heartbleed bug

Professional Engineer & PE Exam Forum


engineergurl
not even cool. this link has a virus attached.

EDIT: My desktop scanner went off

 
It would appear the funny man from NJ has returned. No detrimental effects that I can see.



 
I don't know. I was serious. I'm running Malwarebytes. I def got a notification

 
We're giving it a few days before we change our passwords. I always find these things fascinating, how a single line of code can have one parameter changed and result in serious unintended consequences.

 
Seems consequential to me. What kind of sites do you look at on your lunch break anyway? :eek:hmy:

And I don't see how changing an online password is going to alleviate the issue. It's still an online password. LOL

 


It's not going to alleviate the issue; the servers running OpenSSL will fix the code on their end. This is just to protect against any unknown prior exploitation of this bug. I don't think that's a stupid line of reasoning so please don't LOL at silly me.

 


I came to the same conclusion...

...then again, I forget my passwords so often, I'm usually changing them every time I log on, so chances are if someone got my password previously, it's already been changed

 
I by no means was LOL'ing at you. If you read the comments section, that's what they're telling people to do. I was LOL'ing at their resolve. I would go the encryption/firewall route more over just simply changing a password. Now get me a cookie! ;)

 
is this the thing we have to stick our cards into in order to get on any of the Army websites at home with

 
Yes that is one form of encryption, but that would be a bit extreme in my opinion. 2-step authentication would probably be a better, easier alternative to implement.

 
.....and fb

Which has TONS of external links to other malware ridden sites and games. ;)

I agree. However I got the notification while working. I opened EG's link, boss came over so I minimized. Boss walked away and then I got the notification.

Well either way, the MBAM log file (scan or probably activity) should contain info on where the malware originated. If you wanted to know for certain.

 
This seems to be the most solid remedy I've seen yet:

Some of our infrastructure uses custom-compiled Nginx, which utilized the flawed OpenSSL library. Other services use the binaries provided by the OS (for example, CentOS or Ubuntu). That fixed the critical issue of random bits being displayed to an attacking user, which could then be used to steal session information or reveal our private certificate with which we encrypt SSL traffic. In theory, that means if someone has that certificate and has collected our traffic, they could decrypt it to see what was transmitted. This is an unlikely situation, but due to the length of time this bug was active within OpenSSL, it is a concern (especially considering the latest revelations of mass data surveillance.)
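The "one parameter changed" remark earlier in the thread and the quoted explanation of memory being returned to the peer both describe the same defect, so here is an added illustration of it in plain C. This is not code from the thread, from OpenSSL, or from the quoted operator; it is a self-contained simulation in which a constructed memory buffer holds a 21-byte heartbeat record (type, two-byte length, 2-byte payload, 16 bytes of padding) followed by a made-up secret. The vulnerable handler echoes back as many bytes as the sender's length field claims; the hardened handler adds the single comparison that the OpenSSL 1.0.1g fix introduced (header + claimed length + minimum padding must not exceed the record actually received). The names `handle_heartbeat_vulnerable`, `handle_heartbeat_fixed`, `bytes_leaked` and `response_contains_secret` are this example's own, and the secret string is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE   64
#define HB_HDR     3    /* type (1 byte) + payload length (2 bytes, big-endian) */
#define HB_PADDING 16   /* minimum random padding a heartbeat message must carry */

/* Constructed process memory: one heartbeat record (header, 2-byte payload
 * "hi", 16 bytes of padding) followed immediately by unrelated data that the
 * peer must never see. Everything stays inside mem[] so the simulation itself
 * has no undefined behaviour, whatever the handlers do. */
static unsigned char mem[MEM_SIZE];
static const size_t real_record_len = HB_HDR + 2 + HB_PADDING;   /* 21 bytes */
static const char secret[] = "SECRET-COOKIE";                     /* constructed */

static void build_memory(uint16_t claimed_len) {
    memset(mem, 'X', sizeof mem);                 /* padding and filler bytes */
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);   /* length field the peer controls */
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HDR, "hi", 2);                /* the payload actually sent */
    memcpy(mem + real_record_len, secret, sizeof secret - 1); /* neighbouring data */
}

/* Vulnerable handler: trusts the length field and never compares it with the
 * size of the record that was really received. Returns the response length. */
static int handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                       unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                     /* the defect: rec_len is ignored */
    if ((size_t)HB_HDR + claimed > out_cap) return -1; /* only keeps the demo inside out[] */
    out[0] = 2;                                        /* heartbeat response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);       /* copies past the real record */
    return HB_HDR + claimed;
}

/* Hardened handler: one added comparison, the same shape as the check that
 * shipped in OpenSSL 1.0.1g. A claim larger than the record is dropped. */
static int handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + claimed + HB_PADDING > rec_len) return -1; /* silently discard */
    if ((size_t)HB_HDR + claimed > out_cap) return -1;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);       /* now provably within rec */
    return HB_HDR + claimed;
}

/* Runs one handler over the constructed memory and returns how many bytes
 * beyond the real record were sent back (0 = nothing leaked, -1 = rejected). */
static int bytes_leaked(int fixed, uint16_t claimed_len) {
    unsigned char out[MEM_SIZE + HB_HDR];
    if ((size_t)HB_HDR + claimed_len > MEM_SIZE) return -2; /* harness limit, not a check */
    build_memory(claimed_len);
    int n = fixed ? handle_heartbeat_fixed(mem, real_record_len, out, sizeof out)
                  : handle_heartbeat_vulnerable(mem, real_record_len, out, sizeof out);
    if (n < 0) return -1;
    return (size_t)n > real_record_len ? (int)((size_t)n - real_record_len) : 0;
}

/* 1 if the constructed secret appears anywhere in the response, else 0. */
static int response_contains_secret(int fixed, uint16_t claimed_len) {
    unsigned char out[MEM_SIZE + HB_HDR];
    if ((size_t)HB_HDR + claimed_len > MEM_SIZE) return 0;
    build_memory(claimed_len);
    int n = fixed ? handle_heartbeat_fixed(mem, real_record_len, out, sizeof out)
                  : handle_heartbeat_vulnerable(mem, real_record_len, out, sizeof out);
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; n > 0 && i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claimed 40: %d bytes leaked, secret present: %d\n",
           bytes_leaked(0, 40), response_contains_secret(0, 40));
    printf("fixed,      claimed 40: %d (rejected)\n", bytes_leaked(1, 40));
    printf("fixed,      claimed  2: %d bytes leaked\n", bytes_leaked(1, 2));
    return 0;
}
```

With a claimed length of 40 against a 21-byte record, the vulnerable handler returns 22 bytes that were never part of the request, the constructed secret among them; the hardened handler rejects that request outright while still answering an honest 2-byte heartbeat. That is the whole of the fix, and it is why the operator quoted above had to rotate the certificate as well as patch: the check stops future leaks but cannot undo earlier ones.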
 


That isn't a remedy, that is just an explanation... and it tells me that even if I were encrypting it in addition to THEIR encryption stuff, since the hacker dude has the certificate, it can all be decrypted because technically it has reached the intended recipient (or thinks it has)... The quote makes absolutely no sense. I think it's computer geeks thinking they are smart and trying to fool everyone, not realizing that in spite of the lack of terminology usage, we aren't dumb....

 
I believe you missed the facts here sweet cheeks. It IS a remedy.

Infrastructures need to start migrating from the Nginx system that uses OpenSSL. There are 2 (among others) systems that use different binaries where they would be immune to this exploit (i.e. CentOS or Ubuntu). Further protection measures would include firewalls and encryption.

The REALLY smart computer geeks, do not give explanations like this to the general public. LOL They just implement their solution and don't talk about it when everyone learns the problem has been fixed. :thumbs:

 