We've Moved! Visit our NEW FORUM to join the latest discussions. This is an archive of our previous conversations...

You can find the login page for the old forum here.
CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
Found vulnerability in OpenSSL 1.0.1 through 1.0.1f Options
 
Vodsel
Senior Member | Skills: Filmmaking and Storytelling, Video and Audio Technology, Teaching, Gardening, Languages (Proficient Spanish, Catalan and English, and some french, italian and russian), Seafood cuisine
#1 Posted : 4/8/2014 2:42:05 PM
To whom it may concern (most likely Trav is aware of this already):

A serious vulnerability in the OpenSSL library was found and reported yesterday, April 7th - The Heartbleed Bug.

Quote:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Fix requires update to OpenSSL 1.0.1g - Statement by OpenSSL project
 
The Traveler
Administrator | Skills: DMT, LSD, Programming
#2 Posted : 4/8/2014 5:55:59 PM
Vodsel wrote:
To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler
 
cyb
Moderator | Skills: Digi-Art, DTP, Optical tester, Mechanic, CarpenterSenior Member | Skills: Digi-Art, DTP, Optical tester, Mechanic, Carpenter
#3 Posted : 4/12/2014 9:10:06 AM
Report: NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

Quote:
The National Security Agency has known about the Heartbleed bug, which has compromised two-third of the world’s websites, for over two years, and has been actively trying to exploit it, according to reports. However, not long after the report surfaced, the NSA denied knowing about the bug before the public did, and called the reports “wrong.”


Source
Please do not PM tek related questions
Reserve the right to change your mind at any given moment.
 
Ufostrahlen
#4 Posted : 4/12/2014 9:41:18 AM
That is why you want Forward Secrecy in your cipher suite. If the key for one session is corrupted, past sessions can't be reconstructed, since with Forward Secrecy the keys are negotiated every single session.

The Nexus uses Forward Secrecy and the Schannel library, not the OpenSSL library. Which may be beneficial, maybe not. OpenSSL is open, Schannel is closed.

The question is: has Schannel a back-door, too? Or are the random number generators in Windows compromised, so reconstruction is easy with huge data centers? Nobody can tell, as the source code isn't open.

Which leads to the ultimate question: has the NSA forced Microsoft to corrupt their random number generators or their cipher library? And sign a non-disclose agreement because of "national security" by "court" order?

The NSA _did_ corrupt RSA, which core business is data security:
http://www.reuters.com/a...a-idUSBREA2U0TY20140331

TL;DR: be careful with your online activity, current events prove that computer security is under attack daily.
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
bindu
#5 Posted : 4/16/2014 1:22:22 AM
The Traveler wrote:
Vodsel wrote:
To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler


As if luck has anything to do with it... Wink

blessed be all forms of intelligence
 
Ufostrahlen
#6 Posted : 11/12/2014 5:19:26 PM
Ufostrahlen wrote:
The question is: has Schannel a back-door, too?

https://technet.microsof...brary/security/ms14-066 Laughing

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
1ce
#7 Posted : 11/13/2014 10:26:02 AM
Ufostrahlen wrote:
Ufostrahlen wrote:
The question is: has Schannel a back-door, too?

https://technet.microsof...brary/security/ms14-066 Laughing

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!


I know of a SoF and remote code exploit that are both unpatched.
 
 
Users browsing this forum
Guest

DMT-Nexus theme created by The Traveler
This page was generated in 0.023 seconds.