[email protected] (Mike Schwab) writes:
> NSA used the Heartbeat bug for at least the last two years.
> http://www.motherjones.com/politics/2014/04/heartbleed-bug-internet-security-ssl

I would claim that this is another instance of length issues not being handled correctly in C programming language ... something that I've pontificated a lot in the past. C language length issues used to be much higher percentage of exploits ... but as other forms of exploits came into their own ... it has declined as percentage of all exploits.

old reference to IBM research report looking at length related exploit ...
http://www.garlic.com/~lynn/2002l.html#42 Thirty Years Later: Lessons from the Multics Security Evaluation
http://www.garlic.com/~lynn/2002l.html#43 another 30 year thing
http://www.garlic.com/~lynn/2002l.html#44 Thirty Years Later: Lessons from the Multics Security Evaluation
http://www.garlic.com/~lynn/2002l.html#45 Thirty Years Later: Lessons from the Multics Security Evaluation

including reference that Multics never had length related exploits.

the original mainframe tcp/ip product was implemented in vs/pascal and also was not known to have any length related exploits. It did have some throughput issues ... but I did the changes to support RFC1044 and got possibly 500 times improvement in bytes moved per instruction executed (3090 got 44kbytes/sec using full 3090 processor, some tuning tests at cray research between cray and 4341, got sustained 4341 channel media throughput using only modest amount of 4341 processor) ... some past references
http://www.garlic.com/~lynn/subnetwork.html#1044

old posts about doing analysis on the full CVE exploit database ... trying to calculate percentage of types of exploits ... and then later NIST coming up with similar results.
http://www.garlic.com/~lynn/2004e.html#43 security taxonomy and CVE
http://www.garlic.com/~lynn/2004f.html#20 Why does Windows allow Worms?
http://www.garlic.com/~lynn/2005b.html#20 Buffer overruns

recent post about rise of new kind of exploit in the late 90s, resulting in buffer length exploits being smaller percent of total
http://www.garlic.com/~lynn/2014e.html#30 Zeus malware found with valid digital certificate

recent long-winded discussion in the (linkedin) IETF (internet standards) group
http://lnkd.in/dthBCEH

discussing TCP/IP Might Have Been Secure From the Start If Not For the NSA
http://beta.slashdot.org/story/200323

recent ibm-main posts mentioning above
http://www.garlic.com/~lynn/2014e.html#25 Is there any MF shop using AWS service?
http://www.garlic.com/~lynn/2014e.html#42 Semi-OT: Government snooping was Re: Is there any MF shop using AWS service?

past posts mention c-language epidemic of length related exploits
http://www.garlic.com/~lynn/subintegrity.html#buffer

I've had other issues with SSL over the years ... some past posts
http://www.garlic.com/~lynn/subpubkey.html#sslcert

we had been brought in to consult with small client/server startup on payment transactions that they wanted to do on their server, they had also invented this technology called "SSL" they wanted to use, the result is now frequently called "electronic commerce". We got to do mapping of the technology to payment business process ... and also reviews of these new business operations (PKI/CAs) selling SSL digital certificates.

some recent posts
http://www.garlic.com/~lynn/2014b.html#23 Quixotically on-topic post, still on topic
http://www.garlic.com/~lynn/2014b.html#26 Royal Pardon For Turing
http://www.garlic.com/~lynn/2014d.html#13 Royal Pardon For Turing
http://www.garlic.com/~lynn/2014e.html#7 Last Gasp for Hard Disk Drives
http://www.garlic.com/~lynn/2014e.html#25 Is there any MF shop using AWS service?
http://www.garlic.com/~lynn/2014e.html#27 TCP/IP Might Have Been Secure From the Start If Not For the NSA
http://www.garlic.com/~lynn/2014e.html#30 Zeus malware found with valid digital certificate

--
virtualization experience starting Jan1968, online at home since Mar1970
