Jul - News - Heartbleed
divingkataetheweirdo (TCRF Super Editor)
Posted on 04-13-14 02:21:02 PM (last edited by divingkataetheweirdo at 04-13-14 02:24:29 PM)
For those unaware, it's a real pain in the behind. It's an OpenSSL exploit that allows one to read the memory of a server using a request to get a server's keys to reveal passwords. You can access up to 64 KB at a time, but it can be repeated constantly to get all of the needed info. The current advice is to wait until the bug is fixed, then change your password.

Considering Yahoo is/was using a vulnerable version of OpenSSL...

Also, the NSA is rumored to have been using it to hack accounts, but they are denying they even knew about its existence.
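The mechanism the post describes (a heartbeat request whose claimed length is trusted, so the reply carries whatever sits after the request in memory, up to 64 KB per request), as an added example that is not code from this thread or from OpenSSL itself. The record layout, the handler logic and the two length checks follow the real `tls1_process_heartbeat()` before and after the 1.0.1g fix; the `arena` standing in for process memory, the `secret` string, the one-byte request and all function names are constructed for the demo, and the copy stays inside the arena so the program is well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding a heartbeat record carries */

/* Constructed stand-in for process memory: the received record sits at
 * the start, and whatever happened to be adjacent on the heap (here a
 * made-up secret) follows it. Nothing below reads outside this array. */
static unsigned char arena[256];
static const char secret[] = "Cookie: session=deadbeef; pw=hunter2";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable handler, modelled on tls1_process_heartbeat() before the
 * fix: payload length comes from the attacker-controlled header and is
 * never compared with rec_len, the number of bytes actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: ignored */
    unsigned char hbtype = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* n2s() */
    const unsigned char *pl = rec + 3;
    size_t reply_len = 1 + 2 + (size_t)payload + HB_PADDING;

    if (hbtype != TLS1_HB_REQUEST || reply_len > out_cap)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);      /* over-read: copies past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return reply_len;
}

/* Fixed handler: the two length checks added in OpenSSL 1.0.1g. A record
 * whose claimed payload does not fit in what was received is silently
 * discarded; only then is the (now in-bounds) copy performed. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                      /* too short to be a valid record */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                      /* claimed length exceeds record */
    return heartbeat_vulnerable(rec, rec_len, out, out_cap);
}

/* Does the reply contain the secret anywhere? (memmem is not portable.) */
static int contains_secret(const unsigned char *buf, size_t n)
{
    size_t k = sizeof secret - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, secret, k) == 0)
            return 1;
    return 0;
}

/* Builds a request carrying one real payload byte but a header claiming
 * `claimed` bytes, runs it through h, and returns the reply length.
 * If leaked is non-NULL it is set when the reply contains bytes the
 * client never sent. */
size_t send_heartbeat(hb_handler h, uint16_t claimed, int *leaked)
{
    unsigned char out[512];
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;         /* 20 bytes on the wire */

    if (leaked) *leaked = 0;
    if (claimed > sizeof arena - 3)    /* keep the demo's over-read in the arena */
        return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'A';                                  /* the only real payload byte */
    memcpy(arena + rec_len, secret, sizeof secret - 1);   /* "adjacent heap data" */

    size_t n = h(arena, rec_len, out, sizeof out);
    if (leaked) *leaked = contains_secret(out, n);
    return n;
}

int main(void)
{
    int leaked;
    size_t n = send_heartbeat(heartbeat_vulnerable, 64, &leaked);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = send_heartbeat(heartbeat_fixed, 64, &leaked);
    printf("fixed:      %zu-byte reply, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The length field is 16 bits, which is where the "up to 64 KB at a time" figure comes from: a client can claim 0xFFFF while sending a single byte. In the real bug the over-read came from a heap buffer, so what leaked depended on allocator state and varied from request to request, which is why repeating the request was the point of the attack; here the adjacent bytes are constructed so the leak is reproducible.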

Kak
Posted on 04-14-14 03:52:13 PM
I felt like linking to a video of the PoC Python script, just for those who wanted to see a demonstration of the bug:

https://www.youtube.com/watch?v=UhpqexK2epc

Rena
Posted on 06-25-14 02:23:38 PM
And this is why we don't:


  • Write horrible ugly shitty code that nobody can read

  • Assume code is safe when you can't read it

  • Try to be clever with syscalls

  • Fail to thoroughly test security-critical code

When people say open source is more secure, the whole reason for that is because you can look at the code and see if it's sane. Writing code that nobody can fucking read isn't much better than not publishing the code at all.