The Heartbleed Hit List

HardOCP News

Need to know which passwords to change right now? Mashable has posted The Heartbleed Hit List, a guide to affected sites and how they are dealing with the exploit.

> But it hasn't always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, we've rounded up the responses from some of the most popular social, email, banking and commerce sites on the web.
 
Why would a person need to change their password on an affected site? Let's say you rarely ever visit one of these affected sites, wouldn't the chance of your login info getting stolen be incredibly small? Or am I missing something here?
 
> Why would a person need to change their password on an affected site? Let's say you rarely ever visit one of these affected sites, wouldn't the chance of your login info getting stolen be incredibly small? Or am I missing something here?

An affected site could have had both the private and public keys for SSL compromised.
If that's compromised, they could effectively read all the encrypted data; they have the keys, they could decrypt it.
They could then get the username and passwords for all users, since they would be able to decrypt the SSL-encrypted packets/data.

Since the issue has effectively been alive for 2 years, although I'm unsure as to how long it's been "known" (not just publicized), this could have been getting exploited for the last 2 years on the affected sites.
 
If one is open to a vulnerability, why would they admit it? :D

Some of the responses also make me think that they may have been semi-generic responses from a non-tech savvy receptionist who isn't appropriate to respond for comment.
 
It would be a mistake to access an affected site that isn't patched. Now that the bug is known, the information is more vulnerable until it's patched. Rushing out and changing passwords is the last thing you should do unless you know the site is fixed.
 
> Need to know which passwords to change right now? Mashable has posted The Heartbleed Hit List, a guide to affected sites and how they are dealing with the exploit.

This is much ado about nothing. The media is simply trumpeting this up to prop up their pathetic ratings. The chances of your password getting stolen are minuscule at best since an attacker would:

A. Have had to have known about the exploit beforehand
B. Been listening in at the exact moment you logged in

In fact, advising people to change their passwords is a bad idea since now that the exploit is public, the chances of people listening are increased and you have no way of knowing if a site has been patched or not.
 
> This is much ado about nothing. The media is simply trumpeting this up to prop up their pathetic ratings. The chances of your password getting stolen are minuscule at best since an attacker would:
>
> A. Have had to have known about the exploit beforehand
> B. Been listening in at the exact moment you logged in
>
> In fact, advising people to change their passwords is a bad idea since now that the exploit is public, the chances of people listening are increased and you have no way of knowing if a site has been patched or not.

Oh and C, they can only grab 64k of memory at a time so your login would have to be in that 64k of memory at the exact time you are logging in.
 
Every time something like this comes along, I get a frantic call from my mom because she sits around watching FOX news all day long... she knows I do a lot of "online" stuff and was worried about me.

Even if someone did gain access -- what are they going to do? pay off my mortgage early for me? Take some money that's easily traceable and returnable?

It seems to be about once every 2 months I will get one of these frantic calls, I mostly just ignore them because c'mon it's Fox news, usually whatever they are talking about I read about 2 weeks earlier.
 
This bug is, what, 2 years old. You would have been hacked long ago. Just a lot of nothing at this point.
 
I highly suspect that gmail was compromised at least a couple times because of this vulnerability.

Either that or they have people on the inside working with spammers as my gmail account has been compromised twice that I know of, and the password was unique and very long.

Just glad they have implemented two factor authentication now (authorized computer/device) + password.
 
> This bug is, what, 2 years old. You would have been hacked long ago. Just a lot of nothing at this point.

True, this may be a locking the barn door after the horse has been stolen problem, but it's a perfect time to just go through and evaluate your password situation. I have so many bloody passwords that it's hard to track them all sometimes. It's good to make password updates for the stuff that matters once in awhile if you aren't forced to already.

Does it matter if my [H] password is compromised? No.
Does it matter if my Gmail password had a chance of being compromised? Yes, changed.
 
The link in the OP flags a virus warning.

It did for me, too. Slightly ironic.

I had a fairly intelligent person (CEO of a bank) tell me yesterday after they heard about this: "I'm going to throw away my pc and buy a MacBook. I'm sick of all of this infection stuff".....:rolleyes:
 
> If one is open to a vulnerability, why would they admit it? :D
>
> Some of the responses also make me think that they may have been semi-generic responses from a non-tech savvy receptionist who isn't appropriate to respond for comment.

Depending on the server they might have been able to compile that list themselves by just running queries against the servers and seeing what they get back.

> This bug is, what, 2 years old. You would have been hacked long ago. Just a lot of nothing at this point.

Existing for 2 years and being known for 2 years are two different things.
 
> It did for me, too. Slightly ironic.
>
> I had a fairly intelligent person (CEO of a bank) tell me yesterday after they heard about this: "I'm going to throw away my pc and buy a MacBook. I'm sick of all of this infection stuff".....:rolleyes:

And THAT is why you and I are not CEO,COO,CFO.

Just smile, nod and back away slowly.
 
> Oh and C, they can only grab 64k of memory at a time so your login would have to be in that 64k of memory at the exact time you are logging in.

The thing is, you don't know what's in that 64k. So what if the server certificate happens to be in that 64k? And what if someone found this out two years ago and have been randomly grabbing 64k since? It's not something that typically is logged, so no one can tell you if it's been exploited or not.

The only thing I fault the media for is claiming that it's 2/3s of the net, it's more like 17% but yes people need to know, to hold companies accountable for taking it seriously. I know several would just let it ride because they wouldn't want to pay the $50.
 
> The thing is, you don't know what's in that 64k. So what if the server certificate happens to be in that 64k? And what if someone found this out two years ago and have been randomly grabbing 64k since? It's not something that typically is logged, so no one can tell you if it's been exploited or not.
>
> The only thing I fault the media for is claiming that it's 2/3s of the net, it's more like 17% but yes people need to know, to hold companies accountable for taking it seriously. I know several would just let it ride because they wouldn't want to pay the $50.

Even with the server certificate, they'd still need your encrypted password which means it would have to be in the exact same 64k block and they'd have to pull it down at the exact time you are logging in and they would have to have both the username and the password to be in the same 64k block (and hope that it is contiguous since there is no guarantee that whatever block they pull will have the entire thing; it could be truncated).

On a related note, I would like to call out the stupidity of the OpenSSL programmers for writing the thing in C. Program design decisions should be based on practical concerns, not what programming language makes you the most macho. In 2014, we should not be writing high-level internet-enabled software in an unsafe language like C. This kind of nonsense would absolutely have been prevented by using a managed language where you don't have to worry about bounds checking and buffer overflows.
 
I'm thinking that if I had the cert, I would just do a man in the middle attack instead of trying to worry about finding a username/password. Not every browser actually checks for revoked certs every time.
 
> Even with the server certificate, they'd still need your encrypted password which means it would have to be in the exact same 64k block and they'd have to pull it down at the exact time you are logging in and they would have to have both the username and the password to be in the same 64k block (and hope that it is contiguous since there is no guarantee that whatever block they pull will have the entire thing; it could be truncated).
>
> On a related note, I would like to call out the stupidity of the OpenSSL programmers for writing the thing in C. Program design decisions should be based on practical concerns, not what programming language makes you the most macho. In 2014, we should not be writing high-level internet-enabled software in an unsafe language like C. This kind of nonsense would absolutely have been prevented by using a managed language where you don't have to worry about bounds checking and buffer overflows.

C/C++ is good for speed, and just fine if written properly.

The general attitude of a lot of modern day programmers from what crappy code I have had to work with is: "If it works, who cares how slow it is, how hard it is to maintain, and how unreadable it is."

Code should be easily maintainable, readable, and optimized.

This crap that people spew out nowadays just makes me angry.
 
> C/C++ is good for speed, and just fine if written properly.
>
> The general attitude of a lot of modern day programmers from what crappy code I have had to work with is: "If it works, who cares how slow it is, how hard it is to maintain, and how unreadable it is."
>
> Code should be easily maintainable, readable, and optimized.
>
> This crap that people spew out nowadays just makes me angry.

The speed advantage of C/C++ is vastly overstated (other than for useless microbenchmarks that have no bearing on the real world).

Yes, C++ can be faster if you take the time to hand optimize it. But that kind of optimization is simply not economical (machine time is cheaper than programmer time so it doesn't make sense to spend $300,000 in software development costs to get a 5% performance boost by recoding everything in inline assembler when the bottleneck can be offset by a $200 processor upgrade) and the end result is that the vast majority of such code is unoptimized beyond the minimum performance target. Given unoptimized C++ code vs unoptimized C# or Java code, the latter will win because it has the benefit of just-in-time compilation which allows it to recompile code on the fly to work around bottlenecks.

In addition, there are other, native alternatives to C/C++ that are safer such as D, Delphi, and FreePascal.

C has its uses for low-level systems and embedded programming. But writing high-level software in it in this day and age is just silly.
 
> Why would a person need to change their password on an affected site? Let's say you rarely ever visit one of these affected sites, wouldn't the chance of your login info getting stolen be incredibly small? Or am I missing something here?

They don't, it's in overhype mode.

I would say the only time a password would need changing is if there is evidence of an account compromise.

Basically an insecure SSL protocol is at worst the same as being unencrypted, so basically, e.g., hardforum.com is not encrypted; does this mean I have to now change my password? Ridiculous.
 
> They don't, it's in overhype mode.
>
> I would say the only time a password would need changing is if there is evidence of an account compromise.
>
> Basically an insecure SSL protocol is at worst the same as being unencrypted, so basically, e.g., hardforum.com is not encrypted; does this mean I have to now change my password? Ridiculous.

Yes it does mean you should change your password. First off, hardforum doesn't spit out contents from its server memory when you send it a specially crafted packet like the heartbleed issue does. That's the first thing. How are you going to grab hardforum info if you're not sniffing someone's network who is actively visiting the site? Heartbleed lets someone in China see login info from someone in the USA who's using Gmail. Hardforum lets the guy at Starbucks see the other guy at Starbucks who's visiting hardforum. Big difference.

Second, anyone (i.e. NSA) that's been farming encrypted data for months/years just waiting to find the key through some method (i.e. HEARTBLEED) can now see that data.

There was a window of opportunity for many sites where they were vulnerable and anyone that was fast enough to exploit it could have gotten tons of info.

Just change your passwords, or at least rotate them if you're lazy.
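The "specially crafted packet" in the post above is a heartbeat request whose claimed payload length is larger than what the client actually sent. The following is an added example, not code from the thread or from OpenSSL: a toy C model of the heartbeat echo, with the pre-fix logic that trusts the claimed length beside the post-fix logic that checks it against the record actually received. The record layout, the 64-byte "arena" standing in for process memory, and the leftover "user=alice&pass=hunter2" string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat record (layout constructed for this example):
 *   byte 0     : type (1 = request)
 *   bytes 1-2  : payload length the CLIENT claims, big-endian
 *   bytes 3..  : payload, then at least 16 bytes of padding
 * The server echoes the payload. The bug was trusting the claimed
 * length instead of the number of bytes actually received. */
#define HB_REQUEST 1
#define HB_PADDING 16
#define ARENA_LEN  64

/* Pre-fix shape: `claimed` bytes are copied from the payload start,
 * ignoring rec_len. `arena` stands in for process memory so the over-read
 * stays inside memory we own. Returns the number of bytes echoed. */
size_t heartbeat_reply_unchecked(const uint8_t *arena, size_t arena_len,
                                 size_t rec_len, uint8_t *out, size_t cap) {
    (void)rec_len;                       /* never consulted: that is the bug */
    if (arena_len < 3 || arena[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (claimed > cap || 3 + claimed > arena_len) return 0; /* toy-only guard */
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Post-fix shape: the record must hold header + claimed payload + padding,
 * otherwise the request is dropped silently (the form of the 1.0.1g check). */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;  /* the fix */
    if (claimed > cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed 64-byte arena: a 23-byte record carrying the 4-byte payload
 * "ping" with whatever length the caller claims, followed by fake leftover
 * request data (the "secret") that a correct server must never echo. */
#define TOY_REC_LEN (1 + 2 + 4 + HB_PADDING)   /* 23 bytes actually sent */
void build_toy_arena(uint8_t *arena, uint16_t claimed) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + TOY_REC_LEN, "user=alice&pass=hunter2", 23);
}
```

With a claimed length of 40 on a 23-byte record, the unchecked version echoes 20 bytes of the adjacent "secret" while the checked version returns nothing; a truthful claim of 4 passes the check and echoes only "ping".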
 
I rotate passwords/keys where data is valuable.

Forums and the like are not, when I get asked to force change password I tend to just abandon the site. When having to register on 100s of sites, rotating passwords for 100s of sites for minor vulnerabilities that are blown out of proportion is ridiculous.

I guess Google are idiots then as they are stating for their service password change isn't needed.
 
> I guess Google are idiots then as they are stating for their service password change isn't needed.

Actually they didn't say that. Read their official post. They applied patches to key services, and were working on the minor ones, so it made no sense to change your password until they finished. Blogs are the ones that took it that they meant that you didn't have to change it at all.
 