[GPSCC-chat] Heartbleed is real. Do something real.
Cameron L. Spitzer
cls at truffula.us
Wed Apr 9 14:47:03 PDT 2014
Most of the "secure" web sites you use have been *broken for the last
two years*. Bruce Schneier says the OpenSSL "Heartbleed" bug disclosed
yesterday, on a scale of 1 to 10, is an 11, "catastrophic
<https://www.schneier.com/blog/archives/2014/04/heartbleed.html>." I
recommend James Fallows' coverage
<http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/>
at the Atlantic. Arstechnica
<http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/>
is even better, they demonstrate the exploit against yahoo.com.
If you bank online, you need to check your bank's site with something
like this <http://filippo.io/Heartbleed/>, and change your password.
Change it now, then check the site. If the check fails, check it again
later, and change your password /again/ when it passes.
The first change neutralizes your password which *was probably stolen*
during the last two years. The second neutralizes the new one that was
stolen yesterday before your bank fixed its server. Now that the bug is
public, you can safely assume *all* unpatched sites are compromised.
If you run an HTTPS web server, you need to update it, and then you need
to get a new cert. That's what your bank needs to do.
If someone else runs an HTTPS web server for you, check it. If it's
broken and they don't fix it soon, change providers.
Forward as you see fit.
-/Cameron/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cagreens.org/pipermail/sosfbay-discuss_lists.cagreens.org/attachments/20140409/27e428da/attachment.html>
More information about the sosfbay-discuss
mailing list