
Sorry if it came across as me implying you pulled that from thin air.

One of the most interesting things we had was the core dumps. Randomly (depending on memory state) we'd crash rather than dump out memory in the HTTP response. We had all that data going back over the entire period. That gave us a lot of confidence this hadn't been exploited because we could see the rate of crashes plus we could see the actual core dumps to see the memory state when the crash happened.



Ahh. That's more comforting. So, any wide scale deliberate exploitation would have resulted in an obvious spike of crash dumps.

That leaves whatever the scale of passively trolling, say, Google's cache might have been. Unknown, but probably not huge.


Right. Which was one of the reasons we used YARA on all the data we pulled from Google and other caches so we could extract the leaked data and categorize it. Then we called all the affected customers (I did a lot of those calls personally) and offered to give them the leaked information so they could look for exploitation. The idea being that if they had seen some anomaly with something that we knew was in Google's cache then it would be evidence of exploitation that way.


I'm curious why those core dumps, lasting for months at least, were not investigated.


Enjoy my "Inside Cloudbleed" RSA talk: https://www.rsaconference.com/videos/inside-cloudbleed I talked about that and much more there.


Thanks a lot!

Starts at 25:30 for anyone curious.

> We were recording the core dumps [...] We didn't look at this



