
Welcome to IWETHEY!

Re: SJMN: White House and NSA deny they knew about it.
As I wrote elsewhere:

I find it inconceivable, given the potential for exploitation in the event of a vulnerability, that, in the secret underground lair of the evil hackers, an excruciatingly comprehensive pen test isn't conducted on every published version of OpenSSL.

And by "comprehensive" I mean "every possible client/server message is tested for buffer overflows, for starters".

The NSA didn't know anything about it?

Yeah, right. In fact, I reckon they probably found the flaw in the at-the-time-new Heartbeat feature within days if not hours of it being committed to version control.

And Clapper spoke, so we know he was lying. Y'know. He's got a "tell". His lips move.
I find this comment at Wonkette plausible.
http://wonkette.com/...DComment816885653

szielins 1 day ago

Heartbleed was too weak an exploit for NSA to BOTHER to keep to itself. It's impossible to target against an individual, difficult to get anything out of in the first place, and at ~100K - 2.6M requests per private SSL key retrieved (against NGINX on Linux), the attempt to exploit it would stand out like a sore thumb. More importantly, as of 2008, NSA had a laundry list of exploits that don't have these flaws-- and there's no reason to believe they haven't added to the list since. For NSA, going public with Heartbleed would have been a fine propaganda move to make them look more like white hats, while reducing the effectiveness of their surveillance efforts not at all.

Cites to Bruce Schneier, who combines knowing what he's talking about with being a good explainer: Heartbleed's low exploitability demonstrated: More on Heartbleed. NSA had lots of good exploits, and is likely to have better now: Postmortem: NSA Exploits of the Day.


Someone at the NSA may have known about it, but they may not have been in a position to do anything about it. Or they may have known about it and decided to let sleeping dogs lie. Who knows. We all know there are likely similar coding errors out there...

The NSA isn't all powerful. They have limited time and resources, too.

I've been wondering why the IETF or similar group hasn't been more involved in this - e.g. http://www.ietf.org/...asive-monitoring/

FWIW.

Cheers,
Scott.
Note the followup if you use Chrome.
http://wonkette.com/...DComment817171897

(Tangentially related: I just found out Chrome, by default, doesn't handle certificate revocations correctly. Anyone using Chrome: if you haven't already, go into the advanced preferences and tick "Check for server certificate revocation". See Certificate Revocation and Heartbleed for more information.)


<sigh>

Cheers,
Scott.
So Google doesn't understand the implications of...
its own discovery?

Sigh, indeed.
Alex

“There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge.”

-- Isaac Asimov
Deliberately turned off as of 2012
https://www.imperial...2/05/crlsets.html

AFAIK, Firefox does not check anymore either. The basic problem is that current infrastructure can't handle the volume to respond in a timely fashion, but there are other problems as well. Some alternatives are being batted around, but so far, they're also full of holes.
I wonder if "Lifelock" is getting a spike in business... :-(
Hola Peter.. Query:
[First, OT] Some recent fodder on that old bugaboo, about which we civilly-agreed to disagree: Cell-fones (for just one EMI example) and looong-term discernible(?) Effects:
http://catalog.seven...u-can-do-about-it
(Haven't vetted this screed for n second-opinions, yet.)

On THIS topic:
Appreciating (as I do) your apparent knack for sanely distilling these various Ooops-grade Gotchas, as they occur:

My 'comprehension' of this one can only be shallow, as the code deals with instantaneous hand-shakes which Need to be machine-language coded for that speed (I presume)
--and doubtless truth-tables were Supposed-to cover All eventualities at-all possible. Ever.
And here: they didn't.

But from snippets everywhere, what I naturally wonder is: for those of you who've been immersed, in a variety of gigs, with many bizness-levels of IT competence,
from ugly --> Clever Lads:

Is the whole worldwide IT infrastructure actually riddled with comparable-scale oversights? (???)
(ie Many such: merely not-yet Noticed (also Reported.) I mean: is everyone just crossing-fingers daily?)

Thus, are we ripe--when full-cyberwarfare Does Happen: for something like full-Chaos, ensuing within hours or a few days after ... the first massive International root-kits are lobbed?

Maybe it's too early to make such a guesstimate? But it sure looks scary to us neophytes at the peripheries. Instant-blackout could do.. [Nobody could possibly predict-What, with any credibility.]
(Even I could list 100 crucial/Critical matters rendered inoperable. Deaths would ensue. 'Hardened'/Military agencies would be in unprecedented Control. Cats/Dogs! would be harmed.)


Just askin.. we're all becoming inured to regularly-impending Apocalypse, anyway; Right?

Re: Hola Peter.. Query:
First: EMI hazards - no change, when there's any credible research that draws any significant conclusions regarding the risk of phones to health (and the experimental cohort is now literally billions of people for literally decades; if there were a signal in that noise, someone would have noticed by now - it's not as if they haven't been looking). Bloke with drum to beat and axe to grind writes book. Not a new story.

Anyhoo.

I don't think that the worldwide IT infrastructure is riddled with problems like Heartbleed, although I'd bet a pint that it's not the last dreadful bug of its kind, due to the lack of actual "engineering" that goes into most software "engineering" (seriously, writing this stuff in C is like a builder making your house out of bricks and girders he made himself in his back yard).

I think it's naïve to think that these bugs are unknown to the big intelligence agencies or the black hat community, despite the protestations of the former.

If I were a black hat and I had a sploit that could extract server private keys without leaving a trace, I'd be using it in a way that wouldn't attract attention (i.e. I wouldn't just hook up the biggerest and fasterest computer I had and all-but-DDOS the server, I'd make one 64KB request every other second or something, and let it run for a week, possibly coming from random IP addresses) like a BOSS.

I would then use the spoils of my efforts to extort moolah from the kinds of people who absolutely positively cannot afford any publicity (+ve or -ve) on the subject of security.

The spooks, of course, would use the spoils of their efforts to read ASCott's email, and lie about doing so.
hehe.
No they wouldn't ... they've got Policies
--

Drew
     Heartbleed and OpenSSL - (folkert) - (27)
         Re: Heartbleed and OpenSSL - (pwhysall) - (6)
             #1353 - (Another Scott) - (1)
                 :0) -NT - (mmoffitt)
             Well dammit -NT - (drook)
             It is even more fun than that - (scoenye) - (1)
                 Look for "pacemaker" as related to heartbleed... - (folkert)
             Amazing... - (folkert)
         It now has its own website.. - (Ashton) - (2)
             Most damning point IMO - (drook) - (1)
                 Yes... this. ^^^ -NT - (folkert)
         XKCD is cool today - (drook) - (1)
             wow - (crazy)
         SJMN: White House and NSA deny they knew about it. - (Another Scott) - (10)
             Re: SJMN: White House and NSA deny they knew about it. - (pwhysall) - (9)
                 I find this comment at Wonkette plausible. - (Another Scott) - (4)
                     Note the followup if you use Chrome. - (Another Scott) - (3)
                         So Google doesn't understand the implications of... - (a6l6e6x) - (2)
                             Deliberately turned off as of 2012 - (scoenye) - (1)
                                 I wonder if "Lifelock" is getting a spike in business... :-( -NT - (Another Scott)
                 Hola Peter.. Query: - (Ashton) - (3)
                     Re: Hola Peter.. Query: - (pwhysall) - (2)
                         hehe. -NT - (Another Scott)
                         No they wouldn't ... they've got Policies -NT - (drook)
         And it's exactly as bad as stated. - (pwhysall) - (2)
             Damn! - (a6l6e6x)
             Irony. - (static)
         Possible nasty side effect on Debian if OpenSWAN is used - (scoenye)
