My heart bleeds for this buggy hoax


With the magick numbers, this can mean two things. The whole story is a hoax, as part of the global “heartbleed” story (notice how we get a nice, marketable slogan to call it), or there is a problem, and we aren’t getting the real numbers. My fiat currency is on the former: the whole global story is a hoax, to extract more money (like Y2K) for the computer “security” industry.

The federal tax agency says the social insurance numbers of roughly 900 people were stolen from its systems, which were left vulnerable by the so-called Heartbleed bug.

In a statement, Canada Revenue Agency commissioner Andrew Treusch said federal security agencies notified his agency of a six-hour breach “by someone exploiting the Heartbleed vulnerability.”

The tax agency on the weekend restored online filing systems after blocking public access on April 9 due to the Heartbleed bug.

via CRA says 900 social insurance numbers stolen due to Heartbleed bug.

As for my SIN number: they can have it. I’d be happy for someone else to get my tax bill.


4 thoughts on “My heart bleeds for this buggy hoax”

  1. columjaddica

    The HeartBleed bug isn’t really a hoax, although you have no way of knowing what was stolen using the bug, so each of the individual stolen-info stories could be a hoax.

    It is true that the bug enabled some very bad exploits. It is true that the bug was in place for two years before it was public knowledge. The HeartBleed bug can be confirmed through the publicly available source code of the affected versions of OpenSSL and tested with several published exploit scripts.

    When OpenSSL was combined on a web server running NGINX it was especially dangerous. When used, it would return plain-text communications that were supposed to be encrypted: cookies, passwords, usernames etc. All through an encrypted tunnel that defeats network analysis a company might use to find leaks, and all without being logged on the server. Merely updating OpenSSL to a non-bugged version does not 100% solve the problem. Somebody could have previously walked away with information returned from one attack that can then be used to perform other attacks elsewhere, in particular if they recovered a password that is used elsewhere, and most people reuse passwords.

    I haven’t talked much about it here, because it’s not really a pure fakery story IMO, but the effect on people’s perceptions of online privacy is quite in line with the Snowden revelations. Still, it’s not really a fake story, and some broad steps would need to be taken to really secure things again. All of the keys in the internet kingdom really need to be changed, but I don’t expect that to happen.

    Reply
    1. ab Post author

      Thanks for helping us C. I don’t know much about SSL etc and welcome your input. I still think there are problems with the story when it’s promoted so heavily.

      Reply
      1. columjaddica

        The severity of the bug is extreme in so many ways, and the scope of systems affected was broad. I hate to be a fear-monger, but it really is the worst bug/exploit I’ve heard of.

        I try to temper my feeling on it by realizing that there are probably dozens of other bugs and backdoors of similar severity that the hackers and agencies decide to sit on and use themselves rather than disclose to the public. Computer and network security is probably a joke and has always been. So from that perspective, nothing has changed.

        It feels like a lead-up to some cyber war with an internet kill switch, which they could fabricate with the most ease at any time. Simulating internet warfare would not be difficult.

        The whole HeartBleed thing reminds me of that opinion survey I posted in the chat about perceptions of privacy and freedom online. This story just moved the needle, especially for those in IT or with lots of computer experience. Also, Open Source software kind of took a hit.

        Reply
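The first comment above describes what the bug did (a heartbeat response that echoed back memory the peer never sent) without showing the one check whose absence caused it. The following is an added example, not code from this post or from OpenSSL: a small heartbeat-message validator in the spirit of the patched version, which drops any record whose claimed payload length does not fit inside the bytes actually received. Function names, the constant names and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Validate a heartbeat message against the length of the record that actually carried it.
 * Returns 1 and sets *payload / *payload_len when the claimed length fits, 0 otherwise.
 * The length-versus-record comparison is the check the vulnerable versions omitted. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    const uint8_t **payload, uint16_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* claimed payload plus mandatory padding must fit inside the bytes we really received */
    if ((size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return 0;
    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return 1;
}

/* Build a heartbeat response from a request. Returns bytes written, or 0 when the request
 * is rejected (a rejected request is silently dropped, as the patched OpenSSL does). */
size_t build_heartbeat_response(const uint8_t *req, size_t req_len,
                                uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    uint16_t plen;
    if (!parse_heartbeat(req, req_len, &payload, &plen) || req[0] != HB_REQUEST)
        return 0;
    size_t total = (size_t)HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, plen);            /* copies only bytes the peer sent */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING); /* real code uses random padding */
    return total;
}

/* Constructed sample records (not captured traffic). Both carry a 4-byte payload and
 * 16 bytes of padding; the second one claims a 65535-byte payload in its length field. */
static const uint8_t sample_honest_req[23] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_lying_req[23] = {
    HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Convenience wrapper: 1 if a record would be answered, 0 if it is dropped. */
int heartbeat_accepted(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[64];
    return build_heartbeat_response(rec, rec_len, out, sizeof out) > 0;
}

int main(void)
{
    printf("honest request accepted: %d\n",
           heartbeat_accepted(sample_honest_req, sizeof sample_honest_req));
    printf("lying request accepted:  %d\n",
           heartbeat_accepted(sample_lying_req, sizeof sample_lying_req));
    return 0;
}
```

The point of the example is the single comparison in parse_heartbeat: the response is sized from the length the sender claims, so that claim has to be checked against the record length before anything is copied. The same shape of check applies to any protocol where a length field inside a message decides how much of a buffer is read back.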
