Wednesday, April 09

Geek

Dodging Bullets

First Apple's SSL library had a serious security flaw, but that's okay because I don't use Apple's SSL.  (I have an iPad, but it mostly just sits there.)

Then GnuTLS had a worse security flaw, but that's okay because I use OpenSSL.

Then OpenSSL had the worst security flaw of them all...  But that's okay because the version of OpenSSL we're using here is older than the bug.

I will wipe and reinstall a couple of virtual machines that don't have user data on them yet, just in case.

Of course, while mee.nu was secure* Amazon, Google, and any number of other providers have been exposed to this bug to varying degrees for two years.**  And the nature of the bug is such that attacks would not show up in normal server logs; it's a silent, pseudo-random data leak.

* Entirely because I've been too busy to migrate to a newer version of Linux and install proper certificates, not because of any specific virtue.

** It's been a busy two years.  Seriously.  I don't want to talk about it.

Posted by: Pixy Misa at 02:50 PM | Comments (13) | Add Comment | Trackbacks (Suck)
Post contains 181 words, total size 2 kb.

1 Isn't it the case that this wasn't so much a bug as it was a deliberately-inserted exploit?

Posted by: Steven Den Beste at Wednesday, April 09 2014 03:57 PM (+rSRq)

2 No clear evidence of that.  For GnuTLS and OpenSSL, it's open source and the changes are tracked, so we know exactly who introduced the bug and when.

The Apple bug is a bit dubious, since the specific bug should have been detected immediately by any code analysis tool or even the programmer's IDE (it left unreachable code), but again, no clear evidence that it was deliberate.

Posted by: Pixy Misa at Wednesday, April 09 2014 04:04 PM (PiXy!)

3 I wonder how long NSA has known about it.

Posted by: Steven Den Beste at Thursday, April 10 2014 01:42 AM (+rSRq)

4 Thanks for that Pixy...I'm always skeptical of sites that claim to test ones Mac...having one recommended by you was a big relief. 

Posted by: The Brickmuppet at Thursday, April 10 2014 10:47 AM (DnAJl)

5

Apparently NSA knew about it a couple of years ago.

Posted by: Steven Den Beste at Saturday, April 12 2014 06:11 AM (+rSRq)

6 Well, who are you going to believe, a mainstream media outlet citing anonymous sources, or the NSA?

Tough call.  If it's possible for them to both be lying, that's the way to bet.

Posted by: Pixy Misa at Saturday, April 12 2014 03:24 PM (PiXy!)

7

It turns out that the bug was included in Android 4.1.1.

I'm relieved to see that my phone is Android 4.2.2.

Posted by: Steven Den Beste at Tuesday, April 15 2014 01:57 AM (+rSRq)

8 BTW, just fended off a massive spam attack last night. But now my comments sidebar is wrong.

Posted by: Mauser at Tuesday, April 15 2014 06:55 AM (TJ7ih)

9 Usually it gets straightened out on the first new comment.

Posted by: Steven Den Beste at Tuesday, April 15 2014 10:20 AM (+rSRq)

10 I'll run my fixup script.

Posted by: Pixy Misa at Tuesday, April 15 2014 06:15 PM (PiXy!)

11 Thanks, making new comments wasn't working. Nor was deleting them.

Wondering if it's safe to open up commenting again....  They really stomped on my page HARD for hours.

Posted by: Mauser at Tuesday, April 15 2014 08:27 PM (TJ7ih)

12 I just blocked an entire hosting company (OVH) at the firewall for persistent spam from their customers. Hoping that will help.

Posted by: Pixy Misa at Wednesday, April 16 2014 01:15 PM (PiXy!)

13 I don't know how to tell.  Although it looks like Brickmuppet just got hit.

Posted by: Mauser at Wednesday, April 16 2014 08:12 PM (TJ7ih)

Hide Comments | Add Comment

Comments are disabled. Post is locked.
50kb generated in CPU 0.0147, elapsed 0.1058 seconds.
56 queries taking 0.0964 seconds, 339 records returned.
Powered by Minx 1.1.6c-pink.

Praise for Ambient Irony

  • The bestest!Susie
  • Just wow!Mookie
  • Impressive.Bill Whittle
  • You have a granddaughter? What did you do, have children when you were in preschool? LeeAnn

Contact Support

Contact Pixy

  • Mail pixy@mu.nu
  • Gab @pixymisa
  • Gettr @pixymisa
  • MeWe @pixymisa
  • Minds @pixymisa
  • Parler @pixymisa
  • Twitter @banned

Business News

Art by Chelsea Rose.


Search Thingy



Recent Comments

  • Rick C Stellar Blade--I guess she's kinda cute if you like the modern version of pointy-chinned whatever th... entry
  • Rick C I like my Beelink mini pc, although I wish the 1340P had been available instead of the 1235U. It's ... entry
  • Mauser And the TikTok bill doesn't take effect until AFTER the election. And maybe not then if they help pu... entry
  • Friday Night Funkin The availability of these components at MSRP signals a positive trend in the hardware market, Friday... entry
  • normal I don't know that it's a case of them not "swallowing" it, so much as the Great Bidenpression making... entry
  • Pixy Misa Paper ballots counted by hand. There is some nonsense going on with regards to Australian electio... entry
  • buy k2 spray online usa legit online dispensary shipping worldwide legit colorado dispensary shipping worldwide buy k2 spray... entry
  • buy k2 spray online usa Buy Painkillers Online Overnight Delivery buy ibogaine online buy k2 spray online cavapoo puppies ... entry
  • buy k2 spray online buy k2 liquid spray online buy diablo liquid k2 on paper buy k2 spice spray on paper buy k2 spray on... entry
  • Lucas At Resin Drives Newcastle, our team will carry out the complete installation from planning to the fi... entry

Topics

Monthly Traffic

  • Pages: 370113
  • Files: 55339
  • Bytes: 11.6G
  • CPU Time: 188:27
  • Queries: 17282826

Content

  • Posts: 6588
  • Comments: 22409

    • Categories

    Archives

    A Fine Selection of Aldebaran Liqueurs

    That Ol' Janx Spirit

    Mostly Harmless

    MuNu Blogroll

    Dish of the Day

    Feeds


    RSS 2.0 Atom 1.0