
Heartbleed SSL exploit [CVE-2014-0160]

Discussion in 'Business & Enterprise Computing' started by HeXa, Apr 9, 2014.

  1. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    You can't outsource risk however...

    I mean sure your mitigating control is that the company has an adequate level of review before they deploy code, but at the end of the day experience tells us to never rely on that.

    If this was a Microsoft issue, it would be BAU for everyone, but because it's FOSS suddenly the skies are a-falling.
     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    But you can outsource blame.
     
  3. MR CHILLED

    MR CHILLED D'oh!

    Joined:
    Jan 2, 2002
    Messages:
    162,434
    Location:
    Omicron Persei 8
    Some sites are suggesting not to use the net for a few days...heh
     
  4. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    If you're selecting a product purely based off the merits of being able to blame someone, that's a pretty disappointing mindset.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    If it was a Microsoft issue, there would be an OOB patch issued, we'd all be updating like we are now and we would all be wondering how Microsoft could have missed a bounds check in such an important component (and probably accusing them of being on the NSA payroll).

    But because it's FOSS, we are wondering how everyone who uses it missed it, and I think it's a fair question to ask.

    Look at the list of sites posted a while back. Google hire the smartest people on the planet, and it was not discovered by them until 2 years down the track.

    The fact that it's in OpenSSL, which is used by tonnes of vendors, in security appliances no less... makes me wonder if anyone in the FOSS world does the verify step anymore?

    I'm a PHB... Covering my own Ass is only second to receiving vendor kickbacks when it comes to choosing products.
     
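The missed bounds check referred to in the post above, as an added illustration that is not code from OpenSSL or from any poster: a toy heartbeat-style record handler in C, with the unchecked version that copies as many bytes as the claimed length says beside the checked version that drops any claim larger than the record actually received. The in-memory layout, the PADDING and HEAP_SIZE constants and the secret value are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define PADDING 16
#define HEAP_SIZE 64

/* Constructed stand-in for process memory: the received record sits at the
 * start and unrelated data (a made-up secret) sits immediately after it. */
static uint8_t heap[HEAP_SIZE];
static const char secret[] = "SECRET-COOKIE-42"; /* constructed value */

/* Write a heartbeat-style request (type, 16-bit claimed payload length, real
 * payload, padding) into heap, then the secret; returns the received length. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    size_t real = strlen(payload);
    memset(heap, 0, sizeof heap);
    heap[0] = 1; /* request type */
    heap[1] = (uint8_t)(claimed_len >> 8);
    heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap + 3, payload, real);
    memset(heap + 3 + real, 'P', PADDING);
    size_t record_len = 3 + real + PADDING;
    memcpy(heap + record_len, secret, sizeof secret);
    return record_len;
}

/* Unchecked handler: trusts the claimed length, so a claim larger than the
 * record copies whatever follows it. The clamp only keeps this toy inside its
 * own array; it is not the fix. Returns bytes copied into out. */
static size_t handle_unchecked(uint8_t *out, size_t out_cap) {
    size_t claimed = (size_t)((heap[1] << 8) | heap[2]);
    size_t limit = out_cap < HEAP_SIZE - 3 ? out_cap : HEAP_SIZE - 3;
    if (claimed > limit) claimed = limit;
    memcpy(out, heap + 3, claimed);
    return claimed;
}

/* Checked handler: header + claimed payload + padding must fit inside the
 * record actually received, otherwise the message is dropped (returns 0). */
static size_t handle_checked(uint8_t *out, size_t out_cap, size_t record_len) {
    size_t claimed = (size_t)((heap[1] << 8) | heap[2]);
    if (1 + 2 + claimed + PADDING > record_len || claimed > out_cap) return 0;
    memcpy(out, heap + 3, claimed);
    return claimed;
}
```

With a request that claims 40 bytes but carries 3, the unchecked handler's response contains the secret starting 19 bytes in, while the checked handler returns 0 and copies nothing.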
  6. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    And this is the issue with large corps, they don't want to develop since they can't blame anyone.
     
  7. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    I had to google that TLA to work out wtf you were on about with PHB for a second :lol:

    Honestly part of the issue IMO is that it worked all together pretty well, so people weren't looking at things as frequently as other packages.

    Saying that people who used it should have seen it isn't a great argument though; the majority of FOSS users, just as virtually all closed source users, do not verify their code before they use it.

    Honestly, if it was closed source I don't believe this issue would have been noticed for much longer, and patching would have definitely been a bigger pain than it was.
     
  8. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Really? So none of the other systems you're running have had a security bug before? You don't happen to run Windows 7 on any systems at all? It's not like it's had dozens of exploits with a high severity or anything.

    Only if you have very naive thinking. As per the link above, there have been plenty of exploits discovered without the source code so it completely negates any belief the closed source has any sort of advantage.

    I'm amazed that people still think like this, especially in the IT world.
     
  9. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,805
    Location:
    Brisbane
    Once again, this bug is one fuckup. Nothing is perfect, and fuckups happen.

    Compare and contrast the fuckups of equal impact/magnitude that have come from Microsoft/Adobe/etc over the years.

    Open source does not guarantee perfect security, but thus far it has averaged better security. If your faith in open source on the whole has been rocked by this one event, by all means go back to proprietary vendors for your crypto libraries. I, however, will not be joining you.
     
  10. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    So it turns out that the OpenSSL group turned off a feature of malloc and mmap that was introduced years ago to prevent EXACTLY this kind of bug.

    Theo is well known to be a bit of an outspoken jerk, but it would appear that he's correct in this instance.

    This bullshit that it's 3 days old now is exactly that.

    OpenSSL claim google told them on April 1.

    Google no doubt patched the majority of their shit before they told OpenSSL (to do otherwise would be stupid).

    Name one that has affected literally 2/3rds of the internet.

    We seriously haven't had anything *this* bad on the MS side since we were exploiting the shit out of Win2k-era IIS and SQL. Most of which was down to people putting dev security installs onto webfacing boxes.

    It really depends on who you're trying to defend against. Part of the EAL certification (which is no doubt outdated and replaced by now) was that MS handed over their source for auditing... Bet your ass that the NSA has it.
     
    Last edited: Apr 11, 2014
  11. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    Oracle java comes to mind...
     
  12. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    How does this logically not shake your faith in FOSS?

    It's a solid example of the model breaking down (not saying that any of the other options are better, relatively speaking).

    The fallout will be interesting, especially given the links Nsanity posted. If a proprietary system did something similar, (willfully and knowingly disabled security checks) it would be bordering on negligence and someone would take them to task over it.
     
  13. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    It's called statistical significance. If you had one hardware failure with thousands of systems, would you automatically think "I'm never touching that brand again"?

    The "model" didn't break down, in fact it's contributed to having it discovered, patched and rapidly deployed. That's a benefit of FOSS.

    Don't fool yourself, the same type of bug could just as easily occur in any other system.
     
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Yes, the bug itself is statistically insignificant, and yes, FOSS made it easier to find (for both hats), and yes, the bug could easily occur in any other system.

    Again, not drawing any comparison with alternatives... but just looking at FOSS in a nutshell

    You either audit every line of code yourself, or you trust that someone else has done so and it's free of world-ending bugs.

    What this bug has shown, is that NOBODY has taken the first option, and EVERYBODY has taken the second... Either I've got the Model wrong (if so, please correct me) or the Model is broken.
     
  15. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    68,463
    Location:
    brisbane
    software has bugs, more news at 11
     
  16. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    It's effectively what power said mate. You can run static code analysis all you want, and manually review things, but the reason they're bugs is because it's human error, and programming errors are notoriously difficult to find.

    If we had a magic bullet tool / methodology to throw at them to fix 100% of bugs, someone else would become a billionaire.

    Also if you think any of your commercial software has had every line of code audited you'd be sorely wrong :) (unless of course that was part of the product features).
     
  17. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Of course no-one else has done it - Including a lot of companies in the game of providing security using the OpenSSL libraries.

    But absolutely zero will change after this.

    You have FOSS Advocates pointing out that "SEE LOOK WE FIXED IT FAST" (I disagree with that - at least 10 days for an exploit that hands an attacker everything up to and including the crown jewels).

    You have FOSS Detractors saying "The key point of FOSS has failed here".

    The end result is, some areas of cryptography are horribly written (or just plain ridiculously hard) and no-one wants to audit that shit (or in some cases is really qualified to).

    I have a mate who works fairly closely with OpenSSL - the codebase is an absolute mess, and the team don't give a shit about fixes submitted to them most of the time. They just have their fixes they need for their uses forked and go about their business.

    The fact that they turned off a feature that could have protected them against this is downright negligence and just another example of how at its core - developers for the most part care about making it work, before they care about security.
     
  18. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    From the link NSanity posted:

    There was a magic bullet for this particular case, it was explicitly coded around. But for some reason it raised no flags for anyone looking at the code?

    Yes, software has bugs, I've got no issues with that. I'm just yet to find a satisfactory answer as to how a game-breaking bug sits in one of the most used (in the security field no less) libraries in the Internet world for 2 years, when one of the core strengths of FOSS is that it's supposed to be QA'd by so many different people.
     
  19. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    As an aside - from the real world.

    Friend who writes VPN Client that has some reliance on OpenSSL.

     
  20. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,046
    Location:
    Brisbane
    Because crypto is a niche area that most people don't know jack shit about unfortunately.

    It's the security through obscurity argument in reverse really, where it's security requiring a degree of complexity in solving the programming problem. Because you're looking at complex code to support a complex mathematical process, not a word processor, it's more likely for bugs to slip through like this.

    If the function works, and has no bugs, people are less likely to look at it.

    Same as any old closed source program really.

    Also, whilst that security option may have mitigated this exploit, what about another potential exploit? 20/20 hindsight and all that.
     
    Last edited: Apr 11, 2014
