kmg90's forum posts

#1 Edited by kmg90 (409 posts) -
@mrpibb said:

Just to provide more insight into the matter, we use the Amazon Elastic Load Balancer for a SSL passthrough so the nginx component is not affected.

1) Amazon fixed the exploit pretty early during the Heartbleed chaos so we were safe there.

2) Additionally, we updated our SSL certs in March which also kept us safe as well.

On Thursday, we'll be moving to a new datacenter and netscalers which will provide an additional level of protection.

As a very security conscious user (I listen to the Security Now podcast and do follow various 'net-sec' experts)

Amazon has recommend users of SSL termination via Amazon Elastic Load Balancer reissue the certificates for their sites.

Pretty much any SSL certificate that was generated before April 7-8th is potentially compromised due to this bug this INCLUDES if the same certificate is used AFTER PATCHING AFFECTED SYSTEMS.

I understand that revoking and renewing SSL keys is a pain in the ass (especially combined with the rush of a lot of other users/services/companies doing the same) but this is as security expert Brian Schneier described it "(In terms of describing the scale of damage possible with this exploit) On the scale of 1 to 10, this is an 11".

But consider the following if you have not researched the overall impact and scope of this bug:

From Netcraft:

If you don't revoke your certificate, you may still be vulnerable to impersonation

If a remote attacker successfully retrieved private keys from a server while it was still vulnerable to the Heartbleed bug, then he would be able to impersonate the server by creating his own valid SSL certificate. The crucial issue is that an attacker can still do this after the affected website has upgraded to the latest version of OpenSSL, and it does not matter whether the real website has since deployed a new SSL certificate with different keys: Unless the previous certificate is revoked, the site will still be vulnerable to man-in-the-middle attacks.

This answer on securityexchange.com also points out the implication of having vulnerable servers:

There is more to consider than just new certificates (or rather, new key pairs) for every affected server. It also means:

  • Patching affected systems to OpenSSL 1.0.1g
  • Revocation of the old keypairs that were just supersceded
  • Changing all passwords
  • Invalidating all session keys and cookies
  • Evaluating the actual content handled by the vulnerable servers that could have been leaked, and reacting accordingly.
  • Evaluating any other information that could have been revealed, like memory addresses and security measures

Also from the same answer:

I summarized the bullet points above from heartbleed.com (emphasis mine):

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalided and considered compromised.

What is leaked protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?

Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.

#2 Edited by kmg90 (409 posts) -

With the recent public disclosure of Heartbleed bug in the widely used OpenSSL library, I ask is the Giant Bomb secure site (used for logging in and managing billing/premium membership) effected and if so have you patched the vulnerable systems?

Server response headers indicate that Giant Bomb uses nginx for their server and usually when using SSL with nginx requires using the OpenSSL Library.

I would appreciate it if someone could make a statement to community and if any action is needed on their part as this is a very serious bug.

Thanks

#3 Posted by kmg90 (409 posts) -

@milkman said:

Also probably worth posting his more complete and extended thoughts:

http://notch.net/2014/03/virtual-reality-is-going-to-change-the-world/


If you want to experience Minecraft in VR, there’s an excellent mod that does this. It’s called Minecrift, and you can find it here.

Thanks for posting this, didn't know he also wrote a blog post about his reaction and thoughts on this shocking news....

I agree and share similar views on Facebook, you need only look at their history to see that Facebook doesn't care about expanding/inovating new technologies they focus on increasing the amount of eyeballs they could sell to highest bidder (advertisers)

#5 Edited by kmg90 (409 posts) -

@chiablo said:

Remember the last time Facebook got involved in the hardware business?

You don't? Probably because the Facebook Phone was such an abysmal flop that it was quickly and quietly swept under the rug.

The only difference with the Rift is that it's a completely new market with no competition. Our only hope is that Facebook gave Oculus a ton of money and will leave them completely alone.

The VR landscape is quickly becoming a new battleground with Sony's recent reveal of Morpheus and Valves still to be announced VR plans and I put more stock in Valve or Sony to develop and market hardware than Facebook as they don't make most of there revenue from selling user's information...

I'm very interested in hearing/seeing/reading what Brad and the rest of the crew think of this shocking development.

#6 Posted by kmg90 (409 posts) -

The archive of the stream is currently being added as of this post on Archive.org

They upload by game and come in multiple flavors of resolution...

#7 Posted by kmg90 (409 posts) -

Coolio but I'll wait till the archives are avaibile on archive.org, as the twitch player is one of the most unoptimized video players on the web...

#8 Posted by kmg90 (409 posts) -

It's a bit dated at this point but luckily the game advances time in manageable fashion that allows most progression to be done in an afternoon.

http://interdimensionalgames.com/

Click Experience

Requires flash!

#9 Posted by kmg90 (409 posts) -

I would say Revelations is the weakest for me, I will agree that the original game was very repetitive however I remember having a blast when I first played the game back around it's release... It was good for what it was, a start.

AC to me was a big leap in a "living" open world with the crowds of people that would react differently and individually on what you were doing.

AC2 offered such a improved experience with a more ambitious story since they were building on from the tech of the first game instead of building from the ground up again....The improvements in the following games of the original make AC1 seem like terrible and simple game but at the time it was definitely breaking new ground in terms of scope and scale of what a living, active open world was.

#10 Edited by kmg90 (409 posts) -

The DS4 has compatibility problems with the left stick on PS3 in terms of diagonal movement....

If you try to change direction from walking straight forward to either left or right you should notice that movement is slowed....

Either my DS4 is flawed or I'm the one of the few people that notice this minor issue...