On Fri, Apr 18, 2014 at 03:47:25PM -0700, Scott Weeks wrote:
:: There being no cable between the Hawaiian Islands
:: and the mainland at the time
Wait...what?
https://en.wikipedia.org/wiki/Submarine_communications_cable#Submarine_cables_across_the_Pacific
The first trans-pacific cables were completed in 1902-03, linking the
US mainland to Hawaii in
On Mon, Apr 14, 2014 at 10:09:14PM +, Matthew Black wrote:
IIRC, the message was sent via courier instead of cable or telephone to
prevent interception. Did the military not even trust its own cryptographic
methods? Or did they not think withdrawal of the Japanese ambassador was not
very
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not zeroed
but if there's any attempt to actually access it then read it back as
if it were filled with
On 4/16/2014 4:34 PM, Jason Iannone wrote:
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not zeroed
but if there's any attempt to actually access it
On Wed, Apr 16, 2014 at 4:12 PM, Larry Sheldon larryshel...@cox.net wrote:
If the hardware (as has been suggested) or the OS does any of this, how do
diagnostic routine in or running under the OS work?
The OS does it, when allocating memory to userland programs.
For memory, before memory is
Jason Iannone wrote:
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not zeroed
but if there's any attempt to actually access it then read it back as
On April 17, 2014 at 10:03 g...@gdt.id.au (Glen Turner) wrote:
Jason Iannone wrote:
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not
On April 16, 2014 at 15:34 jason.iann...@gmail.com (Jason Iannone) wrote:
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not zeroed
but if
BAE did this cute poster on the attack model
https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788
On 4/16/2014 7:50 PM, Barry Shein wrote:
On April 17, 2014 at 10:03 g...@gdt.id.au (Glen Turner) wrote:
On Wed, Apr 16, 2014 at 9:39 PM, TGLASSEY tglas...@earthlink.net wrote:
BAE did this cute poster on the attack model
https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788
I'm guessing accuracy probably
On Mon, Apr 14, 2014 at 6:00 PM, Larry Sheldon larryshel...@cox.net wrote:
Is the heartbleed bug not proof positive that it is not being done today?
On the contrary. Heartbleed is proof that memory IS cleared before being
assigned to a *process*. The data available via the vulnerability is
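Added example, written for this page and not taken from any message in the thread or from OpenSSL itself. It puts the two claims being argued here into one small C program: the kernel zero-fills a page before a process first touches it, so cross-process reuse of memory is not where Heartbleed's data came from; and the Heartbleed over-read happens inside a single process, because the heartbeat handler trusts the payload length supplied by the peer instead of the length of the record it actually received. The record layout follows RFC 6520 and the bounds check mirrors the one added in OpenSSL 1.0.1g. The process_memory buffer, the secret string in it and the function names are constructed for the demonstration.

```c
/* Added example: not from any message in this thread, not OpenSSL's code.
 * 1. Pages the kernel hands a process are zero-filled on first touch, so a
 *    fresh mapping never carries another process's data.
 * 2. Heartbleed is an over-read inside one process: the handler trusts the
 *    peer's payload length, not the length of the record it received.
 * Record layout per RFC 6520 (type, 2-byte length, payload, 16 padding);
 * process_memory and the secret in it are constructed for the demo. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define PADDING 16

/* 1. Zero-fill on demand: 1 if a fresh anonymous page is all zero, -1 on mmap failure. */
int fresh_page_is_zero(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int zero = 1;
    for (size_t i = 0; i < pagesize; i++)
        if (p[i] != 0) { zero = 0; break; }
    munmap(p, pagesize);
    return zero;
}

/* Constructed process memory: a 21-byte heartbeat request claiming a
 * 65535-byte payload, followed by data the peer must never see. */
static const unsigned char process_memory[] = {
    0x01,                    /* TLS1_HB_REQUEST */
    0xff, 0xff,              /* claimed payload length: 65535 */
    'h', 'i',                /* actual payload: 2 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* padding */
    'S', 'E', 'C', 'R', 'E', 'T', ':', 'h', 'u', 'n', 't', 'e', 'r', '2', 0
};
#define RECORD_LEN (1 + 2 + 2 + PADDING)   /* what the TLS layer received */
#define SECRET "SECRET:hunter2"

/* 2a. The 1.0.1 shape: copy what the peer asked for, never consult rec_len.
 * out_cap only keeps this demo inside its own buffer; the real code copied
 * the full 65535 bytes. */
size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    size_t n = payload < out_cap ? payload : out_cap;
    memcpy(out, rec + 3, n);                 /* reads past the record */
    return n;
}

/* 2b. The 1.0.1g fix: payload plus padding must fit in the record actually
 * received. Returns bytes echoed, or -1 when the request is dropped. */
int heartbeat_checked(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + PADDING)
        return -1;                           /* no room for a length field */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + PADDING > rec_len)
        return -1;                           /* claimed length overruns record */
    if (payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);
    return (int)payload;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

int unchecked_leaks_secret(void)     /* 1: the echo carries the secret */
{
    unsigned char out[sizeof(process_memory)];
    size_t n = heartbeat_unchecked(process_memory, RECORD_LEN, out,
                                   sizeof(process_memory) - 3);
    return contains(out, n, SECRET);
}
int checked_rejects_oversize(void)   /* -1: the same request is dropped */
{
    unsigned char out[sizeof(process_memory)];
    return heartbeat_checked(process_memory, RECORD_LEN, out, sizeof out);
}
int checked_echoes_honest(void)      /* 2: a well-formed request still works */
{
    static const unsigned char honest[RECORD_LEN] = { 0x01, 0x00, 0x02, 'h', 'i' };
    unsigned char out[RECORD_LEN];
    return heartbeat_checked(honest, sizeof honest, out, sizeof out);
}
int main(void)
{
    printf("fresh page zero %d, unchecked leaks %d, checked rejects %d, honest echoes %d\n",
           fresh_page_is_zero(), unchecked_leaks_secret(),
           checked_rejects_oversize(), checked_echoes_honest());
    return 0;
}
```

Compile with cc -std=c11 and run. The mapping check passes on any Linux or BSD, which is the point made above: the OS does scrub memory before a process gets it. The over-read then shows the other half: what the unchecked handler echoes is not another process's data but the bytes that happened to sit next to the record inside the same process, and the one-line length check is all that separates the two handlers.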
-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us]
Sent: Monday, April 14, 2014 7:48 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On 04/14/2014 05:50 PM, John Levine wrote:
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
On Tue, Apr 15, 2014 at 6:56 AM, Matthew Black matthew.bl...@csulb.edu wrote:
Seriously? When files are deleted, their sectors are simply released to
the free space pool without erasing their contents. Allocation of disk
sectors without clearing them gives users/programs access to file contents
I can't cite chapter and verse but I seem to remember this zeroing
problem was solved decades ago by just introducing a bit which said
this chunk of memory or disk is new (to this process) and not zeroed
but if there's any attempt to actually access it then read it back as
if it were filled with
california state university, long beach
-Original Message-
From: Randy Bush [mailto:ra...@psg.com]
Sent: Sunday, April 13, 2014 7:31 AM
To: Bengt Larsson
Cc: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
It's quite plausible that they watch
Le 2014-04-14 10:38, Matthew Black a écrit :
Shouldn't a decent OS scrub RAM and disk sectors before allocating them to
processes, unless that process enters processor privileged mode and sets a
call flag? I recall digging through disk sectors on RSTS/E to look for
passwords and other
-Original Message-
From: William Herrin [mailto:b...@herrin.us]
Sent: Friday, April 11, 2014 2:06 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker niels=na...@bakker.net wrote:
Please go read up on some recent and less
: Sunday, April 13, 2014 6:53 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
* ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
the point of open source is that the community is supposed to be
doing this. we failed.
Versus all
california state university, long beach
-Original Message-
From: William Herrin [mailto:b...@herrin.us]
Sent: Friday, April 11, 2014 2:06 PM
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Fri, Apr 11, 2014 at 4:10 PM, Niels
On Apr 13, 2014, at 7:52 AM, Randy Bush ra...@psg.com wrote:
the point of open source is that the community is supposed to be doing
this. we failed.
Versus all of the closed source bugs that nobody can know of or do
anything about?
for those you can blame the vendor. this one is owned
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
It's quite plausible that they watch the changes in open-source
projects to find bugs. They could do nice diffs and everything.
the point of open source is that the community is supposed to be doing this.
we failed
Valdis is 100% on the money here. Let's take this a step farther and ask
is there a criminal liability for the person who checked that code in -
Oh you bet there is...
Todd
On 4/11/2014 5:49 PM, valdis.kletni...@vt.edu wrote:
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
The
On Mon, Apr 14, 2014 at 9:27 AM, TGLASSEY tglas...@earthlink.net wrote:
Valdis is 100% on the money here. Let's take this a step farther and ask is
there a criminal liability for the person who checked that code in - Oh you
bet there is...
Todd
Thank you--I needed some humour in my morning,
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote:
At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-usersm=139723710923076w=2
I hope other vendors will follow suit.
Although it appears they may now be regretting doing so...
On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote:
At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-usersm=139723710923076w=2
I hope other vendors will follow suit.
On Mon, Apr 14, 2014 at 3:59 PM, Patrick W. Gilmore patr...@ianai.net wrote:
I applaud Akamai for trying, for being courageous enough to post
code, and for bucking the trend so many other companies are
following by being more secretive every year.
Or we can flame anyone who tries, then wonder
On 04/14/2014 12:59 PM, Patrick W. Gilmore wrote:
On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote:
At least one vendor, Akamai is helping out now:
http://marc.info/?l=openssl-usersm=139723710923076w=2
On Mon, Apr 14, 2014 at 03:59:21PM -0400, Patrick W. Gilmore wrote:
On Apr 14, 2014, at 15:47 , Scott Howard sc...@doc.net.au wrote:
On Sun, Apr 13, 2014 at 9:52 AM, Niels Bakker niels=na...@bakker.net wrote:
At least one vendor, Akamai is helping out now:
On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore patr...@ianai.net
wrote:
I applaud Akamai for trying, for being courageous enough to post code, and
for bucking the trend so many other companies are following by being more
secretive every year.
Just to be clear, so do I! As I said, the
From: Donald Eastlake [mailto:d3e...@gmail.com]
Sent: Monday, April 14, 2014 8:28 AM
To: Matthew Black
Cc: William Herrin; nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
Matthew,
On Mon, Apr 14, 2014 at 10:48 AM, Matthew Black
matthew.bl
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E to look for passwords and other interesting
for those you can blame the vendor. this one is owned by the
community. it falls on us to try to lower the probability of a next
one by actively auditing source as our civic duty.
is that kind of like jury duty? if only it were more like literature,
which we could read for enjoyment.
On 4/14/2014 2:59 PM, Patrick W. Gilmore wrote:
Or we can flame anyone who tries, then wonder why no one is trying.
Amen.
I was just thinking, after reading the umpteenth message here about
spam, about the times in the 1990's that I was literally driven away
because I was trying to get
On 4/14/2014 3:05 PM, William Herrin wrote:
I thought vendors existed primarily as a place to hang the blame when
dealing with a manager or customer who just doesn't get it.
Truth value very high. Humor value, less than none.
--
Requiescas in pace o email Two identifying
On 4/14/14 4:06 PM, Randy Bush wrote:
for those you can blame the vendor. this one is owned by the
community. it falls on us to try to lower the probability of a next
one by actively auditing source as our civic duty.
is that kind of like jury duty? if only it were more like literature,
Larry Sheldon writes:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E to look for
On 04/14/2014 07:14 PM, Michael Thomas wrote:
It's much, much worse than that. I can still read code plenty fine, but
bugs can be extremely obscure, and triply so with convoluted security
code where people are actively going after you to find problems in most
inventive ways. Openssl, etc,
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I recall digging through disk sectors on
RSTS/E
On 4/14/2014 7:50 PM, John Levine wrote:
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I
On 04/14/2014 05:02 PM, Nathan Angelacos wrote:
On 04/14/2014 07:14 PM, Michael Thomas wrote:
It's much, much worse than that. I can still read code plenty fine, but
bugs can be extremely obscure, and triply so with convoluted security
code where people are actively going after you to find
On 04/14/2014 05:50 PM, John Levine wrote:
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes, unless that process enters processor privileged
mode and sets a call flag? I
On Mon, Apr 14, 2014 at 7:47 PM, Doug Barton do...@dougbarton.us wrote:
On 04/14/2014 05:50 PM, John Levine wrote:
In article 534c68f4@cox.net you write:
On 4/14/2014 9:38 AM, Matthew Black wrote:
Shouldn't a decent OS scrub RAM and disk sectors before allocating
them to processes,
Matt Palmer wrote:
* The NSA found it *amazingly* quickly (they're very good at what they do,
but I don't believe they have superhuman talents); or
It's quite plausible that they watch the changes in open-source projects
to find bugs. They could do nice diffs and everything.
It's quite plausible that they watch the changes in open-source
projects to find bugs. They could do nice diffs and everything.
the point of open source is that the community is supposed to be doing
this. we failed.
randy
On 04/13/2014 07:30 AM, Randy Bush wrote:
It's quite plausible that they watch the changes in open-source
projects to find bugs. They could do nice diffs and everything.
the point of open source is that the community is supposed to be doing
this. we failed.
Versus all of the closed source
the point of open source is that the community is supposed to be doing
this. we failed.
Versus all of the closed source bugs that nobody can know of or do
anything about?
for those you can blame the vendor. this one is owned by the community.
it falls on us to try to lower the probability
On 04/13/2014 07:52 AM, Randy Bush wrote:
the point of open source is that the community is supposed to be doing
this. we failed.
Versus all of the closed source bugs that nobody can know of or do
anything about?
for those you can blame the vendor.
Or not.
this one is owned by the
* ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
the point of open source is that the community is supposed to be
doing this. we failed.
Versus all of the closed source bugs that nobody can know of or do
anything about?
for those you can blame the vendor.
BSAFE is almost worse
Original message
From: Niels Bakker niels=na...@bakker.net
Date: 04/13/2014 10:55 AM (GMT-07:00)
To: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
* ra...@psg.com (Randy Bush) [Sun 13 Apr 2014, 16:52 CEST]:
the point of open
And we all know how well civic duty works as a motivator. If we really
want to do something constructive, convince the corpro-takers to open
their wallets to fund those auditing functions.
For once, I agree with Mike. (Twice in one year?)
Considering how widely openssl is used, and how
: Friday, April 11, 2014 7:50 PM
To: Matt Palmer
Cc: nanog@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
snip
Heck, there's a good chance that automated tools could have spotted it.
The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the matter said.
The NSA's decision to keep the
* b...@herrin.us (William Herrin) [Fri 11 Apr 2014, 22:04 CEST]:
I call B.S. Do you have any idea how many thousands of impacted NSA
servers run by contractors hung out on the Internet with sensitive NSA
data? If you told me they used it against the targets of the day while
putting out the word
I wrote:
I'm not saying this has been happening ...
but here's the same news from a much more credible source:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Still anonymously sourced but at least via people whose ability to vet
* Niels Bakker (niels=na...@bakker.net) wrote:
but here's the same news from a much more credible source:
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Still anonymously sourced but at least via people whose ability to
vet sources
Once upon a time, Niels Bakker niels=na...@bakker.net said:
but here's the same news from a much more credible source:
Actually, that's the same news _from the same source_ as originally
posted.
That article also has other wonderful bits like:
The Heartbleed flaw, introduced in early 2012
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
If you told me they used it against the targets of the day while
putting out the word to patch I could buy it, but intentionally
leaving a certain bodily extension hanging in the breeze in the hopes
of gaining more valuable data
On Fri, Apr 11, 2014 at 4:10 PM, Niels Bakker niels=na...@bakker.net wrote:
Please go read up on some recent and less recent history before making
judgments on what would be unusually gutsy for that group of people.
I'm not saying this has been happening but you will have to come up with a
On Fri, Apr 11, 2014 at 04:03:36PM -0400, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two
On 4/11/2014 4:03 PM, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a flaw
in the way that many websites send sensitive information, now dubbed the
Heartbleed bug, and regularly used it to gather critical intelligence,
two people familiar with the
On Fri, Apr 11, 2014 at 5:56 PM, Matt Palmer mpal...@hezmatt.org wrote:
You're assuming that the NSA is a single monolithic entity. IIRC, the
offense team and the defense team don't really talk much, and they
*certainly* have very different motivations. It wouldn't surprise me at all
if the
And their Level 3 to 4 accomplished what exactly?? They were owned the
same way they own others, from the inside.
On 4/11/14, 4:27 PM, Peter Kristolaitis alte...@alter3d.ca wrote:
On 4/11/2014 4:03 PM, William Herrin wrote:
The U.S. National Security Agency knew for at least two years about a
--- mpal...@hezmatt.org wrote:
From: Matt Palmer mpal...@hezmatt.org
The interesting thing to me is that the article claims the NSA have been
using this for over two years, but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012. That means that either:
* The NSA put it in
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
The interesting thing to me is that the article claims the NSA have been
using this for over two years, but 1.0.1 (the first vulnerable version)
was only released on 14 Mar 2012. That means that either:
* The NSA found it *amazingly*
On Fri, Apr 11, 2014 at 6:27 PM, Peter Kristolaitis alte...@alter3d.ca wrote:
I would imagine that federal contractors have to adhere to FIPS 140-2
standards (or some similar requirement) for sensitive environments, and none
of the affected OpenSSL versions were certified to any FIPS
@nanog.org
Subject: Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]
On Sat, 12 Apr 2014 07:56:01 +1000, Matt Palmer said:
snip
Heck, there's a good chance that automated tools could have spotted it.