Technician

Heartbleed Bug


The one thing which worries me is the fact that after years of using it in open source situations and others, it took them so many years to come to a point where such a grave BUG is found.

In this modern internet world where it is becoming a government versus government war and both versus the people it might as well be a severely obfuscated bug left in there on purpose.

I don't know, I do not trust anything like this anymore after everything the media, governments, and intelligence agencies are doing. For all I know they are using 'heartbleed' like hell now for as long as it lasts.


*Somebody else bumped it, so while it is here I used it.


I worry since open source is open source it just makes it easier to crack.

Yahoo had a cookie bug that let people in for about a decade before they fixed it.

Sodaholic said:

I usually keep my phone in another room and wrapped in some kind of cloth out of fear that my password could be compromised by keystroke sound analysis. I realize there's probably plenty of other methods, but I don't want my local machine to be compromised.

What I really want to do is open it up and install a physical passthrough switch to completely disable/enable the microphone/cameras at will, but haven't gotten around to that yet. Some silly putty or something could probably work as a temporary solution.


This is insane. But while we're at it, you've failed to protect yourself from analysis of the EM leakage from your computer. :p

You remind me of the "hacker lady" we used to get when I worked in tech support. She called us 100 times about the various ways she was hacked. These included her answering machine, TV remote, and garage-door opener. The day I got her she was worried about the hackers in her laptop despite not possessing any kind of internet service.

She paid for service, so I spent five hours making things even more outrageously secure (did you know you can turn off the IR thing in your BIOS?) and trying to get rid of her. She even explained the cops and a private eye had given up on her already.

In the end she wanted to reinstall XP and I noticed her CD didn't have SP2, so I sent her a new disc and sold her on that so hard the superiors listening to the call were laughing their asses off. She reappeared a few more times and then vanished completely. Maybe her evil tenants finally got her!

FireFish said:

The one thing which worries me is the fact that after years of using it in open source situations and others, it took them so many years to come to a point where such a grave BUG is found.


It was only about two and a half years iirc. Old versions of OpenSSL don't have the bug.


'keystroke sound analysis': I could just search engine that, but if it's some sort of technique to have AI 'study' the click clacking of keys and guessing what is being typed based on the location of asdf jkl; etc and thus usual speed of typing a particular letter or sequence etc, that's quite clever.

Aliotroph? said:

This is insane.

Well, my phone doesn't have a clean or custom ROM installed (I'm a lazy bastard), and my carrier loaded it up with some crap I don't want (oh boy, sports apps I'll never use!). Given that it's certainly not a clean install of Android (I hate how carriers customize stuff like that), there is a risk of a covert surveillance feature.

While I'm paranoid as hell, I at least know how my equipment works, so I'm not sure your comparison to that awful tech support customer is apt. I know my answering machine, TV remote and garage-door opener are too simple and/or specialized to be hacked without someone physically screwing with it, and I'm not so paranoid to think federal invisibility camo ninjas or some shit are messing with stuff like that. It's just that full-blown computers like a PC or smartphone can be volatile to exploits, or worse, deliberate backdoors in the software and/or hardware. Especially those that come preloaded with software from a corporation that cannot be trusted as it is known to work with the NSA.

All I care about is that I have visual-audio privacy in my own home, just for peace of mind. I don't think the government's out to get me or anything, I'm hardly of interest to them. I doubt that any of this will convince you that I'm not of the same mindset as the "hacker lady" or are otherwise extremely whacked out, or why I'm even bothering to defend myself here.


As long as you and everybody you know lives happily and good, without disturbing anyone, nobody will judge you for that. I am also weary and cynical towards many things on a computer. I don't trust a lot, but I am not mega paranoid about it.

Sodaholic said:

All I care about is that I have visual-audio privacy in my own home, just for peace of mind. I don't think the government's out to get me or anything, I'm hardly of interest to them. I doubt that any of this will convince you that I'm not of the same mindset as the "hacker lady" or are otherwise extremely whacked out, or why I'm even bothering to defend myself here.

I guess I'm just not sure what your threat model is, who you think you're defending yourself from. Stuff like "keystroke sound analysis" is something you'd only need to worry about if you were being actively targeted by government surveillance. If you "don't think the government's out to get you" then it's pointless to bother with countermeasures like these.

That's why your comment comes across as so ridiculous: there's no sense of proportion or realistic understanding of security or privacy. Rather than "someone who cares about their privacy" it just makes you seem ignorant, wasting your time defending against threats you'll never face while you're probably not even taking more basic precautions to defend against threats that you might face.

Well, my phone doesn't have a clean or custom ROM installed (I'm a lazy bastard), and my carrier loaded it up with some crap I don't want (oh boy, sports apps I'll never use!). Given that it's certainly not a clean install of Android (I hate how carriers customize stuff like that), there is a risk of a covert surveillance feature.

And this is exactly what I'm talking about. Carrier-customized ROMs like these commonly come with literally dozens of apps preinstalled, and have access to your personal data and other information like your GPS location. It's not a "risk" of surveillance - you already are being surveilled by several different companies every time you use your phone and every time you go somewhere and take your phone with you. You claim to care about privacy but you haven't taken the most basic precautions to deal with this, while at the same time you're worrying about ridiculous and unrealistic theoretical threats that you will never face.

Other predictions I'm just going to throw out: I bet you haven't encrypted the hard drive on your laptop, you aren't using the HTTPS everywhere extension or disconnect.me. Maybe you don't even have a screensaver that locks your screen and requires a password to unlock. All of these things are basic security measures that are relatively easy to set up and will do far more practical, real-world good than silly, pointless rituals where you wrap your phone up in cloth.


There is a panopticon effect, where nobody knows for sure whether they are being watched or not, causing them to police themselves. This makes everyone behave like characters in Treehouse of Horror II where they have to constantly think happy thoughts in case Bart is reading their mind.

