Re: What about this post?
And we've linked to it in the article. This 'ere is a closer look at the Secure Transport fix. But thanks for reading every thing we publish :-)
C.
3495 publicly visible posts • joined 21 Sep 2011
"it'd probably behoove the author to read it"
Hi new reader - Tim wrote about Flash Boys here, on the Reg, a couple of weeks ago.
C.
Cripes. Quick - someone! What do we do now? Smash up some laptops in the basement?
C ;-)
"CloudFlare have found it impossible to exploit the bug to steal keys"
Bad luck, ducky. It's utterly possible :(
"We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can’t be certain."
C.
"CloudFlare have found it impossible to exploit the bug to steal keys"
Well, steal keys from a specific Nginx setup, but I take your point - and the Cloudflare blog is linked to in the article. I note that the Cloudflare heartbleed challenge site has updated itself to "Has the challenge been solved yet? MAYBE? (verifying)". Stay tuned.
In general, it is very tricky to steal private SSL keys (going to Vegas to put everything on red 14 seems like a better chance of success), but that doesn't stop the leaking of passwords and whatnot.
Plus, it's a rather fun bug. Code safe, everyone.
C.
It's an old writing habit from my tabloid days - avoid repetition, it improves your writing. So "blueprints" was used to avoid another use of source and/or code in the same sentence. That's all. I've written enough deep dives to expect Reg readers to get techy concepts.
On that note, thanks for the article comments - good discussion all round.
C.
OK. Well, hopefully we can move past that and maybe now we can get back to the technicals - such as mitigation. You say you've implemented ASLR, so any thoughts?
Guard pages around individual sensitive allocations, causing this memcpy() to trigger a fault? It burns up virtual address space a bit, but worth it IMHO.
There's also this: http://article.gmane.org/gmane.os.openbsd.misc/211963
C.
"Is the leaked data simply the junk that was in de-assigned memory?"
Yeah, it appears to be dead or alive blocks of memory allocated via some malloc()-like magic. If dead, one wonders why it wasn't zeroed on release.
"just suggesting, perhaps we could be a bit less crap at everything?"
This is why I'm learning Rust for its better pointer and array bounds handling, tho I'm not sure it could have helped here.
C.
"Never had a problem with getting support at the store and having a jailbroken device. So just shaddup with the 'jaikbroken? Then your screwed' crap already."
Ahem. From support.apple.com:
"Apple strongly cautions against installing any software that hacks iOS ... Apple may deny service for an iPhone, iPad, or iPod touch that has installed any unauthorized software."
PS: We're just reporting what the iFixit guy said. We don't have a strong opinion either way.
C.
I understand that's true for various PC things out there. But the docs I'm looking at say the RAM was refreshed by the video electronics in the PCjr: that circuitry governed the first 128KB. From the IBM tech manual:
"Memory refresh is provided by the 6845 CRT Controller and gate array. The gate array cycles the RAM and resolves contention between the CRT and processor cycles."
I'm not aware of a DMA controller in the PCjr.
C.
"So he's saying wired ethernet is slower than wireless?"
No, and I'm sorry if I wasn't able to make that clear enough. The broadband speed and the Wi-Fi are two separate things. He's upset that all this money is going into wired networks when students and staff prefer to use wireless devices wherever they want.
Then, even once they're connected, getting out to the internet is a PITA anyway.
I'm sorry this isn't clear enough.
C.
Edit: We got an earlier non-binding sub-committee meeting mixed up with the binding full city council meeting, although the overall gist of the story is correct (thankfully). Hopefully now the article is accurate - thanks and my apologies.
PS: Please, email corrections@thereg next time you spot something wrong. I may not see your complaint in the comments.
C.
That's the $64,000 question. We can only hope there's enough oversight built into ICANN to keep it steady.
C.
Please for the love of all you hold dear, please email corrections@theregister.co.uk with any problems you spot. We get those emails immediately whereas here I am, a day after publication, catching up with comments and finding a disagreement.
C.
This barely deserves a response. The Register is independently owned (see Companies House), and there is never, never any pressure on editorial to write one way or another. Come on, man, look at these articles:
http://www.theregister.co.uk/2013/06/08/what_about_a_us_tech_boycott/
http://www.theregister.co.uk/2014/02/24/richard_clarke_csa_comments/
http://www.theregister.co.uk/2013/12/17/cios_still_cloud_wary/
http://www.theregister.co.uk/2013/08/06/prism_revenue_wobble_worries/
http://www.theregister.co.uk/2013/10/17/european_commission_no_fortress_europe_for_cloud_but_if_prism_scared_you/
These are in the first few search results for "cloud", a mix of coverage. You're accusing editorial of corruption. That's really nice. Please post here your name, address and workplace so I can turn up and accuse you of corruption to your boss and customers :-/
C.
Pretty sure the Streaming Stick is a pure over-the-internet streaming device. You'll need the more expensive Roku 3 to do something like local streaming (or possibly a lot of fiddling with the Stick).
We've asked Roku for some more info; I'll update the story if that comes in.
C.
"Indeed the reporting of this issue was so poor"
Your understanding is wrong, I'm afraid.
1. Any router between you and your website can take advantage.
2. No, that was a curl bug unrelated to the grave SSL cert issue; all network connections boil down to IP addresses anyway.
3. It was reported on Friday after Apple dropped a 0-day on everyone with no fix available and with no fix delivery date.
Keep it coming. I'm loving it.
C.
Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.
Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.
C.
"Paah, the articles qualification was an edit made after I posted"
I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.
IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).
C.