Results 1 ... 183 found in all logged channels for 'heartbleed'
(asciilifeform) asciilifeform: lulzy a la 'heartbleed' tho
(pest) asciilifeform: ( these lulz have worked in precisely same way since e.g. 'heartbleed' )
(asciilifeform) asciilifeform: http://logs.nosuchlabs.com/log/asciilifeform/2022-03-28#1089807 << twofold: pkiism per se is a backdoor; while the implementation itself is deliberately over9000 complex, and neverending source of 'heartbleed'-style 'bugs'
(asciilifeform) asciilifeform: and i aint about to ask folx to build a net on libheartbleed, either.
(asciilifeform) asciilifeform: this is the krebs story all over again, 'history rhymes' : somehow same exact thing 'not a crime' when nsa does it (for all i know, 9/10 patches accepted in lkl are from nsa shills), or whatever 'respectable' heartbleed-introducer. only 'crime' when exposes naked emperor.
(asciilifeform) asciilifeform: verisimilitude: 'insurance' is very much the wrong word, it aint as if anyone ponied up millions to compensate 'heartbleed' victims
(asciilifeform) asciilifeform: flatlinejim: make use of 'search all' button, there are various threads in older chans you may find interesting.
(asciilifeform) asciilifeform: newland0: are you familiar with 'heartbleed' ?
(asciilifeform) asciilifeform: ( observe that none of the above even requires knowledge of whatever 'heartbleeds' present in the garbage coad )
(asciilifeform) asciilifeform: http://logs.nosuchlabs.com/log/asciilifeform/2020-04-25#1010632 << re why gpg and not openssl -- i never have and never will write any program on top of openssl, for reason described here (and observe, this was written ~before~ publication of 'heartbleed' !)
(ossasepia) jfw: heartbleed predated trb if I recall
(ossasepia) BingoBoingo: d41r: What's your understanding of the "Heartbleed" episode
(ossasepia) BingoBoingo: http://logs.nosuchlabs.com/log/ossasepia/2019-08-26#1000640 << The code necessary to get https is likely to contain leaks that allow reading the server's memory. Examples of this have been found numerous times in the past. See "Heartbleed" et al.
(trilema) asciilifeform: !#s heartbleed
(trilema) asciilifeform: BingoBoingo: lol, hearn's old thing , the cocktail where tried to slip heartbleed in
(trilema) asciilifeform: i.e. exact preview of the 2013 'movie', where the nsa radiobugism docs leaked, and yet somehow still 'why wouldja want emshielded comp, paranoiac'. or heartbleed , and then somehow still 'openssl is standard, shuddup and Don't Write Own Crypto(tm)(r), terrorist'
(trilema) asciilifeform: and i'd prefer that the next heartbleed ends up fetching rubbish from ram of dedicated toilet, rather than errywhere.
(trilema) asciilifeform: ( the lib itself is a hairball , not unlike winblowz, i pointed this out even before 'heartbleed' etc., in e.g. http://www.loper-os.org/?p=1299 )
(trilema) mod6: Some of the bytes seem to match this array from this mass scanner thing: https://github.com/robertdavidgraham/masscan/blob/master/src/script-heartbleed.c
(trilema) asciilifeform: zx2c4: well, you seem to see the burden of proof, on asciilifeform , to show that debiankeys , or e.g. heartbleed, was a work of nsa plant
(trilema) mircea_popescu: you KNOW they'll have heartbleed and orc glyphs and so on and so forth, even as the "security tokens" never expire and the gameplay just isn't there.
(trilema) asciilifeform: ( the various heartbleeds )
(trilema) asciilifeform: plus heartbleeds etc.
(trilema) asciilifeform: mircea_popescu: the spot check model is, again, wholly inadequate. if you have ONE debianism or heartbleed etc. it literally does not matter worth a shit how 'clean' the remainder of it may have been.
(trilema) asciilifeform: does, e.g., heartbleed, qualify as 'good toy' ? considering that openssl was known, to everyone who gave half a rat's arse, to be a cistern of liquishit, long prior ?
(trilema) asciilifeform: heartbleed also sat 'without trouble'.
(trilema) a111: Logged on 2017-01-14 01:28 mircea_popescu: aqnyway, the "hive mind" is fucking comedic already. FIVE YEARS with the subverted python, got them nowhere. close to five years pushing rust, nothing to show for it. systemd is still mostly a joke, and the hatred is growing exponentially while the pustule is growing logarithmic at that. meanwhile the republic cracked open the heartbleed in quite the painful fashion, no matter how much effort went into "rehappening" it. not t
(trilema) mircea_popescu: aqnyway, the "hive mind" is fucking comedic already. FIVE YEARS with the subverted python, got them nowhere. close to five years pushing rust, nothing to show for it. systemd is still mostly a joke, and the hatred is growing exponentially while the pustule is growing logarithmic at that. meanwhile the republic cracked open the heartbleed in quite the painful fashion, no matter how much effort went into "rehappening" it. not t
(trilema) asciilifeform: ben_vulpes: 'best' case is if openssl is a heartbleeder
(trilema) asciilifeform: it is textbook heartbleediste misdirection.
(trilema) Framedragger: i think he's just young (https://github.com/FiloSottile). i remember his heartbleed test tool, it wasn't innovative but was useful. (but i hear what mircea_popescu is saying)
(trilema) mircea_popescu: notice how he glued himself to heartbleed (which, unlike the normal hanno bockian crap, was a surprise to the empire).
(trilema) thestringpuller: after heartbleed OpenSSL should have been avoided like the plague
(trilema) asciilifeform: 'Remember Heartbleed? Don’t let that example escape your attention. OpenSSL is open, yet it is so large and poorly designed that it’s a dark mystery. Heartbleed was easily shown to be a deliberate hack, and was even deliberately coded to hide itself from tools that would otherwise have shown the leak. And it was sitting there in ‘open’ sight. Instead of using small, well-reviewed crypto libraries, corporate Linux developers c
(trilema) asciilifeform: hoose to use corporate-maintained tools like OpenSSL, which are deeply compromised. Do you think the people responsible for HeartBleed were held accountable, and fundamental changes were made? Guess again. It’s simply ignored by most of Linux. (You’ll notice real UNIXes like OpenBSD did not ignore it and have begun serious changes. Yet even there, it took such a serious, obvious exploit for them to see the engineering problem.)'
(trilema) asciilifeform: none of it is even 'heartbleed'-grade.
(trilema) hanbot: for the record, it's not just phuctor that your friend Boeck [could have done] did. See also [could have] found Heartbleed: http://www.openwall.com/lists/oss-security/2015/04/07/7
(trilema) BingoBoingo: <davout> for some reason this hoaxtoshi stuff seems very interesting to journos << Heartbleed and the bash vulnerability made radio
(trilema) asciilifeform: the modus operandi of the enemy is to insert 'bugs', e.g., 'heartbleed', and to prevent attribution.
(trilema) asciilifeform: the 'why' of this is best illustrated by the heartbleed incident.
(trilema) asciilifeform: same story as, e.g., heartbleed.
(trilema) assbot: Logged on 06-01-2016 15:46:58; ascii_butugychag: 'Filippo Valsorda. I'm Italian and I work on the CloudFlare Security Team in London. I built the public Heartbleed test and I mess with cryptography. Public speaker. Motorbike rider. Frequent flyer. Hacker School F'13.'
(trilema) ascii_butugychag: 'Filippo Valsorda. I'm Italian and I work on the CloudFlare Security Team in London. I built the public Heartbleed test and I mess with cryptography. Public speaker. Motorbike rider. Frequent flyer. Hacker School F'13.'
(trilema) assbot: Logged on 31-07-2015 03:53:10; asciilifeform: coderwill: on top of the thousand and one other sins, tor linked in ssl at the height of 'heartbleed' - something which pretty much nobody is speaking of today
(trilema) asciilifeform: coderwill: on top of the thousand and one other sins, tor linked in ssl at the height of 'heartbleed' - something which pretty much nobody is speaking of today
(trilema) trinque: your point about heartbleed is well taken
(trilema) asciilifeform: i personally refuse to make any distinction between someone who wrote, e.g., 'heartbleed', into existence - and some other fella who ~knew of it and didn't tell me~
(trilema) asciilifeform: 'Andy confirmed that Coverity does not spot the heartbleed flaw and said that it remained stubborn even when they tweaked various analysis settings.'
(trilema) BingoBoingo: <asciilifeform> 'Andy confirmed that Coverity does not spot the heartbleed flaw and said that it remained stubborn even when they tweaked various analysis settings.' << Can't spot heartbleed because custom OpenSSL malloc
(trilema) thestringpuller: mircea_popescu: do you have the source for the pull request where hearn tried to merge in heartbleed?
(trilema) mircea_popescu: note for instance that the various "emergency problem - update required" stuff is in NEW-ish versions. like, heartbleed ? ubuntu 10.04 was fine. 12.04 ? owned.
(trilema) asciilifeform: heartbleed2-everywhere
(trilema) ascii_field: 'When we tried wget, it detected errors, retried, and finally succeeded. It said the error was a bad length field in a TLS packet. That didn't make sense at first because we thought TLS packets were error corrected by TCP.' << incidentally, i am not certain that i agree with the author's conclusion ('reverse heartbleed'.) it may very well be an attempt to exploit other braindamage in http stack
(trilema) mircea_popescu: "Heartbleed is a read buffer overflow. What that means is that an application is reading outside the boundaries of a buffer. For example, imagine an application has a space in memory that's 10 bytes long. If the software tries to read 20 bytes from that buffer, you have a read buffer overflow."
(trilema) mats: https://blog.hboeck.de/archives/868-How-Heartbleed-couldve-been-found.html << uses afl!
(trilema) mircea_popescu: if there isn't another heartbleed in there, someone's been slacking on their job.
(trilema) BingoBoingo: <thestringpuller> well only OpenSSL had heartbleed << The other big SSL implementations had their own flaws unveiled in the following months that essentially accomplished the same insecurity.
(trilema) thestringpuller: well only OpenSSL had heartbleed
(trilema) assbot: Logged on 29-03-2015 16:49:24; Chillum: most protocols have had a vulnerability at some point. Heartbleed was a bug in openssl, not a bug in ssl
(trilema) mircea_popescu: http://log1.bitcoin-assets.com/?date=29-03-2015#1078817 << heartbleed was a bug in PKI. outright.
(trilema) Chillum: most protocols have had a vulnerability at some point. Heartbleed was a bug in openssl, not a bug in ssl
(trilema) asciilifeform: <Chillum> Routers are a sad state of affair. Something like 70% of consumer wifi routers in the wild are vulnerable to heartbleed << and a fella who knows this, is still fond of ssl ? amazing
(trilema) Chillum: Routers are a sad state of affair. Something like 70% of consumer wifi routers in the wild are vulnerable to heartbleed
(trilema) Chillum: I am aware of heartbleed, an implementation failure
(trilema) asciilifeform: Chillum: if you worked in security, did you sleep through 'heartbleed' ?
(trilema) asciilifeform: mats: if you have philosophical objections to 'behave as if X even if possibly ~X is true' then try to come up with some other syllogism. but it -must- end in 'the people who gave us heartbleed and dual_ec DO NOT GET TO MAKE CRYPTO ANY MORE'
(trilema) assbot: Logged on 27-09-2014 02:35:49; asciilifeform: if you create a 'heartbleed' - you are a вредитель. and whether you did it intentionally, given the impossibility of proof - does not matter.
(trilema) decimation: not that heartbleed really matters for our purposes
(trilema) asciilifeform: i suggest fixing by using a pre-heartbleed openssl
(trilema) pete_dushenski: mr. heartbleed ?
(trilema) thestringpuller: kinda weird how older clients naturally won't have heartbleed
(trilema) asciilifeform did not test with anything other than the shortly post-heartbleed turdball specified in 'portatronic'
(trilema) thestringpuller: asciilifeform: or a lot of malice in the case of heartbleed
(trilema) asciilifeform found it very surprising that tor survived as a going concern after 'heartbleed'
(trilema) mircea_popescu: leaving aside that nobody i ever knew was seriously using the newer debian releases anyway for any purpose, you';d have to be fucking insane to think the way this goes is, we kill their heartbleed and they sit and wait.
(trilema) mircea_popescu: "A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server." << sounds like windows had a replica of heartbleed.
(trilema) asciilifeform: sr1 was, afaik, running heartbleeding tor.
(trilema) assbot: SO YOURE SAYING MY POODLE IS HEARTBLEEDING FROM SHELLSHOCK?WHAT THE FUCK IS EVEN GOING ON
(trilema) mircea_popescu: and that n is pretty fuckingly scary high, what with the heartbleed headshot and all the other outlays generously handed out by la serenissima.
(trilema) thestringpuller: mircea_popescu: what if someone doesn't sign "heartbleed introduction" then no one is accountable and system is moot
(trilema) bounce: you think heartbleed was intentional?
(trilema) asciilifeform: the hidden little shitgnomes like author of heartbleed - they are the ones who needs the lethal sunlight rays the most.
(trilema) asciilifeform: if you create a 'heartbleed' - you are a вредитель. and whether you did it intentionally, given the impossibility of proof - does not matter.
(trilema) asciilifeform: (and yes - we know author of 'heartbleed.' and he's alive and well and still contributing code to public projects, afaik. why? don't ask me)
(trilema) mircea_popescu: this is like saying that heartbleed affected the better ssh implementation.
(trilema) BingoBoingo: Seems Heartbleed gave OpenBSD the full paranoia as well
(trilema) ben_vulpes: this guy helped shut watch-only wallets and addresses out of the core client, while merging in heartbleed.
(trilema) ben_vulpes: <asciilifeform> no heartbleed, no pagerank. << search engines. next frontier of bitcoin.
(trilema) asciilifeform: no heartbleed, no pagerank.
(trilema) mircea_popescu: GinAddict1 mike is the chief enemy plant in bitcoin. he's the guy that merged heartbleed in bitcoin for absolutely no legitimatereason, and he's the guy that forced a hard fork, idem.
(trilema) assbot: The author of the OpenSSL Heartbleed bug also wrote the spec : programming
(trilema) asciilifeform: (what list? the one containing this fellow: http://www.reddit.com/r/programming/comments/22i30k/the_author_of_the_openssl_heartbleed_bug_also)
(trilema) decimation: imagine if you could be publicly executed for distributing heartbleed
(trilema) asciilifeform: everybody can get behind the impalement of author of 'heartbleed' but problem goes deeper.
(trilema) mircea_popescu: he also merged heartbleed into the codebase.
(trilema) mircea_popescu: btw, speaking of the derp foundation : did it yet get around to pointing out that people who had stopped updating bitcoin pre 8.0 were invulnerable to heartbleed, whereas people who hadn't stopped updating lost all their key material in the interval ?
(trilema) mircea_popescu: <asciilifeform> this is also the answer for why 'heartbleed' was necessary, considering that usg has at-will access to root certs << not that simple.
(trilema) asciilifeform: this is also the answer for why 'heartbleed' was necessary, considering that usg has at-will access to root certs
(trilema) dignork: mircea_popescu: might be heartbleed probes
(trilema) BingoBoingo: http://arstechnica.com/security/2014/06/meet-cupid-the-heartbleed-attack-spawns-evil-wi-fi-networks/
(trilema) assbot: Meet Cupid, the Heartbleed attack that spawns evil Wi-Fi networks | Ars Technica
(trilema) HeySteve: they hint it's related to heartbleed, NRPE or Ebury, not that I'd heard of the other 2
(trilema) mircea_popescu: and we wiped their heartbleed.
(trilema) mircea_popescu: ThickAsThieves i dare not think they perhaps haven't reported on heartbleed yet, because well...
(trilema) mircea_popescu: on that note, often manufacturers explicitly forbid to install updates and servicepacks since it might well break the app. << since heartbleed i'm going to forbid any upgrades as part of the contract in all cases, always and forever.
(trilema) fluffypony: HeySteve: it depends - if you're trading with them then they generally have to auth; whilst you can check with nickserv if they have enforce on and are identified Freenode have said that it's possible NS passwords were leaked coz of heartbleed
(trilema) ozbot: Canadians arrest a Heartbleed hacker - Apr. 16, 2014
(trilema) fluffypony: davout: I'll fathom that they had logins etc. scraped when they were Heartbleed vulnerable, and the attackers waited till now to use them
(trilema) ozbot: This reader mocked Heartbleed, posted his passwords online. Guess what happened next.
(trilema) BingoBoingo: http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/15/this-reader-mocked-heartbleed-by-posting-his-passwords-online-youll-never-guess-what-happened-next/
(trilema) mike_c: test its servers for heartbleed?
(trilema) mircea_popescu: ahaha! check out the GRIBBLE HEARTBLEED
(trilema) asciilifeform: wonder if i'm the only one who automatically thought 'diversion' when the heartbleed crap came out.
(trilema) asciilifeform: <robwizz22> complete lie, meant to play on people's recognition of the word "heartbleed bug" without knowing what it is. There is no SSL anywhere within 100 miles of a Cardano, nor did I ever mention it. You seem to be playing off of your audience's ignorance. Is this really want you want to be doing with your life? Selling snake oil? Being a fraud?
(trilema) asciilifeform: <robwizz22> the shelf usb storage to store a private key and pass phrase). You are lying about its benefits. You've come up with something absolutely and utterly useless. If it's a scam, good job. I like how you spread FUD about me trying to "introduce heartbleed" (which doesn't make any sense - the Cardano is a USB device) when I pointed this out. You obviously are smart enough to know that is a simple a
(trilema) ozbot: Heartbleed certificate revocation tsunami yet to arrive | Netcraft
(trilema) asciilifeform: http://news.netcraft.com/archives/2014/04/11/heartbleed-certificate-revocation-tsunami-yet-to-arrive.html
(trilema) asciilifeform: since my original paste on how robwhiz22 tried to persuade me to include heartbleed in cardano has been censored (!), here's a new one, of same: http://pastebin.com/yvhVVs7C
(trilema) gribble: NSA knew about Heartbleed for two years - Bloomberg — RT USA: <http://rt.com/usa/nsa-knew-heartbleed-hacking-years-004/>; DO NOT USE TOR RIGHT NOW. HEARTBLEED IS AFFECTING ALL ...: <http://www.reddit.com/r/DarkNetMarkets/comments/22k76z/do_not_use_tor_right_now_heartbleed_is_affecting/>; If You Want Privacy or Anonymity or Security, Stay Off the Internet ...: (1 more message)
(trilema) asciilifeform: ;;google tor heartbleed
(trilema) bounce: moar heartbleed
(trilema) fluffypony: so CloudFlare's Heartbleed challenge was broken by two researchers
(trilema) bounce: hm. openssl and their own funky freelist thingy. doesn't work without it, which would've had a good chance exposing heartbleed. mitigation is a simple patch. been reported... four years back, nothing happened. (last paragraph) http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
(trilema) ozbot: Twitter / rabite: Jews did #Heartbleed, by the way.
(trilema) fluffypony: http://www.theverge.com/2014/4/11/5605444/the-nsa-has-exploited-heartbleed-bug-for-years-bloomberg-reports
(trilema) ThickAsThieves: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
(trilema) Shakespeare: Cloudflare now saying they cant figure out how to get heartbleed to bleed keys
(trilema) ozbot: xkcd: Heartbleed Explanation
(trilema) ozbot: xkcd: Heartbleed Explanation
(trilema) fluffypony: steven-__: I mean it's not heartbleed vulnerable
(trilema) fluffypony: I've been testing a lot of my devices on my local network for heartbleed
(trilema) fluffypony: https://bitcointalk.org/index.php?topic=287653.msg6159630#msg6159630 <- they're *still* Heartbleed vulnerable
(trilema) fluffypony heartbleedz rithm dry
(trilema) ozbot: Schneier on Security: Heartbleed
(trilema) Shakespeare: facebook lols: I made a post briefing normals on heartbleed and the general concept that internet privacy doesnt really exist. Here's the best response so far: "Is Lifelock an answer?"
(trilema) mircea_popescu: but i wouldn't trust anything coming from the powerfully retarded rangers. they tried to get heartbleed into bitcoin, who knows what else they've baked into there we don't know about.
(trilema) mike_c: i had this thought last night. if i was the nsa, and i had injected this awesome new backdoor into 1.0.1f, and i was really anxious for everyone to upgrade right now.. I would publicize my outdated backdoor called heartbleed.
(trilema) ozbot: Heartbleed Honeypot Script ≈ Packet Storm
(trilema) BingoBoingo: Oh, yahoo is password weak because heartbleed. Figured I'd offer something on Yahoo for people to sign up for
(trilema) mircea_popescu: "I the spirit of #heartbleed is anyone else interested in -assets fantasy baseball on yahoo?"
(trilema) BingoBoingo: I the spirit of #heartbleed is anyone else interested in -assets fantasy baseball on yahoo?
(trilema) BingoBoingo: dexX7: Heartbleed extracts that key
(trilema) dexX7: hey i'm still thinking about the heartbleed stuff and was wondering: how could one - in theory - do something nefarious with this? user sessions aside, but what else is flying around there?
(trilema) BingoBoingo: Apocalyptic: You handled heartbleed yet?
(trilema) BingoBoingo: I wonder how many of these connects/disconnects are attempts at heartbleed probing
(trilema) ozbot: xkcd: Heartbleed
(trilema) BingoBoingo: Apocalyptic: Is x-bt not heartbleeding?
(trilema) bounce: bug introduced in 201112 says heartbleed.com, so in cvs
(trilema) Naphex: mircea_popescu: you can basically sniff whole SSL trafic with Heartbleed.
(trilema) fluffypony: yeah I'm not talking about mitigating the heartbleed attack
(trilema) midnightmagic: mircea_popescu: That is from the heartbleed site. It implies more information is available, but it's information which is sitting in that specific area. It's a busy area, but it's just that specific area.
(trilema) ozbot: Heartbleed Bug
(trilema) ozbot: Heartbleed + Bitstamp API (hash on key only) : Bitcoin
(trilema) benkay: http://www.reddit.com/r/Bitcoin/comments/22ib8o/heartbleed_bitstamp_api_hash_on_key_only/
(trilema) bounce: heartbleed, not beedingheart, and a plurality mismatch in the last paragraph or so
(trilema) MisterE: www.heartbleed.com
(trilema) Namworld: lel, what? "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content."
(trilema) MisterE: www.heartbleed.com
(trilema) Mats_cd03: 'heartbleed', who knew security researchers had a flair for the dramatic
(trilema) bounce: waitwaitwait, bitcoind is vulnerable to heartbleed?
(trilema) BingoBoingo: Well, No SSL == NotHeartBleed
(trilema) ozbot: [Python] heartbleed ssl test - Pastebin.com
(trilema) MisterE: hmm heartbleed is nasty
(trilema) ozbot: Heartbleed Bug
(trilema) truffles: heartbleed?
(trilema) keonne: god dammit my inbox is filled with heartbleed bullshit
(trilema) ozbot: Heartbleed Bug