Heartbleed
divingkataetheweirdo

Posted on 04-13-14 02:21:02 PM (last edited by divingkataetheweirdo at 04-13-14 02:24:29 PM)
For those unaware, it's a real pain in the behind. It's an OpenSSL exploit that allows one to read the memory of a server using a request to get a server's keys to reveal passwords. You can access up to 64kb at a time, but it can be repeated constantly to get all of the needed info. The current advice is to wait until the bug is fixed, then change your password.

Considering Yahoo is/was using a vulnerable version of OpenSSL...

Also, the NSA is rumored to have been using it to hack accounts, but they are denying they even knew about its existence.
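The post above describes the mechanism (a peer claims a payload of up to 64 KB and the server copies that much memory back). The fix OpenSSL shipped was a bounds check on the claimed length. The following is an added example, not code from this thread or from OpenSSL: a simplified heartbeat handler built around a constructed record layout (type byte, 16-bit length, payload, 16 bytes of padding, after RFC 6520), showing the check that rejects a record whose claimed payload length exceeds what was actually received. The helper names, the demo functions and the sample bytes are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record (assumed layout, following RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * This is an illustration, not OpenSSL's implementation. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_MIN_PADDING   16

/* Build a heartbeat response into out (capacity out_cap).
 * Returns the response length, or -1 if the request is rejected.
 * The line marked BOUNDS CHECK is the one missing in the vulnerable
 * code: without it a record of a few bytes claiming a 65535-byte
 * payload makes memcpy read past the record into adjacent memory. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_TYPE_REQUEST) return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* BOUNDS CHECK: the claimed payload plus padding must fit in the
     * bytes we actually received; otherwise drop the record silently. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);             /* echo only bytes inside rec */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);  /* padding (zeros for the demo) */
    return (int)resp_len;
}

/* Demo helper: build a request whose header claims claimed_len bytes
 * while the record really carries actual_len payload bytes. */
size_t build_request(uint8_t *buf, size_t cap, uint16_t claimed_len,
                     const uint8_t *payload, size_t actual_len)
{
    size_t total = 1 + 2 + actual_len + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_MIN_PADDING);
    return total;
}

/* Constructed sample: an honest 4-byte "ping" request. Returns the
 * response length the handler produces (expected 1+2+4+16 = 23). */
int demo_honest(void)
{
    uint8_t req[64], resp[128];
    const uint8_t p[4] = {'p', 'i', 'n', 'g'};
    size_t n = build_request(req, sizeof req, 4, p, 4);
    int r = heartbeat_respond(req, n, resp, sizeof resp);
    if (r > 0 && memcmp(resp + 3, p, 4) != 0) return -2; /* echo must match */
    return r;
}

/* Constructed sample: same 4-byte record, but the header claims 65535
 * bytes. The hardened handler rejects it (expected -1). */
int demo_mismatched(void)
{
    uint8_t req[64], resp[128];
    const uint8_t p[4] = {'p', 'i', 'n', 'g'};
    size_t n = build_request(req, sizeof req, 0xFFFF, p, 4);
    return heartbeat_respond(req, n, resp, sizeof resp);
}

int main(void)
{
    printf("honest request    -> response length %d\n", demo_honest());
    printf("oversized claim   -> result %d (rejected)\n", demo_mismatched());
    return 0;
}
```

The 16-bit length field is why the post's "64kb at a time" figure appears: 65535 is the largest payload a single record can claim, and a server that trusts that field instead of the received record length hands back that much of whatever sits next to the request buffer.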
Kak

Posted on 04-14-14 03:52:13 PM
I felt like linking to a video of the POC Python script just for those who wanted to see a demonstration of the bug.

[YouTube video: https://www.youtube.com/v/UhpqexK2epc]
Rena

Posted on 06-25-14 02:23:38 PM
And this is why we don't:

  • Write horrible ugly shitty code that nobody can read
  • Assume code is safe when you can't read it
  • Try to be clever with syscalls
  • Fail to thoroughly test security-critical code

When people say open source is more secure, the whole reason for that is because you can look at the code and see if it's sane. Writing code that nobody can fucking read isn't much better than not publishing the code at all.
Rusted Logic
Acmlmboard - commit 5d36857 [2018-03-03]
©2000-2018 Acmlm, Xkeeper, Inuyasha, et al.