On 2014-04-11 21:42, Andrey Borzenkov wrote:
On Fri, 11 Apr 2014 20:01:53 +0200 "Carlos E. R." <> wrote:
I know little of how the vulnerability works,
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Thanks. I love this paragraph:

+++····················
Lessons

What can we learn from this?

I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.
····················++-

My C teacher, about two decades ago, warned us /against/ using C. He spent hours stressing problems with C and how unsafe it was. Apparently, he had been doing some type of audit of C compilers for a government agency, I think. He could not talk about the details, but he was scared, and transmitted some of it to us...

I'm not a fan of C. But I have been paid to use it, so I used it.
It can read up to 64K starting from the memory location where the incoming packet (which is being processed) is allocated. This is local memory belonging to the process. There is no way to control *what* is read nor to control the memory location that is read; one can only make some guesses based on knowledge of the program being attacked and its allocation patterns. Good metaphor from another site: "but it's not [targeted attack]. It's more like panning for gold than robbing a bank."
I see. So maybe they get nothing... Impossible for us to know what they got, I guess. So we have to assume the worst, to be safe...

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
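
The over-read described in the quoted explanation above, modelled as an added example that is not part of the original thread and is not OpenSSL's code: a heartbeat handler that trusts the length field, beside one that applies the RFC 6520 rule of discarding a request whose claimed payload does not fit the record. The function names, the arena layout and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16u  /* minimum padding per RFC 6520 */

/* Pre-fix pattern: trusts the 16-bit length field carried in the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                        /* real record length never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, claimed);        /* runs past the end of the record */
    return claimed;
}

/* Checked pattern: drop the request unless type + length + claimed payload
   + padding fits inside the bytes that actually arrived. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;                         /* silently discard */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed model: one arena stands in for process memory so the over-read
   stays inside an array we own (keep claimed <= 125; out must hold claimed
   bytes). A 23-byte record with a 4-byte payload sits at offset 0 and
   unrelated placeholder data follows it. */
size_t demo(int checked, uint16_t claimed, uint8_t *out)
{
    uint8_t arena[128] = {0};
    const size_t rec_len = 1 + 2 + 4 + HB_PADDING;
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, "NEIGHBOUR-DATA", 14);
    return checked ? hb_reply_checked(arena, rec_len, out)
                   : hb_reply_unchecked(arena, rec_len, out);
}
```

With a claimed length of 40 against a 4-byte payload, the unchecked reply carries whatever happened to sit after the record, which is why the responder cannot tell afterwards what was disclosed; the checked version returns nothing for the same request.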