Heartbleed Security Flaw Catches Internet Off Guard

Comments

vrmlbasic

The idea that open source software is more secure because everyone can review the code just took yet another punch to the face.

Two-thirds of the world's "secured" websites use this software and despite both that and all of the people supposedly poring over the source code, an error this grievous was allowed to be created and last for TWO YEARS.

*The next time a security flaw is discovered, a creative firm should be consulted for coining the name for it as "heartbleed" is fail-tastic.

tristone

MacOS had been using ROT13 for password 'encryption' for even longer. And that is more secure?

With open source, at least everybody has a chance to check the code. With closed source, only the vendor may know what's wrong, if they even check for problems. Looks like you prefer the latter?

The issue is said to be fixed in Debian in 30 minutes. With Microsoft, some issues last much longer than 6 months.

Bullwinkle J Moose

You are so right

This should have been closed source so it would never be found

Wouldn't that be hilarious?

bpstone

<< lol

C9870

Steve Gibson does a good job explaining these security exploits.

http://twit.tv/show/security-now/450

Bullwinkle J Moose

Good video.

If you would like to hear just about the security problem, let it stream for a while and then advance to 44 min and 20 sec.

It gets really good at around 1:02:45.

Several minutes later (1:09:50): there are no server logs to tell you if the server has ever been exploited, and once the problem is patched AND (1:10:50) there is no way to know if the certificates are still vulnerable, due to the fact that ALL certificates that "may" have been compromised can no longer be trusted.

1. All vulnerable software must be patched
2. All vulnerable certificates must be reissued
3. Then and only then, ALL USERS must be notified and forced to change ALL their passwords to a new secure password.

Changing your password before BOTH #1 and #2 have been corrected will still leave you vulnerable.

Use the Heartbleed test to check a site for this vulnerability:

http://filippo.io/Heartbleed/
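The ordering argued for in the comment above (patch first, reissue the certificate second, change passwords last) can be turned into a simple check a user or admin can run before rotating credentials. This is an added example, not code from the article, the commenter or any linked site; it parses constructed `openssl x509 -noout -dates` output (the sample certificate dates are made up) and compares the certificate's notBefore date with 2014-04-07, the day OpenSSL 1.0.1g shipped with the Heartbleed fix.

```python
from datetime import datetime, timezone

# OpenSSL 1.0.1g, which closed Heartbleed, was released on 2014-04-07.
# A certificate issued before that date on a formerly vulnerable host may
# have had its private key read out of memory, so it should be reissued
# before anyone bothers changing a password behind it.
HEARTBLEED_FIX_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample of `openssl x509 -noout -dates` output (not a real cert).
SAMPLE_DATES_OUTPUT = """notBefore=Mar 15 12:00:00 2013 GMT
notAfter=Mar 15 12:00:00 2015 GMT
"""


def parse_not_before(openssl_dates_output: str) -> datetime:
    """Return the notBefore timestamp from `openssl x509 -noout -dates` text."""
    for line in openssl_dates_output.splitlines():
        if line.startswith("notBefore="):
            # openssl prints e.g. "Mar 15 12:00:00 2013 GMT"; single-digit days
            # are padded with a second space, which strptime tolerates.
            value = line.split("=", 1)[1].strip().replace(" GMT", "")
            parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notBefore line found in openssl output")


def password_change_advisable(server_patched: bool, not_before: datetime) -> tuple:
    """Apply the three-step order: patch (1), reissue cert (2), rotate passwords (3)."""
    if not server_patched:
        return (False, "step 1 incomplete: server still vulnerable, a new password could leak too")
    if not_before < HEARTBLEED_FIX_DATE:
        return (False, "step 2 incomplete: certificate predates the fix, its key may be compromised")
    return (True, "steps 1 and 2 done: changing the password now is worthwhile")


def check_site(server_patched: bool, openssl_dates_output: str) -> tuple:
    """Convenience wrapper: decide from raw openssl output plus patch status."""
    return password_change_advisable(server_patched, parse_not_before(openssl_dates_output))


if __name__ == "__main__":
    # Example run against the constructed sample: patched host, but old certificate.
    ok, reason = check_site(True, SAMPLE_DATES_OUTPUT)
    print(ok, reason)
```

The patch status itself has to come from the site operator (or a scanner such as the one linked above); this check only enforces the certificate half of the ordering.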

Neufeldt2002

Thanks for the link Bullwinkle.

Bullwinkle J Moose

Why would the NSA do such a thing?

WHY?

Once this is "fixed", I better buy Windows Spyware Platform 8 so the NSA can still get all my data.

For "MY" protection of course

That must be why we can no longer block certain Microsoft components from accessing the Internet in the Windows 8 firewall

or why third-party apps can still send data without warning you in the new Windows Spyware Platforms.

It's for OUR Protection!

I'm still using XP-SP2 without any updates in read-only mode with Driveshield, but Microsoft says I need to update my OS to something more secure, and I know for a FACT that Microsoft would never lie, but I still can't figure out how that new OS will protect me from Heartbleed, redirectors, social manipulation and other problems that only exist on the Internet.

It sure is a mystery

Oh well, if Microsoft thinks that simply rebooting to eliminate viruses with a read-only OS is BAD, who am I to disagree?

They wouldn't lie just to sell me more broken crap to keep me on the never-ending treadmill would they?

Would They?

Bullwinkle J Moose

I stand corrected!

http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/

After all, the NSA would never lie to us...

WOULD THEY?

Oh wait, it was anonymous sources who are saying the NSA did not use Heartbleed.

http://arstechnica.com/security/2014/04/nsa-used-heartbleed-nearly-from-the-start-report-claims/

Never mind!

I'd rather have someone accountable and using their own name when they make statements to the effect that they know for a fact that every single person in the NSA never used Heartbleed for the past 2 years.

Tell me, how could ANYONE, including the Director of the NSA know for sure what every single person in the NSA is up to?

Hey, let's ask Snowden!

Oh wait, now Obama denies that the US or any Gov't Agency knew of the Heartbleed bug?

http://www.nytimes.com/2014/04/12/us/us-denies-knowledge-of-heartbleed-bug-on-the-web.html?_r=0

But wait again... wasn't it the NSA's job to find these vulnerabilities?

http://www.zdnet.com/institutional-failure-led-to-nsa-missing-the-heartbleed-flaw-7000028366/

FIRE THEM ALL!

vrmlbasic

How trustworthy is Driveshield?

Bullwinkle J Moose

Perfect record for several years.

Used by governments, libraries, schools and corporations that simply cannot have any changes made to their OS by users or malware.

It has never been defeated (even once) as far as I am aware.

Easiest-to-use product of its type (for me anyway).

It's a bit tricky to set up if I use XP-SP2, however, as Internet Explorer 6 is immediately compromised if my firewall tries to activate itself using Explorer before my computer is locked down.

So, I just go through the activation process with wi-fi unplugged and set everything to ask or block in the firewall before I am sure what I want to allow online.

NEVER allow Explorer 6 online, even once!

Neufeldt2002

So what does MPC use? And is it safe? Or do I have to change my password?

Mikey109105

Another good reason for me to not get rid of my LastPass account, LOL!

Evan Evans

An excellent reason to have LifeLock.

thedesmodes

The Canadian government had to shut down the part of their tax website that you can log into because of this.