From: Alan Browne
Date: Fri, 18 Apr 2014 13:24:04 -0400
Newsgroups: comp.lang.ada
Subject: Re: Heartbleed - attacks?
References: <1ljwj8f.1wqbhvuabsdw1N%csampson@inetworld.net>
In-Reply-To: <1ljwj8f.1wqbhvuabsdw1N%csampson@inetworld.net>
Message-ID: <57idncuye_IowszOnZ2dnUVZ_hSdnZ2d@giganews.com>

On 2014.04.10, 22:39 , Charles H. Sampson wrote:
> According to Wikipedia, the Heartbleed bug in OpenSSL is caused by
> two errors: Lack of bounds checking and failure to verify that the
> heartbeat request was valid. Whom does one express one's indignation to?
> The insistence of many in our "profession" on using C and its descendants
> is the reason I qualify the word "profession" when writing about
> software developers. Acting on a message without validating it is
> equally incomprehensible to me. The former is a "profession"-wide
> problem. For the latter, someone needs a severe rebuke on his next
> performance review, at the least.
>
> It so happens that for the last project I worked on, I was
> responsible for TCP/IP communication. Every incoming message was fully
> validated, including validating all components of the message body. The
> only response to an invalid message was a negative acknowledgement to
> the sender. It never occurred to me to do it any other way. Haven't the
> problems associated with acting on invalid input of any sort been known
> for decades?

As far as the above may be (is) true, according to this article:

http://bits.blogs.nytimes.com/2014/04/16/study-finds-no-evidence-of-heartbleed-attacks-before-the-bug-was-exposed/?src=me

There were no "attacks" due to heartbleed.

OTOH, a 19 year old in London, ON, has been arrested for accessing some
900 people's tax info via the Canadian Revenue Agency (aka: taxman) tax
filing servers using the HB exploit.

Whether this attack was made after HB was announced (and before the CRA
closed their web portal) is not clear to me. Looks to me like a
"bright" kid screwing around without intended malice is being ground up
by the RCMP just so they can say justice is being done. (aka: closing
the barn door after the horses have fled).

-- 
"Big data can reduce anything to a single number, but you shouldn't be
fooled by the appearance of exactitude."
-Gary Marcus and Ernest Davis, NYT, 2014.04.07
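The two errors Sampson quotes (no bounds check, no validation of the heartbeat request) come down to one missing comparison: the payload length the peer claims against the length of the record that actually arrived. The following is an added illustration, not code from this thread or from OpenSSL; it follows the RFC 6520 heartbeat layout (type, 2-byte payload_length, payload, at least 16 bytes of padding) and rejects a malformed request with an error return, which is the "negative acknowledgement" approach described above. The sample records are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request message type (RFC 6520) */
#define HB_HEADER_LEN  3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Validate one heartbeat record before acting on it.  Copies the payload
 * into out and returns its length, or -1 if the message is rejected
 * (the caller answers with a negative acknowledgement instead of echoing). */
int heartbeat_validate(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_len)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;  /* too short */
    if (rec[0] != HB_REQUEST) return -1;                      /* wrong type */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];          /* claimed length */
    /* The bounds check Heartbleed lacked: the payload the peer *claims*
     * must fit inside the record that was actually *received*. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len) return -1;
    if (payload > out_len) return -1;                         /* our own buffer */
    memcpy(out, rec + HB_HEADER_LEN, payload);
    return (int)payload;
}

/* Constructed sample records (hypothetical, not real traffic). */
static const uint8_t kWellFormed[] = {
    HB_REQUEST, 0x00, 0x04, 'a', 'b', 'c', 'd',      /* claims 4 bytes, has 4 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };               /* 16 bytes padding */
static const uint8_t kOverClaimed[] = {
    HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c', 'd',      /* claims 65535, has 4 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int demo_well_formed(void)
{
    uint8_t out[64];
    return heartbeat_validate(kWellFormed, sizeof kWellFormed, out, sizeof out);
}

int demo_over_claimed(void)
{
    uint8_t out[64];
    return heartbeat_validate(kOverClaimed, sizeof kOverClaimed, out, sizeof out);
}
```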