[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Wed Apr 9 14:47:03 PDT 2014


Most of the "secure" web sites you use have been *broken for the last 
two years*.  Bruce Schneier says the OpenSSL "Heartbleed" bug disclosed 
yesterday, on a scale of 1 to 10, is an 11, "catastrophic"
<https://www.schneier.com/blog/archives/2014/04/heartbleed.html>. I
recommend James Fallows' coverage 
<http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/> 
at the Atlantic. Ars Technica
<http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/>
is even better; they demonstrate the exploit against yahoo.com.

If you bank online, you need to check your bank's site with something
like this <http://filippo.io/Heartbleed/>, and change your password.
Change it now, then check the site.  If the check fails, check it again
later, and change your password /again/ when it passes.

The first change neutralizes your password which *was probably stolen*
during the last two years.  The second neutralizes the new one that was
stolen yesterday before your bank fixed its server.  Now that the bug is
public, you can safely assume *all* unpatched sites are compromised.

If you run an HTTPS web server, you need to update it, and then you need
to get a new cert.  That's what your bank needs to do.

If someone else runs an HTTPS web server for you, check it.  If it's
broken and they don't fix it soon, change providers.

Forward as you see fit.

-/Cameron/
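An added example, not part of Cameron's message: two server-side checks a defender can run for the "update it, then get a new cert" steps above, written in Python. It assumes the affected-version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and that the input strings are the output of `openssl version` and `openssl x509 -noout -dates`; the sample strings in the comments are constructed, not taken from any real server.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g (7 Apr 2014) fixed it.
# Releases before 1.0.1 (1.0.0, 0.9.8) never contained the TLS heartbeat code.
FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
_NOT_BEFORE_RE = re.compile(r"notBefore=(.+)")


def vulnerable_by_version(banner: str) -> Optional[bool]:
    """Classify an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".

    Returns True for an affected release, False for an unaffected one, and
    None when the banner is not an OpenSSL banner at all.
    Caveat: distribution packages may backport the fix without changing the
    release letter, so True means "confirm with your package manager or a
    live check", not "definitely still leaking".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) != (1, 0, 1):
        return False
    # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
    return letter == "" or letter <= "f"


def cert_needs_reissue(x509_dates: str, patched_at: datetime = FIX_RELEASED) -> bool:
    """Decide whether a certificate must be replaced after patching.

    `x509_dates` is the output of `openssl x509 -noout -dates`, e.g.
    "notBefore=Mar 10 00:00:00 2014 GMT\nnotAfter=...". Any cert issued
    before the server was patched was served by a process that could have
    leaked its private key, so it needs a new key pair and a new cert.
    """
    m = _NOT_BEFORE_RE.search(x509_dates)
    if not m:
        raise ValueError("no notBefore line in input")
    issued = datetime.strptime(m[1].strip(), "%b %d %H:%M:%S %Y %Z")
    return issued.replace(tzinfo=timezone.utc) < patched_at
```

Pass `patched_at` as the time your own server was actually updated rather than the upstream fix date when the two differ, since a cert issued in between is just as exposed.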

