geekhack
geekhack Community => Other Geeky Stuff => Topic started by: Puddsy on Tue, 08 April 2014, 16:01:38
-
http://heartbleed.com/ (http://heartbleed.com/) explains it better than I can.
Be careful out there friends
The biggest software that is affected (AFAIK) is Valve's steam software.
-
ctrlalt.io has already been patched :D
Very serious bug though.
TLDR
"Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server’s memory."
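To make that one-line summary concrete, here is an added example (written for this page; it is not OpenSSL's code and not something anyone in the thread posted) that simulates the bug and its fix side by side. It models the heartbeat message layout from RFC 6520 and the missing length check that CVE-2014-0160 fixed; the `memory` buffer, the `SECRET` string, the `"ping"` payload and the function names are all constructed for the demo, and the claimed length is capped so the simulation itself never reads outside its own buffer (the real attack asked for up to 64 KiB per request).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * CVE-2014-0160: the responder copied payload_length bytes starting at the
 * payload without checking that the received record was actually that long. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Simulated process memory (constructed for the demo): the received record
 * sits at the start and an unrelated secret sits right after it, the way a
 * cookie from another connection could sit next to the record buffer. */
static uint8_t memory[256];
static const char SECRET[] = "session=deadbeef; user=alice";

/* Simulated heartbeat handler. rec/rec_len describe the record as actually
 * received. Writes the response into out and returns its length, or -1 if the
 * record is rejected. hardened != 0 applies the checks that the fix added;
 * hardened == 0 behaves like the vulnerable code and performs no check. */
long process_heartbeat(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap, int hardened)
{
    if (hardened && rec_len < 1 + 2 + HB_PADDING)   /* first check from the fix */
        return -1;
    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* attacker-controlled */
    const uint8_t *pl = rec + 3;

    if (type != HB_REQUEST)
        return -1;
    /* Second check from the fix: refuse a length the record cannot contain. */
    if (hardened && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    /* Without the check above this copies past the end of the received record
     * and echoes whatever follows it in memory back to the peer. */
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);   /* real code used random padding */
    return (long)resp_len;
}

/* Place a heartbeat request whose length field claims claimed_len bytes but
 * which really carries only actual_payload, then put the secret right after
 * it. Returns the true length of the record as received. */
size_t place_record(uint16_t claimed_len, const char *actual_payload)
{
    size_t n = strlen(actual_payload);
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)claimed_len;
    memcpy(memory + 3, actual_payload, n);
    size_t rec_len = 1 + 2 + n + HB_PADDING;
    memcpy(memory + rec_len, SECRET, sizeof SECRET);  /* adjacent data */
    return rec_len;
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the secret leaked into the heartbeat response, 0 if it did not,
 * -1 if the request was rejected, -2 if claimed_len would leave the simulated
 * memory (capped so the demo itself stays well-defined). */
int leak_test(uint16_t claimed_len, int hardened)
{
    uint8_t out[512];
    if ((size_t)1 + 2 + claimed_len > sizeof memory)
        return -2;
    size_t rec_len = place_record(claimed_len, "ping");
    long n = process_heartbeat(memory, rec_len, out, sizeof out, hardened);
    if (n < 0)
        return -1;
    return contains(out + 3, (size_t)n - 3, SECRET);
}

int main(void)
{
    printf("vulnerable, claimed 200 bytes: leak=%d\n", leak_test(200, 0));
    printf("hardened,   claimed 200 bytes: leak=%d\n", leak_test(200, 1));
    printf("hardened,   claimed 4 bytes:   leak=%d\n", leak_test(4, 1));
    return 0;
}
```

The request really carries four bytes, but the length field says 200; the vulnerable path copies 200 bytes and the secret placed after the record shows up in the reply, while the hardened path rejects the request outright. That is the whole bug: one trusted length field, no comparison against the size of what was actually received.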
-
> http://heartbleed.com/ (http://heartbleed.com/) explains it better than I can.
> Be careful out there friends
> The biggest software that is affected (AFAIK) is Valve's steam software.
So the internet has been hacked :eek:
-
Whoops! Someone discovered the NSA's backdoor to everything.
-
My heart bleeds for everyone who is affected.
-
> My heart bleeds for everyone who is affected.
That's why it's such a huge problem.
Quite literally almost every internet user is/was affected. If not directly, then indirectly.
-
GitHub's blog post (https://github.com/blog/1818-security-heartbleed-vulnerability) explains a lot of the salient bits as well as what many sites are having to do to mitigate damage. If you notice that you've been signed out of any services over the next few days those services are likely expunging possibly compromised sessions.
EDIT: Full disclosure I work at GitHub but was just a bystander for all the work our operations and infrastructure team did during this whole mess.
-
That's a good read. I'll share that around.
You work at GitHub? That's cool! What percent of employees use mech boards?
-
> That's a good read. I'll share that around.
> You work at GitHub? That's cool! What percent of employees use mech boards?
Hilariously most of the mech boards are used by non-engineers. Most folks are fine with the Mac keyboard or the bluetooth board. I don't have any hard numbers since most of the company is remote but the Kinesis is quite popular. One of my coworkers had a Unicomp until he borrowed my Realforce 55g and now he has a Hi Pro. There's also the odd Das Keyboard and Monoprice board and one of my remote coworkers uses some kinda Topre something because I printed some Octocat keycaps with WASD and he couldn't use 'em. I need to bring my Matias and Ergodox back to the office for folks to borrow and start campaigning more...
-
> http://heartbleed.com/ (http://heartbleed.com/) explains it better than I can.
> Be careful out there friends
> The biggest software that is affected (AFAIK) is Valve's steam software.
Ya, we have been getting everything updated at work as well...
-
You know what place you're at when a thread discussing one of the most serious bugs the internet has ever seen gets derailed almost instantly into a discussion on mechanical keyboards. :D
-
I lucked out and only had to rekey 3 certificates. And 1 was self-signed. Easy. For once, Red Hat's ancient stable copies of software paid off; only CentOS 6.4 and 6.5 needed to be updated.
-
This (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html) should not come as a shock to anyone.
-
I mean, it's been around for a while.
I'm not surprised.
-
Given the recent disclosures concerning the NSA, it stands to reason that this may have even been put there by them.
Of course, this is just speculation until we have hard evidence.
-
Yo, turns out Google was affected, change your Gmail passwords on Monday.
-
Now would be a good time to turn on two-factor authentication if you aren't using it already.
-
> Now would be a good time to turn on two-factor authentication if you aren't using it already.
Good advice regardless of this Heartbleed mess. Turn it on anywhere you can. Places I have two-factor authentication enabled:
Outlook.com
Gmail/Google Apps
Amazon AWS
GoDaddy
Even turn it on for your gaming accounts, even if you don't care about them. Every account hacked gives away some personal information that can be used to try to get into other accounts you own...
And never use the same password for more than 1 account! Use a password safe. For the accounts that you have to have passwords that you can remember, see this classic XKCD:
http://xkcd.com/936/
If you don't need to know the password by heart, use a very long random string and keep it in a password safe. You're also protected against keyloggers this way since you are never actually typing the password - how could you, it's impossible for any sane person to know :)