The real - because just sucks.

User info

Welcome, Guest! Please login or register.

The cat is out of the bag

Posts 1 to 2 of 2


1. The cat is out of the bag, and it is "out there" now
2. Everybody knows about it
3. The code is screwed on so many levels that it's actually funny
4. The random number generator is a complete disaster
5. Memory management is Heartbleed-level on steroids
6. There are literally comments in the random generator that state explicitly that it isn't random
7. It spits out a nice looking fake random-ish thing that leaks info about the key
8. There is literally a comment that says something like "HERE IS A PADDING ORACLE," followed by an actual real-life padding oracle, lol
9. valgrind reveals the code doesn't compile the way you think it does
10. Looks like a bug in gcc they're taking advantage of to do code-injection DURING THE COMPILE (wew lad)
11. You can see this by compiling and decompiling and looking at how the code is different
12. Other tools are not fooled, but gdb is fooled, so there may be even an exploit in gdb
13. Reaction from OpenSSL headquarters: "lol what? who, me? hey, what's that over there? *smoke grenade*"
14. People flying to LibreSSL at light speed
15. Finance sector didn't want to touch this with a 10 foot pole, moved off immediately

Writeup of bug so far (to be updated soon):
1. Technical writeup - zerobinqmdqd236y.onion/?db7270cde887391c#iDX2jFWUqXqTV8ne4Szqs5UakxEWc7mJu8LonjE7jm4=
2. Ridiculous comments - zerobinqmdqd236y.onion/?779e3ea0f8da54c5#asq6no4V9AQKX/lf7ySpjRhur2nT/YHzorPc5sfrOwQ=


Heartbleed looks a lot worse than we thought. OpenSSL looks pervaded by a large-scale memory management issue, combined with some other revelations about its random number generator, that lead to much worse things. Possibly it could be used to decrypt files, such as the insurance files. It may not also be a bug, but rather a "bug," to put it one way.