Scott P. Havens was wrong

Like any vain person I google myself. I am pretty boring and I am fine with that.

But one thing that shows up is a link to a post titled “How Not To Handle Security Problems.”

This was from when I worked at Arvixe in support. A scanner was creating false positives for the Heartbleed vulnerability: our servers ran a non-vulnerable OpenSSL and were not susceptible to Heartbleed, but Scott Havens did not seem to get this, so back in 2014 he wrote a post on his blog exposing our great technical support staff by name.

Most of us left Arvixe when it was transferred over to EIG via A Small Orange Webhosting. From the time Scott Havens wrote about us, we never once had the OpenSSL on any server cracked or hacked, or any information stolen via the Heartbleed bug, because we were never vulnerable. Anything that happened after October 1st, 2015 I cannot comment on, since I was not working there after that date. But in case people google names and say to themselves “Wow, they did not patch for Heartbleed! I am not going to hire them!”, I just want to say that Hrishakesh W., James G., Michael Carr, Ryan C., Patrick Stein, and all the other folks I worked with at Arvixe were great, and we handled this request the best we could. Scott Havens did not understand that Heartbleed scanners did not work on our OpenSSL version. We were never vulnerable, so there was nothing to handle, and we handled the non-security issue perfectly.

2 thoughts on “Scott P. Havens was wrong”

  1. That’s interesting, because Heartbleed “scanners,” as you call them, didn’t “scan” for signatures that resembled the problem and that might possibly be wrong if they didn’t understand the OpenSSL version they were scanning. They, very literally and very directly, exploited the Heartbleed bug on the server. It could have been OpenSSL, or Microsoft’s schannel, or Bob’s Next Door Discount SSL. It didn’t matter: if the scanners worked, it means the server was vulnerable to that bug, because the scanners worked by literally doing the hack on that server and checking if it worked. I understand that, as just a layperson who read about it while it was happening. I think that’s why Scott Havens was bothered, because claiming that a “scanner” was wrong was just another way of saying you didn’t understand the core problem with the security.

    • Thanks for the reply, Kyle. Yes, I am quite sure the scanners did not know what type of SSL they were scanning. We tried and tried to replicate the results but never could. We took that ticket quite seriously. Sometimes when it seems like a lot of different people are taking the ticket it can appear to be “passing the buck,” but we actually wanted others to check our work, since Heartbleed was quite a serious issue.
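The first comment above describes what a Heartbleed scanner actually does: it does not fingerprint an OpenSSL version, it sends a TLS heartbeat request (RFC 6520) whose claimed payload length is larger than the payload it really carries and checks whether the peer echoes back more bytes than it was sent. The following Python toy is an added illustration of that check, not code from this post or from any real scanner. Both sides of the exchange are simulated in one process: `ToyTlsPeer` is a hypothetical stand-in for OpenSSL's heartbeat handler, the “server memory” and the secret string it contains are constructed sample data, and the only real facts the code relies on are the heartbeat message layout and the bounds check that OpenSSL 1.0.1g added (versions 1.0.1 through 1.0.1f were vulnerable; 1.0.0 and 0.9.8 never implemented the heartbeat extension and cannot answer the probe at all).

```python
"""Toy Heartbleed probe: a vulnerable and a fixed heartbeat handler side by side.

Everything here is simulated in-process; no network traffic is sent.
Heartbeat body layout (RFC 6520): type (1 byte), payload_length (2 bytes),
payload, then at least 16 bytes of padding.
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16


def build_heartbeat(claimed_len, payload):
    """Build a heartbeat request body whose header claims `claimed_len` bytes
    of payload, regardless of how many bytes `payload` actually holds.
    A legitimate client sets claimed_len == len(payload); a scanner does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


class ToyTlsPeer:
    """Stand-in for a TLS peer's heartbeat processing (hypothetical, not OpenSSL).

    `secret_memory` is constructed sample data that sits in the process heap
    right after the received record, which is what an over-read will expose.
    """

    def __init__(self, secret_memory, vulnerable):
        self.secret_memory = secret_memory
        self.vulnerable = vulnerable

    def handle_record(self, record):
        # Model of the heap: the received record followed by whatever else is there.
        memory = record + self.secret_memory
        hbtype, claimed = struct.unpack("!BH", memory[:3])
        if hbtype != HB_REQUEST:
            return None
        if not self.vulnerable:
            # The 1.0.1g fix: silently discard a heartbeat whose claimed length
            # (plus header and padding) does not fit inside the received record.
            if 1 + 2 + claimed + PADDING_LEN > len(record):
                return None
        # The buggy memcpy: copy `claimed` bytes starting at the payload, which in
        # the vulnerable case runs past the end of the record into other memory.
        echoed = memory[3:3 + claimed]
        return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING_LEN


def probe(peer, claimed_len=0x4000):
    """What a scanner does: send a heartbeat that claims far more payload than it
    carries, then decide solely on whether more bytes came back than were sent."""
    payload = b"probe"
    response = peer.handle_record(build_heartbeat(claimed_len, payload))
    if response is None:
        # No echo at all: the peer either enforces the bounds check or does not
        # speak the heartbeat extension. Either way, nothing leaked.
        return {"vulnerable": False, "leaked": b""}
    _hbtype, length = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + length]
    # Bytes beyond our own payload and padding are the peer's memory.
    leaked = echoed[len(payload) + PADDING_LEN:]
    return {"vulnerable": len(echoed) > len(payload), "leaked": leaked}


if __name__ == "__main__":
    secret = b"user=admin&session=deadbeef"  # constructed sample heap contents
    for label, peer in (("vulnerable", ToyTlsPeer(secret, vulnerable=True)),
                        ("fixed", ToyTlsPeer(secret, vulnerable=False))):
        result = probe(peer)
        print(f"{label:10s} vulnerable={result['vulnerable']} leaked={result['leaked']!r}")
```

The decision in `probe` is the whole point of the comment: the verdict depends only on the peer's behaviour, so a build that was never vulnerable returns nothing and is reported clean, while a vulnerable build hands back the bytes after the request. A well-formed heartbeat (claimed length equal to the real payload) still gets a normal echo from the fixed peer, so the check does not confuse a working heartbeat extension with a leak.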
