[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Sat Apr 12 11:10:15 PDT 2014


> Alarmists said we should change all our passwords.  I think that's
> overkill.

I disagree.
Bruce Schneier is no "alarmist."  He's the author of the standard 
textbook Applied Cryptography, and a member of the Electronic Frontier 
Foundation's advisory board.  And he's the best tech writer to general 
audiences since Carl Sagan.  If you're having trouble with rational risk 
assessment (a widespread problem among activists), you should read his 
book /Beyond Fear/ <https://www.schneier.com/book-beyondfear.html>.

This is the worst Internet security problem due to a single programming 
error that I can remember, ever, because of the circumstances of its 
deployment and the nature of the exploit.
When a vulnerability like this one is discovered, you /must/ assume the 
bad guys have had the use of it since it was deployed.
It allows not just stealing your password, but stealing the secrets that 
would make it impossible for your browser to detect an impostor HTTPS site.
And in the standard deployment, exploiting the bug leaves no trace.
In this case, the window was wide open for roughly two years. Your 
passwords have /probably/ been stolen from affected sites.
Whether you have been managing them well is irrelevant.  Take all the 
needless risks you like, but don't lead others to take risks by denying 
them.

Throwaway passwords used only for commenting on newspaper articles (etc) 
need not be replaced, unless they share recovery secrets with more 
sensitive accounts.  But /anything/ useful for identity theft poses a risk.
For example, the attacker might use your account at some ancestry site 
to discover some non-secret "secret" (e.g., street you lived on as a 
child, mother's maiden name) to accomplish a password reset on your bank 
site.  (Next time, /lie/ about your mother's maiden name, and keep the 
lie someplace safe.)  Identity thieves work on thousands of identities 
at a time, filling in a jigsaw puzzle on each potential victim.  They 
use efficient, automated, mass production techniques.  They rattle 
/every/ doorknob.  You never know which pieces they already have or 
still need.

I've been following my employer's well organized response to this 
problem.  One takeaway is our local experts are not at all concerned 
about Secure Shell V2.  A long obsolete implementation used SSL, but the 
one we've been using doesn't.  I had been mistaken about that.  They're 
also pretty confident about password managers that do client side 
encryption.  E.g., LastPass <https://lastpass.com/> and Kwallet 
<http://userbase.kde.org/KDE_Wallet_Manager>. These tools make it 
practical to maintain distinct, strong passwords for each web site and 
hosted application, so you can stop using "log in with Facebook" type 
shortcuts.  Of course, LastPass on an unmaintained Windows XP host is 
only as secure as that host.  If it's full of memory-scraping malware, 
you've got a local version of Heartbleed.

Rational risk assessment means ignoring irrelevant factors.  Mass 
production identity thieves don't care about your politics. 
(Spear phishers do.  They use everything they know about you to compile a 
word list for guessing passwords and recovery secrets.) They don't care 
how paranoid you are about mass surveillance.

Forward this message as you see fit.
-/Cameron/



On 04/11/2014 09:33 PM, Spencer Graves wrote:
> Hi, Cameron, et al.:
>
>
>       A discussion of how to deal with problems like Heartbleed is now 
> available on Wikiversity, "Managing risk from cyber attacks".
>
>
>       Please revise this as you see fit or send suggestions to me.  
> Cameron has done a great service in providing his expertise on this 
> list.  The Wikipedia article on Heartbleed received almost 47,000 
> views on April 11 (UTC), and over 39,000 on the three previous days 
> combined.  If this Wikiversity article gets a small portion of that 
> number of views, it will provide a great service to humanity.
>
>
>       Creating that article helped me think through what seemed like a 
> sensible reaction.  Alarmists said we should change all our 
> passwords.  I think that's overkill.  Even creating a simple list of 
> all the accounts and passwords I've created over the years was more 
> work than I felt justified.  And creating such a list would miss the 
> point.  We need to worry about the financial institutions that manage 
> savings.  If cyber thieves drain those accounts, it could create big 
> problems for us.  For more, see the Wikiversity article 
> (https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks).
>
>
>       Thanks again, Cameron -- and thanks to John and Drew for their 
> additional comments.
>
>
>       Spencer
>
>
> On 4/11/2014 3:29 PM, John Thielking wrote:
>> Sorry to keep dragging this out, but I finally decided to search the 
>> RT.com web site using the search term "computer hardware" to see if I 
>> could find an article or two relating to my previous statement that 
>> RT.com broadcast the claim that computer hardware in general has been 
>> compromised by the NSA. I did find the following article at
>>
>> http://rt.com/op-edge/nsa-hacking-individual-computers-008/
>>
>>
>> that states that some of the material provided by Snowden does in 
>> fact indicate that some people's computers are implanted with special 
>> chips to aid the NSA in monitoring them. This may not be widespread 
>> just yet, but it does fit with previously broadcast info from RT.com 
>> that was saying that certain people's laptops that have been ordered 
>> online are sometimes transshipped to special NSA facilities where they 
>> have their hardware modified to contain implanted viruses or malware 
>> (in the CMOS perhaps?).  Of course the article also says that the NSA 
>> may choose to bug all computers sold in a specific city, if that city 
>> is a region of interest for the NSA. I'll bet that Eugene, Oregon 
>> (Berkeley North) could be one of those places. And who knows, they 
>> might put radio bugs in all the watches sold there too.
>>   More to think about I guess.
>>
>> A more speculative opinion piece is located here:
>>
>> http://rt.com/op-edge/nsa-spying-future-total-952/
>>
>>
>> and a link to the Der Spiegel article that this stuff is based on is 
>> contained here:
>>
>> http://rt.com/op-edge/annie-machon-nsa-spying-925/ 
>>
>>
>> Any further thoughts?
>>
>> John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 2:19 PM, John Thielking 
>> <peacemovies at gmail.com> wrote:
>>
>>     Another more specific question for you Cameron:
>>
>>     Is the patch for the Heartbleed bug supported for systems running
>>     Windows XP, which was just barely out of date as of the time of
>>     broad announcement of the Heartbleed bug, or do the people
>>     currently running Windows XP also have to upgrade their OS?  I
>>     know my home computer only has 500 MB of memory so I can't just
>>     do an easy upgrade to Win 7.  I hope not too many POS terminals
>>     are also in the same boat.  They should upgrade to a new OS
>>     anyway, but this problem may just compound the problem presented
>>     by the Heartbleed bug itself.
>>
>>     John Thielking
>>
...