The Revenge of Buffer Overflows

9 messages

The Revenge of Buffer Overflows

Alejandro Tejada
A single line of code:

memcpy(bp, pl, payload);

produced a data breach of
unexpected consequences...

http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209/all
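The line quoted above is only the copy; the defect is that `payload` is taken from the attacker's own heartbeat message and never compared with how many bytes actually arrived, so the copy reads past the end of the record (an over-read of adjacent memory, not an overwrite). The C program below is an added example written for this page, not OpenSSL's code: it places a heartbeat request inside a constructed buffer with a fake secret immediately after it, runs the request through a handler with the original unchecked logic and through one with the two length checks the OpenSSL fix added, and reports whether the secret ends up in the response. The record layout, the `SECRET` contents, the `hb_process_*` and `heartbeat_leaks` names and the arena sizes are the example's own assumptions; the 16-byte minimum padding comes from RFC 6520.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type (1 byte) | payload_length
 * (2 bytes, big-endian) | payload | padding (at least 16 bytes). */
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
#define HB_PADDING 16

/* Constructed arena: the received record sits at the front and unrelated
 * process data (a fake secret) is placed right after it, standing in for
 * whatever happened to be adjacent on the heap. Because the over-read in the
 * vulnerable handler stays inside this one array, the demonstration is
 * defined behaviour in C rather than a true out-of-bounds access. */
#define ARENA_SIZE 64
#define OUT_SIZE   128
static const char SECRET[] = "SECRET-KEY-MATERIAL";  /* constructed sample */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but which actually carries strlen(actual) bytes. Returns the true record
 * length, i.e. what the record layer knows the peer really sent. */
static size_t build_record(unsigned char *arena, size_t claimed_len,
                           const char *actual)
{
    size_t actual_len = strlen(actual);
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, actual, actual_len);
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;   /* padding left zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1); /* adjacent memory */
    return rec_len;
}

/* Shared response builder: copies `payload` bytes starting at `pl` into the
 * reply. The out_cap guard exists only to keep this demo in bounds; the real
 * code allocated the reply from the attacker-supplied length. */
static size_t build_response(unsigned char *out, size_t out_cap,
                             const unsigned char *pl, size_t payload)
{
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);      /* the line from the post: reads past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler: the payload length comes from the message itself and is
 * never compared with rec_len. This is the Heartbleed pattern. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* peer-controlled */
    return build_response(out, out_cap, rec + 3, payload);
}

/* Hardened handler: same logic plus the two checks the OpenSSL fix added,
 * transcribed into this example's names: the record must be long enough to
 * hold a header and minimum padding at all, and the claimed payload plus
 * header and padding must fit inside what was actually received. */
static size_t hb_process_hardened(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                    /* silently discard */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                    /* claimed length is a lie */
    return build_response(out, out_cap, rec + 3, payload);
}

/* Runs one request (real payload "hi", header claiming `claimed_len` bytes)
 * through `handler`. Returns -1 if the handler rejected the request, 1 if the
 * response contains the adjacent secret, and 0 otherwise. */
static int heartbeat_leaks(hb_handler handler, size_t claimed_len)
{
    unsigned char arena[ARENA_SIZE];
    unsigned char out[OUT_SIZE];
    size_t rec_len = build_record(arena, claimed_len, "hi");
    size_t n = handler(arena, rec_len, out, sizeof out);
    if (n == 0)
        return -1;
    size_t m = sizeof SECRET - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, SECRET, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, honest length 2:   %d\n", heartbeat_leaks(hb_process_vulnerable, 2));
    printf("vulnerable, claimed length 40: %d\n", heartbeat_leaks(hb_process_vulnerable, 40));
    printf("hardened,   claimed length 40: %d\n", heartbeat_leaks(hb_process_hardened, 40));
    return 0;
}
```

The honest request (claimed length equal to the real payload) behaves identically under both handlers; the lying request leaks the bytes that follow the record under the original logic and is discarded under the fixed logic. The check compares the attacker's number against the record length the transport layer already knows, which is the general rule: a length field inside untrusted data is itself untrusted until it has been bounded by something the peer does not control.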

Re: The Revenge of Buffer Overflows

Richard Gaskin
Alejandro Tejada wrote:

> A single line of code:
>
> memcpy(bp, pl, payload);
>
> produced a data breach of
> unexpected consequences...
>
> http://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209/all

Scott Raney's opinion on buffer overflows:
<https://www.mail-archive.com/metacard@.../msg02659.html>

:)

--
  Richard Gaskin
  Fourth World
  LiveCode training and consulting: http://www.fourthworld.com
  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
  Follow me on Twitter:  http://twitter.com/FourthWorldSys

_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Re: The Revenge of Buffer Overflows

Alejandro Tejada
Richard Gaskin wrote:
> Scott Raney's opinion on buffer overflows:
> <https://www.mail-archive.com/[hidden email]/msg02659.html>

Many thanks for posting this message from Scott Raney.
From this message, I found the Top 25 software errors:
http://www.sans.org/top25-software-errors/

And Buffer Overflow is at the top of its category:
Risky Resource Management

http://cwe.mitre.org/top25/index.html#CWE-120

This incident just generates more questions:

Who made this specific change in the OpenSSL code?
Did he actually know the consequences of the
changes that he committed?
Why did nobody else notice until now?
Who knows what evil lurks in the source of trusted software?

Al

Re: The Revenge of Buffer Overflows

Alejandro Tejada
And finally:
http://mashable.com/2014/04/10/heartbleed-programmer/

"Programmer Robin Seggelmann says he wrote the code for
the part of OpenSSL that led to Heartbleed. But it was an accident.
He submitted the code to the OpenSSL project and other members
reviewed it. Seggelmann later added another piece of code for a
new feature, which the members then added. It was this added
feature that introduced the bug."

"It would be better if more people helped improving it," Seggelmann
told Mashable via email. "It doesn’t really matter if companies
benefitting from it provided some support, or if people do it in
their spare time. However, if everybody just keeps using it and
thinks somebody else will eventually take care of it, it won’t work.
The more people look at it, the less likely errors like this occur."

Re: The Revenge of Buffer Overflows

Richard Gaskin
Alejandro Tejada wrote:
> And finally:
> http://mashable.com/2014/04/10/heartbleed-programmer/
...
> "It would be better if more people helped improving it," Seggelmann
> told Mashable via email. "It doesn’t really matter if companies
> benefitting from it provided some support, or if people do it in
> their spare time. However, if everybody just keeps using it and
> thinks somebody else will eventually take care of it, it won’t work.
> The more people look at it, the less likely errors like this occur."

That applies equally well to testing LiveCode.

--
  Richard Gaskin
  Fourth World
  LiveCode training and consulting: http://www.fourthworld.com
  Webzine for LiveCode developers: http://www.LiveCodeJournal.com
  Follow me on Twitter:  http://twitter.com/FourthWorldSys

Re: The Revenge of Buffer Overflows

mwieder
In reply to this post by Alejandro Tejada
Ha!

http://i.imgur.com/0mbh6xE.jpg

--
 Mark Wieder
 [hidden email]

Re: The Revenge of Buffer Overflows

Heather Laine
Thank you for that. I actually did laugh out loud. Having spent the last few days getting everybody new certificates I relate to this on a deep and personal level... ;)

Regards,

Heather

On 11 Apr 2014, at 17:00, Mark Wieder wrote:

> Ha!
>
> http://i.imgur.com/0mbh6xE.jpg
>
> --
> Mark Wieder
> [hidden email]

Heather Laine
Customer Services Manager
http://www.livecode.com/

Re: The Revenge of Buffer Overflows

Ben Rubinstein
While we're on comic responses to Heartbleed, the latest xkcd is the most
concise explanation of the bug I've seen.

http://xkcd.com/1354/

(I can't vouch for its accuracy.)

Ben

On 11/04/2014 17:07, Heather Laine wrote:

> Thank you for that. I actually did laugh out loud. Having spent the last few days getting everybody new certificates I relate to this on a deep and personal level... ;)
>
> Regards,
>
> Heather
>
> On 11 Apr 2014, at 17:00, Mark Wieder wrote:
>
>> Ha!
>>
>> http://i.imgur.com/0mbh6xE.jpg
>>
>> --
>> Mark Wieder
>> [hidden email]


_______________________________________________
use-livecode mailing list
[hidden email]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
Reply | Threaded
Open this post in threaded view
|

Re: The Revenge of Buffer Overflows

mwieder
Ben-

Friday, April 11, 2014, 10:29:12 AM, you wrote:

> While we're on comic responses to Heartbleed, the latest xkcd is the most
> concise explanation of the bug I've seen.

> http://xkcd.com/1354/

> (I can't vouch for its accuracy.)

Exactly. Randall's got it right - here's a short video explaining
what's behind this.

http://info.elastica.net/2014/04/openssl-heartbeat-vulnerability/

--
-Mark Wieder
 [hidden email]

This communication may be unlawfully collected and stored by the National
Security Agency (NSA) in secret. The parties to this email do not
consent to the retrieving or storing of this communication and any
related metadata, as well as printing, copying, re-transmitting,
disseminating, or otherwise using it. If you believe you have received
this communication in error, please delete it immediately.