Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread Tzafrir Cohen
On Sat, Apr 26, 2014 at 02:20:17PM +0300, Sorana Fraier wrote:
> There is now a fork by openbsd people for openssl. It's called libressl.
> 
> http://www.libressl.org/
> 
> They crave more people to help.

Not really. If they wanted more people they wouldn't use the OpenBSD
CVS.

This is the only example I can think of of a project switching from Git
to CVS. Though we had OpenOffice switching from Mercurial to Subversion
when moving to Apache.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend
___
Haifux mailing list
Haifux@haifux.org
http://haifux.org/mailman/listinfo/haifux


Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread ik
On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier wrote:

> There is now a fork by openbsd people for openssl. It's called libressl.
>
> http://www.libressl.org/
>

Why a fork?!
There are bugs, some of them are set to be security risks, but you can
never avoid bugs.
And when C and C++ are your main programming languages, the number of bugs
rises, due to so many reasons such as:
1. memory management (with all of its issues)
2. Improper data input
3. hard code to read and understand

etc...

I do think that the Heartbleed issue was anything else but a bug, and
rewriting code will not make things less vulnerable for the next big bug
that might exist.

So why do they fork it?!


>
> They crave more people to help.
>
>
> On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev wrote:
>
>>  If any of you guys and gals think this isn't serious, think twice. The
>> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
>> of being announced. There is a wave of security compromises all over the
>> world and sane CAs are offering free renewals of SSL certificates.
>>
>>
>> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>>
>> Hi all,
>>
>> I suppose that the security freaks already know about this, and still,
>> this seems important enough for an alert.
>>
>> In a nutshell, a bug in the mechanism that allows keepalive messages to
>> be sent to maintain an SSL link, also allows, accidentally, a remote
>> attacker to read a segment of up to 64 kBytes from the server's memory.
>> It doesn't give access to any chunk of 64 kBytes, but it's a segment
>> which is likely to be dirty with data that belongs to the process
>> running OpenSSL. So there's a chance that data related to private keys
>> and passwords is revealed this way.
>>
>> See http://en.wikipedia.org/wiki/Heartbleed
>>
>> I haven't found any tool checking a local SSH server, say as source code
>> in C. I suppose it's being avoided for the sake of not supplying the
>> almost-finished attack to script kiddies.
>>
>> Hag Sameah,
>>
>> Eli
>>
>>
>>
>>


[Haifux] [HAIFUX LECTURE] VSwapper, a guest-agnostic memory swapper for virtual environments -- Nadav Amit

2014-04-26 Thread Eli Billauer
On Monday, April 28th at 18:30, Haifux will gather to hear a talk by 
Nadav Amit:

VSwapper, a guest-agnostic memory swapper for virtual environments

Abstract

The number of guest virtual machines that can be consolidated on one 
physical host is typically limited by the memory size, motivating memory 
overcommitment. Guests are given a choice to either install a "balloon" 
driver to coordinate the overcommitment activity, or to experience 
degraded performance due to uncooperative swapping. Ballooning, however, 
is not a complete solution, as hosts must still fall back on 
uncooperative swapping in various circumstances. Additionally, 
ballooning takes time to accommodate change, and so guests might 
experience degraded performance under changing conditions.

Our goal is to improve the performance of hosts when they fall back on 
uncooperative swapping and/or operate under changing load conditions. We 
carefully isolate and characterize the causes for the associated poor 
performance, which include various types of superfluous swap operations, 
decayed swap file sequentiality, and ineffective prefetch decisions upon 
page faults. We address these problems by implementing VSwapper, a 
guest-agnostic memory swapper for virtual environments that allows 
efficient, uncooperative overcommitment. With inactive ballooning, 
VSwapper yields up to an order of magnitude performance improvement. 
Combined with ballooning, VSwapper can achieve up to double the 
performance under changing load conditions.

=

We meet in Taub building, room 6. For instructions see:
http://www.haifux.org/where.html

Attendance is free, and you are all invited!

==
Future lectures:

There are no scheduled lectures.


==

We are always interested in hearing your talks and ideas. If you wish to 
give a talk, hold a discussion, or just plan some event Haifux might be 
interested in, please contact us at webmas...@haifux.org

-- 
Web: http://www.billauer.co.il



Re: [Haifux] The Heartbeat vulnerability in OpenSSL (and hence ssh/https)

2014-04-26 Thread Sorana Fraier
There is now a fork by openbsd people for openssl. It's called libressl.

http://www.libressl.org/

They crave more people to help.


On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev wrote:

>  If any of you guys and gals think this isn't serious, think twice. The
> CloudFlare SSL Heartbleed challenge site's SSL key was stolen within hours
> of being announced. There is a wave of security compromises all over the
> world and sane CAs are offering free renewals of SSL certificates.
>
>
> On 04/11/2014 08:35 AM, Eli Billauer wrote:
>
> Hi all,
>
> I suppose that the security freaks already know about this, and still,
> this seems important enough for an alert.
>
> In a nutshell, a bug in the mechanism that allows keepalive messages to
> be sent to maintain an SSL link, also allows, accidentally, a remote
> attacker to read a segment of up to 64 kBytes from the server's memory.
> It doesn't give access to any chunk of 64 kBytes, but it's a segment
> which is likely to be dirty with data that belongs to the process
> running OpenSSL. So there's a chance that data related to private keys
> and passwords is revealed this way.
>
> See http://en.wikipedia.org/wiki/Heartbleed
>
> I haven't found any tool checking a local SSH server, say as source code
> in C. I suppose it's being avoided for the sake of not supplying the
> almost-finished attack to script kiddies.
>
> Hag Sameah,
>
> Eli
>
>
>
>
___
Haifux mailing list
Haifux@haifux.org
http://haifux.org/mailman/listinfo/haifux
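Eli's summary above describes a keepalive (heartbeat) handler that trusted the length field inside the message. The C below is an added illustration, not OpenSSL's or LibreSSL's code: it parses the RFC 6520 heartbeat layout (type, 16-bit payload length, payload, at least 16 bytes of padding) and refuses to echo more bytes than were actually received, which is the bound the vulnerable handler never checked. The two sample records are constructed, and the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16  /* RFC 6520: at least 16 bytes of padding */

/* Returns the declared payload length if it fits in the bytes actually received,
 * else -1. The vulnerable handler skipped this comparison and copied the declared length. */
long hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* 16-bit big-endian length */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)    /* declared more than received */
        return -1;
    return (long)payload;
}

/* Builds a response for a validated request; returns bytes written or -1. */
long hb_build_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_len)
{
    long payload = hb_validate(req, req_len);
    if (payload < 0 || req[0] != HB_REQUEST)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (out == NULL || out_len < need)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, req + 3, (size_t)payload);      /* only bytes that were received */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);   /* zero padding here; real code randomises it */
    return (long)need;
}

/* Constructed sample records (not captured traffic): a well-formed 5-byte
 * request and one declaring 0xffff bytes while carrying only 2. */
static const uint8_t good_req[] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t bad_req[] = {HB_REQUEST, 0xff, 0xff, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};

/* Echoes good_req; returns the response length if the payload round-trips, else -1. */
long hb_demo(void)
{
    uint8_t out[64];
    long n = hb_build_response(good_req, sizeof good_req, out, sizeof out);
    return (n >= 0 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0) ? n : -1;
}
```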