Title: Heartbleed, Running the Code - Computerphile
Duration: 10:42
Views: 455K
It was found by Neel Mehta from Google. Comment from: MOC🥰

Yes, I agree. Comment from: Kettle Salute

Don't you start fishing up your own request data after a while of running a program continuously fishing for RAM data? Comment from: JoeriVDE

My dad works at that uni. Comment from: Charles Denton

It would be too much to ask if he showed the code on screen instead of paper!??!? Comment from: D M

I assume that the payload is there to let the requester validate the integrity of the reply, but what is the purpose of the padding? Comment from: mumiemonstret

Learning how Heartbleed makes the server send random memory contents made me laugh so hard. Comment from: unfa🇺🇦

From a programmer's perspective it's astounding that the memcpy part of the code was peer reviewed and passed all the checks without anyone thinking "But what if someone sends a length that is greater than the actual payload?" Also, whoever wrote that file needs to read up about variable naming: bp, lp, p, etc. Jeez.

Great video though, thanks for uploading! Comment from: Cypher

Super explanation. Comment from: Tehatin Richst

"Let's move into the office"
Gotta show this B-roll of ducks first. Comment from: dickwad666

There's nothing 'unusual' going on here. There is no conspiracy to be traced back to OpenSSL coders. There's code written by humans, widely considered to be bullet-proof for years until the vulnerability was found and released, and this kind of event is a constant throughout many levels of computing & networks. If we're going to get squeamish over the credibility of Open Source projects, the community will collapse and we'll resign the post to the big boys who want your money AND STILL screw up the coding. Comment from: Bring MeSunshine

Why is it not a segmentation fault? Comment from: drezzium

Nice color scheme, which one is that? Comment from: Gabriel Schneider

Please provide subtitles.
Best content. Comment from: Indian Software Engineer

How did they not validate the data!!! It seems like something so obvious and yet it was overlooked. Comment from: Philip Gouldman

This is literally a lethal technique, I believe. It requires only knowledge of raw sockets and network protocols 😶 Comment from: Manish Upadhyay

Give me the 500 letters of "Tom has a cat": Tom has a cat (other unrelated information) Comment from: /Crash Studios

I'm sorry, but I don't think this is well enough explained. Nice with the demonstration in the end, though. Comment from: GhostlyJorg

4:29 So if I have 10 PCs I have 10 Little Endians? Comment from: U+014B

It is visually not friendly for our brain to comprehend the responses, because they are not visually easy to interpret; the words are disoriented and it is harder for our minds to adapt to reading and interpreting the data. Comment from: Franky Nakamoto

Thanks, Steven Bagley. Comment from: Hacking Vision

What is your IDE? Comment from: Levon Minasian

"We're not going to give you the link for the exploit", no, but you did tell us about it and now all we need to do is search for it and we will find it in 0.45 seconds. Comment from: diecast jam

Accessing other RAMs over the Internet is awesome. Comment from: Nelson Sharma

Hex 560 bytes is just 10k bits? Comment from: Vaibhav C Anil

Dr Bagley's shirts are fly as shit. Comment from: Cooper Gore

I held an architectural speech about this building here in Germany! :) Nice to see it again, this randomly. Comment from: Pieter Vogt

Made me chuckle - 'and no, we're not going to give you a link to this one' BUT we will show you its file name and tell you it's written in Python - just in case you don't know what py means as a file extension :-) Comment from: Peet Morris
|
Fucking awesome. Comment from: net ninja

Very interesting. Comment from: brickson98m

What server did he mean?

Because I didn't understand anything. Comment from: Arra Neon

Anyone know what editor he's using here? Comment from: Roflcopter4b

Not a programmer but, that block of code about the unchecked payload seems easy to understand for a programmer. The exploit was there for a long time? Comment from: firstengineer secondscientist

lol, ironically I just finished building an IDispatch struct. Comment from: oyze

Why can't the server just count the length itself? Comment from: Gintas

I hope nowadays C programmers have learned to create understandable names for functions and members :| Comment from: Felype Rennan

Trivial fail at its best XD Comment from: xXx

Hmmm, it would seem like a way to fix this would be to clear the memory after we have read it, set it all to 0s or something, so that the person exploiting the system will just get a bunch of 0s? Comment from: amigojapan

I was kinda happy to see a beautiful number like 333,333 there for me to change. Comment from: _ImNic _

I'm the 333,334th subscriber. Comment from: _ImNic _

This is the problem with older languages like C. In a modern language like C# or Java, this would have thrown an IndexOutOfRangeException, crashing the program. Yes, it makes it a Denial of Service vulnerability instead, but at least it doesn't leak potentially sensitive data. Comment from: Dave Pusey

What program did he use to open the file? Comment from: catwes

I almost puked on seeing the semi-Comic-Sans font in the code walkthrough. So unsettling. Comment from: A Series of Dark Caves

Thanks. Comment from: Rusvi1

0:27 The ducks don't care for internets. Comment from: zwz • zdenek

Is that an Atari ST in the background? Comment from: Mark Melanson

That's one beautiful campus. Comment from: Sebastian Keil

OK, my head just exploded, how the hell did I get here? Comment from: rawlinsonboy

How did I end up watching this? I have no idea what he was talking about lol. Comment from: IhabA

Atari Falcon on your desk! Cool :) Comment from: marakatti

Falcon /| Comment from: EvilFranky

Great! Still having an Atari Falcon on the desk :D Comment from: samuraika

The problem is that languages like C with pointer arithmetic allow procedures to shoot past array boundaries and read into other parts of the heap. Comment from: slr150

He is exactly like Ray Mears, but on a whole different level. Comment from: Verbindingsfout

I feel kinda sorry for the people who exploit like this; it must be a very lonely and sad existence they have. Comment from: Oluf The Explorer

Why would a password be ASCII? Silly error, it seems ancient kid stuff. Comment from: barry donovan

What code editor is he using? Comment from: Elias Jørgensen

Wait. Did you say the 8th of April? That's my birthday. Comment from: Caudex
|
Why wouldn't the function just get the length of the payload by analysing the payload itself? Why trust the secondary length variable provided when that information is implied by the actual payload? Anyone know the answer? Comment from: Sheepzez

Stop using ET speak. Comment from: James Pruitt

I have nooooo idea what the hell I am watching o_0 Comment from: Jason Cabugao

Tom Scott's explanation of Heartbleed was way better, not to troll :P Comment from: BaconDrinker

Is that Comic Sans on his Mac???!!!!!! Comment from: ImRockintheChexMix

OMG, that's a goldmine. Comment from: Eric Nyamu

C's syntax is like Java combined with PHP. Comment from: John Adams

A great explanation of the Heartbleed bug by ***** Comment from: Sani

The best explanation of Heartbleed I've found. Thank you very much! Comment from: kevinnio

Kudos for the Atari ST sitting in the background! Comment from: Michael Georgoulopoulos

Crazy bug! What gets me the most is how chronically underfunded OpenSSL apparently was. At least people are pitching in now. Hopefully other important open source projects won't have to go through that. Comment from: MacShapow

XKCD gave a far simpler explanation. Comment from: alwaysmpe

What IDE are you using, my good sir? Comment from: coletivating

"Heartbleed" sounds like a great title for an anime series. Comment from: EnigmaV8

Why do you need the padding? Aren't those 16 bytes that slow down the protocol and cause cost (processing and network) uselessly every single heartbeat? Comment from: Grinsekotze

I'm glad they showed those two ducks. I was worried they would cut out those two ducks. I love ducks. Do you love ducks? Comment from: Unknown

Nice explanation. Well done. Comment from: Steve

#Heartbleed Comment from: Joseph Macri

Have you guys ever considered using calloc() instead of malloc()? If you'd allocated your payload buffer using calloc(), all Heartbleed would ever get is nulls. Comment from: Cyberjocii

Slurpy slurp that data all day. Comment from: George Maratos

The developer making the bug forgot one of the cardinal rules of safe code:

Check the incoming content, and the moment it doesn't fit the expected specification, discard it fully. The SSL RFC seems to actually call for this. Comment from: Asbjørn Grandt

Great video. Comment from: maqusss

Link me the Python script please, someone would like to try this on my server. Comment from: cra0kalo

An excellent look at Heartbleed and the nature of security bugs in general. Comment from: Scott Lahteine

If this Heartbleed never happened, do you guys change your password every once in a while? Like half a year or so; most of the people I know don't change their password. Is it necessary to change it once in a while? Comment from: Andrew M

Wait wait wait... if the payload length is given to the server by the client, and the server is to copy [payload length] bytes from memory and retransmit them, no one on the dev team thought that the client could lie about the payload length and receive however many bytes they requested?! Is there no QA or testing done on this stuff other than 'hey look, it works!' before it's released? Comment from: zombieregime

Very good reminder of how important it is to be defensive about your programming, especially in unsafe languages like C! Comment from: Eddie Sundvall Säther

Ooooh! Very nice Ataris in the background! Cool! :D Comment from: Henrik Wannheden

A good explanation of the "heartbeat bug" and why it's so dangerous. I'm surprised that it lasted in the wild so long! Comment from: Fahad Ayaz

Please, make a video about "strong AI vs weak AI"! Thumbs up to let them see the comment! Comment from: SinthTeck

Whoa, that's some crazy shit! Comment from: Arthur G