Open thread, 16-22 June 2014

I want to test my ideas, mostly ideas for technology projects and/or startup ideas. Doing scientific research is best but can be quite costly and time-consuming, so I assume it would be optimal to filter the ideas first in order to select the best ones for testing. I already do things like looking for problems and unintended consequences, looking for relevant studies, and showing them to people hoping to find flaws, but I would bet that somebody has created an idea review process that can be applied for even better preliminary filtering. It would be ideal if the process itself had been calibrated such that I could get the probability of an idea working if it has survived the review process. Finding out about processes that have not been calibrated in this way (or perhaps have a somewhat different purpose like locating as many problems as possible) would be better than nothing. I checked the Internet of course, but I am concerned because I don't exactly know how to go about making that all-important distinction between marketing claims and processes that actually work. I could spend quite some time looking for evidence for various marketing claims only to discover that most of them are unsupported. Is there a gold standard in this area? If not, do any of you know of any idea review processes that you believe to be decent based on your understanding of one or more of: rationality, science, technology, startups, related areas?

My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Is Heartbleed really untraceable?

I was sent a PM about this and a really good point was raised there. If EFF claims that networking logs showed enough detail to confirm Heartbleed exploit attempts going on, then why did Codenomicon's website claim that the bug doesn't show up in logs?

Recognizing that this is outside my specialty, I did not venture into this topic but I have been wondering about this myself. To say that Heartbleed leaves no traces in the logs is a pretty big commitment. This is because there are a lot of different software options that you could potentially use. Within those, there may be settings you can use to turn logs on or off, limit the size of the log files, etc. Also, people can always create their own software which logs whatever they'd like logged. So, to say that it doesn't show up on most logs could be correct, but to say it doesn't show up in any logs would be a hasty generalization.

I think it's possible and maybe even likely that most companies would not have sufficient logs. There are multiple reasons for this:

  • Despite turning logs on, if you have a server and it loses a hard drive every 2-5 years (because they all die eventually), you might leave your logs behind. They're very large and can be undesirable when considered in the context of your backup (depending on the resource limitations that apply to your backup options... and backing up requires processing resources for compression, bandwidth for sending the compressed file as well as the storage itself).

  • Some websites don't have access to their logs since they're on a shared hosting environment. Attempting to get logs out of a shared hosting company is likely to be difficult to impossible.

  • Logs often have so many entries that trying to find a hacking attempt among the legitimate attempts could be extremely difficult. I do realize that in order to make use of the Heartbleed bug, one would probably generate an awful lot of entries on the log. However, on a big server, that could be a drop in an ocean. A hacker is probably going to be thinking about hiding the hacking attempt. In addition to obscuring their IP address, they probably also know better than to be "noisy", in other words, to create a huge number of weird requests of a type that might get noticed. If possible, they might do things with the specific intention of making it hard for you to tell the difference between their illegitimate request and real requests. Finding evidence in the logs could be extremely difficult or even impossible, depending on how well the attempts are camouflaged.

  • I've noticed that in IT, one tiny difference between the data format people are actually using and the data format you're imagining might mean that the data they actually have can't be used for the purpose you're thinking of. For instance, if the logs don't record every single packet or don't retain the input, then the logs may not be useful in this case.

I do not know exactly what is in network log files, or what data format they use, or how many different systems and settings there are, but I would not be surprised if many companies don't have logs that record enough detail for them to be useful for detecting Heartbleed exploit attempts. I am curious about this. Does anyone know about this? Would you please add a screenshot of some relevant logs, especially if they have the right format to detect a Heartbleed attempt, and let me know what type of device and software generated it?
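The comment above asks what data a log would need to contain to detect a Heartbleed attempt. The following is an added example, not part of the original comment or thread: it implements the length-consistency check that network intrusion detection rules used for Heartbleed, applied to TLS records. The record bytes (BENIGN, PROBE, APPDATA) are constructed for this example and are not captured traffic.

```python
import struct

# TLS record layout: content_type(1) version(2) length(2) body(length)
# Heartbeat body (RFC 6520): type(1) payload_length(2) payload padding(>=16)
TLS_HEARTBEAT = 0x18   # record content type for heartbeat messages
HB_REQUEST = 0x01      # heartbeat_request message type


def check_record(record: bytes) -> dict:
    """Classify one TLS record. A heartbeat request whose declared
    payload_length exceeds the bytes actually carried is the shape that
    triggers the over-read on an unpatched OpenSSL, so it is flagged."""
    if len(record) < 5:
        return {"heartbeat": False, "suspicious": False, "reason": "truncated header"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "suspicious": False, "reason": "not heartbeat"}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return {"heartbeat": True, "suspicious": True, "reason": "heartbeat body too short"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    carried = len(body) - 3          # payload + padding actually present on the wire
    if hb_type == HB_REQUEST and payload_len > carried:
        return {"heartbeat": True, "suspicious": True,
                "reason": f"declared payload {payload_len} > carried {carried}"}
    return {"heartbeat": True, "suspicious": False, "reason": "lengths consistent"}


def scan(records) -> list:
    """Return (index, reason) for every record the check flags."""
    flagged = []
    for i, rec in enumerate(records):
        result = check_record(rec)
        if result["suspicious"]:
            flagged.append((i, result["reason"]))
    return flagged


# Constructed fixtures. Benign heartbeat: 4-byte payload plus 16 bytes padding, lengths agree.
BENIGN = (bytes([0x18, 0x03, 0x02]) + struct.pack("!H", 23)
          + bytes([0x01]) + struct.pack("!H", 4) + b"ping" + bytes(16))
# Malformed heartbeat: carries no payload but declares a large one (the detection signature).
PROBE = bytes([0x18, 0x03, 0x02]) + struct.pack("!H", 3) + bytes([0x01]) + struct.pack("!H", 0xFFFF)
# Ordinary application-data record (content type 0x17); the check ignores it.
APPDATA = bytes([0x17, 0x03, 0x02]) + struct.pack("!H", 5) + b"hello"

SAMPLE_CAPTURE = [APPDATA, BENIGN, PROBE]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_CAPTURE):
        print(f"record {idx}: {reason}")
```

A web server's access log records HTTP requests after TLS has been decrypted, so it never contains these heartbeat records; this check needs a packet capture or an IDS sitting in front of the server, which is the data-format mismatch the comment describes.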

My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

That's been fixed. I was pretty surprised about this mistake. I remember finding that Canadian website link via a news article discussing the impact of Heartbleed. Maybe I copied the number from the news article, but somehow got mixed up while switching between the two pages and ended up grabbing a number that was relevant to some other topic on the news page. Thanks for catching that.

My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Should this learning experience / Heartbleed instructions post be in main or discussions?
I wasn't sure that this was on topic enough for main, but Gunnar_Zarncke argued that this post should be in main "because it is totally applicable to practical rationality and real risks".

If a significant number of people vote and the majority wants this to become an article, I'll put it there after fixing whatever errors I'm notified about in the comments, and after requesting or making a polished version of the poll for it that Gunnar_Zarncke started (the one that asks those questions to encourage you to review your reactions to Heartbleed). I really wanted to include such a poll. I just didn't have the time to construct a quality one.

My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

I have had not a single email from any of them about Heartbleed

This delayed my finding out about it. I discovered later that most of them had posted their notice someplace a little out of the way - on some blog that's not even under their main domain name (Google did this and I think Microsoft may have done it), or in a little "news" box that you only see after signing in to the website. I don't know what immunized me against the instinct to write it off as a hoax. Perhaps it was all of the security literature I've read and my daily experiences that have informed me that security is difficult and that flawed code can easily be written by accident.

My Heartbleed learning experience and alternative to poor quality Heartbleed instructions.

Thanks. That's fixed. I also checked all the other links in the post for 404 errors and fixed two others.

Welcome to Less Wrong! (6th thread, July 2013)

I have read around 25% of The Sequences, most of HPMOR, a lot of LessWrong posts, some Daniel Kahneman, have familiarized myself with logical fallacies, and have begun learning about research methodology. I've been checking my own reasoning and beliefs for flaws and doing self-improvement for years. I have also attended LessWrong and Effective Altruist meetups, and a CFAR workshop after party.

Like many of you, I am an IT person and an atheist. I have a large amount of interest in effective altruism, research, self-improvement and technology in general, and a lesser degree of interest in other topics the community also enjoys like artificial intelligence and transhumanism. I do believe that it's fairly likely that the Singularity will happen within my lifetime, but do not believe that the first AGIs are likely to be friendly.

Aisarka is intended to be more of a neat handle than a claim but I hope to live up to it.

Welcome to Less Wrong! (6th thread, July 2013)

Does anyone know where the most recent version of the welcome thread is? I searched and searched for keywords like "welcome" and "introduction" / "introduce". Do you not use welcome threads anymore?