Re: heartbleed OpenSSL bug CVE-2014-0160

[Paul Vixie <paul () redbarn org>]

Paul Vixie wrote:
> Michal Zalewski wrote:
> > > http://m.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
>
> when the internet moved out of academia and into the larger population,
> we got tabloids and ambulance chasers in the deal. ick.

speaking of ambulance chasers, in the above-referenced article, THIS
little gem:

"On a scale of one to 10, it is an 11," renowned security expert Bruce
Schneier said of the bug.

really bruce? on a scale of doesn't-matter-at-all to
worst-thing-you-could-have-previously-imagined, a read only exploit is
even worse than that? no remote file modification, no root shell, no
non-root shell, no data-modification, no arbitrary file system reads...
just a read only heap exploit, and it's worse than anything you could
have previously fucking imagined?

gentlemen and ladies, we have met the enemy, and they are our egos.

vixie


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/