Silly sysadmins ADDING Heartbleed to servers

At least 2,500 website administrators have made their previously secure sites vulnerable to Heartbleed more than a month after the bug sent the world into a hacker-fearing frenzy. Former Opera software developer Yngve Pettersen discovered the bungle while probing for Heartbleed vulnerable systems in the weeks after the bug was …

COMMENTS

This topic is closed for new posts.
  1. codebeard

    Remaining servers need extra pressure from users

    Web browsers need to start reporting known security flaws to users visiting a site, by default.

    I know there are extensions you can install for this kind of thing in Firefox or Chrome, but I think this shows the need for an installed-by-default warning system. Just like your browser warns you when you visit a site with an invalid/self-signed/expired certificate, it should check a database and warn when you visit a site with a possibly compromised certificate.

    If enough users get a warning bar appear when they visit unpatched.com, some of them are going to complain to the administrator of the site, hopefully resulting in getting it fixed.

    1. Uncle Siggy

      Re: Remaining servers need extra pressure from users

      "If enough users get a warning bar appear when they visit unpatched.com, some of them are going to complain to the administrator of the site, hopefully resulting in getting it fixed."

      You're not a Windows user I take it.

    2. Tomato42
      Thumb Up

      Re: Remaining servers need extra pressure from users

      well, even if it doesn't result in users complaining (they want their cat macros and want them now, those pesky warnings are just in the way), it still causes bad PR and obvious error to the _admin_ that runs the site.

  2. Ambivalous Crowboard

    holy fuck, three hours?

    One line of CLI and a reboot is all it took for me. Who makes these estimates?

    1. DanDanDan

      Re: holy fuck, three hours?

      You're forgetting about research, diagnostics, documentation and testing, revoking and reissuing of certificates, forcing the reset of user passwords, etc etc yadayada...

      The fix itself is a 5 minute (if that) job. It's the rest of the stuff that sorts the wheat from the chaff (and is exactly what this article is highlighting).

    2. Simone

      Re: holy fuck, three hours?

      On one line of CLI... to patch the software, revoke the certificates, install new certificates and reset passwords (and possibly notify all users or add a comment to the login page)... wow!

    3. NogginTheNog
      FAIL

      Re: holy fuck, three hours?

      No offence, but some companies do have more than just ONE server in their farm you know.

      1. LordHighFixer

        Re: holy fuck, three hours?

        @ NogginTheNog

        I have a great deal more than one server, and luckily none of mine are public facing so patching the vulnerable ones was mainly an administrative exercise. However, any sysadmin worth hiring should be able to patch one or 100 servers in the same amount of time. For me, I loaded the patch into the repository, selected the patch, the targets, and pushed the "do it" button.

    4. Wensleydale Cheese
      WTF?

      holy fuck, lack of reading comprehension

      The article says: "assuming it took the three admins four hours of work at $40 an hour, multiplied by the 2500 affected servers in question"

      I make that 12 man hours.

      But yes, it's a flawed calculation.

      Three people for four hours apiece for the first server maybe, but each additional server managed by that team should only take a fraction of that time.

      What? Three admins per server? I doubt that.

      And that $40 per hour looks dodgy. The rule of thumb is that it costs the company about double the hourly pay rate when you include admin, office space, infrastructure etc., so are we saying that the typical admin only gets $20 per hour?

  3. Anonymous Coward

    He'd best be careful. Scanning other people's servers may be a chargeable offense. Plus, revealing corporations are stupid and know nothing about protecting their customers' info can lead to severe jail terms when they go after him.

    1. Tomato42
      Trollface

      Opera Inc. is a Norwegian company. And while they do have oil, it doesn't look like US wants to bring Freedom®™ to them just yet.

      1. Euripides Pants
        Unhappy

        Re: it doesn't look like US wants to bring Freedom®™ to them just yet

        The fjords confuse us...
