[GPSCC-chat] Heartbleed is real. Do something real.

John Thielking peacemovies at gmail.com
Sat Apr 12 21:49:11 PDT 2014


Cameron, Drew and anyone else familiar with the trials and tribulations of
software development:

I was serious when I suggested that the banks (or if you prefer, credit
unions) should come up with a better User Interface for their online
accounts that has the option to be inherently secure, rather than
inherently insecure.  At the present moment, I'm trying to guesstimate how
or what program might work to encourage the development of such a new UI.
It could be a community development project, like what I think Cameron was
saying that the SSL software for Unix was.  I definitely have problems
conceiving of a program that has too much government funding, as I suspect
that would turn out much like the rebuilding of Iraq or Afghanistan by the
likes of Halliburton. But it would be nice to have some formal input from
Congress and/or industry experts to provide a strong shot in the arm to get
this off the ground. A legislative mandate to require particular features
for a UI is likely not wise, since if insurmountable security flaws
inherent in any design that is easily modifiable by customer service
clicking a button develop, this may require a quick return to the old
system and any laws that prevent that could cause more harm than the good
that would come out of the new UI concept. Another option besides allowing
customer service to modify features is to simply have three types of
accounts available that can't be modified by customer service after the
customer signs up: 1) no online access, 2) online access to only account
balances and transaction history, similar to what you can get out of an ATM
statement print and 3) regular, fully featured online banking. Any comments
one way or the other? Any ideas? Thanks.

Sincerely,

John Thielking


On Sat, Apr 12, 2014 at 6:51 PM, Cameron L. Spitzer <cls at truffula.us> wrote:

>
> To give you a sense of the care that went into the RT article, they
> misspelled Stuxnet.  A proper name a security expert or a journalist on
> that beat would know well.
>
> I think it was already well known NSA bugs computers domestically.  It's
> not surprising they do it to mail orders instead of burglarizing each
> end-user's office, it's safer and more efficient.  Which is why that
> particular revelation didn't stand out in the pack.
>
> There are two common mechanisms.  A compromised BIOS can be used to launch
> a hidden, compromised kernel instead of the one your distro (Windows or
> Linux) maintains for you.  And the keyboard or its "controller" on the
> motherboard can be modified to log keystrokes.  These techniques are not
> unique to the NSA.  The east European malware syndicate uses BIOS attacks,
> and industrial spies and private eyes use key loggers.
>
> If you suspect a BIOS compromise, launch your system from a USB key
> prepared on a trusted system.  Whatever tricks the bad BIOS plays are not
> going to get past a stock GRUB installation.  You could even get a VM in
> Finland and build the GRUB image there from trusted sources.  It seems like
> a lot of trouble to go to about a rather remote risk, compared with much
> larger risks (e.g., using MS Windows or Gmail...) we tolerate for
> convenience.
>
>
>
> On 04/11/2014 03:29 PM, John Thielking wrote:
>
>   Sorry to keep dragging this out, but I finally decided to search the
> RT.com web site using the search term "computer hardware" to see if I could
> find an article or two relating to my previous statement that RT.com
> broadcast the claim that computer hardware in general has been compromised
> by the NSA. I did find the following article at
>
> http://rt.com/op-edge/nsa-hacking-individual-computers-008/
>
>
>  that states that some of the material provided by Snowden does in fact
> indicate that some people's computers are implanted with special chips to
> aid the NSA in monitoring them. This may not be widespread just yet, but it
> does fit with previously broadcast info from RT.com that was saying that
> certain people's laptops that have been ordered online are sometimes
> transhipped to special NSA facilities where they have their hardware
> modified to contain implanted viruses or malware (in the CMOS perhaps?).
> Of course the article also says that the NSA may choose to bug all
> computers sold in a specific city, if that city is a region of interest for
> the NSA. I'll bet that Eugene, Oregon (Berkeley North) could be one of
> those places. And who knows, they might put radio bugs in all the watches
> sold there too.
>    More to think about I guess.
>
>  A more speculative opinion piece is located here:
>
> http://rt.com/op-edge/nsa-spying-future-total-952/
>
>
>  and a link to the Der Spiegel article that this stuff is based on is
> contained here:
>
> http://rt.com/op-edge/annie-machon-nsa-spying-925/
>
>  Any further thoughts?
>
>  John Thielking
>
>
> On Fri, Apr 11, 2014 at 2:19 PM, John Thielking <peacemovies at gmail.com> wrote:
>
>>  Another more specific question for you Cameron:
>>
>>  Is the patch for the Heartbleed bug supported for systems running
>> Windows XP, which was just barely out of date as of the time of broad
>> announcement of the Heartbleed bug, or do the people currently running
>> Windows XP also have to upgrade their OS?  I know my home computer only has
>> 500 MB of memory so I can't just do an easy upgrade to Win 7.  I hope not
>> too many POS terminals are also in the same boat.  They should upgrade to a
>> new OS anyway, but this problem may just compound the problem presented by
>> the Heartbleed bug itself.
>>
>>  John Thielking
>>
>>
>> On Fri, Apr 11, 2014 at 12:52 PM, John Thielking <peacemovies at gmail.com> wrote:
>>
>>>  People should also know that there may be additional security gaps in
>>> ATMs and Point Of Sale terminals due to their owners' slow response to the
>>> need to do away with using Windows XP. For instance, the last time I went
>>> to Round Table Pizza a couple of weeks ago, the screen saver on their POS
>>> terminal still said "Windows XP". Chase signed a contract for another year
>>> of support from MS for Win XP for their ATMs, but I can only assume that
>>> everyone else will no longer have support for Win XP after early April
>>> 2014.  Good luck on that one too.
>>>
>>>  John Thielking
>>>
>>>
>>> On Fri, Apr 11, 2014 at 12:14 PM, John Thielking <peacemovies at gmail.com> wrote:
>>>
>>>>   After reading this I'm not likely to trust ATMs for awhile with any
>>>> of my debit cards or credit cards. At least my latest credit card company
>>>> and one of my debit cards I'm pretty sure I can just go to the bank teller
>>>> of any bank and get a "cash advance" from the teller instead of using an
>>>> ATM. Often times I don't need a PIN when doing that, just a photo ID.  I
>>>> think the fees for that method may even be less than using the ATM anyway.
>>>> Do you think that the bank teller's systems are likely to be more secure
>>>> than their ATM's?
>>>>    Thanks for clarifying the other info Cameron.
>>>>
>>>>  Sincerely,
>>>>
>>>>  John Thielking
>>>>
>>>>
>>>> On Fri, Apr 11, 2014 at 8:45 AM, Cameron L. Spitzer <cls at truffula.us> wrote:
>>>>
>>>>>
>>>>> I may have been unclear.
>>>>> 1.  Check your bank (etc) site for the vulnerability.
>>>>> If it's bad, make a note.
>>>>> 2.  Change your password.
>>>>>
>>>>> 3.  Go back to the bad ones tomorrow and check them again.
>>>>> 4.  If a site has changed from bad to good, change your password there.
>>>>>
>>>>> 5.  Repeat again tomorrow until there are no more bad sites on your
>>>>> list.
>>>>>
>>>>> If the first check of a site was good, you'll only change that site's
>>>>> password once.
>>>>> If the first check was bad, you'll have to change your password
>>>>> twice.  The first change deactivates the password which was probably stolen
>>>>> over the last two years, replacing it with a temporary password.  The
>>>>> second replaces the temporary password, which may also have been stolen.
>>>>>
>>>>>
>>>>> The work your bank (etc) has to do is more elaborate.  They have to
>>>>> replace the trust certificates that SSL protects, because those have secret
>>>>> keys and they also could have been stolen.  However, when a site goes from
>>>>> bad to good it's a pretty good indication they're doing all of that.  The
>>>>> certs are mainly important for protecting you from impostor web sites.
>>>>> Impostors are mainly a threat to people who follow links received in email,
>>>>> but they can also appear if the DNS is compromised anywhere along the
>>>>> line.  That mostly happens to Microsoft Windows users with malware (that's
>>>>> most consumers who use Windows at home) and on corporate intranets.
>>>>> Ironically, even though Microsoft's implementation of SSL was not affected,
>>>>> the prevalence of Windows malware greatly magnifies the vulnerability.  One
>>>>> more example of how Windows ruins everything, even for non-Windows users!
>>>>>
>>>>>
>>>>> The OpenSSL source code's history is visible at its Github page.
>>>>> Several security blogs show how you can look up the Dec 31 2011 change that
>>>>> introduced the bug and the April 7 2014 change that fixes it.  No stealthy
>>>>> detective work is needed.  However, Github is pretty swamped this week with
>>>>> everybody looking at these two changes, so you might get a timeout or a 500
>>>>> error.
>>>>>
>>>>> It will take years for everybody to fix everything.  There are home
>>>>> routers, ATM machines, point of sale terminals (we used to call them "cash
>>>>> registers") and other "appliances" (voting machines?) which use the buggy
>>>>> OpenSSL, and most consumers never update the firmware in those things.
>>>>> Corporate intranets with huge software stacks (internal accounting
>>>>> processes etc) will be the most work.
>>>>> But almost all large consumer-facing commerce sites will have this fixed
>>>>> within a few weeks.  The fix isn't difficult for professionally managed web
>>>>> sites, and the urgency is high and unusually well understood.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 04/10/2014 10:07 PM, John Thielking wrote:
>>>>>
>>>>>  KRON4 TV news had an interesting piece on this bug tonight.
>>>>> Hopefully they rebroadcast it at 11 so you all can see it. They were saying
>>>>> that they found out who created the bug, that it was a "mistake" and that
>>>>> it could take years for all the web sites involved to be fixed. What a
>>>>> headache.
>>>>>
>>>>>  John Thielking
>>>>>
>>>>>
>>>>> On Thu, Apr 10, 2014 at 12:46 PM, Spencer Graves <
>>>>> spencer.graves at prodsyse.com> wrote:
>>>>>
>>>>>>  Hi, Cameron, Drew, et al.:
>>>>>>
>>>>>>
>>>>>>       1.  Do you have any reactions to the suggestion that a user
>>>>>> could increase rather than decrease their vulnerability if they change a
>>>>>> password BEFORE a host fixes the software on their end?  The concern is
>>>>>> that some of the information stolen via Heartbleed may still need more
>>>>>> work to decode than a password change before the host software is patched.
>>>>>> If this is accurate, we should first check the hosts for our greatest
>>>>>> vulnerabilities to ensure that they've installed an appropriate patch, then
>>>>>> change our password, log out, then quickly log back in and change the
>>>>>> password again, as Cameron suggested.  If I understand correctly, the need
>>>>>> to change the password twice is because a data thief may catch the first
>>>>>> password change but is unlikely to be able to react quickly enough with
>>>>>> that new information to catch your second password change if you do it
>>>>>> quickly enough.
>>>>>>
>>>>>>
>>>>>>       2.  Wikipedia has an article on "Heartbleed", which has been
>>>>>> updated every few minutes since it was created 2014-04-09 04:39 UTC.  If
>>>>>> you have information that you feel is not properly reflected there, I'd
>>>>>> like to know.  I might be able to help update it, though my schedule today
>>>>>> is quite busy.
>>>>>>
>>>>>>
>>>>>>       Be safe.
>>>>>>       Spencer
>>>>>>
>>>>>>
>>>>>> On 4/10/2014 6:16 AM, Drew wrote:
>>>>>>
>>>>>>  Cameron, I and others can help people move to a (user-friendly),
>>>>>> freedom-respecting GNU/Linux computer system such as Puppy Linux
>>>>>> http://puppylinux.com , or Zorin http://www.zorin-os.com/ , or Linux
>>>>>> Mint, etc.
>>>>>>
>>>>>> Green is Freedom!
>>>>>>
>>>>>> Drew
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>>>
>>>>>> _______________________________________________
>>>>>> sosfbay-discuss mailing list
>>>>>> sosfbay-discuss at cagreens.org
>>>>>> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Spencer Graves, PE, PhD
>>>>>> President and Chief Technology Officer
>>>>>> Structure Inspection and Monitoring, Inc.
>>>>>> 751 Emerson Ct.
>>>>>> San José, CA 95126
>>>>>> ph:  408-655-4567
>>>>>> web:  www.structuremonitoring.com
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
>
>