
Thread: Heartbleed Hack, NSA and openSSL

  1. Heartbleed Hack, NSA and openSSL

    "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said..."
    Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data
    By Danny Yadron Updated April 8, 2014 7:29 p.m. ET

    Security Advisory: Heartbeat overflow issue

    NSA Said to Exploit Heartbleed Bug for Intelligence for Years - Bloomberg
    By Michael Riley Apr 11, 2014 6:14 PM CT

    U.S. Denies Knowledge of Heartbleed Bug on the Web
    By DAVID E. SANGER and NICOLE PERLROTH APRIL 11, 2014

  2. #2

    Re: Heartbleed Hack, NSA and openSSL

    Well, we're seeing here the first real, tangible downsides of what's been described over the last, what, ten years (?) of "open source" software with disconnected, decentralized group development. Many good things have come from open source, but perhaps we're seeing some of the downside now.

  3. Re: Heartbleed Hack, NSA and openSSL

    I'll state my bias first, I am an OpenSource advocate and have been since 1999.

    With the advancement in technology there is no need to be physically located in a centralized group. The problem that happened with OpenSSL (btw, a free alternative to expensive 3rd Party SSL Certificates, if you're in your own self-hosted environment) is an exploit. The only time a "hacker/NSA agent" could potentially collect your data (data possibly being a username/password even CC number) out of the memory of a client connected to a server running OpenSSL or a server running OpenSSL is when you communicate with the server. This exploit allows up to 64Kb of that data to be extracted, in text form, that is A LOT.

    There are TONS of sites currently running OpenSSL, even the "big guys" are running OpenSSL, not all of them mind you. Some of the other "big guys" are running proprietary SSL or a proprietary 3rd party SSL. Just because those other guys are running a proprietary SSL doesn't mean there isn't a different exploit that could be found if one existed or could be created with an update.

    The only problem with OpenSource is the openness, but it's also one of its greatest assets. We saw a community come together to create a free alternative to an expensive proprietary software, that is seen used and updated by hundreds of thousands of people and companies.

    To fix this problem from happening in the future, more rigorous security checks need to happen before a release.
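Added example, not part of any post in this thread and not OpenSSL's code: Heartbleed was a missing bounds check on the TLS heartbeat request, whose sender-chosen 16-bit payload length field is what caps a single over-read at roughly 64 KB. The sketch below follows the RFC 6520 message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding); `hb_echo_payload` and the sample records are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_HEADER  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING 16  /* minimum padding required by RFC 6520 */

/* Hypothetical helper: copy the payload to echo into out.
 * rec/rec_len is the heartbeat record as actually received.
 * Returns the payload size, or -1 if the record must be discarded. */
long hb_echo_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    /* 16-bit length field chosen by the sender: at most 65535 bytes. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the claimed payload must fit in what arrived. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len || claimed > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* Constructed sample: 5-byte payload with an honest length field. */
long demo_honest(void)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return hb_echo_payload(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: same 24 bytes received, length field says 65535. */
long demo_overclaim(void)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = {HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    static uint8_t out[65535];
    return hb_echo_payload(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest request:     %ld\n", demo_honest());
    printf("overclaimed length: %ld\n", demo_overclaim());
    return 0;
}
```

Without the comparison against `rec_len`, the copy would read past the received record into whatever memory follows it, which is the data exposure the thread is discussing.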

  4. #4

    Re: Heartbleed Hack, NSA and openSSL

    Originally Posted by SoonerDave:
    Well, we're seeing here the first real, tangible downsides of what's been described over the last, what, ten years (?) of "open source" software with disconnected, decentralized group development. Many good things have come from open source, but perhaps we're seeing some of the downside now.

    The roots of open source software go back to at least the 60's; while they may not technically have been the same licensing or used the same organization structures, they had similar ideals and/or practices. Security is something a lot of organizations/individuals using any method have done badly with; there are open source groups that have quite good reputations for security practices. What surprised me about this was that, for how important this project is to many people, it has only a few people involved in its development and a pretty small budget.

  5. #5
    Prunepicker Guest

    Re: Heartbleed Hack, NSA and openSSL

    Originally Posted by SoonerDave:
    Well, we're seeing here the first real, tangible downsides of what's been
    described over the last, what, ten years (?) of "open source" software
    with disconnected, decentralized group development. Many good things
    have come from open source, but perhaps we're seeing some of the
    downside now.

    Dude! I'm totally pro open source, i.e. Open Office and Firefox. I hope
    this isn't as serious as it appears to be.

  6. #6
    Prunepicker Guest

    Re: Heartbleed Hack, NSA and openSSL

    Originally Posted by mmonroe:
    I'll state my bias first, I am an Open Source advocate and have been
    since 1999.

    With the advancement in technology there is no need to be physically
    located in a centralized group...

    I feel better. I've often been worried that my Commodore 64 might be
    compromised.
