The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

---

Q&A

What is the CVE-2014-0160?

CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE. Due to co-incident discovery a duplicate CVE, CVE-2014-0346, which was assigned to us, should not be used, since others independently went public with the CVE-2014-0160 identifier.

Why it is called the Heartbleed Bug?

Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

What makes the Heartbleed Bug unique?

Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.

Is this a design flaw in SSL/TLS protocol specification?

No. This is implementation problem, i.e. programming mistake in popular OpenSSL library that provides cryptographic services such as SSL/TLS to the applications and services.

What is being leaked?

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets to four categories: 1) primary key material, 2) secondary key material and 3) protected content and 4) collateral.

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leaks requires owners of the service first to restore trust to the service according to steps described above. After this users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.

What is leaked protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only owners of the services will be able to estimate the likelihood what has been leaked and they should notify their users accordingly. Most important thing is to restore trust to the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?

Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker when OpenSSL has been upgraded to a fixed version.

Recovery sounds laborious, is there a short cut?

After seeing what we saw by "attacking" ourselves, with ease, we decided to take this very seriously. We have gone laboriously through patching our own critical services and are dealing with possible compromise of our primary and secondary key material. All this just in case we were not first ones to discover this and this could have been exploited in the wild already.

How revocation and reissuing of certificates works in practice?

If you are a service provider you have signed your certificates with a Certificate Authority (CA). You need to check your CA how compromised keys can be revoked and new certificate reissued for the new keys. Some CAs do this for free, some may take a fee.

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

How widespread is this?

Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.

What versions of the OpenSSL are affected?

Status of different versions:

• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

How common are the vulnerable OpenSSL versions?

The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems. A major contributing factor has been that TLS versions 1.1 and 1.2 came available with the first vulnerable OpenSSL version (1.0.1) and security community has been pushing the TLS 1.2 due to earlier attacks against TLS (such as the BEAST).

How about operating systems?

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

• Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
• Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
• CentOS 6.5, OpenSSL 1.0.1e-15
• Fedora 18, OpenSSL 1.0.1e-4
• OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
• FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
• NetBSD 5.0.2 (OpenSSL 1.0.1e)
• OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

• Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
• SUSE Linux Enterprise Server
• FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
• FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
• FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

How can OpenSSL be fixed?

Even though the actual code fix may appear trivial, OpenSSL team is the expert in fixing it properly so fixed version 1.0.1g or newer should be used. If this is not possible software developers can recompile OpenSSL with the handshake removed from the code by compile time option -DOPENSSL_NO_HEARTBEATS.

Should heartbeat be removed to aid in detection of vulnerable services?

Recovery from this bug might have benefitted if the new version of the OpenSSL would both have fixed the bug and disabled heartbeat temporarily until some future version. Majority, if not almost all, of TLS implementations that responded to the heartbeat request at the time of discovery were vulnerable versions of OpenSSL. If only vulnerable versions of OpenSSL would have continued to respond to the heartbeat for next few months then large scale coordinated response to reach owners of vulnerable services would become more feasible. However, swift response by the Internet community in developing online and standalone detection tools quickly surpassed the need for removing heartbeat altogether.

Can I detect if someone has exploited this against me?

Exploitation of this bug leaves no traces of anything abnormal happening to the logs.

Can IDS/IPS detect or block this attack?

Although the heartbeat can appear in different phases of the connection setup, intrusion detection and prevention systems (IDS/IPS) rules to detect heartbeat have been developed. Due to encryption differentiating between legitimate use and attack can not be based on the content of the request, but the attack may be detected by comparing the size of the request against the size of the reply. This implies that IDS/IPS can be programmed to detect the attack but not to block it unless heartbeat requests are blocked altogether.

Has this been abused in the wild?

We don't know. Security community should deploy TLS/DTLS honeypots that entrap attackers and to alert about exploitation attempts.

Can attacker access only 64k of the memory?

There is no total of 64 kilobytes limitation to the attack, that limit applies only to a single heartbeat. Attacker can either keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed.

Is this a MITM bug like Apple's goto fail bug was?

No this doesn't require a man in the middle attack (MITM). Attacker can directly contact the vulnerable service or attack any user connecting to a malicious service. However in addition to direct threat the theft of the key material allows man in the middle attackers to impersonate compromised services.

Does TLS client certificate authentication mitigate this?

No, heartbeat request can be sent and is replied to during the handshake phase of the protocol. This occurs prior to client certificate authentication.

Does OpenSSL's FIPS mode mitigate this?

No, OpenSSL Federal Information Processing Standard (FIPS) mode has no effect on the vulnerable heartbeat functionality.

Does Perfect Forward Secrecy (PFS) mitigate this?

Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption. Please seehttps://twitter.com/ivanristic/status/453280081897467905 how leaked tickets may affect this.

Can heartbeat extension be disabled during the TLS handshake?

No, vulnerable heartbeat extension code is activated regardless of the results of the handshake phase negotiations. Only way to protect yourself is to upgrade to fixed version of OpenSSL or to recompile OpenSSL with the handshake removed from the code.

Who found the Heartbleed Bug?

This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) atCodenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. Codenomicon team found heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to OpenSSL team.

What is the Defensics SafeGuard?

The SafeGuard feature of the Codenomicon's Defensics security testtools automatically tests the target system for weaknesses that compromise the integrity, privacy or safety. The SafeGuard is systematic solution to expose failed cryptographic certificate checks, privacy leaks or authentication bypass weaknesses that have exposed the Internet users to man in the middle attacks and eavesdropping. In addition to the Heartbleed bug the new Defensics TLS Safeguard feature can detect for instance the exploitable security flaw in widely used GnuTLS open source software implementing SSL/TLS functionality and the "goto fail;" bug in Apple's TLS/SSL implementation that was patched in February 2014.

Who coordinates response to this vulnerability?

Immediately after our discovery of the bug on 3rd of April 2014, NCSC-FI took up the task of verifying it, analyzing it further and reaching out to the authors of OpenSSL, software, operating system and appliance vendors, which were potentially affected. However, this vulnerability had been found and details released independently by others before this work was completed. Vendors should be notifying their users and service providers. Internet service providers should be notifying their end users where and when potential action is required.

Is there a bright side to all this?

For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.

What can be done to prevent this from happening in future?

The security community, we included, must learn to find these inevitable human mistakes sooner. Please support the development effort of software you trust your privacy to. Donate money to the OpenSSL project.

Where to find more information?

This Q&A was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on 7th of April 2014. The OpenSSL project has made a statement athttps://www.openssl.org/news/secadv_20140407.txt. NCSC-FI published an advisory athttps://www.cert.fi/en/reports/2014/vulnerability788210.html. Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

References

• CVE-2014-0160
• NCSC-FI case# 788210
• OpenSSL Security Advisory (published 7th of April 2014, ~17:30 UTC)
• CloudFlare: Staying ahead of OpenSSL vulnerabilities (published 7th of April 2014, ~18:00 UTC)
• heartbleed.com (published 7th of April 2014, ~19:00 UTC)
• Ubuntu / Security Notice USN-2165-1
• FreshPorts / openssl 1.0.1_10
• Tor Project / OpenSSL bug CVE-2014-0160
• RedHat / RHSA-2014:0376-1
• CentOS / CESA-2014:0376
• Fedora / Status on CVE-2014-0160
• CERT/CC (USA)
• NCSC-FI (Finland)
• CERT.at (Austria)
• CIRCL (Luxembourg)
• CERT-FR (France)
• JPCERT/CC (Japan)
• CERT-SE (Sweden)
• NorCERT (Norway)
• NCSC-NL (Netherlands)
• CNCERT/CC (People's Republic of China)
• Public Safety Canada
• LITNET CERT (Lithuania)
• MyCERT (Malaysia)
• UNAM-CERT (Mexico)
• SingCERT (Singapore)
• Q-CERT (Qatar)

Filipinos celebrate as Pacquiao avenges loss

Filipinos cheer as they watch the WBO World Welterweight championship boxing match between the Philippines’ Manny Pacquiao and American Timothy Bradley at The MGM Grand Garden Arena in Las Vegas, live via satellite at Marikina city, east of Manila, Philippines on Palm Sunday, April 13, 2014. AP

“Manny is still the eighth wonder of the world,” Fr. Joey Faller said as Filipinos jumped from their seats, raised their arms and burst into cheers after the country’s boxing hero, Manny Pacquiao, regained his WBO welterweight title from American Timothy Bradley Jr. in a unanimous 12-round decision in Las Vegas on Sunday.

“Manny has proven that he is the better fighter. He still has the speed, the great footwork and the tsunami of punches,” said Faller, administrator of the Kamay ni Hesus (Hand of Jesus) shrine in Lucban town, Quezon province.

But he noticed something in the way Pacquiao, who has won world titles in eight boxing divisions, fought Bradley and he did not hesitate to say it.

“What he lacks now is the killer instinct,” Faller said. “He is so compassionate and not the Pacquiao we saw in the past. Probably his being born again Christian mellowed down his aggressiveness.”

But it’s not yet time for Pacquiao, 35, to quit boxing, the priest said.

“There is one unfinished business for him—to fight (Floyd) Mayweather (Jr.) for a one mega ultimate fight of the century,” Faller said, referring to the current World Boxing Council (WBC) welterweight champion, WBC and World Boxing Association (WBA) superwelterweight champion.

That is probably still in the cards, with Pacquiao saying he’s still good for another two years.

Cheers from colleagues

Among those who cheered Pacquiao’s victory over Bradley on Sunday were his colleagues in the House of Representatives.

Speaker Feliciano Belmonte Jr. said the Sarangani representative’s reclaiming his welterweight championship belt this late in his career showed that discipline and determination would always trump adversity.

“At 35, [Manny Pacquiao’s] victory over a much younger Bradley (30), who was said to have been even better trained now than in their previous fight, has shown the world that he continues to be the pound-for-pound King of Boxing,” Belmonte said in a statement.

Not so exciting

In the covered court at Bernardo Park in Quezon City, PO1 Conrad Lim did not find the fight too exciting, noting that Pacquiao was in good fighting condition but Bradley was not.

Still, Lim said he was happy that Pacquiao won. “He has proven that he still has [many] years as a fighter in him,” he said.

In the covered court in San Lorenzo village in Makati City, the crowd erupted in cheers every time Pacquiao had Bradley in a corner, raining punches on the American.

Even foreign residents of the village were seen cheering for Pacquiao.

“I’m a massive fan of Pacquiao. I even have posters of him all over my house,” said Marc Zanetta, a British national working at the UK Embassy in Taguig City.

Accompanied by a fellow British citizen, Zanetta said he always made it a point to see Pacquiao’s fights.

“I saw the previous fight (with Bradley). Although I think he won that one, this time he was faster. He was better. He was an experienced boxer and he wasn’t intimidated with Bradley’s antics. I am happy with the results,” Zanetta said.

“He was still slower but this is still exciting,” Alberto Kwong, 70, said, referring to Pacquiao. “He has shown once again that he is a champion.”

Suspense in Tondo

At the Tondo Sports Complex in Manila, the crowd fell silent during the fifth and sixth rounds, which were obviously dominated by Bradley.

“He’s losing,” someone in the crowd said, referring to Pacquiao, who was taking big blows from Bradley. “He should retire.”

But Pacquiao came back in the seventh round with his trademark rapid combinations, staggering Bradley at one point.

And the sports complex exploded in cheers after the score was announced.

Manila Mayor Joseph Estrada had been expected to watch the fight in the sports complex, but did not show up.

Vice Mayor Francisco “Isko” Domagoso joined hundreds of boxing fans at the San Andres Sports Complex and cheered with them after Pacquiao was announced the winner.

“Long live, Manny! You made us Filipinos proud again,” Domagoso later tweeted in Filipino.

More than 2,000 people endured the midday heat at the Navotas City Sports Complex and cheered Pacquiao on as the Filipino pressured his American opponent.

“Yes, that’s it,” they cried as Pacquiao staggered Bradley with a left to the head.

“In their first fight, Manny was cheated,” an old man said after the score was announced. “But this time, [he’s the clear winner].”

30-km walk

In Pampanga province, Ben Lampa, a village watchman in Pulong Santol, did not wait for the end of the fight and declared Pacquiao the “winner in round 10.”

Resident Domingo Ponce said Pacquiao “did everything he could to win.”

Nimfa Ferrer, a housewife, said she was happy for Pacquiao even though he did not knock out Bradley.

Fifty Aeta people walked for two hours to Sapang Bato village in Angeles City, 30 kilometers from their own village, to watch the fight.

“[Pacquiao is] our idol,” Roman King, one of them, said. “We want to see him [fight].”

They were not disappointed, as Pacquiao gave them what international boxing referee Bruce McTavish described as a “smart fight.” But McTavish said he was not sure how long Pacquiao would have power in his punches to stay in business.

Traffic in Baguio

In Baguio City, traffic slowed down as early as 10 a.m. on Naguilian and Abanao roads because of the big crowds of people who turned out for the free public viewing of the fight.

The crowds broke into cheers after Pacquiao was announced the winner at about 1 p.m.

In Nueva Ecija province, commuters in the Science City of Muñoz complained about the lack of tricycles to ferry them to their destinations. The tricycle drivers took time out to watch the fight on television at barber shops and other public places.

Ireneo Bucsit Jr., 27, a teacher at Muñoz National High School, said Pacquiao proved he was sharper than Bradley despite his age.

“It was sweet revenge for Pacquiao,” he said.

Mayor Adrienne Cuevas said the fight reaffirmed Pacquiao’s brand of heroism that every Filipino should emulate.

“He showed the virtue of working hard for a great cause,” Cuevas said.

In Bataan province, businessman Bong Talastas, 58, of Balanga City, was unconvinced that Pacquiao gave his all.

“It seems that somebody is controlling his moves to prevent Bradley from being knocked out. For the benefit of the orchestrator, the [farce] must go on,” he said.

Storm survivors happy

In communities in the Visayas ravaged by Yolanda on Nov. 8, storm survivors rejoiced at Pacquiao’s victory over Bradley.

“Of course, I am happy to see him win again and somehow I will go home to our tent happy and contented,” said Florencio Villanuna, 77, whose family lost their home in San Jose district in Tacloban City.

“He is really the best fighter today,” Villanuna said after Pacquiao was declared the winner of the fight.

In the island village of Malangabang in Concepcion town, Iloilo province, fishermen did not go to sea to watch the fight.

“We are all happy that Pacquiao won. We are also slowly recovering despite the damage to our houses,” village councilor Sonny Ciriaco said.

In Tagbilaran City, Bohol province, village gyms erupted in cheers after Pacquiao’s victory over Bradley was announced.

“It was exciting. There were no knockdowns, but that’s OK. We got the victory,” said Mayor John Geesnell Yap, whose administration sponsored the public viewing of the fight in 15 villages.

Supt. Joie Yape, spokesperson for the Bohol Provincial Police Office, said no untoward incidents were reported in the province during the fight.

Except for a drunken man who created a scene at the Cebu Coliseum, there were also no crime reports in Cebu City.

“Pacman (Pacquiao’s boxing moniker) brought peace in Cebu City,” said Chief Insp. Romeo Santander, chief of the Cebu City Police Intelligence Bureau.

In an evacuation center in Davao City, Tuanob Talugmao and Teody Mansimuy-at were excited about watching the fight live on television.

“What’s more exciting is that he won,” Talugmamo said.

“Although there were no knockdowns, the fight was still very exciting. First, we thought he would lose. But he won,” Mansimuy-at said.

Time-off for troops

In Unkaya Pukan town in Basilan province, troops of the military’s 18th Infantry Battalion were still in fighting mood after clashes with Abu Sayyaf terrorists on Friday, but they took time out to watch Pacquiao fight Bradley again.

“That’s all they asked from me. It’s OK with them if the clashes last all night, but not during Pacquiao’s fight,” said Lt. Col. Paolo Perez, the battalion commander, said.

Perez said he decided to subscribe to pay per view for his troops.

“The cheering was terrible, as if no clashes with the Abu Sayyaf happened,” he said.—Reports from Gil C. Cabacungan, Nina P. Calleja, Jeannette I. Andrade, Maricar B. Brizuela and Nathaniel R. Melican in Manila; Delfin Mallari Jr., Madonna Virola, Mar Arguelles and Shiena Barrameda, Inquirer Southern Luzon; Tonette Orejas, Anselmo Roque, Armand Galang and Greg Refraccion, Inquirer Central Luzon; Richard Balonglong and Villamor Visaya Jr., Inquirer Northern Luzon; Joey A. Gabieta, Carmel Loise Matus, Jhunnex Napallacan and Nestor Burgos Jr., Inquirer Visayas; Karlos Manlupig, Julie S. Alipala and Edwin O. Fernandez, Inquirer Mindanao; and AFP


~Inquirer

Memes flourish after Pacquiao victory

MANILA, Philippines—With Manny Pacquiao’s astounding victory come an outpouring of congratulatory greetings. But not everything was expressed through the conventional manner.

After a convincing victory to reclaim the World Boxing Organization Welterweight title, Pacquiao, along with his opponent Timothy Bradley, was the immediate subject of memes.

Not to be outdone, Bureau of Internal Revenue (BIR) Commissioner Kim Henares was also given the meme treatment.

One instance is a photograph of Pacquiao’s fans shouting “Manny! Manny!”, coupled with a smirking photo of Henares with the caption “Money! Money!”

 

Pacquiao has been one of the favorite subjects of Henares and the BIR’s tax collection drive.

As Pacquiao’s opponent, Bradley also cannot escape the meme treatment.

A “hi I’m Bradley, and I like warm hugs,” meme featured the American boxer’s head plastered on the body of Frozen’s Olaf.

 

It probably alludes to Bradley’s constant clinches with Pacquiao or Mommy Dionisia Pacquiao’s motherly hug with him after the fight.

And of course, who could forget the instant internet celebrity that was Pacquiao’s mom or Mommy D?

Just as she ruled the internet and the hearts of international journalists, Mommy D was also “memefied.”

In the meme, after allegedly casting a spell on Bradley during the fight, Mommy D is seen making small talk to her son’s opponent.

 

~Inquirer

Pacquiao laughs off Bradley’s threat to end his career

LAS VEGAS—Manny Pacquiao will hang up his gloves when he wants to. It won’t be by forced retirement, as Timothy Bradley threatens to do.

“That (Bradley boast) is not new to me,” said a grinning Pacquiao on Wednesday. “(Brandon) Rios also told me that and look what happened.”

The only fighter to win world titles in eight weight divisions ravaged Rios last November in Macau.

Though not noted for his punching power, Bradley has repeatedly vowed to knock out Pacquiao and end the Filipino ring icon’s 19-year pro career.

Pacquiao said that isn’t likely to happen when they clash anew on Saturday.

Dismissing Bradley’s claims that he’s no longer the furious, fearsome boxer that terrorized foes until two years ago, Pacquiao said the hunger is back and he feels younger and stronger at 35.

He credited Hall of Fame trainer Freddie Roach and strength and conditioning coach Justin Fortune for his resurgence.

“Justin did a lot of exercises we didn’t do in the last seven years,” Pacquiao said.

He added that losing to Bradley never crossed his mind.

Pacquiao said he prefers to fight an aggressive Bradley so that he can unleash shots  and combinations that they’ve been working out in the gym.

But he is not taking Bradley lightly. “We saw his toughness in the ring in his last two fights, but I’m prepared for whatever he will bring in the ring,” the fighting congressman said.

~Inquirer

Pacquiao wins unanimous decision vs Bradley

LAS VEGAS/MANILA — Revenge was served, and it was cold.

Manny Pacquiao won a 12-round unanimous decision over Timothy Bradley on Saturday to avenge his controversial 2012 loss to the previously unbeaten American.

The Filipino ring icon improved to 56-5 with two drawn and 38 wins inside the distance as he regained the World Boxing Organization welterweight world title he lost to Bradley on June 9, 2012.

Although he couldn’t get his first knockout win since 2009, Pacquiao lived up to his pre-fight promise to come out with more aggression, denying Bradley’s avowed aim of sending him into retirement with another defeat.

“I think I can go another two years,” said Pacquiao, who has won world titles in an unprecedented eight weight divisions. “I’m so happy to be world champion again. Tim Bradley was not an easy fight.”

Bradley, who said he fought from the first round with a right calf injury, fell to 31-1, with 12 knockouts.

“Life goes on,” Bradley said of his first pro defeat. “It’s back to the gym. Not a big deal.”

“You won the fight, you deserved the win,” Bradley said. “I have no excuses.”

After a forgetful 2012, Pacquiao has now picked up two impressive wins in just five months following a dominant victory over Mexican-American Brandon Rios last November at the Venetian in Macau.

Scorecard

Judge Glen Trowbridge scored the bout 118-110 for Pacquiao, while both Michael Pernick and Canada’s Craig Metcalf saw it 116-112 for the ‘Pacman,’ whose every move was cheered by the star-studded crowd of 15,601 at the MGM Grand Garden Arena.

“Bradley is better from the first fight,” Pacquiao said. “He hurt me on the chin. He made adjustments.

“I knew I had to do more this time than I did the last time,” he added.

Pacquiao landed 35 percent of his 563 punches, while Bradley connected with just 22 percent of his 627 blows. Pacquiao’s jab was much more effective, landing 23 percent to Bradley’s measly 11 percent, and the Pacman had a slight edge in landing 148 power punches to Bradley’s 109.

Round by round

Pacquiao’s performance righted one of the biggest perceived wrongs in recent boxing history. Pacquiao was an eight-division world champion on 15-fight winning streak when Bradley was awarded a split decision in their last bout.

Pacquiao was more aggressive and accurate from the opening minutes of the rematch, sticking to trainer Freddie Roach’s pleas to take the action to Bradley. They exchanged big shots in the opening rounds, but Pacquiao appeared to wear out Bradley with the heavy early pace — and the Pacman never slowed down.

Pacquiao landed a series of big left hands in the early rounds, knocking back Bradley with gusto.

Bradley responded impressively in the fourth round, wobbling Pacquiao twice with a right hand.

The pace slowed in the fifth, with Bradley showing off his defense and movement while Pacquiao attempted to trap him against the ropes.

Pacquiao appeared to wobble Bradley late in the seventh round with a vicious combination, but Bradley stood with his back against the ropes and defiantly encouraged it, blocking most of the shots. Bradley appeared to pretend to have wobbly legs at one point after a Pacquiao miss, but his open mouth betrayed his weariness while Pacquiao steadily racked up rounds midway through the fight.

Bradley came on strong in the 12th, and the fighters’ heads collided late in the round. Pacquiao avoided any trouble until the final bell, when he did a short dance step to his corner.

Pacquiao finished the fight with a cut over his left eye. Roach said Pacquiao needed stitches to close the jagged cut.

Old ‘killer instinct’

Saturday’s victory showcased more of the old “killer instinct,” with Bradley saying it was clear that Pacquiao was “going for it”.

But Roach said Bradley’s unexpected strategy of seeking a big knockout blow of his own caught him and Pacquiao by surprise.

“He was swinging for the fences all night,” Roach said of Bradley, who said he thought it was the only way he could win the fight.

But as the pace slowed in the later rounds, Pacquiao dominated, putting together multi-punch combinations that kept Bradley off balance.

“I tried, I really tried,” said Bradley. “I wanted that knockout. I kept trying to throw something over the top, that’s what the plan was.”

But Bradley trainer Joel Diaz said he knew the plan had gone out the window when Bradley came to the corner after the first round saying he thought he had torn his right calf muscle.

Diaz tried massaging it, but Bradley told him to stop because it hurt.

“From that point on, I knew I didn’t have much to work with, because our plan was to dominate Pacquiao and we couldn’t do it,” Diaz said.

The injury was later diagnosed as a strain, and Bradley said he had “no excuses”.

“Manny is a great fighter, one of the best in the world maybe the best ever,” he said.

Before the rematch

While Bradley remains publicly confident he beat Pacquiao in their first bout despite fighting on two injured feet, that much-derided decision sent both fighters’ careers on wild spirals.

The two judges who scored the bout 115-113 for Bradley are no longer in the boxing business, but their decision ended Pacquiao’s 15-fight win streak and forced Bradley to defend himself against widespread criticism of the result.

Bradley endured death threats and depression before returning to the ring in unusually reckless style. He brawled with Ruslan Provodnikov in March 2013 in a sensational unanimous-decision victory that silenced critics of his style and heart. Bradley then outpointed veteran Mexican champion Juan Manuel Marquez last fall, polishing his skills and making himself attractive to Pacquiao for a rematch.

Pacquiao was knocked unconscious by Marquez in the sixth round of their fourth fight in late 2012, and he took nearly a year off before returning for an unspectacular victory over Brandon Rios last fall. Pacquiao’s last two performances prompted Bradley to declare Pacquiao had lost his killer instinct, noting he was unable or unwilling to stop any of his opponents since late 2009.

Pacquiao’s next foe

Pacquiao’s next opponent could be the winner of the May 17 bout between Mike Alvarado and Marquez.

If Marquez wins, he could meet Pacquiao for the fifth time.

“I have no problem with fighting Marquez again, but that’s up to my promoter, Bob Arum,” Pacquiao said.

Motherly love

After the decision was announced, Dionisia Pacquiao, the fighting congressman’s mother, quickly approached the fallen American.

Mommy D, as she is fondly called, was probably the first to console Bradley from the Pacquiao camp, giving the American some motherly hug and a playful jab to the chin.

And Mommy D did not disappoint, claiming the 8th spot on the World’s trending topics on Twitter as of 1:30 p.m. (Manila time).

~Inquirer :)

Love triangle ng mga grade 7, nauwi sa madugong batuhan

Tatlong bata mula sa pampanga ang nahuli ng mga barangay na nagkakagulo matapos mag-reklamo ang isang kapitbahay sa ingay at kaguluhan.

Ang dahilan umano ng away ay ang love triangle ng mga batang nahuli kabilang ang dalawang lalake at isang batang babae, na pare-parehong Grade 7 sa isang paaralan sa Pampanga.

Ayon sa na-interview na barangay tanod, ang dahilan ng away ay bangayan sa pag-ibig ng mga bata

"Siya po kasi, nilalandi niya pa po. Girlfriend ko po kasi kinuha ko yung phone at kung ano ano tinetext nung lalake"
Sambit ng batang nahuli.

Napuruhan naman ang sinasabing ka-text nung babae at naka-confine ngayon sa St. Lukes matapos may mamuong dugo sa ulo. Hindi padin gumigising ang lalake.

Inaalam pa ngayon kung ano ang aksyong gagawin ng pamilya ng biktima.

'Sloppy' Pacquiao still draws praise from Roach

Manny Pacquiao and trainer Freddie Roach celebrate victory over Timothy Bradley of the US following their WBO World Welterweight Championship title match at the MGM Grand Arena in Las Vegas, Nevada. Photo by Joe Klamar, Agence France-Presse

Hall-of-Fame trainer Freddie Roach is happy with Manny Pacquiao's performance even as he acknowledged that the "Pacman" was somewhat "sloppy" in his unanimous decision win against American Timothy Bradley.

Pacquiao avenged his controversial June 2012 loss to Bradley with a clear-cut decision win in the rematch, outpointing the American over 12 rounds to regain the WBO welterweight championship.

“Manny was a little sloppy tonight,” Roach said, as quoted by ESPN.com. “But I was happy with his performance.”

Bradley clearly buzzed Pacquiao in the fourth round, landing a right that the “Pacman” later admitted hurt him. But Bradley, who wanted to go for a knockout, became a victim of his own aggression, as he opened himself up for Pacquiao’s power punches.

“It looked like Bradley was going for a one-punch home run,” Roach observed.

Bradley later explained that he wanted to “throw something over the top,” such as the wild overhand rights that he kept launching in the second half of the fight. Pacquiao was easily able to spin away from his attacks, however, often while landing multiple-punch combinations of his own.

Yet the “Pacman” was effusive in his praise of Bradley after the fight and refused to talk trash about the American fighter.

“He gave me a good fight. He’s not that easy,” said Pacquiao. “I listened to my corner about keeping my hands up and timing.”

“He threw a lot of punches,” he added. “He threw wide, wide, wide hooks. I got hit one time, and I said it’s not good to be careless.”

Pacquiao slowly but surely took control of the bout from the sixth round onward, and wound up winning a wide points decision, 116-112, 116-112, and 118-110.