We've Moved! Visit our NEW FORUM to join the latest discussions. This is an archive of our previous conversations...

You can find the login page for the old forum here.
CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
Found vulnerability in OpenSSL 1.0.1 through 1.0.1f Options
 
Vodsel
#1 Posted : 4/8/2014 2:42:05 PM

DMT-Nexus member

Senior Member | Skills: Filmmaking and Storytelling, Video and Audio Technology, Teaching, Gardening, Languages (Proficient Spanish, Catalan and English, and some french, italian and russian), Seafood cuisine

Posts: 1711
Joined: 03-Oct-2011
Last visit: 20-Apr-2021
To whom it may concern (most likely Trav is aware of this already):

A serious vulnerability in the OpenSSL library was found and reported yesterday, April 7th - The Heartbleed Bug.

Quote:
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Fix requires update to OpenSSL 1.0.1g - Statement by OpenSSL project
 

STS is a community for people interested in growing, preserving and researching botanical species, particularly those with remarkable therapeutic and/or psychoactive properties.
 
The Traveler
#2 Posted : 4/8/2014 5:55:59 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Vodsel wrote:
To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler
 
cyb
#3 Posted : 4/12/2014 9:10:06 AM

DMT-Nexus member

Moderator | Skills: Digi-Art, DTP, Optical tester, Mechanic, CarpenterSenior Member | Skills: Digi-Art, DTP, Optical tester, Mechanic, Carpenter

Posts: 3574
Joined: 18-Apr-2012
Last visit: 05-Feb-2024
Report: NSA knew about Heartbleed bug and took advantage of it, but the NSA denies the charge.

Quote:
The National Security Agency has known about the Heartbleed bug, which has compromised two-third of the world’s websites, for over two years, and has been actively trying to exploit it, according to reports. However, not long after the report surfaced, the NSA denied knowing about the bug before the public did, and called the reports “wrong.”


Source
Please do not PM tek related questions
Reserve the right to change your mind at any given moment.
 
Ufostrahlen
#4 Posted : 4/12/2014 9:41:18 AM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
That is why you want Forward Secrecy in your cipher suite. If the key for one session is corrupted, past sessions can't be reconstructed, since with Forward Secrecy the keys are negotiated every single session.

The Nexus uses Forward Secrecy and the Schannel library, not the OpenSSL library. Which may be beneficial, maybe not. OpenSSL is open, Schannel is closed.

The question is: has Schannel a back-door, too? Or are the random number generators in Windows compromised, so reconstruction is easy with huge data centers? Nobody can tell, as the source code isn't open.

Which leads to the ultimate question: has the NSA forced Microsoft to corrupt their random number generators or their cipher library? And sign a non-disclose agreement because of "national security" by "court" order?

The NSA _did_ corrupt RSA, which core business is data security:
http://www.reuters.com/a...sa-idUSBREA2U0TY20140331

TL;DR: be careful with your online activity, current events prove that computer security is under attack daily.
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
bindu
#5 Posted : 4/16/2014 1:22:22 AM

*


Posts: 367
Joined: 16-Feb-2011
Last visit: 18-Sep-2017
Location: in your Mind
The Traveler wrote:
Vodsel wrote:
To whom it may concern (most likely Trav is aware of this already):

Luckily we do not do anything with the OpenSSL library.


Kind regards,

The Traveler


As if luck has anything to do with it... Wink

blessed be all forms of intelligence
 
Ufostrahlen
#6 Posted : 11/12/2014 5:19:26 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
Ufostrahlen wrote:
The question is: has Schannel a back-door, too?

https://technet.microsof...ibrary/security/ms14-066 Laughing

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
1ce
#7 Posted : 11/13/2014 10:26:02 AM

Communications-Security Analyst


Posts: 1280
Joined: 17-Aug-2014
Last visit: 05-Feb-2024
Location: Nirvana
Ufostrahlen wrote:
Ufostrahlen wrote:
The question is: has Schannel a back-door, too?

https://technet.microsof...ibrary/security/ms14-066 Laughing

The good news: no big headlines in the mainstream media!1! Folks, nothing to see here, move along!


I know of a SoF and remote code exploit that are both unpatched.
 
 
Users browsing this forum
Guest

DMT-Nexus theme created by The Traveler
This page was generated in 0.022 seconds.