Author Topic: Heartbleed  (Read 3122 times)
Josh @ Dreamland (Prince of all Goldfish, Developer; Location: Ohio, United States; Joined: Feb 2008; Posts: 2925)
Posted on: April 11, 2014, 06:23:25 PM
tl;dr: we run CentOS 5; our software is so out-of-date, we are not affected by Heartbleed. Of course, you probably don't connect to us via SSL, anyway.

Heartbleed is an OpenSSL exploit that enables hackers to listen in on what should be secured connections. It's a terrible vulnerability that can lead to the leak of all sorts of sensitive information; in our case, passwords. Since most users connect over HTTP and are probably therefore not using a very secure password, this isn't an issue for most of our users. For those who do connect to us over HTTPS, you're safe, anyway, because the vulnerability is with a newer OpenSSL than we'll ever have. This has a number of downsides, but the upside is, we didn't even have to patch for this exploit. So your HTTPS passwords have been safe, and our SSH connections have been safe.

And to clarify, yes, I am still alive; I haven't lived for ten consecutive days in the same state for almost the last month, now, but I am finishing getting moved into my current apartment where I am now holding a job at Google. That said, afternoons and weekends are mine unless I break something.
"That is the single most cryptic piece of code I have ever seen." -Master PobbleWobble
"I disapprove of what you say, but I will defend to the death your right to say it." -Evelyn Beatrice Hall, Friends of Voltaire
Rusky (Resident Troll; Joined: Feb 2008; Posts: 960)
Reply #1 Posted on: April 11, 2014, 07:08:24 PM
Technically what Heartbleed enables is for the attacker to look at the server's OpenSSL heap, which may contain private keys or passwords if they look long and hard enough, which would then enable them to listen in on secured connections.

So yeah, good news. :P
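As an added illustration of the mechanism Rusky describes (example code written for this page, not code from OpenSSL or from the forum's own software): a small model of a TLS heartbeat responder with the pre-fix and post-fix length handling side by side. The `heap` array, the `SECRET` marker placed next to the record and the record-building helper are all constructed for the demo; the check in `respond_checked` mirrors the one OpenSSL added in 1.0.1g (reject the record when `1 + 2 + payload + 16` exceeds the number of bytes actually received). The unchecked variant is clamped to the demo buffer so the program itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of the server's heap: one heartbeat
 * record followed by unrelated data that a peer must never see. */
#define HEAP_SIZE 64
static unsigned char heap[HEAP_SIZE];

/* RFC 6520 heartbeat message layout:
 *   1 byte   type (1 = request)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * Builds such a record in `heap`, writing `claimed_len` into the length
 * field while the real payload is only strlen(payload) bytes, then places
 * `secret` directly after the record. Returns the record length received. */
static size_t build_record(const char *payload, uint16_t claimed_len, const char *secret)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + 16;
    memset(heap, 0, sizeof heap);
    heap[0] = 1;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, plen);
    memcpy(heap + record_len, secret, strlen(secret));
    return record_len;
}

/* Pre-fix behaviour: trusts the attacker-controlled length field and copies
 * that many bytes starting at the payload, regardless of how many bytes the
 * record actually carried. Clamped to HEAP_SIZE only so this demo is safe. */
static size_t respond_unchecked(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;  /* the bug: the received length is never consulted */
    size_t n = (size_t)((heap[1] << 8) | heap[2]);
    if (n > HEAP_SIZE - 3) n = HEAP_SIZE - 3;
    if (n > out_cap) n = out_cap;
    memcpy(out, heap + 3, n);
    return n;
}

/* Post-fix behaviour: the claimed payload plus header and minimum padding
 * must fit inside the bytes actually received, otherwise the record is
 * silently discarded (returns 0 bytes echoed). */
static size_t respond_checked(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + 16) return 0;
    size_t payload = (size_t)((heap[1] << 8) | heap[2]);
    if (1 + 2 + payload + 16 > record_len) return 0;
    if (payload > out_cap) return 0;
    memcpy(out, heap + 3, payload);
    return payload;
}

/* Detection for the demo: does the echoed buffer contain the adjacent secret? */
static int leaks_secret(const unsigned char *out, size_t n, const char *secret)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; slen <= n && i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

/* Scenario helpers: a 2-byte payload "hi" sent with an arbitrary claimed
 * length, echoed by either responder. Return echoed length / leak flag. */
static size_t echo_len(int checked, uint16_t claimed_len)
{
    unsigned char out[HEAP_SIZE];
    size_t rl = build_record("hi", claimed_len, "SECRET");
    return checked ? respond_checked(rl, out, sizeof out)
                   : respond_unchecked(rl, out, sizeof out);
}

static int echo_leaks(int checked, uint16_t claimed_len)
{
    unsigned char out[HEAP_SIZE];
    size_t rl = build_record("hi", claimed_len, "SECRET");
    size_t n = checked ? respond_checked(rl, out, sizeof out)
                       : respond_unchecked(rl, out, sizeof out);
    return leaks_secret(out, n, "SECRET");
}

int main(void)
{
    printf("claimed 40, unchecked: echoed %zu bytes, leaks secret: %d\n",
           echo_len(0, 40), echo_leaks(0, 40));
    printf("claimed 40, checked:   echoed %zu bytes, leaks secret: %d\n",
           echo_len(1, 40), echo_leaks(1, 40));
    printf("claimed 2,  checked:   echoed %zu bytes, leaks secret: %d\n",
           echo_len(1, 2), echo_leaks(1, 2));
    return 0;
}
```

The honest record (claimed length 2) is echoed by both responders; the lying record (claimed length 40 with a 2-byte payload) makes the unchecked responder return 40 bytes that include whatever followed the record in memory, while the checked responder drops it. Note that the secret here is only a marker; on a real server the adjacent bytes are whatever OpenSSL last freed or allocated, which is why repeated requests could eventually turn up key material.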
Josh @ Dreamland
Reply #2 Posted on: April 11, 2014, 10:02:36 PM
I tend to simplify when (A) speaking to the public or (B) not giving a shit/not reading up. This happened to be a case of both.

So yeah, sucks about other sites, but we dodged this one (it seems).
The 11th plague of Egypt (Member; Joined: Dec 2009; Posts: 284)
Reply #3 Posted on: April 12, 2014, 09:13:06 AM
Good to hear you found a place Josh!
Darkstar2 (Member; Joined: Jan 2014; Posts: 1212)
Reply #4 Posted on: April 12, 2014, 10:57:59 AM
Oh yeah, I have one small gripe against Google, and many might agree... They totally fucked up with YouTube (Google+ and YouTube). They should have just left YT the way it was, because now it's highly ret*.
:D
TheExDeus (Developer; Joined: Apr 2008; Posts: 1886)
Reply #5 Posted on: April 12, 2014, 06:11:42 PM
What is Josh actually going to work on, if it's not a secret? Google is a large company, so I just wanted to know what project/product/division you are planning to take part in. Even QA people have many divisions.
Josh @ Dreamland
Reply #6 Posted on: April 12, 2014, 06:50:08 PM
I'm a software engineer. I'll be working under a division of Channel Intelligence called gTech; some info about those is available online. I'm not sure how much of the specifics I'm allowed to mention, because I work on a lot of gutsy things rather than a specific product. You'll probably never personally interact with anything I write, unless you start your own business and want to share information with Google. You still might not come into contact with my code, but you'll at least invoke it. :P
The 11th plague of Egypt
Reply #7 Posted on: April 13, 2014, 01:38:50 PM
> Technically what Heartbleed enables is for the attacker to look at the server's OpenSSL heap, which may contain private keys or passwords if they look long and hard enough, which would then enable them to listen in on secured connections.
>
> So yeah, good news. :P
Damn, this is one of the best descriptions around.