857 posts • joined 21 Sep 2011
Re: Exaggerated risk?
"CloudFlare have found it impossible to exploit the bug to steal keys"
Bad luck, ducky. It's utterly possible :(
"We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can’t be certain."
Re: Exaggerated risk?
"CloudFlare have found it impossible to exploit the bug to steal keys"
Well, steal keys from a specific Nginx setup, but I take your point - and the Cloudflare blog is linked to in the article. I note that the Cloudflare heartbleed challenge site has updated itself to "Has the challenge been solved yet? MAYBE? (verifying)". Stay tuned.
In general, it is very tricky to steal private SSL keys (going to Vegas to put everything on red 14 seems like a better chance of success), but that doesn't stop the leaking of passwords and whatnot.
Plus, it's a rather fun bug. Code safe, everyone.
Re: More issues with OpenSSL
Thanks for the links - I ran out of time and had other deadlines to hit to drop in Ted's comments. Worthwhile reading.
Re: OpenSSL "blueprints"
It's an old writing habit from my tabloid days - avoid repetition, it improves your writing. So "blueprints" was used to avoid another use of source and/or code in the same sentence. That's all. I've written enough deep dives to expect Reg readers to get techy concepts.
On that note, thanks for the article comments - good discussion all round.
Re: NogginTheNog and Destroy All Monsters
I've tweaked that par – don't forget to email corrections@thereg if you spot any weirdness so things can be quickly fixed.
Re: And yet
Yes, but admittedly with private test servers and a lot of patience. But it's easy enough to just watch people's passwords and other stuff going through the server pop up in the extracted blocks.
OK. Well, hopefully we can move past that and maybe now we can get back to the technicals - such as mitigation. You say you've implemented ASLR, so any thoughts?
Guard pages around individual sensitive allocations, causing this memcpy() to trigger a fault? It burns up virtual address space a bit, but worth it IMHO.
There's also this: http://article.gmane.org/gmane.os.openbsd.misc/211963
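The guard-page idea from the post above, as an added example that is not code from the page, from OpenBSD or from OpenSSL: a small allocator that right-aligns a sensitive object against a PROT_NONE page, so a memcpy() that trusts a lied-about length hits the guard and faults instead of returning neighbouring memory. It assumes POSIX mmap/mprotect (tested on Linux); the function names, sizes and the SIGSEGV catcher are this example's own.

```c
/* Added example, not code from the page or from OpenBSD/OpenSSL: a
 * guard-page allocator.  The object is placed so that it ends exactly at
 * a page boundary and the following page is PROT_NONE; an over-read then
 * faults instead of leaking.  POSIX mmap/mprotect on Linux is assumed;
 * the function names and sizes are this example's own. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <unistd.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Allocate 'size' bytes right-aligned against a trailing PROT_NONE page. */
void *guarded_alloc(size_t size)
{
    size_t page = page_size();
    size_t data_pages = (size + page - 1) / page;
    size_t total = (data_pages + 1) * page;            /* + 1 guard page */
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    return base + data_pages * page - size;            /* ends at the guard */
}

void guarded_free(void *p, size_t size)
{
    size_t page = page_size();
    size_t data_pages = (size + page - 1) / page;
    unsigned char *base = (unsigned char *)p + size - data_pages * page;
    munmap(base, (data_pages + 1) * page);
}

/* Catch the fault so the demo can report it rather than die. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
static volatile unsigned char sink;   /* keeps the copy from being optimised away */

/* memcpy 'claimed' bytes out of a 'real'-byte guarded buffer, the way a
 * heartbeat handler trusting a lied-about length would.  Returns 1 if the
 * copy hit the guard page (SIGSEGV/SIGBUS caught), 0 if it completed,
 * -1 if allocation failed. */
int overread_faults(size_t real, size_t claimed)
{
    unsigned char *src = guarded_alloc(real);
    unsigned char *dst = malloc(claimed);
    if (!src || !dst) {
        free(dst);
        if (src) guarded_free(src, real);
        return -1;
    }
    memset(src, 'A', real);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(dst, src, claimed);             /* over-read crosses the guard */
        unsigned char acc = 0;
        for (size_t i = 0; i < claimed; i++) acc ^= dst[i];
        sink = acc;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    free(dst);
    guarded_free(src, real);
    return faulted;
}

int main(void)
{
    printf("copy within bounds faults:    %d\n", overread_faults(100, 100));
    printf("copy 16 bytes too far faults: %d\n", overread_faults(100, 116));
    return 0;
}
```

The cost is the one the post mentions: every guarded object burns at least two pages of virtual address space (a data page and a guard), so it is worth doing for key material and similar small, sensitive allocations rather than for every buffer.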
Re: Re: Simple script?
"Which I think shows the general IQ level of the posters on this group. Doubtless these knuckle dragging mouth breathers will mark this down too."
I think you're being downvoted because you're coming across as a bit fighty.
"dropped acronyms into a post in an attempt to gain gravitas"
No, that wasn't my intention.
Re: Simple script?
Bingo. And by simple, I meant there's no screwing around with race conditions, crafting complicated structures, dodging ASLR, building ROP chains and what not. Just simply lie in a length header. Take the rest of the year off.
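The "lie in a length header" point above, as an added example that is not code from the page or from OpenSSL: a model of a TLS heartbeat handler that trusts the peer's payload length, beside the same handler with the length checked against the bytes actually received. The record layout, function names, the 16-byte minimum padding and the constructed "heap" contents are this example's own assumptions, chosen so the over-read is visible.

```c
/* Added example, not code from the page or from OpenSSL: a model of the
 * TLS heartbeat handling that Heartbleed exploited.  Record layout,
 * function names, the minimum padding and the "heap" contents are this
 * example's assumptions, chosen to make the over-read visible. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* A received heartbeat record: 1 type byte, 2-byte big-endian payload
 * length, payload, padding.  'len' is how many bytes actually arrived. */
struct record {
    const unsigned char *data;
    size_t len;
};

static size_t claimed_len(const unsigned char *p)
{
    return ((size_t)p[1] << 8) | p[2];
}

/* Vulnerable: believes the peer's length field and copies that many bytes
 * from the record into the reply, regardless of r->len.  Only the
 * destination is bounds-checked, so the source is over-read. */
size_t heartbeat_vulnerable(const struct record *r, unsigned char *out, size_t outcap)
{
    const unsigned char *p = r->data;
    if (p[0] != HB_REQUEST) return 0;
    size_t payload = claimed_len(p);          /* attacker controlled */
    if (3 + payload > outcap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);          /* reads past the record */
    return 3 + payload;
}

/* Fixed: the claimed length must fit inside the bytes actually received,
 * with room for the minimum padding; otherwise the request is dropped. */
size_t heartbeat_fixed(const struct record *r, unsigned char *out, size_t outcap)
{
    const unsigned char *p = r->data;
    if (r->len < 1 + 2 + HB_MIN_PADDING) return 0;
    if (p[0] != HB_REQUEST) return 0;
    size_t payload = claimed_len(p);
    if (1 + 2 + payload + HB_MIN_PADDING > r->len) return 0;  /* the missing check */
    if (3 + payload > outcap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    return 3 + payload;
}

/* Constructed scenario: a 20-byte request (1 + 2 + 1-byte payload + 16
 * padding) that claims a 64-byte payload, sitting in front of unrelated
 * data in the same buffer, as it might on a heap. */
#define SECRET     "SECRET-SESSION-COOKIE"
#define SECRET_LEN (sizeof(SECRET) - 1)

static size_t run_scenario(int use_fixed, unsigned char *out, size_t outcap)
{
    static unsigned char heap[128];
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = 0;
    heap[2] = 64;                           /* the lie: payload is really 1 byte */
    heap[3] = 'A';                          /* the real payload */
    memcpy(heap + 20, SECRET, SECRET_LEN);  /* neighbouring data */
    struct record r = { heap, 20 };
    return use_fixed ? heartbeat_fixed(&r, out, outcap)
                     : heartbeat_vulnerable(&r, out, outcap);
}

/* 1 if the vulnerable handler echoed the neighbouring secret back. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    size_t n = run_scenario(0, out, sizeof out);
    return n == 3 + 64 && memcmp(out + 20, SECRET, SECRET_LEN) == 0;
}

/* Reply length from the fixed handler: 0 means the request was dropped. */
size_t fixed_reply_len(void)
{
    unsigned char out[128];
    return run_scenario(1, out, sizeof out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed reply length:      %zu\n", fixed_reply_len());
    return 0;
}
```

Nothing here needs a race, a crafted structure or a ROP chain: the only attacker input is the two-byte length, and the only defence is comparing it with the record length the transport actually delivered.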
Re: I don't get it..
"Is the leaked data simply the junk that was in de-assigned memory?"
Yeah, it appears to be dead or alive blocks of memory allocated via some malloc()-like magic. If dead, one wonders why it wasn't zeroed on release.
"just suggesting, perhaps we could be a bit less crap at everything?"
This is why I'm learning Rust for its better pointer and array bounds handling, tho I'm not sure it could have helped here.
Re: Re: @David W.
"Bin Laden was at least evil, but you - you're just a hole in the air."
All right, chum, we get the point: is there really any need for this?
Re: Whose signature?
Correct - Comodo alleges the signing key belongs to Isonet AG, based in Switzerland.
Re: Too many acronym repeats
I know what you mean - but I'm quite cheered that we have readers and writers spanning systems hardware engineering to database software development.
Re: Lots more than that -
Andrew wrote this piece about an hour before the Roslyn announcement. We've got something about that coming up.
Re: Was! Wondering! The! Same! Thing! Myself!
Re: Insert subtitle here
Nah, I'll allow it. Throb is an obvious cliche.
Re: "but the 64-bit x86 Atoms"
Username is relevant.
Re: Stop your crying
"Never had a problem with getting support at the store and having a jailbroken device. So just shaddup with the 'jailbroken? Then you're screwed' crap already."
Ahem. From support.apple.com:
"Apple strongly cautions against installing any software that hacks iOS ... Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software."
PS: We're just reporting what the iFixit guy said. We don't have a strong opinion either way.
Yes, OK. AMD claimed it and we weren't awake enough at the time to think it through, but now we've tweaked that sentence.
Please, don't forget to email corrections@thereg if you spot something odd - we see those emails, but we can't read every comment.
Re: Refresh on early PCs
I understand that's true for various PC things out there. But the docs I'm looking at say the RAM was refreshed by the video electronics in the PCjr: that circuitry governed the first 128KB. From the IBM tech manual:
"Memory refresh is provided by the 6845 CRT Controller and gate array. The gate array cycles the RAM and resolves contention between the CRT and processor cycles."
I'm not aware of a DMA controller in the PCjr.
Re: Enough with the exclamation points already
So! Why! Is! There! an! Exclamation! Point! On! The! Company! Logo! on! Yahoo! Dot! Com!?
Re: Old Handle
"So he's saying wired ethernet is slower than wireless?"
No, and I'm sorry if I wasn't able to make that clear enough. The broadband speed and the Wi-Fi are two separate things. He's upset that all this money is going into wired networks when students and staff prefer to use wireless devices wherever they want.
Then, even once they're connected, getting out to the internet is a PITA anyway.
I'm sorry this isn't clear enough.
Re: Final Seattle vote was unanimous
Edit: We got an earlier non-binding sub-committee meeting mixed up with the binding full city council meeting, although the overall gist of the story is correct (thankfully). Hopefully now the article is accurate - thanks and my apologies.
PS: Please, email corrections@thereg next time you spot something wrong. I may not see your complaint in the comments.
Re: "expansion of space briefly exceeded the speed of light "
"Not really a good way of describing"
How would you describe it?
"an observation of distant possible effects that very closely match theoretical predictions"
That won't fit in a headline, mate.
Also, our prof says: "It's the first detection of gravitational waves."
Re: Commentards Ball
Perhaps, what happens at Commentard Club stays in Commentard Club? :-)
But I understand a good time was had by all.
Re: And this is filed under Security?
Finger trouble. Security and Science look so similar in our publishing system.
Re: Yet another paper made meaningless in popular science coverage...
Please for the love of all you hold dear, please email email@example.com with any problems you spot. We get those emails immediately whereas here I am, a day after publication, catching up with comments and finding a disagreement.
Re: Cloud Overlords
This barely deserves a response. The Register is independently owned (see Companies House), and there is never, never any pressure on editorial to write one way or another. Come on, man, look at these articles:
These are in the first few search results for "cloud", a mix of coverage. You're accusing editorial of corruption. That's really nice. Please post here your name, address and workplace so I can turn up and accuse you of corruption to your boss and customers :-/
Re: Local content?
Pretty sure the Streaming Stick is a pure over-the-internet streaming device. You'll need the more expensive Roku 3 to do something like local streaming (or possibly a lot of fiddling with the Stick).
We've asked Roku for some more info; I'll update the story if that comes in.
Re: Bandwidth starved
"Even if the Reg has misquoted"
Edit: Yes, it should be 40GB/s not 40Gb/s total throughput at full scale. That's been fixed. Please, please, guys, email corrections@thereg with any problems you spot. I can't read every comment for typos :(
Re: Upworthy-style click-bait
Ah, that was my fault. I couldn't help myself. You know we hate UpWorthy headlines, so I'm going to play the it-was-an-ironic-gesture-on-a-friday-afternoon-after-a-week-of-RSA-conference-hangovers card.
"You fucking dick."
C'mon, man. You can do better than that.
Re: Font Change?
I've pinged our front-end web guys in the UK. As someone else said, I think we just have to replace the toner...
Re: Is El Reg running out of e-ink?
I've flagged this up with our front-end web guys, who are in the UK. I believe this is a bug. Do not adjust your set. Please stand by.
Re: Re: This is funny
"it mentions the drama headlines by the Register"
Have you got a link? I can't see it on their website. This should be fun.
Re: Piss poor reporting
"Indeed the reporting of this issue was so poor"
Your understanding is wrong, I'm afraid.
1. Any router between you and your website can take advantage.
2. No, that was a curl bug unrelated to the grave SSL cert issue; all network connections boil down to IP addresses anyway.
3. It was reported on Friday after Apple dropped a 0-day on everyone with no fix available and with no fix delivery date.
Keep it coming. I'm loving it.
Re: Must have been impressive....
We couldn't help ourselves.
(Sometimes, these things happen.)
Re: Re: So in summary
"segments vs. flat address space"
All modern OSes on Intel x86 use flat address spaces. Segmentation is flattened.
Re: Does this affect versions earlier than 10.9?
No. If you're running 10.8 or lower, you're good. The change was introduced in OS X Mavericks.
FWIW Safari 7.0.1 using the default config on a Reg Mac running 10.9.1 can reach gotofail.com, and is flagged up as insecure. I included the link in the article because it's a simple test. YMMV.
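The bug behind gotofail.com, as an added example that is not Apple's SecureTransport code: the "goto fail" shape, with a duplicated unconditional jump that skips the signature check while the error variable still holds success, next to the corrected version. The hash and signature steps are toy stand-ins (an XOR checksum and a one-byte "signature"), and every name, error code and test vector is this example's own.

```c
/* Added example, not Apple's SecureTransport code: the "goto fail" shape.
 * The hash and signature steps are toy stand-ins (an XOR checksum and a
 * one-byte "signature"); all names, error codes and inputs are this
 * example's own. */
#include <stddef.h>
#include <stdio.h>

#define OK           0
#define ERR_BAD_SIG -1

/* Toy stand-in for hashing the signed parameters. */
static int hash_update(unsigned char *h, const unsigned char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) *h ^= data[i];
    return OK;
}

/* Toy stand-in for checking the signature over the hash. */
static int verify_signature(unsigned char h, const unsigned char *sig, size_t siglen)
{
    return (siglen == 1 && sig[0] == h) ? OK : ERR_BAD_SIG;
}

/* Buggy: the duplicated 'goto fail' runs unconditionally while err == OK,
 * so the signature check below it is never reached and any signature
 * "verifies". */
int verify_buggy(const unsigned char *params, size_t plen,
                 const unsigned char *sig, size_t siglen)
{
    int err;
    unsigned char h = 0;
    if ((err = hash_update(&h, params, plen)) != OK)
        goto fail;
        goto fail;                     /* the extra line */
    if ((err = verify_signature(h, sig, siglen)) != OK)
        goto fail;
fail:
    return err;
}

/* Fixed: one goto per condition; the signature check is reachable. */
int verify_fixed(const unsigned char *params, size_t plen,
                 const unsigned char *sig, size_t siglen)
{
    int err;
    unsigned char h = 0;
    if ((err = hash_update(&h, params, plen)) != OK)
        goto fail;
    if ((err = verify_signature(h, sig, siglen)) != OK)
        goto fail;
fail:
    return err;
}

/* Constructed inputs: three parameter bytes (XOR = 0x07), a matching
 * signature and a wrong one. */
static const unsigned char PARAMS[]   = { 0x01, 0x02, 0x04 };
static const unsigned char GOOD_SIG[] = { 0x07 };
static const unsigned char BAD_SIG[]  = { 0x42 };

int buggy_accepts_bad_sig(void)  { return verify_buggy(PARAMS, 3, BAD_SIG, 1) == OK; }
int fixed_accepts_bad_sig(void)  { return verify_fixed(PARAMS, 3, BAD_SIG, 1) == OK; }
int fixed_accepts_good_sig(void) { return verify_fixed(PARAMS, 3, GOOD_SIG, 1) == OK; }

int main(void)
{
    printf("buggy accepts bad signature:  %d\n", buggy_accepts_bad_sig());
    printf("fixed accepts bad signature:  %d\n", fixed_accepts_bad_sig());
    printf("fixed accepts good signature: %d\n", fixed_accepts_good_sig());
    return 0;
}
```

Compilers warn about the unreachable check (GCC's -Wunreachable-code, Clang's -Wunreachable-code and -Wmisleading-indentation), which is why building verification code with warnings as errors, and bracing every single-statement if, are the usual takeaways from this one.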
Re: Re: IP address say whotttt?
Scratch that - it appears to be even worse. I've updated the story.
Re: IP address say whotttt?
"And if they've just simply turned off CN validation (which is what everything's pointing to at the moment) for all iOS handled SSL connections [...]"
Yes, that appears to be it.
Re: John Tserkezis
Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.
Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.
Re: Re: Not steganography
"Paah, the articles qualification was an edit made after I posted"
I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.
IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).
Re: Obviously not
Arghghg - that was my fault :-( Slip of the keys. It's been fixed. Please - next time, email corrections@thereg so these can be fixed asap.