[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAKLh_qw_89s=YDaaWQg2VVbh_yx0WJYnBzxQKuhz-NUDG=733Q@mail.gmail.com>
Date: Fri, 11 Apr 2014 19:20:52 +1000
From: "Ivan .Heca" <ivanhec@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
to be fair to Bruce, here is his entire post on the subject
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
On Fri, Apr 11, 2014 at 4:32 PM, Paul Vixie <paul@...barn.org> wrote:
>
>
> Paul Vixie wrote:
> > Michal Zalewski wrote:
> >>>
> http://m.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
> >>>
> >
> > when the internet moved out of academia and into the larger population,
> > we got tabloids and ambulance chasers in the deal. ick.
>
> speaking of ambulance chasers, in the above-referenced article, THIS
> little gem:
>
> "On a scale of one to 10, it is an 11," renowned security expert Bruce
> Schneier said of the bug.
>
> really bruce? on a scale of doesn't-matter-at-all to
> worst-thing-you-could-have-previously-imagined, a read only exploit is
> even worse than that? no remote file modification, no root shell, no
> non-root shell, no data-modification, no arbitrary file system reads...
> just a read only heap exploit, and it's worse than anything you could
> have previously fucking imagined?
>
> gentlemen and ladies, we have met the enemy, and they are our egos.
>
> vixie
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists