Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[palsch]

To be fair they are talking about a strongly encrypted vault file that may or may not (but should if you are sharing over the net) require a second key file alongside a (hopefully) strong password to decrypt.

[MorleyDev]

To be fair they are talking about a strongly encrypted vault file that may or may not (but should if you are sharing over the net) require a second key file alongside a (hopefully) strong password to decrypt.

Yeah, but sending it over FTP means your FTP password is still naked. It's like hiding the key inside a jar of acid in the garage, and leaving the garage key underneath the welcome mat. There's other stuff inside the garage that's important too!

[Levi]

You can sync it via FTP.

sync it via FTP

via FTP.

FTP.

I trust you mean SFTP? FTP is as insecure as a....really really insecure thing. You send all your credentials and the files completely naked and visible to anybody in-between you and the server.

Yeah I think so.  Although the file itself should be safe anyway, it needs the master password to unlock it, which is 24 long in my case.

Edit:  Hmm, actually it IS regular FTP.  Well, I'm still not too concerned.

Edit2:  Wait, are FTP passwords really sent as plain text?  That is ridiculous!  It could compromise my whole webserver.   

[Sheb]

PTW

[Neonivek]

Frankly, there's just too freaking many, though. . . I'm going to have to start keeping a piece of paper in my purse or something, because I definitely can't remember a different password for so many different places : /

I have saved all my passwords on my computer.

[Levi]

Just remembered one of my server apps I wrote at work was using ssl(the bad one) for something.  At least it wasn't hard to upgrade.

[LoSboccacc]

Seems like most of the big companies out there are ok though, the checker tool says that steam, amazon, google, github, and paypal all come out clean.

they are safe now, but not back then

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

the exploit has been found in logs since november.

also, while most bank seems unaffected, remember that if you ever had a cc shared to a website which was compromised (they say steam, i.e.) the safest route is to change that as well.

internet truly seems in flame right now.

[miauw62]

Certain clients are affected too.

So, if I'm reading this correctly, certain clients can also leak memory the same way that the server leaks memory.

[alway]

And then XKCD does a pretty good job of explaining generally how it worked:


Or in more technical detail, the code had a speed optimization which included some stuff related to pulling out a page of memory. Usual protocols for doing this involve pre-cleaning the page by just zeroing it out or similar. Instead of using typical methods for doing so, they had their own implementation which did not do so; likely the result of someone not being familiar with the reasons for doing so. In a low-level language, when you deallocate memory, the contents of that memory are not wiped, but rather 'undefined.' Which is to say, you're telling the OS that the chunk of memory in question can be used by other programs and such. The contents of that memory exist until either the OS wipes it (specifically to prevent security exploits like Heartbleed) or until it is otherwise altered. My understanding is that the heartbeat code explicitly wrote their own implementation for grabbing memory which did not wipe it. This makes sense if you aren't familiar with Heartbleed-like exploits, as pre-cleaning that memory does have a small time cost. And thus the newly allocated memory the program has access to has whatever data was recently in that particular place in memory.

And then you compound that with an issue related to bounds checking, as shown in that image above. So when you send the request, you would sent some sort of array of data, and essentially tell the server to repeat it back to you. You also tell the server how long that array of data is. If there is a mismatch, the server should detect that and simply ignore the request entirely, as it is malformed. Instead, the server would load that array into its memory allocated for the incoming packet, then attempt to read back as many characters as you had told it the message was. Which would include whatever data happened to be in that array of data. Since it wasn't wiped before being used for the array, that would include actual fragments of information from sources external to the request itself.

So in essence, it's the result of not following best practices in combination with a simple variant of the classic buffer overflow cracking method. If either allocation best-practices or request bounds checking had occurred, the exploit would not have existed.

[Vector]

THOSE NSA BASTARDS

[palsch]

This is one of the minor flaws of open source software. Reminds me of the Debian RNG fuckup. In that case someone commented out a line that generated errors when using a validator program. The person running the checks was obviously not familiar enough with the code or cryptography in general to understand why you might want to read uninitialized data (as a source of true randomness to feed to your pseudo-random number generators). He successfully made every OpenSSL generated key vulnerable to brute force analysis for around 20 months.

The people who write the code are usually excellent at it, but people don't usually pay attention to every edit of their code down the line and every programmer has their own ideas of what good code is. So you are likely to see dozens of edits that 'fix' good code or that 'correct' 'mistakes' that were critical to the functioning of the program. In two cases this has been devastating for security.

I'd say the fix is having more OS programmers who are more intimately familiar with cryptography and security issues, alongside far, far greater documentation of such critical functions. A substantial workload and wishful thinking maybe, but given I'd generally consider OS more secure than closed source software it's something that might well be worthwhile. Trying to shore up the last flaws of a systems strengths makes sense to me, even at considerable effort.

[Aqizzar]

It's like they toy with people for entertainment, and when people call them out, say 'National security. Are you a terrorist? DO YOU HAVE SOMETHING TO HIDE!?'

If something is in the NSA's best interests, then it outweighs the interests of the entire rest of the world.  Which is, y'know, horrible and all.

[alway]

THOSE NSA BASTARDS

HOW!?

HOW ARE THESE GUYS STILL AROUND!?

It's like they toy with people for entertainment, and when people call them out, say 'National security. Are you a terrorist? DO YOU HAVE SOMETHING TO HIDE!?'

No they don't. They surreptitiously leak info about your sex life to shut you up or discredit you. They even have a program for that.

[Greiger]

Thread is relevant to my interests (and career) and this is as good a place as any to keep up on it.

In short, posting to watch.  Sorry to the folks who thought this was a legitimate thread update.

[Sergarr]

THOSE NSA BASTARDS

HOW!?

HOW ARE THESE GUYS STILL AROUND!?

It's like they toy with people for entertainment, and when people call them out, say 'National security. Are you a terrorist? DO YOU HAVE SOMETHING TO HIDE!?'

Where is KGB when you need it?