Heartbleed bug

Discussion in 'Internet for Musician' started by duskwings, Apr 11, 2014.

  1. duskwings

    I got a notification from tumblr that there is this vulnerability that is a potential risk for the security of users on some sites. I read about it and it's highly suggested to change the password, especially on yahoo and other widely used sites. Here are the details:

    http://heartbleed.com/
     
  3. OrganicSpaceRaisedMoonBeef

    Got a notice from some site about this stuff. I don't know. Sounds weird to me. Some super-bug no one saw, no one knew, and affects the top banking and such sites? All a bit odd. And BOOOM a commercial site pops up? heartbleed.com?

    It's beyond my realm though.
     
  4. duskwings

    I don't know, but changing password doesn't sound a bad idea, just to feel safe
     
  5. Catalyst

    This bug has been linked to guess who?...the NSA because they knew about it for years but did NOTHING to keep us safe since they use these exploits to compromise systems.

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years

    I keep telling you guys, this is a MAJOR problem. *yes*

    Thanks for calling attention to this subject duskwings. :bow:
     
  6. duskwings

    you can all show your gratitude sending Celtic Woman (including former members, especially Hayley Westenra) to my home
     
  7. Catalyst

    Done.
     
  8. OrganicSpaceRaisedMoonBeef

    Insane. Absolutely insane if true. But not surprising if true.

    NSA will dip their fingers into anything they think will provide even a sliver of 'useful' info. Which 98%+ of the time results in absolutely nothing. I want to see how many terror based arrests or 'plots' they have stopped using this stupid 'NSA' bullshit (they are just a big scam for universal data collection). UDCA is a more fitting name (universal data collection assholes-iation).

    I doubt they have stopped a single incident. If they have all the means of doing so why did the Boston incident happen? Like stop with the fucking phone call collections and watch these terror-promotion sites like they were visiting. Bunch of hogs-lickers.

    But I still think this whole 'heartbleed' thing is a bit odd of an occurrence. If it's true, someone else somewhere knew and should have patched it or leaked the info. There is ZERO reason to have a problem like that and just let it sit. It literally makes no sense.

    Verizon Rep "hey there bobby, so now what we are going to do is just take your secure cable connection and plug it into Mr. X's computer and then into our service (MITM). He can collect data and see everything you do, but it's ok cause it's just a bug we never told you about and the government says it's ok. We sold them the info on the issue. Did you see we are opening 29,000 new stores universe wide? They actually gave us our own planet and sub-human species to look after. THANKS NSA!"

    Bunch of poop-flickers
     
  9. Catalyst

    Organic
    They haven't stopped a single plot. Not one. *no*

    They tried to say that they did but upon further analysis it turned out it was not even one. Well at least we don't have to worry about our freedoms anymore...we have none.
     
  10. fiction

    Well, I see that most people don't seem to care about this subject and give away all their privacy for free. They even sign up on social sites to present even more of their privacy than could ever be sniffed on internet connections, sometimes to a frightening extent.
    I really wonder what weight the word privacy has today.

    You can go crazy and complain about the situation, and it's not only the NSA, it's also the governments and companies that deliver, the hackers paying advertisement fees to hack into your machines more easily by means of ads and the spam mailers trying to trick you into all kinds of bs and so on...
    To me, internet is complete anarchy, in no way trustworthy at all, and using widespread, known mechanisms for "securing" your communication (and we all do because we're no programmers nor cipher experts), will only make it secure so much. There will always be a few security experts ahead of the game.

    One comment about the heartbleed bug: Before changing your login and password on site x, make sure the SSL bug is fixed there. It will take a long time until all web servers are fixed, we know that from history. Also, I wonder how many sites will forget to update their SSL certificates :bleh:
     
  11. onhappin

    In my paranoid world it is now they're doing smth fishy. Heartbleed site looks suspect. How come they talk of vulnerabilities but no code or more specific info is given on the shit affected in OpenSSL? Well since we're all peasants and children of peasants, we don't need to know, we need to suck a candy and hear a story about a mighty vulnerability eating our pron and pirate life and we get scared.
    Excuse me, that's bs, don't give the slightest f on all this buzz.
     
  12. duskwings

    I posted the site to give info, but I got the notice of the heartbleed bug from tumblr that recommended to change the pw, now it's up to you, do it, don't do it, I don't care, then explain me what is so fishy about changing your pw's for your safety.
    That link is the first I found, if you are not brainiac just google heartbleed and see how many results you get
     
  13. kearnsy

    I don't see the point really, if someone wants to hack/steal your password, there's nothing you can do about it unless you're clued up in that area

    If someone's intentions are to steal your info, and they have the knowledge and resources to do it, what can the average joe do?

    Most pc users are clueless about security, myself included

    I'm far more concerned about the government having my info than I am some 15 year old hacker or whatever
     
  14. Olaf

    You can check here which sites have been affected (i.e. where you need to change your password) and also the providers' responses.

    Br,
    Olaf
     
  15. eskimoz

    oh well, like cata said this thing is going on for years at least 2/3 years, it's ssl related so not much the end user could do, change pass every week? yes!! but in the end the bug wins, unless the sites admins, staff that use ssl do something about it. not an expert here on this matter just following the logic of things.

    what we could do?
    well like me use a different email for each site, I use about 20 emails just for log in different sites and I use only this pc for net. but I have other operating system in this pc, it's a linux with my real identity, bank accounts and so on!

    that means all that is related to my real life is not in this hard drive or system, the email that I use here is not the same email that I use in magesY/proaudiotorrents/audionews.ru and so on.


    if you are lazy, well they are counting on that!!
     
  16. Pm5

    I feel sorry to interrupt this paranoia fest.

    Do you really think NSA (or whatever agency) is that dumb ?

    Do you know what you're talking about ?


    a. This bug is nasty, it's really stupid coding mistake, this happens sometimes.

    b. This bug allows you to read chunk of memories you're not supposed to access.

    c. ... You CANNOT choose which chunk of memories you'll read.



    These guys (nsa) have the will, and the ability, to do DPI on huge scales, the cpu-power to crack some encryption...
    Would they bother to put some weak code in the most used encryption software, which is open-source ? ...Maybe.

    But why using :
    - such close to impossible to exploit flaw (when you can put some much bigger)
    - such obvious code
    If you wanna stab someone, you just don't use a spoon.

    I don't say NSA is all kind and nice. But accusing them of this is counter-productive in whatever fight you're on.
    A developer forgot a bound-check

    "Heartbleed site looks suspect."

    It does look simple. It's THEIR DAMN JOB to bring security solution to masses.
    They still give relevant sources to their message.
    They're not affiliated to government.
    It's a good thing they did this. And a good example of responsible disclosure.
    Not so many people read CVE (apart from sysadmin and developer (and hackers))
    Usually when someone finds a security flaw, he doesn't make it public, but leaves some time to vendor to correct (or to pirates to sell it and exploit it (google : 0days)). But it stays between computer people.
    There was some cases where security flaw remained uncorrected for months (even years) because vendor didn't bother to correct it (but the bug stays on, and someone else can find it) : you disclose only when a patch is ready.
    It's important everybody know :
    - nobody can say they didn't know, or the information was unavailable
    - everybody CAN know : even the bad guys, so the persons in charge HAVE to take action ASAP.

    I think it's the first time I see a public-oriented security advisory on a server side software.
    It gets the websites to communicate to their public about it, which is a good thing.
    They did a pretty good. But their language is not aimed to public : not everybody gets the message right.

    But it's an individual response : fright, complotism, not-giving-a-damn, ..

    "How come they talk of vulnerabilities but no code or more specific info is given on the shit affected in OpenSSL?"

    Man, did you even search? You obviously didn't. Here you go : (red is weak deleted code, green is correction)
    http://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff;f=ssl/d1_both.c;h=2e8cf681ed0976e2b16460170fda27c77cfec6cc;hp=7a5596a6b373aeabbd6d8d674f0e20b1618c5012;hb=96db9023b881d7cd9f379b0c154650d6c108e9a3;hpb=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
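
Added example, not part of Pm5's post and not OpenSSL's code: a simplified C model of the forgotten bound check described above, using the heartbeat layout from RFC 6520. The function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSL source. Layout per RFC 6520:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3
#define HB_MIN_PAD  16

/* Constructed samples: an honest request and one whose length field lies. */
static const uint8_t HONEST[HB_HDR + 5 + HB_MIN_PAD] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t LYING[HB_HDR + 1 + HB_MIN_PAD]  = {HB_REQUEST, 0x40, 0x00, 'x'};
static uint8_t resp[64];

/* Bytes beyond the received record that an unchecked echo of the claimed
 * payload would read: the "chunk of memory" a peer was never meant to see. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HDR;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: builds the echo in out, or returns -1 to drop the record. */
int hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len) return -1;  /* the missing bound check */
    size_t n = HB_HDR + claimed + HB_MIN_PAD;
    if (n > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* safe: claimed fits inside rec */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* RFC 6520 asks for random padding */
    return (int)n;
}

int main(void)
{
    printf("honest: over-read %zu, response %d\n", hb_overread(HONEST, sizeof HONEST),
           hb_respond(HONEST, sizeof HONEST, resp, sizeof resp));
    printf("lying:  over-read %zu, response %d\n", hb_overread(LYING, sizeof LYING),
           hb_respond(LYING, sizeof LYING, resp, sizeof resp));
    return 0;
}
```

The over-read starts wherever the record happens to sit in memory, so the sender controls only the claimed length, not which neighbouring data comes back.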
     
  17. Catalyst

    Yes the government is that dumb. *yes*

    And the point is that they knew about it for years but didn't disclose it.
     
  18. Blister

    just read the list of infected sites. Facebook, soundcloud, Gmail.

    How on earth is my Fb post of how early I got up this morning of any use to anyone?

    I sometimes use Gmail to send someone an MP3, so now a group of hackers can also listen to my music?

    Same goes for soundcloud. Hackers secretly listening to my Mp3's?

    Excuse me for being stupid, but what's the risk here?
    I don't use any of the other infected sites. And share nothing but bs and some MP3's
    (sometimes the MP3's are bs as well :wink: )

    Oh yeah........still on XP! :bleh:
     
  19. Pm5

    Your gmail or fb account could be used to send spam... You might receive some banking information on gmail... you might receive some password reset mail to some more $$interesting$$ stuff on gmail...
     