8th Apr 2014, 10:29   #1
Gareth Halfacree
bit-tech Staff
Web hit by OpenSSL 'Heartbleed' vulnerability

Serious security flaw in crypto library.
http://www.bit-tech.net/news/bits/20...l-heartbleed/1
__________________
Author, Raspberry Pi User Guide Third Edition, 21 Brilliant Projects for the Raspberry Pi and more | gareth.halfacree.co.uk | twitter | keybase.io
bit-tech news correspondent, Custom PC columnist, other things to other people
I'm a filthy freelancer! Hire me!
8th Apr 2014, 15:37   #2
bigc90210
This is the reason the minecraft login servers are down :/
__________________
Asus Maximus VI Extreme, i7 4770k @ 4.7GHz, EK Supremacy, 32GB (4x8gb) Crucial Ballistix Tracer 1600Mhz 1.5v, 3 x W/C Titans in SLI, 500gb Samsung 840, 3x128GB Corsair SATA 3 SSD's in Raid 5, 2x2TB WD Greens in RAID 1, Corsair 540, Logitech G19, Razer Naga Molten, Razer Vaspula, Razer Kraken, Leap Motion, Triple 27" 2560x1440p,
8th Apr 2014, 15:59   #3
Gareth Halfacree
Quote:
Originally Posted by bigc90210
This is the reason the minecraft login servers are down :/
Any company that doesn't take its vulnerable servers down until they're patched (yes, like you, Yahoo, you naughty little company you) is doing its customers a distinct disservice; I can't stress enough how serious this vulnerability is. We're talking the keys to the kingdom, here; total and unfettered (read-only, I'll grant you) access to the contents of RAM. The sysadmin in me is puckering up just thinking about it.
8th Apr 2014, 16:07   #4
bigc90210
Absolutely agree, they've just announced on Twitter that the servers are coming back up now
8th Apr 2014, 19:14   #5
Umbra
Would NSA/GCHQ tell anyone if they knew?
__________________
“Success is 99 percent failure” Soichiro Honda

Skulduggery - case mod

Motorcycle Action Group. The Right to Ride.
8th Apr 2014, 23:53   #6
mi1ez
Oh, wow.
__________________
The Angel Delights?
9th Apr 2014, 11:34   #7
r3loaded
Quote:
Originally Posted by Umbra
Would NSA/GCHQ tell anyone if they knew?
Definitely not. It's impossible to know whether they knew about this bug beforehand, but at least we're lucky now that a security researcher discovered this one.
__________________
Main: Silverstone FT03 | Asus P8P67-M Pro | i5 2500K @ 4.6Ghz | CM 212+ | 16GB Corsair Vengeance 1600Mhz | XFX Radeon 7970 DD | 500GB Samsung 840 Evo | Samsung XL2270HD | KBT Race | Sidewinder X8
Mac: 13 inch MacBook Pro 2014 | 16GB RAM | Filco Minila Air | Magic Trackpad
Server: Asus M3N78-AM | Athlon II X3 400e | 4GB Corsair XMS2 | 4x 2TB Samsung F4EG (RAID-5) | LSI MegaRAID 8708EM2 | Corsair CX400 | Arch Linux
11th Apr 2014, 11:59   #8
will_123
As I'm aware, OpenBSD was not actually affected due to the way they have implemented memory allocation in BSD. Instead of leaking the memory it initiates a dump file or crash, I think. In my very first job at the NHS as a student sysadmin my manager swore by BSD. Maybe he was right!

Very interesting link below: a mail thread with the OpenBSD founder replying.

Mail Thread
__________________
i5 3570k @ 4.5GhZ | H100i | Twin Frorz 7870 | Pure Pro MX Blue

Web Hosting - http://www.goforthhosting.com
11th Apr 2014, 12:12   #9
Gareth Halfacree
Quote:
Originally Posted by will_123
As I'm aware, OpenBSD was not actually affected due to the way they have implemented memory allocation in BSD. Instead of leaking the memory it initiates a dump file or crash, I think. In my very first job at the NHS as a student sysadmin my manager swore by BSD. Maybe he was right!
Sadly, if you re-read the link, you'll see that OpenBSD (and all other BSDs shipping affected OpenSSL variants) was affected. Basically, there is exploit mitigation in malloc which means that OpenSSL should crash instead of revealing its secrets; unfortunately, there's exploit mitigation mitigation in OpenSSL that means malloc doesn't get a look-in. (Basically, for performance reasons on one unnamed platform, a coder added internal caching to OpenSSL which bypasses malloc - meaning that the crash-instead-of-leaking feature never gets used, and the data is leaked instead.)
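An added illustration of the allocator interplay Gareth describes above. This is example code written for this thread, not code from the original post, from OpenSSL or from OpenBSD: a deterministic toy arena whose free routine scrubs released blocks stands in for a hardened malloc, and a freelist cache layered on top stands in for OpenSSL's internal buffer recycling. The block names (arena_alloc, cached_alloc, stale_bytes_after_reuse) and the sample payload are all constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from the thread, OpenSSL or OpenBSD).
 * Two allocation paths over one fixed arena, so results are reproducible:
 *  - arena_free() junks a block as it is released, the way a hardened
 *    malloc can, so a later allocation cannot hand back old contents;
 *  - a library-internal freelist recycles blocks without ever calling
 *    arena_free(), so the scrub never runs and the contents survive.
 */

#define BLOCK_SIZE 64
#define NUM_BLOCKS 4
#define JUNK_BYTE  0xdf   /* arbitrary fill pattern; the value is not important */

static unsigned char arena[NUM_BLOCKS][BLOCK_SIZE];
static int arena_in_use[NUM_BLOCKS];

/* Hardened allocator: lowest free block wins; release scrubs the block. */
static unsigned char *arena_alloc(void) {
    for (int i = 0; i < NUM_BLOCKS; i++) {
        if (!arena_in_use[i]) { arena_in_use[i] = 1; return arena[i]; }
    }
    return NULL;
}

static void arena_free(unsigned char *p) {
    int i = (int)((p - &arena[0][0]) / BLOCK_SIZE);
    memset(p, JUNK_BYTE, BLOCK_SIZE);   /* scrub on release */
    arena_in_use[i] = 0;
}

/* Caching layer: hands blocks back internally; arena_free() is bypassed. */
static unsigned char *freelist[NUM_BLOCKS];
static int freelist_top;

static unsigned char *cached_alloc(void) {
    if (freelist_top > 0) return freelist[--freelist_top];  /* reused as-is */
    return arena_alloc();
}

static void cached_free(unsigned char *p) {
    freelist[freelist_top++] = p;   /* never reaches the scrubbing free */
}

static void reset_state(void) {
    memset(arena, 0, sizeof arena);
    memset(arena_in_use, 0, sizeof arena_in_use);
    freelist_top = 0;
}

#define SECRET "constructed-secret"   /* constructed sample payload */

/* Writes SECRET into a block, releases it through the chosen path,
 * allocates again and counts how many bytes of SECRET are still readable
 * in the fresh block. Returns 0 when the scrub did its job and
 * strlen(SECRET) when the cache kept the scrub from running. */
int stale_bytes_after_reuse(int use_cache) {
    reset_state();
    unsigned char *first = use_cache ? cached_alloc() : arena_alloc();
    memcpy(first, SECRET, sizeof SECRET);
    if (use_cache) cached_free(first); else arena_free(first);

    unsigned char *second = use_cache ? cached_alloc() : arena_alloc();
    /* Both paths return the same physical block; only its contents differ. */
    assert(second == first);

    int leaked = 0;
    for (size_t i = 0; i < strlen(SECRET); i++) {
        if (second[i] == (unsigned char)SECRET[i]) leaked++;
    }
    return leaked;
}

int main(void) {
    printf("scrubbing free: %d stale bytes\n", stale_bytes_after_reuse(0));
    printf("freelist cache: %d stale bytes\n", stale_bytes_after_reuse(1));
    return 0;
}
```

The point the numbers make is the one in the post: the scrub lives in the allocator's release path, so any layer that recycles buffers without going through that path (here cached_free, in OpenSSL the internal caching Gareth mentions) quietly removes the protection for every buffer it manages. When auditing a library that ships its own allocator or freelist, the question to ask is whether its reuse path clears buffers itself, because the platform allocator never gets the chance.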
11th Apr 2014, 12:26   #10
will_123
Quote:
Originally Posted by Gareth Halfacree
Sadly, if you re-read the link, you'll see that OpenBSD (and all other BSDs shipping affected OpenSSL variants) was affected. Basically, there is exploit mitigation in malloc which means that OpenSSL should crash instead of revealing its secrets; unfortunately, there's exploit mitigation mitigation in OpenSSL that means malloc doesn't get a look-in. (Basically, for performance reasons on one unnamed platform, a coder added internal caching to OpenSSL which bypasses malloc - meaning that the crash-instead-of-leaking feature never gets used, and the data is leaked instead.)
Ah, I misinterpreted it!

Cheers.
11th Apr 2014, 13:53   #11
RTT
What's crap is that it's widely understood and considered that OpenSSL is a bit of a mess - and the team who run it aren't exactly open to accepting any help. Some choice quotes from a thread on r/programming:

Quote:
The OpenSSL team has a strong NIH syndrome in their spirit though. I (the author of the LibTom projects) have actually talked to Ben Laurie (one of the main developers) about code quality and he scoffed at the notion that things like the math library in OpenSSL could be re-written to be much simpler and easier to audit.
... which is a shame, because while you probably wouldn't want any old joe submitting patches to such sensitive software, you absolutely could have less-qualified/trusted/whatever engineers start to unit test & fuzz-test the heck out of it
__________________
This post is non-negotiable. All terms and conditions apply.
Free UK Motorcycle classifieds - Buy a Motorbike

Tags
dtls, exploit, heartbleed, information disclosure, insecurity, open source, openssl, security, ssl, tls, vulnerability, web server

All times are GMT +1. The time now is 03:19.