[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Fri Apr 11 08:45:52 PDT 2014


I may have been unclear.

1.  Check your bank (etc) site for the vulnerability.  If it's bad, make a note.
2.  Change your password.
3.  Go back to the bad ones tomorrow and check them again.
4.  If a site has changed from bad to good, change your password there.
5.  Repeat again tomorrow until there are no more bad sites on your list.

If the first check of a site was good, you'll only change that site's 
password once.
If the first check was bad, you'll have to change your password twice.  
The first change deactivates the password which was probably stolen over 
the last two years, replacing it with a temporary password.  The second 
replaces the temporary password, which may also have been stolen.


The work your bank (etc) has to do is more elaborate.  They have to 
replace the trust certificates that SSL protects, because those have 
secret keys and they also could have been stolen.  However, when a site 
goes from bad to good it's a pretty good indication they're doing all of 
that.  The certs are mainly important for protecting you from impostor 
web sites.  Impostors are mainly a threat to people who follow links 
received in email, but they can also appear if the DNS is compromised 
anywhere along the line.  That mostly happens to Microsoft Windows users 
with malware (that's most consumers who use Windows at home) and on 
corporate intranets.  Ironically, even though Microsoft's implementation 
of SSL was not affected, the prevalence of Windows malware greatly 
magnifies the vulnerability.  One more example of how Windows ruins 
everything, even for non-Windows users!


The OpenSSL source code's history is visible at its Github page. Several 
security blogs show how you can look up the Dec 31 2011 change that 
introduced the bug and the April 7 2014 change that fixes it.  No 
stealthy detective work is needed.  However, Github is pretty swamped 
this week with everybody looking at these two changes, so you might get 
a timeout or a 500 error.

It will take years for everybody to fix everything.  There are home 
routers, ATM machines, point of sale terminals (we used to call them 
"cash registers") and other "appliances" (voting machines?) which use 
the buggy OpenSSL, and most consumers never update the firmware in those 
things.
Corporate intranets with huge software stacks (internal accounting 
processes etc) will be the most work.
But almost all large consumer-facing commerce sites will have this fixed 
within a few weeks.  The fix isn't difficult for professionally managed 
web sites, and the urgency is high and unusually well understood.



On 04/10/2014 10:07 PM, John Thielking wrote:
> KRON4 TV news had an interesting piece on this bug tonight. Hopefully 
> they rebroadcast it at 11 so you all can see it. They were saying that 
> they found out who created the bug, that it was a "mistake" and that 
> it could take years for all the web sites involved to be fixed. What a 
> headache.
>
> John Thielking
>
>
> On Thu, Apr 10, 2014 at 12:46 PM, Spencer Graves 
> <spencer.graves at prodsyse.com> wrote:
>
>     Hi, Cameron, Drew, et al.:
>
>
>           1.  Do you have any reactions to the suggestion that a user
>     could increase rather than decrease their vulnerability if they
>     change a password BEFORE a host fixes the software on their end? 
>     The concern is that some of the information stolen via Heartbleed
>     may still need more work to decode than a password change
>     before the host software is patched.  If this is accurate, we
>     should first check the hosts for our greatest vulnerabilities to
>     ensure that they've installed an appropriate patch, then change
>     our password, log out, then quickly log back in and change the
>     password again, as Cameron suggested.  If I understand correctly,
>     the need to change the password twice is because a data thief may
>     catch the first password change but is unlikely to be able to
>     react quickly enough with that new information to catch your
>     second password change if you do it quickly enough.
>
>
>           2.  Wikipedia has an article on "Heartbleed", which has been
>     updated every few minutes since it was created 2014-04-09 04:39
>     UTC.  If you have information that you feel is not properly
>     reflected there, I'd like to know.  I might be able to help update
>     it, though my schedule today is quite busy.
>
>
>           Be safe.
>           Spencer
>
>
>     On 4/10/2014 6:16 AM, Drew wrote:
>>     Cameron, I and others can help people move to a (user-friendly),
>>     freedom-respecting GNU/Linux computer system such as Puppy Linux
>>     http://puppylinux.com , or Zorin http://www.zorin-os.com/ , or
>>     Linux Mint, etc.
>>
>>     Green is Freedom!
>>
>>     Drew
>>     -- 
>>     Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>>
>>     _______________________________________________
>>     sosfbay-discuss mailing list
>>     sosfbay-discuss at cagreens.org
>>     http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>
>
>     -- 
>     Spencer Graves, PE, PhD
>     President and Chief Technology Officer
>     Structure Inspection and Monitoring, Inc.
>     751 Emerson Ct.
>     San José, CA 95126
>     ph: 408-655-4567
>     web: www.structuremonitoring.com
>
>
>
>
>
>
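As an added example (not part of the original message or the list's own material), here is a small Python tracker that encodes the check-then-rotate procedure from the top of this thread: a site that first checks good gets one password change; a site that first checks bad gets a temporary password now and a final one on the first day it checks good; sites still bad stay on the list. The site names and daily results are constructed sample data, and the good/bad verdict is assumed to come from whatever vulnerability check you already trust (the script does not probe any server itself).

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Action strings recorded for each day a site is checked.
TEMP = "set a temporary password; note the site as bad"
FINAL = "set the final password"


class Check(Enum):
    GOOD = "good"   # site no longer vulnerable
    BAD = "bad"     # site still vulnerable


class State(Enum):
    NEW = "new"          # never checked
    WAITING = "waiting"  # temporary password set, site still bad
    DONE = "done"        # final password set on a patched site


@dataclass
class Site:
    name: str
    state: State = State.NEW
    changes: int = 0                                  # password changes so far
    actions: list = field(default_factory=list)       # one entry per day checked


def step(site: Site, result: Check) -> Optional[str]:
    """Apply one day's check result and return today's action (None = nothing)."""
    action = None
    if site.state == State.NEW:
        if result == Check.GOOD:
            # First check was good: one change is enough.
            site.state, action = State.DONE, FINAL
        else:
            # First check was bad: the old password may already be exposed,
            # so replace it now, but expect to replace this one too.
            site.state, action = State.WAITING, TEMP
    elif site.state == State.WAITING and result == Check.GOOD:
        # Site went from bad to good: the temporary password may also have
        # been exposed while the site was bad, so change it again.
        site.state, action = State.DONE, FINAL
    # WAITING + BAD: keep the temporary password, recheck tomorrow.
    # DONE: nothing further to do.
    if action is not None:
        site.changes += 1
    site.actions.append(action)
    return action


def run_schedule(daily_results: dict) -> dict:
    """Replay per-site daily check results; return the Site records."""
    sites = {name: Site(name) for name in daily_results}
    for name, results in daily_results.items():
        for result in results:
            step(sites[name], result)
    return sites


def still_bad(sites: dict) -> list:
    """Names of sites that still need a recheck (temporary password in place)."""
    return sorted(n for n, s in sites.items() if s.state == State.WAITING)


# Constructed sample data: one list of daily results per site.
SAMPLE = {
    "bank.example": [Check.GOOD],                         # good on day 1
    "shop.example": [Check.BAD, Check.BAD, Check.GOOD],   # fixed on day 3
    "mail.example": [Check.BAD, Check.BAD],               # still bad
    "news.example": [Check.GOOD, Check.GOOD],             # rechecked needlessly
}

if __name__ == "__main__":
    sites = run_schedule(SAMPLE)
    for name, site in sites.items():
        print(f"{name}: {site.changes} change(s), actions={site.actions}")
    print("still bad:", still_bad(sites))
```

Feed the tracker the verdicts you record each day and it tells you which sites need a password change today and which ones remain on the list to recheck tomorrow.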
