Wait, is #heartbleed yet another bug that would've been impossible with any language with sane boundary checks like #Ada or #CommonLisp? (And also yet another malloc & equivalents considered harmful, I suppose.)
Why are we still not learning anything?
But as open source projects have learned the hard way, the fact that anyone *can* audit your widely used, high-stakes code doesn't mean that anyone *will*.
The #Heartbleed vulnerability in #OpenSSL was a wake-up call for the open source movement - a bug that endangered every secure webserver connection in the world, which had hidden in plain sight for years.
36/
@dekkzz76 The argument is not that #opensource means 100% secure & proven code.
The argument is that closed source can't be checked by interested parties.
So #FOSS has a chance to be checked. Closed source can't be checked.
The fact that #heartbleed was detected & fixed in a short-term period is actually a great argument for FOSS. If #OpenSSL had been closed source, we probably would still run insecure code all over the world because of this issue without noticing except maybe some bad guys.
#opensource #FOSS #heartbleed #openssl
In the latest episode of #Softwarekatastrophen you will learn, using the examples of #Heartbleed and #Jetleak, how our data can be read by third parties and what private users can do for their own security.
Tune in:
Friday, 13 January at 9 a.m. on 104.8 FM and in the stream.
#softwarekatastrophen #heartbleed #jetleak
As we do every 31 December, we dedicate a post to the programmer who, on New Year's Eve 2011/2012, introduced a spectacular bug into OpenSSL #Heartbleed. Happy New Year, colleagues, and don't touch any code tonight.
@ian yes, by some managers it is. Like always, upgrades or purely technical changes/improvements are postponed to the last possible moment. And since this all happens under the hood, all the work needed (creating an inventory of the systems/crypto used, testing, planning the change, ...) is planned *after* an incident happened. See the chaos that #heartbleed caused.
"Technical stuff never has a business value and therefore it is ignored." /sarcasm off
I was doing some research for an internal presentation and discovered that there are still over 200k Heartbleed-vulnerable servers (according to Shodan). I am genuinely surprised. #heartbleed #patching #shodan
S3 Ep107: Eight months to kick out the crooks and you think that’s GOOD? [Audio + Text] - Listen now - latest episode - audio plus full transcript https://nakedsecurity.sophos.com/2022/11/03/s3-ep107-eight-months-to-kick-out-the-crooks-and-you-think-thats-good-audio-text/ #nakedsecuritypodcast #cyberextortion #vulnerability #cybercrime #databreach #heartbleed #law&order #dataloss #malware #podcast #privacy #openssl #patches #google #apple #bust
Sh*t.. #Heartbleed 2.0? #OpenSSL Warns of Second-Ever Critical #security Security Flaw
https://www.esecurityplanet.com/threats/critical-openssl-vulnerability/
#heartbleed #openssl #security
OpenSSL 3 patch, once Heartbleed-level “critical,” arrives as a lesser “high” - https://arstechnica.com/?p=1894214 #vulnerability #heartbleed #security #openssl #biz&it #patch #tech #ssl
@clarkee #heartbleed was particularly bad because many of the appliance vendors (like F5) were vulnerable. This made patching difficult, if patches were even available within a reasonable timeframe.
This list of #openssl versions for Linux distros leads me to believe it's less likely we'll see vulnerable versions of #openssl in Linux-based appliances. But, like everyone else here, I can only speculate. We'll know soon enough 😉.
https://twitter.com/laughing_mantis/status/1586065731623395328?s=21
Important notice for those using OpenSSL 3.x: First Critical Security Issue since #Heartbleed (2016). Be ready to upgrade on November 1st!
Those using OpenSSL 1.1.1 or LibreSSL should be safe (but it is always good to keep your system up to date 😇)
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html
The OpenSSL severity categories were introduced after the #Heartbleed fiasco and this will be the 2nd #OpenSSL release marked as CRITICAL.
The first CRITICAL security-fix release was created to fix some Denial-of-Service and potential Remote-Code-Execution issues introduced in a Heartbleed mitigation patch for OCSP.
GnuTLS patches memory mismanagement bug – update now! - GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn... https://nakedsecurity.sophos.com/2022/08/01/gnutls-patches-memory-mismanagement-bug-update-now/ #vulnerability #cve-2022-2509 #cryptography #double-free #heartbleed #gnutls
Only "two guys named Steve" were looking after OpenSSL. The result: #Heartbleed. A bug through which private data can be read out of encrypted connections.
The #SovereignTechFund is meant to sustainably fund #OpenSource base technologies. https://sovereigntechfund.de/
#opensource #SovereignTechFund #heartbleed
Some folks who can't bear the hassle of publishing use Google Drive to share guides or tutorials. Here's one by a Mr. John Walkley on the #OpenSSL #Heartbleed Bug!
https://drive.google.com/file/d/0B6CeyVxyZP2bLVNWSlJfRWZrWFU/edit
#googledrive #countdown
3 days to go until Google locks old Drive links on September 13!
#countdown #googledrive #heartbleed #openssl
Ok, now I see your aggressiveness in this thread is just due to confusion.
When you write:
```
The complexity is understood by experts collectively, and if they honestly serve the general public it's not a problem what so ever.
```
it becomes evident you have no clue about programming and software.
Do you know the history of #Heartbleed?
There are thousands of severe security vulnerabilities in software discovered every year because:
1) not even experts, collectively¹ or not, understand the software they code
2) when a system is not fully understood by any single mind, you just need ONE dishonest expert to introduce subtle vulnerabilities.
Indeed this happens continuously in the real world, like it or not (I don't).
Anyway, feel free to keep your loved chains on your mind singing "Don't worry... be happy..." 🎶🎙️🎶
Bye!
___
¹ whatever "collectively" means in the context of understanding complex and ever-changing systems
The guys at UMN demonstrated in an UNDENIABLE way that nothing changed since #Heartbleed DESPITE the #LinuxFoundation.
Step 1) prove that #LinuxFoundation didn't solve anything since #Heartbleed.
Step 2) enjoy #Linux kernel developers' hate.
https://lore.kernel.org/lkml/20210427145347.00003846@tesio.it/
#linux #linuxfoundation #heartbleed