ENIGMA Forums

General fluff => Announcements => Topic started by: Josh @ Dreamland on April 11, 2014, 06:23:25 pm

Title: Heartbleed
Post by: Josh @ Dreamland on April 11, 2014, 06:23:25 pm
tl;dr: we run CentOS 5; our software is so out-of-date, we are not affected by Heartbleed. Of course, you probably don't connect to us via SSL, anyway.

Heartbleed is an OpenSSL exploit that enables hackers to listen in on what should be secured connections. It's a terrible vulnerability that can lead to the leak of all sorts of sensitive information; in our case, passwords. Since most users connect over HTTP and are probably therefore not using a very secure password, this isn't an issue for most of our users. For those who do connect to us over HTTPS, you're safe, anyway, because the vulnerability is with a newer OpenSSL than we'll ever have. This has a number of downsides, but the upside is, we didn't even have to patch for this exploit. So your HTTPS passwords have been safe, and our SSH connections have been safe.

And to clarify, yes, I am still alive; I haven't lived for ten consecutive days in the same state for almost the last month, now, but I am finishing getting moved into my current apartment where I am now holding a job at Google. That said, afternoons and weekends are mine unless I break something.
Title: Re: Heartbleed
Post by: Rusky on April 11, 2014, 07:08:24 pm
Technically what Heartbleed enables is for the attacker to look at the server's OpenSSL heap, which may contain private keys or passwords if they look long and hard enough, which would then enable them to listen in on secured connections.

So yeah, good news. :P
Title: Re: Heartbleed
Post by: Josh @ Dreamland on April 11, 2014, 10:02:36 pm
I tend to simplify when (A) speaking to the public or (B) not giving a shit/not reading up. This happened to be a case of both.

So yeah, sucks about other sites, but we dodged this one (it seems).
Title: Re: Heartbleed
Post by: The 11th plague of Egypt on April 12, 2014, 09:13:06 am
Good to hear you found a place Josh!
Title: Re: Heartbleed
Post by: Darkstar2 on April 12, 2014, 10:57:59 am
Oh yeah I have one small gripe against Google, and many might agree....... They totally fucked up with YouTube. (Google+) and YouTube.  They should have just left YT the way it was because now it's highly ret*.
:D
Title: Re: Heartbleed
Post by: TheExDeus on April 12, 2014, 06:11:42 pm
What is Josh actually going to work with, if it's not a secret? Google is a large company, so just wanted to know what project/product/division you are planned to take part in? Even QA people have many divisions.
Title: Re: Heartbleed
Post by: Josh @ Dreamland on April 12, 2014, 06:50:08 pm
I'm a software engineer. I'll be working under a division of Channel Intelligence called gTech; some info about those is available online. I'm not sure how much of the specifics I'm allowed to mention, because I work on a lot of gutsy things rather than a specific product. You'll probably never personally interact with anything I write, unless you start your own business and want to share information with Google. You still might not come into contact with my code, but you'll at least invoke it. :P
Title: Re: Heartbleed
Post by: The 11th plague of Egypt on April 13, 2014, 01:38:50 pm
> Technically what Heartbleed enables is for the attacker to look at the server's OpenSSL heap, which may contain private keys or passwords if they look long and hard enough, which would then enable them to listen in on secured connections.
>
> So yeah, good news. :P
Damn, this is one of the best descriptions around.