM, David Kaye wrote:
        > "Thad Floryan" <thad@...> wrote
        >
        >> Security researchers who uncovered the threat, known as "Heartbleed,"
        >> are particularly worried about the breach because it went undetected for
        >> more than two years.
        >
        > So much for open source being a panacea.

        Bingo!

        Anyone who believes there are millions of extra eyes perusing
        and poring over every line of open source code is dreaming
        and deluding themselves.

        If anyone, it's the criminal hackers who are reading the code
        to determine how it can be exploited for financial gain and/or
        for fun -- I doubt the exploits are the result of an errant
        mouse click on a GUI.

        Thad
      • Scott
        Message 3 of 3 , Apr 9 5:08 AM
          On Tue, Apr 08, 2014 at 10:17:39PM -0700, Thad Floryan wrote:
          > FYI
          >
          > -------- Original Message --------
          > Subject: Re: HeartBleed OpenSSL security flaw exposes millions of passwords
          > Date: Tue, 08 Apr 2014 21:56:03 -0700
          > From: Thad Floryan <thad@...>
          > Organization: ThadLABS
          > Newsgroups: ba.internet
          > References: <5344AE95.6070101@...>
          >
          > On 4/8/2014 7:21 PM, Thad Floryan wrote:
          > > http://www.sfgate.com/business/technology/article/Passwords-vulnerable-after-security-flaw-found-5386933.php
          > >
          > > By MICHAEL LIEDTKE and ANICK JESDANUN, AP Technology Writers
          > > 7:01 pm, Tuesday, April 8, 2014
          > >
          > > SAN FRANCISCO (AP) — An alarming lapse in Internet security has exposed
          > > millions of passwords, credit card numbers and other sensitive bits of
          > > information to potential theft by computer hackers who may have been
          > > secretly exploiting the problem before its discovery.

          FreeBSD has released an update. Unfortunately, it requires a reboot. This
          is one time where the "one complete system" is a bit of a disadvantage.

          One can also install the port (not the package, which still seems to use
          the old version), but it seems the only way to get apache to use the port
          rather than the system one is to then recompile apache. (I haven't tested
          this thoroughly yet.)

          --
          Scott Robbins
          PGP keyID EB3467D6
          ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
          gpg --keyserver pgp.mit.edu --recv-keys EB3467D6