Don't forget to change your passwords!


CCIP
04-09-14, 06:59 PM
I know some of you are probably tired of hearing this today, but for the benefit of those who may be out of the loop:

http://www.bbc.com/news/technology-26954540

Basically, a serious exploit called Heartbleed has been discovered in the OpenSSL (Secure Socket Layer), a protocol that is commonly used for transmitting sensitive data online. Many services, especially those where money or private information might be stored, have suggested changing your passwords - Canada's tax agency even shut their sites for the moment to ensure no data leaks. So, better safe than sorry! Good excuse to do a routine password change anyway, which is nice to do every once in a while.

Lionclaw
04-10-14, 01:49 AM
Thanks, first time I've heard about it. :)

It's going to take time to change every password. :doh:

Jimbuna
04-10-14, 05:00 AM
Potentially very worrying.

banryu79
04-10-14, 05:41 AM
Potentially the worst bug in the entire history of the world wide web :D

If you want the details:
http://heartbleed.com/
(this web page was made by the guys of Codenomicon)

Btw, it is better to wait for the release of a patched implementation, otherwise changing your password is perfectly useless...
And for password management I strongly recommend the use of a dedicated software (a password manager) like KeePass ;)
Besides remembering your passwords it has a very useful password generator tool so you can generate strong passwords.

Skybird
04-10-14, 05:54 AM
Worst security event ever in the internet's history so far.

Currently, changing passwords does nothing if they have not previously changed their SSL software and certificates; your new passwords would be compromised too, then.

There is a list somewhere of sites that showed which ones were safe or not safe yesterday, around noon time. Maybe it gets updated. For administrators and server operators there also are one or two sites where you could let your servers be checked.

It's pretty bad, exceeding the scale. Be advised that changing passwords does nothing if they have not updated their SSL software and certificates before. You want to be certain they did, before dwelling in the illusion of being safe again just because you changed those codes of yours.

It's funny somehow how little note the world has taken; it shows how little common people understand about the web, and how exposed they are to the inherent dangers of their ignorance. If the Big One had flattened LA in California, people would have taken note, wouldn't they?

Skybird
04-10-14, 05:55 AM
Ah, banryu was a bit faster than me... :)

Catfish
04-10-14, 06:04 AM
The "new" Internet is the old ARPANET.
Certificates are of no use if the NSA can publish those itself, or just intercept or read out those from any personal PC.

So if you want any security against breaches or eavesdropping, we need another net, and other protocols.

Up to then all you do is already compromised.

Skybird
04-10-14, 06:54 AM
Windows Cloud, anyone!? :ping:

The bugs are now placed in the OS itself. No firewall and virus scanner can get them there. He who thinks he is safe when using an antivirus or firewall, lives on the moon.

I personally am convinced that they already have started to sink bugs into the hardware, into ROMs and BIOS. They would be incompetent if they had not done so by now.

Don't trust chips made by somebody else. Only trust chips you made yourself. :shucks:

Skybird
04-10-14, 07:37 AM
This is the list I mentioned.

https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

Note that it was valid Wednesday.

Also note, since there are many gamers here, amongst the sites still vulnerable yesterday, was Steam.

Also note this: risks remain even after servers have been patched and passwords have been changed, because criminals could use the old exploit to decipher old data traffic that they have collected before. You may want to think about whether or not you are at risk from that direction.

Nippelspanner
04-10-14, 08:03 AM
I start to hate the internet...

Skybird
04-10-14, 08:08 AM
At the time of writing this, the subsim.com website IS NOT affected.

STEED
04-10-14, 08:22 AM
The Internet is safe and your stuff is secure and safe trust the Internet. :har:

I trust the Internet as about much as I trust a politician...ZERO.

banryu79
04-10-14, 10:34 AM
Steam or subsim... seriously I'm a bit more worried about my online bank account, you know! :haha:

Skybird
04-10-14, 11:04 AM
It could very well be that it is not criminal gangsters behind this, or an unintended error during programming of source code, but that intelligence agencies, namely the NSA, are behind this, in an effort to generally weaken security standards in the web and install backdoors that are hidden as "criminal" attacks or "software bugs" to allow what is called "plausible denial". That certain intelligence services are explicitly trying to overhear and control ALL the internet and enforce access to EVERY system there is, is no longer a secret by now, is it.

Wolferz
04-10-14, 11:23 AM
It could very well be that it is not criminal gangsters behind this, or an unintended error during programming of source code, but that intelligence agencies, namely the NSA, are behind this, in an effort to generally weaken security standards in the web and install backdoors that are hidden as "criminal" attacks or "software bugs" to allow what is called "plausible denial". That certain intelligence services are explicitly trying to overhear and control ALL the internet and enforce access to EVERY system there is, is no longer a secret by now, is it.

It's the side benefit that DARPA had planned from the get go. Easy access for intelligence gathering and information control purposes.
Orwell was only off by what, thirty years? :shifty:

banryu79
04-10-14, 06:19 PM
It's the side benefit that DARPA had planned from the get go. Easy access for intelligence gathering and information control purposes.
Orwell was only off by what, thirty years? :shifty:

Nothing like that, I suppose.
In fact, the bug is a bug of a specific implementation of OpenSSL (aka: source code bug) not a bug in the design of the protocol itself.
To be more precise, AFAIK the bug is in a portion of source code written to implement the RFC Heartbeat Extension around December 2011.
So servers using older versions of OpenSSL were not affected by the bug (only about 1/3 of all servers, from what I read).
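The kind of implementation bug banryu79 describes, shown as an added example that is not code from this thread or from OpenSSL: a simplified heartbeat message parser in the style of RFC 6520, where a flawed responder trusts the sender's payload length field, placed beside a hardened responder that checks that field against the bytes actually received. The function names, the sample records and the constants are assumptions of this illustration, not taken from the real library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding                               */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* What a flawed responder believes the payload length is: it reads the
 * sender's 16-bit field and trusts it without comparing it to rec_len,
 * so a small record can claim up to 65535 bytes and the copy runs past
 * the received data into whatever memory follows it. */
int hb_claimed_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Hardened responder: copies the payload into out only when the whole
 * message (header + claimed payload + minimum padding) fits inside the
 * bytes actually received. Returns bytes copied, or -1 on rejection. */
int hb_copy_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    int claimed = hb_claimed_len(rec, rec_len);
    if (claimed < 0 || rec[0] != 1) return -1;               /* not a request */
    if ((size_t)claimed + HB_HDR_LEN + HB_MIN_PADDING > rec_len) return -1;
    if ((size_t)claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, (size_t)claimed);
    return claimed;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_rec[] = { 0x01, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };      /* 5-byte payload + 16 padding */
static const uint8_t bad_rec[]  = { 0x01, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };      /* claims 65535, carries 5    */
static uint8_t hb_out[64];

int main(void) {
    printf("good: claimed=%d copied=%d\n",
           hb_claimed_len(good_rec, sizeof good_rec),
           hb_copy_checked(good_rec, sizeof good_rec, hb_out, sizeof hb_out));
    printf("bad:  claimed=%d copied=%d\n",
           hb_claimed_len(bad_rec, sizeof bad_rec),
           hb_copy_checked(bad_rec, sizeof bad_rec, hb_out, sizeof hb_out));
    return 0;
}
```

The checked version rejects the second record outright, and also a truncated copy of the first one, which is the behaviour the later OpenSSL fix restored.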

Catfish
04-11-14, 11:44 AM
In fact, the bug is a bug of a specific implementation of OpenSSL (aka: source code bug) not a bug in the design of the protocol itself.
To be more precise, AFAIK the bug is in a portion of source code written to implement the RFC Heartbeat Extension around December 2011

Yep, and as just leaked out it was a German programmer who wrote the wrong code :know:

http://www.spiegel.de/netzwelt/web/heartbleed-programmierer-deutscher-schrieb-den-fehlerhaften-code-a-963774.html

:D ... :hmm2: ... :nope:

B.t.w. this just in:

Condoleeza Rice joins the Dropbox company :huh:
You just can't make these things up.

Since yesterday tens of thousands of users have cancelled their Dropbox accounts, and I am sure more will follow.
In Germany the people are a bit concerned about laws still being in existence which make freedom of speech look like a joke.

" ... Since the USA did not sign the Geneva convention from 1999 on, Mrs Rice is not a war criminal in the USA and will thus never be accused, but this government's and her deeds are still very present in the thoughts and minds of billions of people. ..."

Be it as it may, I really doubt she will be the holy protector of data abuse :haha:

STEED
04-11-14, 02:50 PM
Yep, and as just leaked out it was a German programmer who wrote the wrong code :know:

Skybird really! Of all people you...:stare:

Skybird
04-11-14, 08:26 PM
:D

And guess who paid me:

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Catfish
04-12-14, 04:13 AM
^ Oh yes, only the word 'liar' is probably not strong enough:

http://www.spiegel.de/netzwelt/netzpolitik/heartbleed-nsa-soll-sicherheitsluecke-seit-zwei-jahren-nutzen-a-964032.html

(NSA has officially been using the Heartbleed security hole for two years)
(edit: ok Bloomberg already published it too)


"This government takes serious responsibility in sustaining an open, secure and trustworthy Internet."
:rotfl2::rotfl2::rotfl2:

STEED
04-12-14, 04:32 AM
Information is the new currency, people; the more info they get on you, the more money they can make. £CHING$ :03:

Catfish
04-12-14, 04:41 AM
^Right, it is about money, power and preservation of power.

The USA and their allies of 2nd, 3rd or whatever grade are not interested in security, but in power and preservation of power.
As they put it in the university papers: "The so-called total war is still going on without a break, but in wide parts below the threshold of public information."