rockylizard wrote:

---

Gday...

Thanks Vic. I had only been reading all I could about this this arvo. It gets more confusing the more I read.

I would ask that any of the "techo pooter gurus" on here give we 'ordinary folk' a 'translation' of the advice being bandying around.

For instance, I provide this from the ABC article posted -

"There is nothing users can do to fix their computers," Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki, said.

"They have to rely on the administrators of the websites they use."

Fox-IT estimates the vulnerability has existed for about two years, since the version of OpenSSL at issue was released.

OpenSSL is used by more than half of all websites, but not all versions have the vulnerability, according to heartbleed.com.

I understand that changing passwords immediately may not be any use either, as it is dependent on whether 'web administrators' have 'updated' OpenSSL to the new 'clean' version. If we change passwords now, we will need to change them again after the web admins update.

Sounds damned annoying and messy. The other confusing thing is this "virus" has been in the OpenSSL software on services for "at least two years". One would assume any 'damage', or 'theft', has already happened. As an ill-informed user of pooters, I just get annoyed.

Hopefully, some well-knowledged pooter guru on this forum can give us some informed advice.

cheers - John 

---

 Because it is such a concern to those on the road John, I thought it was best putting it here where most will see it.

Does make you wonder though as you say it has been around so long already, hope they get it sorted soon for everyone.

Have just listened to an explanation of the OpenSSL problem on a security podcast I subscribe to, although it's still a bit techie for me. Here's what I understand:

1. Any attack on a vulnerable server will leave no trace in the server's logs.
2. It allows an attacker to obtain a 64kb chunk of memory from the server,
which could contain the keys for encryption certificates, logins & passwords,
and other data.
3. Servers running OpenSSL on various flavours of Linux distributions including Debian,
Ubuntu and Fedora, as well as OpenBSD and FreeBSD, are vulnerable. Servers using
Microsoft's IIS are not affected.
4. The Big Four banks are not vulnerable to the exploit (you can test the overall
quality of a server's SSL capabilities by going to https://www.ssllabs.com/ssltest/
and typing in the site's domain name. They've just added a test for this vulnerability.

native pepper wrote:

---

This has been know in the linux community for a long time and was fixed early last year ...

---

 I checked the changelogs for previous releases of OpenSSL, but I can't find (or recognise?) any reference to a related fix in releases prior to 1.1.0.

OpenSSL: News, ChangeLog:

https://www.openssl.org/news/changelog.html
http://webcache.googleusercontent.com/search?strip=1&q=cache:https://www.openssl.org/news/changelog.html


OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

https://www.openssl.org/news/secadv_20140407.txt
http://webcache.googleusercontent.com/search?strip=1&q=cache:https://www.openssl.org/news/secadv_20140407.txt

Note: I have included Google's cached versions of both web pages.

What the Security Advisory page is saying to me is that the following versions were vulnerable to the "TLS heartbeat read overrun" exploit:

1.0.1f
1.0.2-beta1

The same vulnerability was not present in 1.0.1g and 1.0.2-beta2.

However, ISTM that the absence of the vulnerability in current releases may be coincidental rather than the result of a targeted fix, otherwise why would the advisory state the following:

"Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl at chromium dot org> and Bodo Moeller <bmoeller at acm dot org> for preparing the fix."

dorian wrote:

---

What the Security Advisory page is saying to me is that the following versions were vulnerable to the "TLS heartbeat read overrun" exploit:

1.0.1f
1.0.2-beta1

The same vulnerability was not present in 1.0.1g and 1.0.2-beta2.

However, ISTM that the absence of the vulnerability in current releases may be coincidental rather than the result of a targeted fix, otherwise why would the advisory state the following:

"Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl at chromium dot org> and Bodo Moeller <bmoeller at acm dot org> for preparing the fix."

-- Edited by dorian on Friday 11th of April 2014 10:01:21 AM

---

There is a huge difference between what proprietary software providers do about their security and what others do. Our major banks fixed this last year, because it was known about back then. Our web site (linux servers) provider, notified us last year they had patched it long ago. The forum I moderate on has linux servers and it was the same with them, fixed it long ago.

You only have to look at the track record of proprietary companies and their approach to security to know they only close vulnerabilities when they become a concern to their customers, who start complaining and gets into the social side of the web. Much of their profit growth is derived from supplying users data to other companies, so they can use it to troll customers on line. Then we have the huge profits they make out of anti virus software, when in reality if the system was a modern decent one, the user would have full control and the ability to block any attack.

This is the 21^st century and the only secure systems are open source, windows is wide open as is apple and chrome, they are just a sponges for absorbing peoples data and personal details, which they sell on the open market to any who will pay up. Where do people think all the spam they get comes from, we rarely ever get spam, because we use anonymous proxies and deep web facilities.

Call it scaremongering if you like, as the deniers here certainly will. They've done it in the past, but what I posted earlier about what microsoft will do to force people from earlier versions of windows to last century win8, is happening.

Many others fixed this long ago, only google, apple and microsoft servers have done nothing about it until now when it finally leaked out there was a deliberate vulnerability added, to assist in data mining collection for controlling corporations. That's the situation and always will be as long as profit growth systems are what people lock themselves into, if you read the terms of use, you will soon realise they can take all the data they want from you any time they want and there's nothing you can do about it. No such problems with open course, you own your system and have as much control over it as you want.

rockylizard wrote:

---

rockylizard wrote:

---

Gday...

Thanks Vic. I had only been reading all I could about this this arvo. It gets more confusing the more I read.

I would ask that any of the "techo pooter gurus" on here give we 'ordinary folk' a 'translation' of the advice being bandying around.

~~~

Hopefully, some well-knowledged pooter guru on this forum can give us some informed advice.

cheers - John 

---

Gday...

The back and forth banter and flexing of 'technology muscle' is baffling - rather than helping 'ordinary folk' to know how - or indeed, whether - to respond to this 'virus'.

I retiterate my earlier plea bolded above. 

Perhaps the "red haired quote" applies here ... Please Explain.

Cheers - John

-- Edited by rockylizard on Friday 11th of April 2014 10:17:34 AM

---

 Now after reading all the posts, I'm even more confused than previously, can someone explain in other than techno babble, if we need to do something and don't come back with the answer you should be using Linux.

Cheers

David

Gday...

Some further information on what "we ordinary folk" should perhaps do ...

http://www.startsatsixty.com.au/living/have-you-protected-yourself-against-the-heartbleed-bug

http://www.startsatsixty.com.au/entertainment/technology-entertainment/the-sites-you-need-to-change-your-password-for-now

Not sure if this helps anyone ... Thankfully, personally, I have not had any of my details recorded on any of the sites in the second URL. 

Cheers - John