IWETHEY v. 0.3.0

I find this comment at Wonkette plausible.
http://wonkette.com/...DComment816885653

szielins 1 day ago

Heartbleed was too weak an exploit for NSA to BOTHER to keep to itself. It's impossible to target against an individual, difficult to get anything out of in the first place, and at ~100K - 2.6M requests per private SSL key retrieved (against NGINX on Linux), the attempt to exploit it would stand out like a sore thumb. More importantly, as of 2008, NSA had a laundry list of exploits that don't have these flaws, and there's no reason to believe they haven't added to the list since. For NSA, going public with Heartbleed would have been a fine propaganda move to make them look more like white hats, while reducing the effectiveness of their surveillance efforts not at all.

Cites to Bruce Schneier, who combines knowing what he's talking about with being a good explainer: Heartbleed's low exploitability demonstrated: More on Heartbleed. NSA had lots of good exploits, and is likely to have better now: Postmortem: NSA Exploits of the Day.
Someone at the NSA may have known about it, but they may not have been in a position to do anything about it. Or they may have known about it and decided to let sleeping dogs lie. Who knows. We all know there are likely similar coding errors out there...

The NSA isn't all powerful. They have limited time and resources, too.

I've been wondering why the IETF or similar group hasn't been more involved in this - e.g. http://www.ietf.org/...asive-monitoring/

FWIW.

Cheers,
Scott.
Note the followup if you use Chrome.
http://wonkette.com/...DComment817171897

(Tangentially related: I just found out Chrome, by default, doesn't handle certificate revocations correctly. Anyone using Chrome: if you haven't already, go into the advanced preferences and tick "Check for server certificate revocation". See Certificate Revocation and Heartbleed for more information.)
<sigh>

Cheers,
Scott.
So Google doesn't understand the implications of...
its own discovery?

Sigh, indeed.
Alex

“There is a cult of ignorance in the United States, and there has always been. The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that "my ignorance is just as good as your knowledge."”

-- Isaac Asimov
Deliberately turned off as of 2012
https://www.imperial...2/05/crlsets.html

AFAIK, Firefox does not check anymore either. The basic problem is that current infrastructure can't handle the volume to respond in a timely fashion, but there are other problems as well. Some alternatives are being batted around, but so far, they're also full of holes.
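For anyone who wants to see concretely what "checking revocation" buys you and what a client that skips it sees, here is an added example of my own; it is not from scoenye's post, from the linked article, or from Chrome or Firefox. It builds a throwaway CA in a temp directory with the openssl command-line tool, issues a leaf cert, checks it with and without a CRL, then revokes it (reason keyCompromise, the Heartbleed case) and checks again. The CA name, the server name example.test, the serial number and all file names are made up for the example; it assumes only that openssl is on PATH.

```shell
#!/bin/sh
# Added example: CRL-based revocation checking with a throwaway CA.
# Everything below (CA name, example.test, serial, file names) is constructed
# for the example and is not taken from the thread or from any browser.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so `openssl req` and `openssl ca` work without a system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = placeholder
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 30
policy             = loose_policy
[ loose_policy ]
commonName         = supplied
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Throwaway root CA (hypothetical name).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null

# Leaf certificate for a hypothetical server, signed by that CA, serial 0x1000.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 4096 \
  -days 30 -out leaf.crt 2>/dev/null

# issue_crl: publish the CA's current CRL (empty until something is revoked).
issue_crl() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# verify_leaf no_crl|crl_check: prints "ok" or "fail".
# no_crl is what a client that skips revocation sees; crl_check consults the CRL.
verify_leaf() {
  case "$1" in
    no_crl)    set -- -CAfile ca.crt leaf.crt ;;
    crl_check) set -- -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt ;;
    *)         echo "usage: verify_leaf no_crl|crl_check" >&2; return 2 ;;
  esac
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# revoke_leaf: the "private key leaked" step, followed by a fresh CRL.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
  issue_crl
}

issue_crl
BEFORE_NO_CRL=$(verify_leaf no_crl)
BEFORE_CRL=$(verify_leaf crl_check)
revoke_leaf
AFTER_NO_CRL=$(verify_leaf no_crl)
AFTER_CRL=$(verify_leaf crl_check)
printf 'before revocation: no_crl=%s crl_check=%s\n' "$BEFORE_NO_CRL" "$BEFORE_CRL"
printf 'after revocation:  no_crl=%s crl_check=%s\n' "$AFTER_NO_CRL" "$AFTER_CRL"
```

The last line is the point of the whole thread: after revocation the plain chain check still says ok, because the signature and validity dates are all still fine; only the client that actually fetches and consults the CRL (or an OCSP response) finds out the key is burned. A browser that has turned that step off, or that soft-fails when the responder is slow, is in the no_crl column.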
I wonder if "Lifelock" is getting a spike in business... :-(