[GPSCC-chat] Heartbleed is real. Do something real.

John Thielking peacemovies at gmail.com
Wed Apr 9 17:37:54 PDT 2014


Cameron,

It is reassuring to know that not all software companies are under the
thumb of the NSA. However, I also heard that the hardware that we commonly
use is also compromised, so that no software can overcome the built-in back
doors on those devices.  I don't have an exact reference for that hardware
bit. I heard about it on a recent broadcast of the news on rt.com. Also, an
online book I read on privacy for journalists and other sources have said
that the EMF coming from computer monitors and the computers themselves can
be monitored remotely even if the computer is not connected to the
Internet, to again compromise privacy. Remember that the tiny radios in
cell phones can communicate with cell towers up to 20 miles away (which
fact some are using to discredit claims that cell phones on flight 93 on
9/11 couldn't have communicated with the ground --- which has since
modified my position on that point since finding that out). So it seems
reasonable that an EMF source consuming many watts, such as a computer,
could easily be monitored from at least a quarter mile away or more.  Any
thoughts?  Thanks.

Sincerely,

John Thielking


On Wed, Apr 9, 2014 at 4:50 PM, Cameron L. Spitzer <cls at truffula.us> wrote:

>
>
> Nobody credible is suggesting the NSA or anybody else has a backdoor in
> Secure Shell Version 2 (SSH) or the ciphers it uses.  If it were even
> suspected, there would be a mad race to come up with a replacement.
> SSH was developed in Finland because it's the only developed nation not
> subject to the US' "munitions related" export controls.  That's why the big
> security software developers all have offices there.  They learned that
> lesson from NSA's heavy-handed interference with the original Digital
> Encryption Standard and Pretty Good Privacy.  If you've been researching
> the history of digital security, you already know about those outrages.
>
> To understand these problems, you have to distinguish *algorithm* from
> *implementation*.  There is no "*method*."  The strength of SSH and its
> ciphers, and of PGP/GPG, and anything else that uses asymmetric encryption,
> including SSL, comes from the mathematical reality that it's astronomically
> more difficult to factor the product of two very large prime numbers than
> it was to multiply those two primes in the first place.  The NSA is about
> as "likely" to find a way around that as they are to find a way to travel
> faster than light.  That's algorithm.  Vulnerabilities like Heartbleed come
> from mistakes in implementation, not from weaknesses in the mathematical
> algorithms themselves.  The last one we all had to patch (it was in SSH)
> was due to a mistake where a pseudorandom number was more predictable than
> it should have been.
>
> Heartbleed <http://heartbleed.com/> gives a black eye to the "open source
> fanboys" who've been claiming for years that nothing this serious would
> ever get past the "crowd" of reviewers.  "Vulns" this bad get stopped in
> code-review all the time, and one got through.  But it hardly means "the
> NSA has a back door in everything."  ("The NSA has a back door in
> everything" is a way to rationalize your own choices of convenience over
> security.  Everybody does it.)
> Nor does it mean the closed source implementations are better.  Microsoft
> has its own SSL implementation.  It's surely been code-reviewed by NSA, and
> it may even have NSA's backdoor in it.  Perhaps that's in the pile Snowden
> handed off to Greenwald, and *Der Spiegel* hasn't got around to revealing
> it.
>
> By the way, the media are reporting "two thirds of the Web" vulnerable.  According
> to Netcraft <http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>,
> it's 17% of hostnames.  Maybe the "two thirds" is because that 17% is most
> of the big names.
>
> -*Cameron*
>
>
>
> On 04/09/2014 03:19 PM, John Thielking wrote:
>
> I don't use online banking much, though I do pay bills with a debit card.
> I may be able to use a real credit card soon instead, though I have yet to
> actually receive the card that I was notified that was sent to me in the
> mail. Like I said in another thread, the US govt likely has a backdoor into
> every encryption *method* [emphasis added] out there, including RSA's
> stuff (there was a specific news item on that one) and anyone running
> HTTPS. My best bet in regards to this is that my Direct Express online
> access/password only allows me to look at my account balance and
> transaction history.  As far as I know, I can't look up my account number
> or transfer money by logging in. Good luck.
>
> Sincerely,
>
> John Thielking
>
>
> On Wed, Apr 9, 2014 at 2:47 PM, Cameron L. Spitzer <cls at truffula.us> wrote:
>
>>
>> Most of the "secure" web sites you use have been *broken for the last
>> two years*.  Bruce Schneier says the OpenSSL "Heartbleed" bug disclosed
>> yesterday, on a scale of 1 to 10, is an 11, "catastrophic" <https://www.schneier.com/blog/archives/2014/04/heartbleed.html>.
>> I recommend James Fallows' coverage <http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/> at the Atlantic.
>> Arstechnica <http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/> is even better, they demonstrate the exploit against
>> yahoo.com.
>>
>> If you bank online, you need to check your bank's site with something
>> like this <http://filippo.io/Heartbleed/>, and change your password.
>> Change it now, then check the site.  If the check fails, check it again
>> later, and change your password *again* when it passes.
>> The first change neutralizes your password which *was probably stolen*
>> during the last two years.  The second neutralizes the new one that was
>> stolen yesterday before your bank fixed its server.  Now that the bug is
>> public, you can safely assume *all* unpatched sites are compromised.
>> If you run an HTTPS web server, you need to update it, and then you need
>> to get a new cert.  That's what your bank needs to do.
>> If someone else runs an HTTPS web server for you, check it.  If it's
>> broken and they don't fix it soon, change providers.
>>
>> Forward as you see fit.
>>
>> -*Cameron*
>>
>>
>>
>> _______________________________________________
>> sosfbay-discuss mailing list
>> sosfbay-discuss at cagreens.org
>> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>>
>
>
>
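Cameron's point above, that Heartbleed came from an implementation mistake and not from the cryptography, in a small C model added here (not code from this thread or from OpenSSL): a heartbeat echo handler that trusts the length field in the request sits beside the same handler with the missing bounds check, and both are run against a constructed in-memory arena so nothing leaves the process. The record layout is a simplification of the TLS heartbeat extension, and all names and sample bytes are invented for the example.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat request (constructed for this example,
 * not OpenSSL's code): 1-byte type, 2-byte big-endian payload length, then
 * the payload, which the receiver is supposed to echo back. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3 };

/* Writes the echo response into out and returns bytes written, or -1 if the
 * request is rejected. received_len is how many bytes really arrived. With
 * bounds_check == 0 the function trusts the length field in the message
 * instead, which is the class of implementation mistake behind Heartbleed. */
int build_heartbeat_response(const uint8_t *msg, size_t received_len,
                             uint8_t *out, size_t out_cap, int bounds_check)
{
    if (received_len < HB_HDR || msg[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    if (bounds_check && HB_HDR + claimed > received_len)
        return -1;                 /* hardened: payload must really be there */
    if (HB_HDR + claimed > out_cap)
        return -1;                 /* never overrun the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR, msg + HB_HDR, claimed);  /* unchecked: reads past msg */
    return (int)(HB_HDR + claimed);
}

/* Demo arena standing in for process memory: a 5-byte request that claims a
 * 64-byte payload sits right before unrelated data the peer must never see.
 * Returns 1 if that data ends up in the echo, 0 if it does not. */
int leaks_neighbour(int bounds_check)
{
    uint8_t arena[128] = {0}, out[128];
    const uint8_t request[] = { HB_REQUEST, 0x00, 0x40, 'h', 'i' }; /* 0x40 = 64 */
    const char neighbour[] = "SESSION-COOKIE=constructed-sample";
    memcpy(arena, request, sizeof request);
    memcpy(arena + sizeof request, neighbour, sizeof neighbour);
    int n = build_heartbeat_response(arena, sizeof request, out, sizeof out,
                                     bounds_check);
    if (n < 0)
        return 0;                  /* rejected: nothing echoed at all */
    /* The neighbour sits at the same offset in out as in arena (5 bytes in). */
    size_t at = sizeof request;
    return (size_t)n >= at + strlen(neighbour) &&
           memcmp(out + at, neighbour, strlen(neighbour)) == 0;
}
```

The fix is one comparison of the claimed length against what actually arrived; the RSA and cipher code is never involved, which is the algorithm-versus-implementation distinction the reply draws.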

