
Over 300,000 Servers Remain Vulnerable To Heartbleed

samzenpus posted about 5 months ago | from the protect-ya-neck dept.

Security 74

An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."


Better Career Path (4, Funny)

Austrian Anarchy (3010653) | about 5 months ago | (#47294361)

If those servers would have studied engineering instead of history, they probably would not be servers and not be suffering from broken hearts.

Re:Better Career Path (3, Funny)

plover (150551) | about 5 months ago | (#47294371)

You bleeding heart liberals never know when to change.

Re:Better Career Path (0)

Anonymous Coward | about 5 months ago | (#47294537)

bleeding heart, heartbleed...? inception.

Re:Better Career Path (3, Insightful)

jellomizer (103300) | about 5 months ago | (#47297495)

300,000 seems like a small number, if you stop and consider how many sub-amateurs set up web servers.
You were told that Linux is very secure and you don't have to worry about hacks and viruses. You installed your favorite distribution, got whatever web stuff you wanted, and then you left the server running, racking up uptime and never touching the server again. Heck, I am willing to bet for some of these systems the hard drive failed years ago, and they are running off of RAM alone.
Web page still works, everything is A-OK.

Re:Better Career Path (0)

Anonymous Coward | about 5 months ago | (#47298585)

Goose-schtepping morons like yourselves ought to try reading books inshtead of burning them!

Hosting? (4, Insightful)

houstonbofh (602064) | about 5 months ago | (#47294369)

I wonder how many of these are dirt cheap hosting servers, and no one who should care even knows the hosting company is asleep at the switch...

Hosting? (1)

Anonymous Coward | about 5 months ago | (#47294607)

Maybe some of them are patched but nobody restarted apache/nginx/lighttpd/whatever so they still use old and vulnerable openssl version

Re:Hosting? (0)

Anonymous Coward | about 5 months ago | (#47294709)

Maybe some of them are patched but nobody restarted apache/nginx/lighttpd/whatever so they still use old and vulnerable openssl version

Oh god. The number of times I've seen this.

I almost wish package managers would throw forced restarts into packages, and damn the (very real) consequences.
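The patched-but-never-restarted case this subthread describes can be checked from the outside of the process, and the script below is an added example of that check; it is not code from any poster here. On Linux, a process that loaded the old libssl keeps the now-unlinked file mapped, and the kernel marks such lines in /proc/<pid>/maps with a trailing "(deleted)". The maps lines in the sample are constructed, and the /proc layout and the libssl/libcrypto file naming are assumptions about a Debian/Ubuntu-style system.

```python
import os
import re
from typing import Dict, List

# Shared-object names to watch; assumption: the distro ships OpenSSL as libssl/libcrypto .so files
OPENSSL_LIB_RE = re.compile(r"/\S*lib(?:ssl|crypto)\S*\.so\S*")


def stale_openssl_libs(maps_text: str) -> List[str]:
    """Return OpenSSL libraries mapped from files that no longer exist on disk.

    The kernel appends " (deleted)" to a /proc/<pid>/maps line when the mapped
    file has been unlinked, which is exactly what a package upgrade does to the
    old libssl: the process keeps executing the old code until it is restarted.
    """
    stale: List[str] = []
    for line in maps_text.splitlines():
        if not line.rstrip().endswith("(deleted)"):
            continue
        match = OPENSSL_LIB_RE.search(line)
        if match and match.group(0) not in stale:
            stale.append(match.group(0))
    return stale


def scan_processes(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and report every pid still holding a deleted OpenSSL mapping."""
    findings: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as maps:
                stale = stale_openssl_libs(maps.read())
        except OSError:
            continue  # process exited, or belongs to another user and we are not root
        if stale:
            findings[int(entry)] = stale
    return findings


# Constructed samples: a web server worker started before the upgrade (old files
# unlinked) and a process started after it (current files still on disk).
SAMPLE_MAPS_STALE = """\
7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c3f0000-7f3a1c460000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c660000-7f3a1c7c0000 r-xp 00000000 08:01 131074 /lib/x86_64-linux-gnu/libc-2.19.so
"""
SAMPLE_MAPS_CLEAN = """\
7f9b20000000-7f9b201f0000 r-xp 00000000 08:01 131080 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f9b203f0000-7f9b20460000 r-xp 00000000 08:01 131081 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
"""

if __name__ == "__main__":
    for pid, libs in sorted(scan_processes().items()):
        print(f"pid {pid} still maps old OpenSSL: {', '.join(libs)} -> restart it")
```

Run it as root to see every process, not just your own. Debian's checkrestart (debian-goodies) and needrestart do the same job more thoroughly; a clean result from this check only covers the shared library, since a daemon that statically linked OpenSSL shows no separate mapping at all.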

Re:Hosting? (1)

ruir (2709173) | about 5 months ago | (#47296413)

Actually Debian forced restarts after the 3rd or 4th upgrade cycle due to update corrections due to SSL. Maybe a week or two after the original problem. Probably for a good reason...

Re:Hosting? (0)

Anonymous Coward | about 5 months ago | (#47294821)

My question is how do these "security researchers" not run afoul of the law for massive network scans over the Internet as they attempt to identify vulnerable servers? I thought there were laws against such activity, at least in the United States of Amerika.

Re: Hosting? (0)

Anonymous Coward | about 5 months ago | (#47296077)

It's not illegal to request information from a web server. You may be surprised how much info you can get over simple requests.

Re: Hosting? (1)

Torp (199297) | about 5 months ago | (#47296191)

Also, the laws are a bit idiotic. It's not like the ones actually exploiting the vulnerability will care that it's illegal.
They need a whistleblower exception :)

Re:Hosting? (0)

Anonymous Coward | about 5 months ago | (#47297491)

I have a vulnerable server hosted on Amazon EC2 because the Ubuntu VM that they provided for me was not a long-term support version and therefore an updated openssl is not in apt. It's not worth the effort to fix it because it will be shut down and destroyed after this current project is done in a couple months, and there's absolutely nothing of importance on the server. Maybe someone could get lucky and find a remote git password in memory and I'd have to recreate the repo?

and yet cryptocurrencies remain immune...! (0, Troll)

jaeztheangel (2644535) | about 5 months ago | (#47294379)

good architecture => good security

Re:and yet cryptocurrencies remain immune...! (4, Insightful)

plover (150551) | about 5 months ago | (#47294499)

You've packed a lot of wrong into such a short post. If a system is insecure a "good" architecture is irrelevant - you're still screwed. And either way, neither architecture nor cryptocurrencies have anything to do with this problem, which is unpatched OpenSSL.

Re:and yet cryptocurrencies remain immune...! (1, Insightful)

jaeztheangel (2644535) | about 5 months ago | (#47294517)

If a system is insecure a "good" architecture is irrelevant - you're still screwed.

Dear John

Please can you explain how BitCoin is vulnerable to Heartbleed?

I think good architecture is essential to good security. That's why I posted.

Many Thanks

Jawad Yaqub

Online wallet (2)

tepples (727027) | about 5 months ago | (#47294533)

Bitcoin itself is not vulnerable, as I understand it. But an online wallet using HTTPS with certain heartbeat-enabled TLS stacks may be vulnerable.

Re:and yet cryptocurrencies remain immune...! (4, Informative)

tysonedwards (969693) | about 5 months ago | (#47294899)

Bitcoin used a vulnerable version of OpenSSL and required an update to Bitcoin Core to stop it from revealing the contents of its memory to a remote attacker. That is why 0.9.1 came out in such short order after the disclosure of the Heartbleed vulnerability. See the Bitcoin Foundation's website: Heartbleed [bitcoin.org]

Re:and yet cryptocurrencies remain immune...! (1)

Copid (137416) | about 5 months ago | (#47298525)

On a similar note, my coffee machine is not vulnerable to HeartBleed. Another point for the engineers over at Saeco over the morons at OpenSSL, right?

Yeah, unfortunate reality of infosec (1)

astralagos (740055) | about 5 months ago | (#47294383)

This is to be expected, the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.

what about the Bob and Joe's Bait Shop (1)

Joe_Dragon (2206452) | about 5 months ago | (#47294731)

who does not want to pay the X3 rate to get someone out there now to fix it and will just wait for the next visit in their plan with their outsourced IT plan.

Re:Yeah, unfortunate reality of infosec (1)

tlhIngan (30335) | about 5 months ago | (#47296037)

This is to be expected, the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.

Or the "smart" software developer who sees Apples and Googles and Microsofts charging 30% for their app store, and thinks they can just "save the money" and "do it themselves".

After all, it's just a few web servers, HTML and anyone can download Ubuntu and get it working. And after you set it up once, it's all you need. Right?

Why pay Apple/Google/Microsoft 30% when you can do it yourself? After all, it's just a one-time set up cost and then the devs can get back to developing the product, the site doesn't need maintenance or anything.

Different websites, different passwords (1)

Anonymous Coward | about 5 months ago | (#47294391)

This is why at different websites, you need different passwords. This way, it minimizes damage when it's not patched.

Just watch the video at http://www.komonews.com/news/consumer/Getting-passwords-under-control-261725121.html

A more secure password has at least nine characters and has a combination of letters, numbers, and symbols. You can use a core password that's easy to remember, then put characters ahead of it and after it to vary it for different websites. So, for example, your core could be B@seball9, then for Amazon your password could be B@seball9AZ and for Facebook your password could be B@seball9FB.

In the video, they show as a more secure password for Amazon.com to be B@aseball9amazon

I don't think we should trust the video.

Re:Different websites, different passwords (0)

Anonymous Coward | about 5 months ago | (#47296379)

B@seball9 would certainly be cracked in less than a second using a dictionary attack. And you can bet they'll stick "amazon" or "AZ" behind it when trying to crack amazon passwords. And if enough people start using this scheme, you can bet the attackers will write software that, once it finds a password for Amazon ending in AZ, it will immediately try the same one with FB behind it for FaceBook.

Let's put teenagers in jails (3, Insightful)

Jorge666 (3709467) | about 5 months ago | (#47294403)

Why would someone patch the web server?
We don't like smart and taking initiative teenagers, here in the USA

1. Teenager sends email to administrators advising them about unpatched server.
2. SWAT raids the home of the kid.
3. DA sends the kid to private jail for life and announces running for another term.
4. ?
5. Profit or reality of life in the USA

Heartbleed is a bad vulnerability (0)

Anonymous Coward | about 5 months ago | (#47294437)

It does not allow for a "patching virus" that uses the exploit to fix it.

This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47294457)

Some folks are using IDS+IPS and other mitigation to prevent the problem, vs. patching.

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47294621)

"intrusion detection and intrusion protection"?

Isn't that like saying "here at First Slashdot Bank, we use the security technique of a daily review of how much money is in our wide-open unsecured vault to ensure your money is never stolen?"

If you haven't patched, and you are still vulnerable - IDS and IPS just tells you you're fucked, it doesn't PREVENT you from being fucked by closing the hole you're being fucked through.

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47294641)

"IDS and IPS just tells you you're fucked, it doesn't PREVENT you from being fucked by closing the hole you're being fucked through.

Doesn't the "prevent" in IPS prevent the problem? I think it does....

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47294669)

So rather than closing the hole, you'll leave it open in the futile hope that some other third party hasn't fucked up as bad as the OpenSSL team?

You're going to rely on the fact that the engineers at Cisco (for ex.) have accurately predicted all possible signatures this exploit would exhibit in their IPS system, that your idiotic IT drone-bots in India have all deployed & activated the latest signature packs correctly to detect all those signatures, AND leave the fucking hole open, rather than just *patch the motherfucking software*?

Sir, I pray you never ascend to the rank of CTO / CIO at anywhere of any actual import and meaning in the real world.

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47295031)

So rather than closing the hole, you'll leave it open in the futile hope that some other third party hasn't fucked up as bad as the OpenSSL team?

You're going to rely on the fact that the engineers at Cisco (for ex.) have accurately predicted all possible signatures this exploit would exhibit in their IPS system, that your idiotic IT drone-bots in India have all deployed & activated the latest signature packs correctly to detect all those signatures, AND leave the fucking hole open, rather than just *patch the motherfucking software*?

I don't trust Cisco any more than I trust the OpenSSL developers. But this is about layered defense. OpenSSL wasn't good enough by itself, so like most organizations, run firewalls, IDS and IDP.

Sir, I pray you never ascend to the rank of CTO / CIO at anywhere of any actual import and meaning in the real world.

I guess uncreative foul-mouthed Trolls can be honorable gentlemen! And BTW, while you are striving to become the head-cheese, remember that CIO stands for something else... Career Is Over.

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47295687)

>> Sir, I pray you never ascend to the rank of CTO / CIO at anywhere of any actual import and meaning in the real world.

I'm a ma'am, you goddamn son of bitch cock-sucking motherfucker!

Re:This number might be too high..... (0)

Anonymous Coward | about 5 months ago | (#47295609)

I don't understand how an IPS can stop heartbleed when the detection can't be done against the encrypted stream? The only way for an IPS to detect heartbleed is to be an HTTPS proxy, at which point the proxy is already doing the HTTPS, so it's moot.

If the IPS is not inline, but is instead passively listening to the traffic via port mirroring somehow, then it's still possible for a race condition to occur where the IPS cannot react in time to notify the firewall to drop the connection. Because heartbleed is all done in memory, it's extremely quick to respond. You have microseconds from the time the packet hits the firewall to the time OpenSSL responds with a memory payload, and the IPS needs to kill the connection before then.
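The detectability question raised in this post, worked through as an added example that is mine and not any poster's or any IDS vendor's: the 5-byte TLS record header, including the content type that marks a Heartbeat record, travels in the clear even after the handshake, so an inline device can see Heartbeat records and their sizes; what it cannot see once the session is encrypted is the payload_length field inside the message. The records below are constructed, not captured traffic, and the 64-byte size policy is an assumption.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 24           # TLS record content type for Heartbeat (RFC 6520)
HEARTBEAT_MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload
MAX_HEARTBEAT_RECORD = 64    # assumption: site policy; a legitimate keepalive is tiny


@dataclass
class Alert:
    offset: int
    reason: str


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, body) for each complete TLS record.

    The record header is never encrypted, so content type and length are
    visible to an inline device even after the handshake completes.
    """
    pos = 0
    while pos + 5 <= len(stream):
        content_type, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break  # truncated record at the end of the capture; do not guess
        yield pos, content_type, version, body
        pos += 5 + length


def inspect_heartbeats(stream: bytes, encrypted: bool) -> List[Alert]:
    """Flag Heartbeat records a defender should not let through.

    encrypted=False: the body is a plaintext HeartbeatMessage, so the declared
    payload_length can be checked against the real body size (the same bound
    the OpenSSL fix enforces on the receiving side).
    encrypted=True: only the record length is visible; fall back to a size policy.
    """
    alerts: List[Alert] = []
    for offset, content_type, _version, body in iter_tls_records(stream):
        if content_type != TLS_HEARTBEAT:
            continue
        if len(body) > MAX_HEARTBEAT_RECORD:
            alerts.append(Alert(offset, f"heartbeat record of {len(body)} bytes exceeds policy"))
        if encrypted:
            continue
        if len(body) < 3:
            alerts.append(Alert(offset, "heartbeat body shorter than its 3-byte header"))
            continue
        _hb_type, payload_len = struct.unpack("!BH", body[:3])
        if 3 + payload_len + HEARTBEAT_MIN_PADDING > len(body):
            alerts.append(Alert(offset, f"declared payload {payload_len} bytes exceeds body of {len(body) - 3}"))
    return alerts


def tls_record(content_type: int, body: bytes, version: int = 0x0301) -> bytes:
    """Build one TLS record; used here only to construct the sample traffic."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed samples, not captured traffic.
SAMPLE_BENIGN = (
    tls_record(23, b"GET / HTTP/1.0\r\n")                                   # application data
    + tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
)
SAMPLE_MISMATCH = tls_record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 2000) + b"ping")
SAMPLE_OVERSIZED = tls_record(TLS_HEARTBEAT, b"\x02" + b"\x00" * 199)      # 200-byte record body

if __name__ == "__main__":
    for name, sample, enc in [("benign", SAMPLE_BENIGN, False),
                              ("length mismatch", SAMPLE_MISMATCH, False),
                              ("oversized response", SAMPLE_OVERSIZED, True)]:
        print(name, inspect_heartbeats(sample, encrypted=enc) or "no alerts")
```

The encrypted case is necessarily a heuristic: a size threshold catches a large response leaving the server rather than the malformed request arriving, which is why a rule like this is a stopgap and patching remains the fix.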

Re:This number might be too high..... (1)

philip.paradis (2580427) | about 5 months ago | (#47296759)

It seems you don't actually understand the topic you're speaking on here. Various bridged (inline) WAFs are capable of blocking Heartbleed attacks; Imperva [imperva.com] offers one such solution. It is not necessary for the WAF to operate in a conventional proxy mode to accomplish this task, and there is no race condition involved. Why are you posting in an authoritative tone when you have no idea what you're talking about?

Re:This number might be too high..... (0)

philip.paradis (2580427) | about 5 months ago | (#47296789)

To be perfectly clear, I am making the assertion that you're completely unqualified to speak on network security in general. You started off with "I don't understand how ..." and then trailed off into a series of statements which demonstrated a complete lack of understanding of fundamentals in this field. Please stop posting. Thanks.

And that's what you get! (0)

Anonymous Coward | about 5 months ago | (#47294495)

For using open sores! Go with Windows and be safe! Be secure! Microsoft protects and serves!

Re:And that's what you get! (1)

rubycodez (864176) | about 5 months ago | (#47294525)

they should have been using mac servers! they come with X and remote desktop and art so you don't have to break a nail doing command line like a neanderthal!

Re:And that's what you get! (0)

Anonymous Coward | about 5 months ago | (#47294605)

In US America, Microsoft serves you! to NSA!

servers of what? (1)

rubycodez (864176) | about 5 months ago | (#47294515)

most servers on the internet don't do anything important. this is sensationalist tripe.

Re:servers of what? (0)

Anonymous Coward | about 5 months ago | (#47294953)

If a site has implemented SSL it is usually to protect passwords or usernames at the very least. Even if all the site is, is a forum like Slashdot that login data has massive value as a very large percentage of people reuse user logins and passwords.

Re:servers of what? (1)

rubycodez (864176) | about 5 months ago | (#47295093)

does slashdot even kick into https for passwords?

any slashdotter who uses the same password as for banking or auction or bitcoin site deserves what they get

Re:servers of what? (0)

Anonymous Coward | about 5 months ago | (#47295689)

They may "deserve" what they get, BUT you are opening yourself up for huge amounts of potential legal pain. Try telling a court it wasn't your fault that the users are stupid. The reality is the world is full of stupid people that don't know and don't care about IT and Security and as such sites have a responsibility if they are processing ANY identity information to ensure it is handled securely, leaving known vulnerabilities in place is a lawsuit waiting to happen.

AND YES even Slashdot goes to SSL for login.

Re:servers of what? (1)

rubycodez (864176) | about 5 months ago | (#47296003)

aw too bad, I was hoping my account would be hijacked by mean spirited trolling sociopath, and no one would notice

Re:servers of what? (1)

ruir (2709173) | about 5 months ago | (#47296433)

And why would nobody notice? Because you are one, and the comments would not change? ;) I can't get it, though, how people think SSL is enough. I am using Google two-factor authentication, and even then who knows. Pity Slashdot does not support it yet. There are a lot of avenues to get your password. Your mother could be watching you type it, or that babe in Starbucks. Your Windows can be hijacked by malware capturing passwords. The NSA can use their standard backdoor in Windows and probably OSX and get in. Your keyboard may be compromised. They can film you while you type your password. Your employer can be running an SSL man-in-the-middle attack with their firewall just for the sake of security. You can answer those fine emails about lost passwords that really aren't coming from the place that would be the proper one (don't laugh, some of our executive secretaries already fell for it... more than once). Your network can be compromised, for instance by a disgruntled employee or a hacked machine. Your DNS is poisoned... people always forget SSL is just a leaf in the forest.

Re:servers of what? (1)

tlhIngan (30335) | about 5 months ago | (#47298209)

does slashdot even kick into https for passwords?

any slashdotter who uses the same password as for banking or auction or bitcoin site deserves what they get

Nope, and to be honest, they even have a handy "auto login" link that puts your password in the URL.

To be certain, well, there's nothing at risk for /. - so what - someone can post as yourself? I've been to worse sites that demanded way more stringent policies for far less than what /. offers.

And they'll never be patched (0)

Anonymous Coward | about 5 months ago | (#47294549)

For some places they won't patch because they don't understand their systems.
They don't understand because they assumed, like a fridge or an oven, you plug it in and it goes.
These places didn't retain their staff so now no-one maintains them.

It's bit rot. These servers need taking out of the DNS and putting on poxnet. If you can't learn to stay squeaky clean and behave yourselves then you don't deserve to mingle with the general populace.

Unpossible! (-1)

Anonymous Coward | about 5 months ago | (#47294609)

This is clearly unpossible, bros.

Everybody knows that Open Source is more secure than closed source garbage like Apple and Microsoft. When a security issue is detected, it's patched instantly, nobody's stuck waiting for an OS vendor to issue a patch!

So much FUD! Heartbleed is patched. NOBODY could possibly be vulnerable using this winning combination of Open Source, it's the most secure thing possible, ever, in the world!

Maybe (0)

Anonymous Coward | about 5 months ago | (#47294615)

Maybe the remaining servers aren't affected

- because they implement another layer of security on top of SSL
- because their data doesn't actually need to be secure
- because they only use SSL as a wrapper, and they use form-based login further in

Why assume everybody is actually relying on SSL just because they have it turned on?

Re:Maybe (1)

viperidaenz (2515578) | about 5 months ago | (#47294647)

So why are they using SSL in the first place?

Re:Maybe (1)

jafiwam (310805) | about 5 months ago | (#47297131)

So why are they using SSL in the first place?

Looking for the "lock symbol" is the one thing the masses have managed to learn about Internet security.

People (the inexperienced ones) cause customer service headaches when they can't / won't learn that this system doesn't need it. "Where is the lock?" "How come you don't have a lock?" "My grandson says the lock means you are secure." etc.

For $40 a year, a company can head off 40 tech support calls with the worst type of users (the ones that don't even understand enough to put the answers in context and need 15 minutes of explaining to understand the answer) by slapping an SSL cert on every server. Sometimes it's even people in the "IT department" that have this gap in knowledge.

The company I work for does exactly this. I even got kudos for suggesting a wildcard cert would be cheaper and easier than individual certs for all the hostnames. Now it's standard procedure to slap the cert on everything public facing. And, there's only one renewal date to deal with as opposed to a trickle of them every other week all year.

Re:Maybe (0)

Anonymous Coward | about 5 months ago | (#47294651)

Oh look, somebody doesn't understand Heartbleed.

"form based security further in"? WTF will that do to stop attacks if attackers can snoop your password and/or key out of the server's memory?

"data doesn't actually need to be secure"? And why would they bother with the hassle and overhead of implementing SSL if they don't need it?

As expected (2)

Virtucon (127420) | about 5 months ago | (#47294741)

Only 50% found it critical enough to deal with the problem quickly. The rest either have embedded systems or dependencies that are preventing them from upgrading, or they aren't savvy enough to know that their system is vulnerable. For example, systems on Ubuntu 13.04 didn't get the heartbleed fix because 13.04 is at end of support, necessitating a first upgrade to 13.10 before getting the fix. You can of course roll your own and build it yourself etc., but most organizations aren't going to do that. There's also that small percentage that will never upgrade no matter what because there is some other reason not to, org blowback or systems near end of life for example.

Re:As expected (1)

Rick Zeman (15628) | about 5 months ago | (#47294937)

For example, systems on Ubuntu 13.04 didn't get the heartbleed fix because 13.04 is at end of support, necessitating a first upgrade to 13.10 before getting the fix.

End of life'd after just a year. Just wow. That would really make me want to put Ubuntu into a production environment. Not.

Re:As expected (5, Informative)

Ingenium13 (162116) | about 5 months ago | (#47294981)

13.04 wasn't an LTS release. LTS releases come out every 2 years and are supported for 5 years (12.04, 14.04, etc). The non-LTS releases can be thought of as betas for the LTS releases.

Re:As expected (1)

John Bokma (834313) | about 5 months ago | (#47298841)

More like alphas. At least at the desktop.

Re:As expected (1)

bipbop (1144919) | about 5 months ago | (#47300057)

The LTS releases are more or less like that, too.

As expected (0)

Anonymous Coward | about 5 months ago | (#47298759)

I'll bet in most cases there is no IT person paid to even watch over those systems. This is just a symptom of the cut-throat economics that is the order of the day.

Open Sores are bleeding (0)

Anonymous Coward | about 5 months ago | (#47294797)

See? Told you all so, long ago, that this kind of shit would happen what with all the "open sores is best, linux is secure and windows is not secure" crap propaganda that flew around here on slashdot for years. Android, heartbleed, and who knows what is next. Here 'tis boys!

Re:Open Sores are bleeding (0)

Anonymous Coward | about 5 months ago | (#47296437)

Yeah, because Windows is the best software in the world, and doesn't have any holes at all. Not a single one, mind you. Now get off my lawn.

Re:Open Sores are bleeding (0)

Anonymous Coward | about 5 months ago | (#47296701)

Windows (and other MS products) have actually become amazingly secure recently, not least after Microsoft started actively using fuzzing for removing buffer overflows and the like. There's a reason we see so many vulnerabilities in Java and Adobe software these days: MS software is no longer the easiest way in.

Re:Open Sores are bleeding (0)

Anonymous Coward | about 5 months ago | (#47301167)

All your open sores bullshit & fud lies are coming back in your face (hahahaha) & windows does more and supports more hardware better, by far. You lose, bullshit artist. Tell us about Android and all the holes present in it and the 'impenetrable linux' bullcrap we heard spouted here for more than a decade, lol! Windows is the best and most versatile operating system in the world because it just does more, better.

Blame much of it on chef, puppet, cfengine, etc. (0)

Anonymous Coward | about 5 months ago | (#47294987)

I just went through this with several shops where they refused to activate simple tools to make specific patches. Excuses included:

1) If someone is inside our network, we have much bigger problems.
2) We need to have a complex, fully featured system that manages all the packages (but we don't allow any actual time to write it).
3) The service manager installs that, just tweak that. (Most service managers could not care less about versions; rewriting them to do so requires re-engineering extremely unstable code written by people who just do "install the ruby gem/CPAN module/python module/maven jar file" and can't be bothered to keep track of minor releases.)
4) Oh, no, the service might restart!!!! (It restarts all the time anyway. Get over your precious selves, and learn how to do failover correctly.)
5) We have to have a meeting. And a release plan. And we're in code freeze due to deployment. And we can't spend time on system testing, that's your problem. And the testing system is supposed to be automated, and the guy in Kamchatka is almost done!!!

Not surprising... (1)

Lumpy (12016) | about 5 months ago | (#47295033)

There are servers out there still broadcasting the "code red" worm...

Re:Not surprising... (0)

Anonymous Coward | about 5 months ago | (#47295431)

Your blockchain is STONED [theregister.co.uk] !

not mine! (0)

Anonymous Coward | about 5 months ago | (#47295241)

I use plaintext for everything!

Re:not mine! (0)

Anonymous Coward | about 5 months ago | (#47295449)

So do I, but joke's on them, I send my data monospaced

Certificate renewal (1)

manu0601 (2221348) | about 5 months ago | (#47295455)

Certificate Authorities (CA) could help here: if a secured server was mandatory to get certificate renewal, things would be cleaned up.

Problem is: each CA has no interest in doing this extra work, and no central authority can force them to do so. Major browsers could push them, though, by telling users that some CAs are more trustable than others.

Re:Certificate renewal (2)

Torp (199297) | about 5 months ago | (#47296203)

LOL. Most certificate authorities are just saying 'here's what this guy told us his name is'. Basically worthless.
But it's nice to have a near-monopoly service that's no better than a self-signed certificate.

Re:Certificate renewal (1)

jandrese (485) | about 5 months ago | (#47297761)

Certificates are renewed on multi-year timeframes. We're talking about 2 months here, relatively few of the websites in question would have needed to re-up their certs.

not news anymore. (0)

Anonymous Coward | about 5 months ago | (#47296301)

The bug doesn't make the news much anymore

See, even the article says so, it's patched, it was patched before the immoral marketing company gave it a name and got paid by microsoft, but we have to have fud, don't we.

Open source is more secure, does get bugs sometimes but it gets fixed almost immediately. Closed source, i.e. microsoft, gets fixed after the NSA get in to your computer and company information.

No one to update (0)

Anonymous Coward | about 5 months ago | (#47296799)

Many smaller companies have servers, but have no in-house sysadmins.

They use third party IT companies to fix their servers WHEN needed.

The average CEO of a small company is very much unaware of any heartbleeds, thus there's nothing to fix as far as they know.

They'll call for help when shit hits the fan.

Re:No one to update (0)

Anonymous Coward | about 5 months ago | (#47297459)

You are full of microsoft FUD mate, get off the internet if you have nothing relevant to say and stop the usual fud. There is enough of it already from paid microsoft affiliates.

Update in haste? (1)

satch89450 (186046) | about 5 months ago | (#47297507)

How critical is the bug for the particular server? That will vary. For example, my little mail server is running CentOS 4, and does not have the HeartBeat "enhancement" because the updates to that particular distribution stopped before that little throb was introduced. (Sometimes it pays to stay away from the "bleeding edge" of progress!) Yes, it's time to upgrade, but I'm taking my time and doing it slow, because I want to use CentOS 7 when it's released. I'm replacing hardware, too, and I'm testing that hardware before I place all my marbles there. (Not that it matters much.)

Also, I have SSH locked down to specific IP address, no Web service of any kind -- indeed, it's a "mostly closed" system with public-facing holes only for SSH (limited by tcpwrappers), SMTP (not SMTPS or SUBMISSION), DOMAIN (severely rate-limited and with blocks for ANY), NTP, and TRACEROUTE. This effectively blocks any access to heartbleed.

When the first alerts came out, the first thing I did was run the web-based exploit detectors. They didn't get through. At that time, I reviewed the services not blocked by the firewall, and to the best of my knowledge, none of the services I list above use the Secure Shell library. So I satisfied myself that my mail server was tight.

Everything else on my network is behind the same firewall, using NAT to gain access to the outside world. There is no open path to my desktop computers or internal-only servers.

I'm very much of the school "if it ain't broke, don't fix it in a hurry." In my case, I'm rebuilding servers (some celebrating 10 years of service or more) with the latest proven software one at a time, with the mail server being last in the chain. I'm replacing hardware as well as software, one by one. (I'm probably going to update the old hardware so I have standbys if the new hardware experiences infant mortality, but that's a detail.)

So, in some cases carefully researched, there isn't any need to take action against Heartbleed, because the exploits are blocked upstream.

G I wonder why. (0)

Anonymous Coward | about 5 months ago | (#47298387)

it's because Canonical never updates their fucking repositories.
