Operation Heartbleed: A different view

Hey guys/gals,

So I'm sure a lot of you are aware of Operation Heartbleed which has come to surface this week (Although I thought it would have made breaking news). If you don't know what it is, it's a serious vulnerability in the OpenSSL Internet encryption protocol and has potentially left the information of most Internet users vulnerable to hackers - according too Google's security adviser researcher Neel Mehta and a team of codenomicon researchers.

Quote from this source: Article on OP Heartbleed

That’s according to a team of Codenomicon researchers, as well as Google Security researcher Neel Mehta. Codenomicon is a Web security firm whose clients include Microsoft, Verizon, and Cisco Systems. The Heartbleed bug reportedly affects as much as 66 percent of the world’s active websites, and has existed for roughly two years.

OpenSSL is a method of encryption employed by many websites that safeguard the data you type into your Web browser. OpenSSL contains a function known as a heartbeat option. With it, while a person is visiting a website that encrypts data using OpenSSL, his computer periodically sends and receives messages to check whether both his PC and the server on the other end are both still connected. The Heartbleed bug means hackers can send fake heartbeat messages, which can trick a site’s server into relaying data that’s stored in its RAM — including sensitive information such as usernames, passwords, credit card numbers, emails, and more.

In short, our passwords, usernames, bank details, anything we've typed into a website has potentially been stored and this has been going on for two years.

A couple of days after this news came out there was another article, in which the NSA has known about the heartbleed bug for the 2 years and have even exploited it to gather sensitive information which is no surprise considering their ideology and what we've heard about them in the past couple of years.

A short bit and the full article here:NSA article

According to a report by Bloomberg, USA's National Security Agency had been aware of the Heartbleed bug long before it was made public on Monday. It also went on to add that the agency exploited the bug on a regular basis so as to gather critical intelligence.

Bloomberg says that the agency declined to comment on the report, before going on to deny that it was aware of Heartbleed.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong," according to an e-mailed statement from the Office of the Director of National Intelligence.

It comes as no surprise that the NSA found the bug early, since it has many powerful resources at its disposal, including budgets that allow it to spend over a billion every year on data processing and exploitation, according to TheVerge.

What has this got to do with a different view and how is this different to any thread explaining about the heartbleed bug? Well I'd like to offer my theory on what this is.

We've been asked and prompted to change our passwords on anything we're logged into online; Social media sites, internet banking etc. That got me thinking, what if the whole story on this operation is just a fake and the 'real' bug will be used in the future? It would be so easy for them to make us panic about this, and in that time plant a real bug/key logger type of thing so then they have everybodys new passwords, hey presto you have the entire internets passwords and information with almost no hassle at all.

Just my thoughts, I don't think I've worded it correctly (forgive me I've had a tiring week) so anything you're unclear about just ask. What's your 2 cents?

Thanks

reply to post by conz1992


SSL was flawed from the beginning from back doors to zero padding. There is no real transactional security, only situational awareness.

Even offline data can be accessed in certain cases and get ready for 'smart' AC.

reply to post by conz1992

what if the whole story on this operation is just a fake and the 'real' bug will be used in the future? It would be so easy for them to make us panic about this, and in that time plant a real bug/key logger type of thing so then they have everybodys new passwords, hey presto you have the entire internets passwords and information with almost no hassle at all.

I get that you're thinking out of the box, but...

" operation is just a fake and the 'real' bug will be used in the future" how would they be getting everybody's new passwords now?

I may just be misunderstanding what you are actually saying. (I've been known to be wrong before )

reply to post by Chamberf=6


Ill try and re-word it

Basically there is no 'heartbleed' or there is but it just isn't as bad as the articles make it out to be, internet providers and websites are prompting us to change our passwords so in that time the NSA could use a keylogging bug to get the new passwords and then they've got a database of the new information etc.

Although I doubt the bug has been fixed so what's stopping them from obtaining the new passwords made?

Hope that makes more sense

lol I am sorry to say I think you are kindly overthinking this on mate. The NSA already has a total serveillence state. There is no need for this new bug to get everybodys 'new' passwords because they already have all the current passwords and other information.

More likely than not itll come out the NSA themselves had this heartbleed 'bug' ahem. backdoor. designed and built in since the start....there is also backdoors built in to the hardware itself. You can maybe try to hide info from hackers but not the government.

reply to post by conz1992


Gotcha.

but until a site has implemented a fix or patch, it is pointless to change passwords yet anyway.

--I understand what you were saying now --sorry.

In two other threads on this i have given a link to check and see if one has..,

here it is; lastpass.com... .

reply to post by lightedhype

More likely than not itll come out the NSA themselves had this heartbleed 'bug' ahem. backdoor. designed and built in since the start....there is also backdoors built in to the hardware itself. You can maybe try to hide info from hackers but not the government.

If not designed, then taken full advantage of by NSA.
along with all their other surveillance.

But patching/fixing heartbleed could at least put a (perhaps temporary roadblock) for private individuals or groups from hacking/stealing data.

Until the next...probably in a couple of weeks if not sooner. (slightly sarcastic with that line, but most likely fairly accurate)

Just saw an article on io9 io9.com... (where a lot of ATS threads seem to birth from) a link to a pretty cool real time cyber attacks across the globe cybermap.kaspersky.com....

Just thought it was kind of neat and eye-opening.

reply to post by conz1992


Keep ni mind whatever they collect also has to be decrypted, so for instance if you have easy to understand PS/UNs then it would just come out in decryption format(option-showpassword), however if your info is more sophisticated and less easy to figure out say alphanumeric/symbol/codework/numberscheme, they would have to use software not unlike vault decryption gadgets. They may collect #, but doesnt mean you have to make it easy for them to read. And even if they did, like i ask about government secrets: what is so important that is has to stay secret, what is a person hiding that no one can know about? Remember they already have Xbox One, cell phones, emails etc that they record and analyze. Plus side note: This bug stuff and tech and surveillance is nothing new, the NSA has been surveilling americans for over a decade using the Patriot Act as authority to screen everything, so whatever your worried about, they prolly already have. 2 If your paranoid worried about them getting your #, there are a number of ways you can scramble your info including IP hiding. Dont let fear overtake your sense of personal security, half the time the feds let you make the mistake so they just have to gather the info. More NSA office seats than congress and mainstream intelligence jobs put together lol big brothers been watching much longer than americans been payin attention, just now becoming a common public interest.

greencmp
reply to post by conz1992

 

SSL was flawed from the beginning from back doors to zero padding.

Heartbleed isn't due to a SSL flaw, it's due to an implementation flaw.

heartbleed.com...

Is this a design flaw in SSL/TLS protocol specification?

No. This is implementation problem, i.e. programming mistake in popular OpenSSL library that provides cryptographic services such as SSL/TLS to the applications and services.

reply to post by conz1992


The NSA don't need your passwords. They say to the holders "Give us conz1992's data" and the providers hand it to them.

Heartbleed is an implementation bug, it's easy to verify its existence by looking at the implementation source code (which AKAIK is opensource).

As others have stated Heartbleed is an issue with the (open source) code.
It is very real (have seen the flaw demonstrated locally to me) and probably wasn't used as a widescale intercept/surveillance tool by the Alphabet Agencies.

Alphabet agencies dont want/need individual passwords at the client level unless you are on a surveillance list (think criminals and terrorists- not suitable for general internet users unless they have previous form).

Instead they focus on "exploiting" -sometimes in collusion with the carriers, network switches, hubs and routers within ISP networks and collect EVERYTHING for later retrieval if/when needed.

On tonight, live from 10PM Eastern time!

Show thread with listening information