Matt Simpson <[email protected]> writes:
> I think this report is BS. After Heartbleed became public knowledge
> due to research by somebody else, Bloomberg's mysterious sources
> suddenly said "Old news, NSA has been exploiting that for years, but
> we just now decided to tattle on them".
>
> Of course, I don't trust the NSA's denial either. I'm sure that, if
> the NSA had been aware of the bug, that they would have taken
> advantage of it and lied about it. I just don't put much faith in the
> reports of unknown sources who have not demonstrated that they really
> know anything that isn't already public. I'd be more likely to
> believe it if somebody (like Snowden) claimed the NSA had found a hole
> in SSL before the hole was common knowledge.

openssl
http://www.openssl.org/

tls heartbeat read overrun
http://www.openssl.org/news/secadv_20140407.txt

from above:

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

... snip ...

1.0.1 18jan-2012 ...
http://www.openssl.org/news/

slightly over two years ... modulo whenever various applications incorporated versions of openssl with the bug.

re:
http://www.garlic.com/~lynn/2014e.html#25 Is there any MF shop using AWS service?
http://www.garlic.com/~lynn/2014e.html#42 Semi-OT: Government snooping was Re: Is there any MF shop using AWS service?
http://www.garlic.com/~lynn/2014e.html#56 "NSA foils much internet encryption"

--
virtualization experience starting Jan1968, online at home since Mar1970
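
The bounds check the quoted advisory refers to, as an added example (not OpenSSL's code and not part of the original message). It assumes the RFC 6520 heartbeat layout of a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding; the function names, constants and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER   3u  /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING 16u  /* minimum padding required by RFC 6520 */

/* Constructed sample records; trailing bytes are zero padding. */
static const uint8_t HB_OK[23]  = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[20] = {0x01, 0xFF, 0xFF, 'x'}; /* claims 65535 bytes */

/* Payload length the peer claims, read from bytes 1..2 (big-endian). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes past the received record an echo would read if the claimed
 * length were trusted with no check. 0 means the claim fits the record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t avail = rec_len - HB_HEADER;
    return claimed > avail ? claimed - avail : 0;
}

/* Bounds-checked handler: copies the payload to out and returns its length,
 * or -1 when the record has to be discarded without a response. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;   /* too short to be valid */
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len)    /* claim exceeds record */
        return -1;
    if (claimed > out_cap) return -1;                  /* caller buffer too small */
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

int main(void) {
    uint8_t out[64];
    printf("well-formed: echoed %ld bytes, unchecked over-read %zu\n",
           hb_echo_checked(HB_OK, sizeof HB_OK, out, sizeof out),
           hb_overread(HB_OK, sizeof HB_OK));
    printf("oversized claim: result %ld, unchecked over-read %zu\n",
           hb_echo_checked(HB_BAD, sizeof HB_BAD, out, sizeof out),
           hb_overread(HB_BAD, sizeof HB_BAD));
    return 0;
}
```

The 2-byte length field is what bounds the exposure at the "up to 64k" figure in the advisory.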
