acoindr (OP)
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
April 12, 2014, 11:13:31 PM |
|
By now the community is aware of the OpenSSL Heartbleed vulnerability, one of the biggest flaws in the Internet's history, affecting the basic security of as many as two-thirds of the world's websites. Patch implementations for this vulnerability are ongoing, including an advisory now to upgrade Bitcoin-Qt/Bitcoin Core.
I just watched the SXSW video featuring Ed Snowden. If you haven't seen it, it's worth viewing: https://www.youtube.com/watch?v=NGD2t2iegSY
One question asked to Snowden was he seemed to keep coming back to using encryption as good standard defense against abusive unconstitutional surveillance, and was encryption really effective? He replied matter-of-factly yes, saying the govt instead of trying to brute force through it (probably impossible anyway) would look for other less expensive ways to acquire information, making broad dragnet data collection infeasible (though targeted acquisition is usually successful). Instead of being able to simply sit on the network and scoop up everything they would need to go to companies like Yahoo, Google, Facebook etc. for data at encryption endpoints.
Then out of nowhere this Heartbleed vulnerability comes up. Bloomberg just published a story saying the NSA knew about and used the Heartbleed bug for two years, though the agency denies it. That jogged my memory about something from Snowden revelations about them intentionally participating in software communities, proposing standards like potentially weak random number generators for encryption etc.
Snowden emphasizes encryption being effective against NSA/govt surveillance. Suddenly the Heartbleed issue comes out, leaking user credentials like passwords and the encryption keys themselves and the NSA denies knowledge?
Our community is building the infrastructure to the new digital economy and security plays a big part of that. At the same time we all rely on a lot of open source technology, not the least of which is Bitcoin itself.
I'd say it's wise to remain vigilant going forward as Bitcoin gains more prominent mainstream acceptance and is increasingly on the radar of big governments.
|
|
|
|
franky1
Legendary
Offline
Activity: 4340
Merit: 4667
|
|
April 12, 2014, 11:52:46 PM |
|
I'd say it's wise to remain vigilant going forward as Bitcoin gains more prominent mainstream acceptance and is increasingly on the radar of big governments.
NSA don't have that much skill as you think. 1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest. 2) they employed the UK's GCHQ to brute force DPR's passwords. (that's what I gathered from the evidence notes of the DPR case)
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
foggyb
Legendary
Offline
Activity: 1736
Merit: 1006
|
|
April 13, 2014, 12:54:31 AM |
|
NSA don't have that much skill as you think. 1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest. 2) they employed the UK's GCHQ to brute force DPR's passwords. (that's what I gathered from the evidence notes of the DPR case)
If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road. If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness. For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.
|
|
|
|
Bit_Happy
Legendary
Offline
Activity: 2114
Merit: 1040
A Great Time to Start Something!
|
|
April 13, 2014, 01:23:11 AM |
|
We Need to be Careful Remember to change all your passwords if you haven't already.
|
|
|
|
acoindr (OP)
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
April 13, 2014, 01:36:04 AM |
|
We Need to be Careful Remember to change all your passwords if you haven't already.
This bears repeating.
If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.
This reminded me of the image below which I'm sure will be lost on 50% of this forum
|
|
|
|
grahvity
|
|
April 13, 2014, 02:09:50 AM |
|
This bears repeating
This reminded me of the image below which I'm sure will be lost on 50% of this forum
Is that a friend of my dad's? jk
|
|
|
|
acoindr (OP)
Legendary
Offline
Activity: 1050
Merit: 1002
|
|
April 13, 2014, 02:26:21 AM |
|
This bears repeating
This reminded me of the image below which I'm sure will be lost on 50% of this forum
Is that a friend of my dad's? jk
Back in my day Sonny we watched something called teeevee and that provided entertainment! Nothin' like these newfangled tablets and netgear gizmos all you youngsters are glued to today! Nosir!
|
|
|
|
Radar
Full Member
Offline
Activity: 154
Merit: 100
Pm me if you're a casino developer!
|
|
April 13, 2014, 10:41:12 AM |
|
And now it's a bad time Windows XP won't receive updates
|
|
|
|
kik1977
|
|
April 13, 2014, 10:58:13 AM |
|
NSA don't have that much skill as you think. 1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest. 2) they employed the UK's GCHQ to brute force DPR's passwords. (that's what I gathered from the evidence notes of the DPR case)
If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road. If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness. For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.
Very much agreed.. you would not really reveal your nr.1 investigative technique if this would compromise its future utilisation.
|
We are like butterflies who flutter for a day and think it is forever
|
|
|
pening
|
|
April 13, 2014, 12:14:51 PM |
|
NSA don't have that much skill as you think. 1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest. 2) they employed the UK's GCHQ to brute force DPR's passwords. (that's what I gathered from the evidence notes of the DPR case)
As a Brit myself, I'm the first to fly the flag, but let's be honest and clear about this: GCHQ was employed by the US authorities to keep it nice and legal, bypassing laws around spying on own citizens.
As for the OP, the story from Bloomberg is awful journalism, there isn't even an unattributed third party making the claim the NSA knew about the bug, it's pure speculation. It's certainly probable they did know, just Bloomberg is making the assumption they must know because they have resources available. So do thousands of open source volunteers. If there's one thing Heartbleed has taught us is open source is *not* secure by default, and requires audit and reviews to show systems are secure.
|
|
|
|
Tzupy
Legendary
Offline
Activity: 2156
Merit: 1094
|
|
April 13, 2014, 01:11:55 PM |
|
|
Sometimes, if it looks too bullish, it's actually bearish
|
|
|
franky1
Legendary
Offline
Activity: 4340
Merit: 4667
|
|
April 13, 2014, 01:57:32 PM |
|
new information coming to light, thanks. and thanks again for showing a link with actual viable information, rather than speculation.
now the next point, the article mentions that by stealing keys, exploiters can then set up dummy websites to phish the genuine website, so that users log in thinking it's genuine.
my question is: if heartbleed can be used not only to get the private key (certificate), but to also get users' unencrypted log-in data... why need to then make a phishing site to get users to log into exploiters' cloned websites.. to basically gather people's usernames and passwords.
my speculative theory is that the heartbleed can only gather the site's private key (certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why Filippo can only see "yellow submarine" in cleartext and the rest is gibberish. apart from the website's own certificate soon after a reboot.
|
|
|
|
empowering
Legendary
Offline
Activity: 1078
Merit: 1441
|
|
April 13, 2014, 03:53:33 PM |
|
We Need to be Careful Remember to change all your passwords if you haven't already.
This bears repeating. If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness.
This reminded me of the image below which I'm sure will be lost on 50% of this forum
oh ah... and just one more thing Mr .....
|
"A foolish consistency is the hobgoblin of little minds"
|
|
|
jparsley
|
|
April 14, 2014, 11:26:24 AM |
|
Where do I find more info on this bug?
|
please unban me.
|
|
|
HappMacDonald
Newbie
Offline
Activity: 26
Merit: 0
|
|
April 14, 2014, 09:25:10 PM |
|
my speculative theory is that the heartbleed can only gather the site's private key (certificate) but cannot decrypt user data. thus needing to make a phishing site to get user data. the only user data they can decrypt is their own. which is why Filippo can only see "yellow submarine" in cleartext and the rest is gibberish. apart from the website's own certificate soon after a reboot.
This is incorrect. I used the tool offered by Filippo, and I was most certainly able to get cleartext HTTP sessions from other users out of the memory dumps.
The really important thing to keep in mind with Heartbleed is that the entire goal of SSL is to encrypt traffic packets so that eavesdroppers of said packets (like the NSA!) cannot see what is inside of them. However, having the private keys most certainly allows an attacker to decrypt that traffic data, if they are able to get it (which the NSA almost always can).
So heartbleed can allow k1dd13s a mirror into other people's user sessions, I've seen it. Whatever is in RAM (in the heap) has a chance of being exposed directly. Indirectly, it can also allow anyone with OOB access to encrypted transit packets to decrypt them assuming they put in the trivial amount of effort to finagle the private keys out of the primary leak.
|
|
|
|
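The heap exposure described in the post above comes down to a heartbeat handler trusting the length field the peer sent. An added example, not part of the thread and not OpenSSL's code: a minimal C handler for the RFC 6520 heartbeat layout that checks the claimed length against the bytes actually received before echoing. The function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message, carried in one TLS record:
 * type (1) | payload_length (2, big endian) | payload | padding (>= 16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Build the echo for a heartbeat request of rec_len received bytes.
 * Returns the response length, or -1 when the message must be dropped. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t need = HB_HEADER + claimed + HB_MIN_PAD;
    /* The claimed length must fit in what actually arrived. Without this
     * check the memcpy below would read past the record into the heap. */
    if (need > rec_len) return -1;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* real stacks pad randomly */
    return (int)need;
}

/* Constructed sample: 4-byte payload "ping" plus 16 padding bytes. */
int hb_demo_honest(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    int n = hb_build_response(rec, sizeof rec, out, sizeof out);
    return (n == 23 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0) ? n : -2;
}

/* Constructed sample: claims 0x4000 payload bytes but carries none. */
int hb_demo_overclaim(void)
{
    uint8_t rec[19] = { HB_REQUEST, 0x40, 0x00 };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest=%d overclaim=%d\n", hb_demo_honest(), hb_demo_overclaim());
    return 0;
}
```

The over-claiming record is dropped without a reply, which is the behaviour RFC 6520 requires for a payload_length that is too large.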
jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
|
|
April 14, 2014, 10:52:08 PM |
|
NSA don't have that much skill as you think. 1) they only got to silkroad via asking google for DPR's IP to locate him. then getting the data AFTER confiscating his computer at the time of his arrest. 2) they employed the UK's GCHQ to brute force DPR's passwords. (that's what I gathered from the evidence notes of the DPR case)
If you're the NSA, you don't use / expose your secret methods for a shitty score like silk road. If you're a clever spy, pretending to be less clever than you really are is a crucial strategy for retaining your effectiveness. For example: in WWII, the Allies knew of impending German attacks, having broken Germany's Enigma, an advanced encryption engine. However, very often Allied forces could not be warned in advance of these known impending attacks because doing so would reveal the compromised encryption, which would be immediately corrected. The Allies were after the big secrets.
Shitty score? Not sure that's true. There was major attention, interest from DEA obviously... even congress members were putting pressure to crack that case.
|
|
|
|
kingscrown
|
|
April 15, 2014, 01:23:28 AM |
|
one of best exploits found ever!
|
|
|
|
|