Author Topic: Heartbleed (Read 3321 times)

Puddsy · « **on:** Tue, 08 April 2014, 16:01:38 »

http://heartbleed.com/ explains it better than I can.

Be careful out there friends

The biggest software that is affected (AFAIK) is Valve's steam software.

codyeatworld · « **Reply #1 on:** Tue, 08 April 2014, 16:05:39 »

ctrlalt.io has already been patched

Very serious bug though.

TLDR
"Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server’s memory."

SpAmRaY · « **Reply #2 on:** Tue, 08 April 2014, 16:11:12 »

Quote from: TacticalStache on Tue, 08 April 2014, 16:01:38

http://heartbleed.com/ explains it better than I can.

Be careful out there friends

The biggest software that is affected (AFAIK) is Valve's steam software.

So the internet has been hacked

IvanIvanovich · « **Reply #3 on:** Tue, 08 April 2014, 16:57:06 »

Whoops! Someone discovered the NSA's backdoor to everything.

rowdy · « **Reply #4 on:** Tue, 08 April 2014, 17:35:19 »

My heart bleeds for everyone who is affected.

Puddsy · « **Reply #5 on:** Tue, 08 April 2014, 19:02:52 »

Quote from: rowdy on Tue, 08 April 2014, 17:35:19

My heart bleeds for everyone who is affected.

That's why it's such a huge problem.

Quite literally almost every internet user is/was affected. If not directly, than indirectly.

nuclearsandwich · « **Reply #6 on:** Tue, 08 April 2014, 19:05:50 »

GitHub's blog post explains a lot of the salient bits as well as what many sites are having to do to mitigate damage. If you notice that you've been signed out of any services over the next few days those services are likely expunging possibly compromised sessions.

EDIT: Full disclosure I work at GitHub but was just a bystander for all the work our operations and infrastructure team did during this whole mess.

Puddsy · « **Reply #7 on:** Tue, 08 April 2014, 20:00:59 »

That's a good read. I'll share that around.

You work at github? That's cool! What percent of employees use mech boards?

nuclearsandwich · « **Reply #8 on:** Tue, 08 April 2014, 20:18:56 »

Quote from: TacticalStache on Tue, 08 April 2014, 20:00:59

That's a good read. I'll share that around.

You work at github? That's cool! What percent of employees use mech boards?

Hilariously most of the mech boards are used by non-engineers. Most folks are fine with the Mac keyboard or the bluetooth board. I don't have any hard numbers since most of the company is remote but the Kinesis is quite popular. One of my coworkers had a Unicomp until he borrowed my Realforce 55g and now he has a Hi Pro. There's also the odd Das Keyboard and Monoprice board and one of my remote coworkers uses some kinda Topre something because I printed some Octocat keycaps with WASD and he couldn't use 'em. I need to bring my Matias and Ergodox back to the office for folks to borrow and start campaigning more...

swill · « **Reply #9 on:** Tue, 08 April 2014, 21:12:48 »

Quote from: TacticalStache on Tue, 08 April 2014, 16:01:38

http://heartbleed.com/ explains it better than I can.

Be careful out there friends

The biggest software that is affected (AFAIK) is Valve's steam software.

Ya, we have been getting everything updated at work as well...

dagdrivaren · « **Reply #10 on:** Wed, 09 April 2014, 01:00:00 »

You know what place you're at when a thread discussing one of the most serious bugs the internet has ever seen gets derailed almost instantly into a discussion on mechanical keyboards.

cultofjosh · « **Reply #11 on:** Thu, 10 April 2014, 19:30:00 »

I lucked out and only had to rekey 3 certificates. And 1 was self-signed. Easy. For once, RedHat's ancient stable copies of software paid off, only Centos 6.4 and 6.5 needed to be updated.

chibishin · « **Reply #12 on:** Fri, 11 April 2014, 15:46:27 »

This should not come as a shock to anyone.

Puddsy · « **Reply #13 on:** Fri, 11 April 2014, 15:47:40 »

I mean, it's been around for a while.

I'm not surprised.

chibishin · « **Reply #14 on:** Fri, 11 April 2014, 21:43:04 »

given the recent disclosures concerning the NSA, it stands to reason that this may have even been put there by them.

of course, this is just speculation until we have hard evidence.

Puddsy · « **Reply #15 on:** Fri, 11 April 2014, 21:45:05 »

Yo, turns out google was affected, change your gmail passwords on Monday.

chibishin · « **Reply #16 on:** Fri, 11 April 2014, 21:46:13 »

now would be a good time to turn on 2 factor authentication if you aren't using it already

cultofjosh · « **Reply #17 on:** Sat, 12 April 2014, 13:51:15 »

Quote from: chibishin on Fri, 11 April 2014, 21:46:13

now would be a good time to turn on 2 factor authentication if you aren't using it already

Good advice regardless of this heartbleed mess. Turn it on anywhere you can. Places I have 2 factor authentication enabled:

outlook.com
gmail/google apps
Amazon AWS
godaddy

Even turn it on for your gaming accounts, even if you don't care about them. Every account hacked gives away some personal information that can be used to try to get into other accounts you own...

And never use the same password for more than 1 account! Use a password safe. For the accounts that you have to have passwords that you can remember, see this classic XKCD:

http://xkcd.com/936/

If you don't need to know the password by heart, use a very long random string and keep it in a password safe. You're also protected against keyloggers this way since you are never actually typing the password - how could you, it's impossible for any sane person to know

News:

Author Topic: Heartbleed (Read 3321 times)

Puddsy

Heartbleed

codyeatworld

Re: Heartbleed

SpAmRaY

Re: Heartbleed

IvanIvanovich

Re: Heartbleed

rowdy

Re: Heartbleed

Puddsy

Re: Heartbleed

nuclearsandwich

Re: Heartbleed

Puddsy

Re: Heartbleed

nuclearsandwich

Re: Heartbleed

swill

Re: Heartbleed

dagdrivaren

Re: Heartbleed

cultofjosh

Re: Heartbleed

chibishin

Re: Heartbleed

Puddsy

Re: Heartbleed

chibishin

Re: Heartbleed

Puddsy

Re: Heartbleed

chibishin

Re: Heartbleed

cultofjosh

Re: Heartbleed