[Novalug] The Washington Post: Major bug called 'Heartbleed' exposes Internet data

Joe Klein jsklein@gmail.com
Wed Apr 9 21:34:10 EDT 2014


Top information I have found on Heartbleed:

Presentation slides for management:
http://malwarejake.blogspot.com/2014/04/heartbleed-slides.html

Test site:
http://filippo.io/Heartbleed/

GitHub code and tracking who changed the code:
https://github.com/openssl/openssl/commit/4817504d069b4c5082161b02a22116ad75f822b1

https://github.com/openssl/openssl/blob/4817504d069b4c5082161b02a22116ad75f822b1/CHANGES

RFC6520 - the justification for the vulnerability
http://www.rfc-editor.org/pdfrfc/rfc6520.txt.pdf

Joe Klein
"Inveniam viam aut faciam"


On Wed, Apr 9, 2014 at 5:34 PM, Joshua Ellsworth <jrellsworth@gmail.com> wrote:

> This vulnerability is a very bad thing. It has been in OpenSSL for about 2
> years, and we really don't know how long ago malicious actors may have
> found it. Clever/lucky hackers have possibly had access to usernames and
> passwords for most of that time.
>
> tux.org doesn't show much on that test site because it doesn't appear to
> support SSL.
>
>
>
>
> On Wed, Apr 9, 2014 at 5:26 PM, Bonnie Dalzell <bdalzell@qis.net> wrote:
>
>> On Wed, 9 Apr 2014, Alex Smith (K4RNT) wrote:
>>
>> > Patched my Linux and OpenSolaris machines for this. Thanks for the heads
>> > up. I've heard it already, but good to hear that people are heeding the
>> > warning. :)
>>
>> My understanding of this is not profound as internet connectivity
>> knowledge has been at the edge of my computer learning universe.
>>
>> So how bad is it? Some sites (ars technica, for example) say very
>> bad.
>>
>> Will this have a major negative effect on open source software and OSes?
>>
>> Here is a link to a website that claims it will test a url for
>> vulnerability to heartbleed.
>>
>> http://filippo.io/Heartbleed/
>>
>> Some of the articles I have read are claiming that all secure
>> certificates will have to be re-issued at great expense in some cases and
>> once the certificates are re-issued the organizations should contact
>> clients and tell them to redo their passwords.
>>
>> Have not heard anything from my bank.
>>
>> What a mess.
>>
>> Incidentally, tux.org comes up with an ambivalent response to the
>> heartbleed test above. My local e-mail hoster qis.net passes.
>>
>>
>>
>> > On Wed, Apr 9, 2014 at 6:56 AM, jerry w <jerrywone@gmail.com> wrote:
>> >
>> >> I thought you might like this article from The Washington Post's Android
>> >> tablet app.
>> >>
>> >> Major bug called 'Heartbleed' exposes Internet data
>> >>
>> >> http://wapo.st/1hAIyr1
>> >>
>> >> _______________________________________________
>> >> Novalug mailing list
>> >> Novalug@calypso.tux.org
>> >> http://calypso.tux.org/mailman/listinfo/novalug
>> >>
>> >
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>                         Bonnie Dalzell, MA
>> mail:PO box 9767 Baldwin, MD, USA 21013  |  EMAIL:bdalzell@qis.net
>> shipping address:5100 Hydes Rd 21082 (Hydes Post Office closed Jan 2012)
>> Freelance anatomist, vertebrate paleontologist, writer, illustrator, dog
>> breeder, computer nerd & iconoclast... Borzoi info at www.borzois.com.
>> HOME www.batw.net    ART bdalzellart.batw.net  BUSINESS
>> www.boardingatwedge.com
>>
>
>