[GPSCC-chat] Heartbleed is real. Do something real.

John Thielking peacemovies at gmail.com
Wed Apr 9 15:19:18 PDT 2014


I don't use online banking much, though I do pay bills with a debit card. I
may be able to use a real credit card soon instead, though I have yet to
actually receive the card that I was notified was sent to me in the
mail. Like I said in another thread, the US govt likely has a backdoor into
every encryption method out there, including RSA's stuff (there was a
specific news item on that one) and anyone running HTTPS. My best bet in
regards to this is that my Direct Express online access/password only
allows me to look at my account balance and transaction history.  As far as
I know, I can't look up my account number or transfer money by logging in.
Good luck.

Sincerely,

John Thielking


On Wed, Apr 9, 2014 at 2:47 PM, Cameron L. Spitzer <cls at truffula.us> wrote:

>
> Most of the "secure" web sites you use have been *broken for the last two
> years*.  Bruce Schneier says the OpenSSL "Heartbleed" bug disclosed
> yesterday, on a scale of 1 to 10, is an 11, "catastrophic" <https://www.schneier.com/blog/archives/2014/04/heartbleed.html>.
> I recommend James Fallows' coverage <http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/> at the Atlantic.
> Arstechnica <http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/> is even better; they demonstrate the exploit against
> yahoo.com.
>
> If you bank online, you need to check your bank's site with something like
> this <http://filippo.io/Heartbleed/>, and change your password.  Change
> it now, then check the site.  If the check fails, check it again later, and
> change your password *again* when it passes.
> The first change neutralizes your password which *was probably stolen*
> during the last two years.  The second neutralizes the new one that was
> stolen yesterday before your bank fixed its server.  Now that the bug is
> public, you can safely assume *all* unpatched sites are compromised.
> If you run an HTTPS web server, you need to update it, and then you need
> to get a new cert.  That's what your bank needs to do.
> If someone else runs an HTTPS web server for you, check it.  If it's
> broken and they don't fix it soon, change providers.
>
> Forward as you see fit.
>
> -*Cameron*
>
>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>
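The two server-side steps in the quoted advice (update the server, then get a new cert) can be triaged from `openssl version` and `openssl x509 -noout -dates` output. The helpers below are an added example written for this thread, not code from either poster; the version banners and certificate dates in the comments are constructed samples.

```python
"""Triage helpers: is this OpenSSL build patched for Heartbleed, and was the
certificate re-issued after the fix? Added example, not from the thread."""
import re
from datetime import datetime, timezone

# Heartbleed was disclosed on 7 April 2014; OpenSSL 1.0.1g is the fixed release.
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
_VER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def classify_openssl(banner: str) -> str:
    """Classify `openssl version` output as 'affected', 'patched',
    'unaffected' or 'unknown'. Distros sometimes backport the fix without
    changing the version string, so 'affected' means 'verify by hand'."""
    m = _VER.search(banner)
    if not m:
        return "unknown"
    series = (int(m[1]), int(m[2]), int(m[3]))
    letter, beta = m[4], m[5]
    if series == (1, 0, 2) and beta == "-beta1":
        return "affected"      # 1.0.2-beta1 carried the bug
    if series != (1, 0, 1):
        return "unaffected"    # 1.0.0 and 0.9.8 have no TLS heartbeat code
    return "affected" if letter <= "f" else "patched"  # '' and a..f affected


def parse_openssl_date(line: str) -> datetime:
    """Parse a line from `openssl x509 -noout -dates`,
    e.g. 'notBefore=Apr  9 00:00:00 2014 GMT' (constructed sample)."""
    value = line.split("=", 1)[-1].strip()
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def remediation_steps(banner: str, not_before_line: str) -> list[str]:
    """Mirror the thread's advice: update first, then get a new cert."""
    state = classify_openssl(banner)
    cert_is_old = parse_openssl_date(not_before_line) < DISCLOSED
    steps = []
    if state == "affected":
        steps.append("update OpenSSL to 1.0.1g or later")
    elif state == "unknown":
        steps.append("confirm the OpenSSL build by hand (banner not recognised)")
    # A cert issued before disclosure on a build that ever had the bug may
    # have had its private key exposed; patching alone does not undo that.
    if cert_is_old and state in ("affected", "patched", "unknown"):
        steps.append("reissue the certificate with a new key and revoke the old one")
    return steps
```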