Re: OT: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-21 Thread Mike A
On Fri, Apr 18, 2014 at 03:47:25PM -0700, Scott Weeks wrote: :: There being no cable between the Hawaiian Islands :: and the mainland at the time Wait...what? https://en.wikipedia.org/wiki/Submarine_communications_cable#Submarine_cables_across_the_Pacific The first trans-pacific

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-18 Thread Mike A
On Mon, Apr 14, 2014 at 10:09:14PM +, Matthew Black wrote: IIRC, the message was sent via courier instead of cable or telephone to prevent interception. Did the military not even trust its own cryptographic methods? Or did they not think withdrawal of the Japanese ambassador was not very

OT: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-18 Thread Scott Weeks
:: There being no cable between the Hawaiian Islands :: and the mainland at the time Wait...what? https://en.wikipedia.org/wiki/Submarine_communications_cable#Submarine_cables_across_the_Pacific The first trans-pacific cables were completed in 1902-03, linking the US mainland to Hawaii in

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Jason Iannone
I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not zeroed but if there's any attempt to actually access it then read it back as if it were filled with

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Larry Sheldon
On 4/16/2014 4:34 PM, Jason Iannone wrote: I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not zeroed but if there's any attempt to actually access it

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Scott Howard
On Wed, Apr 16, 2014 at 4:12 PM, Larry Sheldon larryshel...@cox.net wrote: If the hardware (as has been suggested) or the OS does any of this, how do diagnostic routine in or running under the OS work? The OS does it, when allocating memory to userland programs. For memory, before memory is

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Glen Turner
Jason Iannone wrote: I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not zeroed but if there's any attempt to actually access it then read it back as

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Barry Shein
On April 17, 2014 at 10:03 g...@gdt.id.au (Glen Turner) wrote: Jason Iannone wrote: I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Barry Shein
On April 16, 2014 at 15:34 jason.iann...@gmail.com (Jason Iannone) wrote: I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not zeroed but if

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread TGLASSEY
BAE did this cute poster on the attack model https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788 On 4/16/2014 7:50 PM, Barry Shein wrote: On April 17, 2014 at 10:03 g...@gdt.id.au (Glen Turner) wrote:

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-16 Thread Scott Howard
On Wed, Apr 16, 2014 at 9:39 PM, TGLASSEY tglas...@earthlink.net wrote: BAE did this cute poster on the attack model https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788 I'm guessing accuracy probably

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Scott Howard
On Mon, Apr 14, 2014 at 6:00 PM, Larry Sheldon larryshel...@cox.net wrote: Is the heartbleed bug not proof positive that it is not being done today? On the contrary. Heartbleed is proof that memory IS cleared before being assigned to a *process*. The data available via the vulnerability is

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Matthew Black
beach -Original Message- From: Doug Barton [mailto:do...@dougbarton.us] Sent: Monday, April 14, 2014 7:48 PM To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On 04/14/2014 05:50 PM, John Levine wrote: In article 534c68f4@cox.net you

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Glen Wiley
To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On 04/14/2014 05:50 PM, John Levine wrote: In article 534c68f4@cox.net you write: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Scott Howard
On Tue, Apr 15, 2014 at 6:56 AM, Matthew Black matthew.bl...@csulb.edu wrote: Seriously? When files are deleted, their sectors are simply released to the free space pool without erasing their contents. Allocation of disk sectors without clearing them gives users/programs access to file contents

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-15 Thread Barry Shein
I can't cite chapter and verse but I seem to remember this zeroing problem was solved decades ago by just introducing a bit which said this chunk of memory or disk is new (to this process) and not zeroed but if there's any attempt to actually access it then read it back as if it were filled with

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
california state university, long beach -Original Message- From: Randy Bush [mailto:ra...@psg.com] Sent: Sunday, April 13, 2014 7:31 AM To: Bengt Larsson Cc: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] It's quite plausible that they watch

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Simon Perreault
Le 2014-04-14 10:38, Matthew Black a écrit : Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for passwords and other

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
- From: William Herrin [mailto:b...@herrin.us] Sent: Friday, April 11, 2014 2:06 PM To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker niels=na...@bakker.net wrote: Please go read up on some recent and less

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Thijs Stuurman
: Sunday, April 13, 2014 6:53 PM Aan: nanog@nanog.org Onderwerp: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] * ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]: the point of open source is that the community is supposed to be doing this. we failed. Versus all

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Donald Eastlake
california state university, long beach -Original Message- From: William Herrin [mailto:b...@herrin.us] Sent: Friday, April 11, 2014 2:06 PM To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On Fri, Apr 11, 2014 at 4:10 PM, Niels

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Mark Seiden
On Apr 13, 2014, at 7:52 AM, Randy Bush ra...@psg.com wrote: the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor. this one is owned

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread TGLASSEY
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything. the point of open source is that the community is supposed to be doing this. we failed

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread TGLASSEY
Vladis is 100% on the money here. Let's take this a step farther and ask is there a criminal liability for the person who checked that code in - Oh you bet there is... Todd On 4/11/2014 5:49 PM, valdis.kletni...@vt.edu wrote: On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said: The

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Petach
On Mon, Apr 14, 2014 at 9:27 AM, TGLASSEY tglas...@earthlink.net wrote: Vladis is 100% on the money here. Let's take this a step farther and ask is there a criminal liability for the person who checked that code in - Oh you bet there is... Todd Thank you--I needed some humour in my morning,

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Scott Howard
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote: At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-usersm=139723710923076w=2 I hope other vendors will follow suit. Although it appears they may now be regretting doing so...

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Patrick W. Gilmore
On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote: On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote: At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-usersm=139723710923076w=2 I hope other vendors will follow suit.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread William Herrin
On Mon, Apr 14, 2014 at 3:59 PM, Patrick W. Gilmore patr...@ianai.net wrote: I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year. Or we can flame anyone who tries, then wonder

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Doug Barton
On 04/14/2014 12:59 PM, Patrick W. Gilmore wrote: On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote: On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote: At least one vendor, Akamai is helping out now: http://marc.info/?l=openssl-usersm=139723710923076w=2

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread bmanning
On Mon, Apr 14, 2014 at 03:59:21PM -0400, Patrick W. Gilmore wrote: On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote: On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote: At least one vendor, Akamai is helping out now:

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Scott Howard
On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore patr...@ianai.net wrote: I applaud Akamai for trying, for being courageous enough to post code, and for bucking the trend so many other companies are following by being more secretive every year. Just to be clear, so do I! As I said, the

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Black
From: Donald Eastlake [mailto:d3e...@gmail.com] Sent: Monday, April 14, 2014 8:28 AM To: Matthew Black Cc: William Herrin; nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] Matthew, On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black matthew.bl

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Larry Sheldon
On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for passwords and other interesting

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Randy Bush
for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty. is that kind of like jury duty? if only it were more like literature, which we could read for enjoyment.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Larry Sheldon
On 4/14/2014 2:59 PM, Patrick W. Gilmore wrote: Or we can flame anyone who tries, then wonder why no one is trying. Amen. I was just thinking, after reading the umpteenth message here about spam, about the times in the 1990's that I was literally driven away because I was trying to get

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Larry Sheldon
On 4/14/2014 3:05 PM, William Herrin wrote: I thought vendors existed primarily as a place to hang the blame when dealing with a manager or customer who just doesn't get it. Truth value very high. Humor value, less than none. -- Requiescas in pace o email Two identifying

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Michael Thomas
On 4/14/14 4:06 PM, Randy Bush wrote: for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability of a next one by actively auditing source as our civic duty. is that kind of like jury duty? if only it were more like literature,

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Seth David Schoen
Larry Sheldon writes: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E to look for

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Nathan Angelacos
On 04/14/2014 07:14 PM, Michael Thomas wrote: It's much, much worse than that. I can still read code plenty fine, but bugs can be extremely obscure, and triply so with convoluted security code where people are actively going after you to find problems in most inventive ways. Openssl, etc,

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread John Levine
In article 534c68f4@cox.net you write: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I recall digging through disk sectors on RSTS/E

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Larry Sheldon
On 4/14/2014 7:50 PM, John Levine wrote: In article 534c68f4@cox.net you write: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Michael Thomas
On 04/14/2014 05:02 PM, Nathan Angelacos wrote: On 04/14/2014 07:14 PM, Michael Thomas wrote: It's much, much worse than that. I can still read code plenty fine, but bugs can be extremely obscure, and triply so with convoluted security code where people are actively going after you to find

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Doug Barton
On 04/14/2014 05:50 PM, John Levine wrote: In article 534c68f4@cox.net you write: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes, unless that process enters processor privileged mode and sets a call flag? I

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Matthew Petach
On Mon, Apr 14, 2014 at 7:47 PM, Doug Barton do...@dougbarton.us wrote: On 04/14/2014 05:50 PM, John Levine wrote: In article 534c68f4@cox.net you write: On 4/14/2014 9:38 AM, Matthew Black wrote: Shouldn't a decent OS scrub RAM and disk sectors before allocating them to processes,

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Bengt Larsson
Matt Palmer wrote: * The NSA found it *amazingly* quickly (they're very good at what they do, but I don't believe them have superhuman talents); or It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Randy Bush
It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything. the point of open source is that the community is supposed to be doing this. we failed. randy

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Michael Thomas
On 04/13/2014 07:30 AM, Randy Bush wrote: It's quite plausible that they watch the changes in open-source projects to find bugs. They could do nice diffs and everything. the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Randy Bush
the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor. this one is owned by the community. it falls on us to try to lower the probability

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Michael Thomas
On 04/13/2014 07:52 AM, Randy Bush wrote: the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor. Or not. this one is owned by the

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Niels Bakker
* ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]: the point of open source is that the community is supposed to be doing this. we failed. Versus all of the closed source bugs that nobody can know of or do anything about? for those you can blame the vendor. BSAFE is almost worse

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread Warren Bailey
Original message From: Niels Bakker niels=na...@bakker.net Date: 04/13/2014 10:55 AM (GMT-07:00) To: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] * ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]: the point of open

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-13 Thread John Levine
And we all know how well civic duty works as a motivator. If we really want to do something constructive, convince the corpro-takers to open their wallets to fund those auditing functions. For once, I agree with Mike. (Twice in one year?) Considering how widely openssl is used, and how

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-12 Thread Warren Bailey
: Friday, April 11, 2014 7:50 PM To: Matt Palmer Cc: nanog@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said: snip Heck, there's a good chance that automated tools could have spotted it.

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread William Herrin
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. The NSA's decision to keep the

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Niels Bakker
* b...@herrin.us (William Herrin) [Fri 11 Apr 2014, 22:04 CEST]: I call B.S. Do you have any idea how many thousands of impacted NSA servers run by contractors hung out on the Internet with sensitive NSA data? If you told me they used it against the targets of the day while putting out the word

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Niels Bakker
I wrote: I'm not saying this has been happening ... but here's the same news from a much more credible source: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html Still anonymously sourced but at least via people whose ability to vet

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Stephen Frost
* Niels Bakker (niels=na...@bakker.net) wrote: but here's the same news from a much more credible source: http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html Still anonymously sourced but at least via people whose ability to vet sources

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Chris Adams
Once upon a time, Niels Bakker niels=na...@bakker.net said: but here's the same news from a much more credible source: Actually, that's the same news _from the same source_ as originally posted. That article also has other wonderful bits like: The Heartbleed flaw, introduced in early 2012

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Rich Kulawiec
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote: If you told me they used it against the targets of the day while putting out the word to patch I could buy it, but intentionally leaving a certain bodily extension hanging in the breeze in the hopes of gaining more valuable data

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread William Herrin
On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker niels=na...@bakker.net wrote: Please go read up on some recent and less recent history before making judgments on what would be unusually gutsy for that group of people. I'm not saying this has been happening but you will have to come up with a

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Matt Palmer
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Peter Kristolaitis
On 4/11/2014 4:03 PM, William Herrin wrote: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread William Herrin
On Fri, Apr 11, 2014 at 5:56 PM, Matt Palmer mpal...@hezmatt.org wrote: You're assuming that the NSA is a single monolithic entity. IIRC, the offense team and the defense team don't really talk much, and they *certainly* have very different motivations. It wouldn't surprise me at all if the

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Warren Bailey
And their Level 3 to 4 accomplished what exactly?? They were owned the same way the own others, from the inside. On 4/11/14, 4:27 PM, Peter Kristolaitis alte...@alter3d.ca wrote: On 4/11/2014 4:03 PM, William Herrin wrote: The U.S. National Security Agency knew for at least two years about a

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Scott Weeks
--- mpal...@hezmatt.org wrote: From: Matt Palmer mpal...@hezmatt.org The interesting thing to me is that the article claims the NSA have been using this for over two years, but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either: * The NSA put it in

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Valdis . Kletnieks
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said: The interesting thing to me is that the article claims the NSA have been using this for over two years, but 1.0.1 (the first vulnerable version) was only released on 14 Mar 2012. That means that either: * The NSA found it *amazingly*

Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread William Herrin
On Fri, Apr 11, 2014 at 6:27 PM, Peter Kristolaitis alte...@alter3d.ca wrote: I would imagine that federal contractors have to adhere to FIPS 140-2 standards (or some similar requirement) for sensitive environments, and none of the affected OpenSSL versions were certified to any FIPS

RE: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-11 Thread Frank Bulk
@nanog.org Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years] On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said: snip Heck, there's a good chance that automated tools could have spotted it.