[GPSCC-chat] Heartbleed is real. Do something real.

John Thielking peacemovies at gmail.com
Tue Apr 15 11:28:13 PDT 2014


My apologies for this thread skipping back from the Move Your Money Out Of
Banks thread back to this thread, but I can't find any trace of the other
thread in my gmail inbox. Anyway, to continue the discussion between Drew
and myself about Meriwest, I went there again this AM to try to iron out
some remaining issues. First, I asked them about overdraft protection/no
protection options and the fees involved. They told me that yes I could
select the option where ALL overdrafts (er well they literally said ACH
overdrafts) would be declined. But they also said that if a non PIN
required transaction was declined due to insufficient funds, there would be
no debit to my account for the attempted draft, but there would still be a
$35 fee charged to my account.  I selected the "decline ACH overdrafts too"
option and crossed my fingers and hoped that no one would attempt multiple
unauthorized ACH overdrafts to my account.

Later after I went home I called Direct Express to order a new card to
protect myself from the Heartbleed bug possibly compromising my debit card
numbers and I asked them about their policies on overdrafts. They said that
most of the time an overdraft is not possible since they will decline all
attempted overdrafts except in the rare case where a merchant had a credit
charge go through after the maximum 5-10 day waiting period and you
happened to have spent those funds already. In that case, there is no
overdraft fee involved. They know you are good for the funds and they wait
patiently for the next deposit from Social Security to come through and
deduct what you owe them from that. Also, in the case of any attempted
overdraft being declined, there still is no fee involved. Comerica is an
exception to the bad track records of banks such as Chase and Wells Fargo.
Plus, the Direct Express card itself is managed under contract with the
Treasury Dept, which either through the contract terms or just plain old
incentives, provides Comerica with the motivation to treat the Direct
Express customers at least with a touch of respect. Chase has an F rating
with the BBB and has a customer complaint roster and government actions
list on the BBB web site that is a mile long. Comerica's BBB file is fairly
clean, with only a few complaints and they have a much deserved B- to A+
rating from the BBB depending on which specific branch you look up. I could
not find a single govt action against Comerica on the BBB web site. I have
no regrets continuing to have a Direct Express debit card and will likely
continue to get my SS deposits there even if I end up doing a cash advance
every month for the full amount and depositing that into my new credit
union account in Eugene.  My original reason for doing that was not because
I had any knowledge about Comerica's BBB ratings. It was simply to protect
myself from a possibly jealous dealer (Chase) possibly closing my account
if they found out I was trading bitcoin. Comerica doesn't have the
authority to close my Direct Express account. Only the Social Security
Admin can close the account without my authorization. So as long as I am
trading bitcoin that will be what I end up doing.

I also went to the Meriwest branch today to try to finish creating a login
for e-statements without having to first sign up for online banking. The
web site was down so we couldn't do anything. But the customer service
person (different person from yesterday) still had the, hopefully mistaken,
belief that you have to sign up for online banking before you can create a
login for the e-statements feature. I will try again tomorrow. Cheers!

Sincerely,

John Thielking


On Sun, Apr 13, 2014 at 2:46 PM, Spencer Graves <spencer.graves at prodsyse.com> wrote:

>  Hi, Cameron, et al.:
>
>
>       Might anyone have a source to back up Cameron's discussion about
> Heartbleed and identity theft operations  of some criminal organizations?
>
>
>       I'd like to add a discussion of that to the Wikipedia article on
> "Heartbleed", but I'm concerned that my comments on that would be removed
> if I don't cite a credible source.
>
>
>       Thanks,
>       Spencer
>
>
> On 4/12/2014 6:27 PM, Cameron L. Spitzer wrote:
>
>
> >"It is believed that Heartbleed originates from the same organisation as
> stuxnet and duqu."
>
> That's just silly, of course.  OpenSSL is developed in the open using a
> collaboration tool called Git that was invented for Linux kernel
> development.
> OpenSSL's Git instance is online where anyone can fetch any version any
> time.
> To see the fix, just google "heartbleed git commits" and follow the first
> link: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3#patch2
> That's the fix (bug code in red, fix code in green, in two files) being
> introduced to the code line.
>
> The bug was introduced with the heartbeat feature.  That commit is here:
> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
> Robin Seggelmann is not mysterious.  He's given interviews about it by
> now.  It's a dumb error (missing bounds check, shouldn't trust the remote
> system) that was all too common in networking software a decade ago but
> reviewers usually look for these days.
> A stealthy intelligence agency introducing a secret back door would have
> made some effort to hide it or sneak it in.  It would be much more subtle.
>
>
> >"the United States National Security Agency was aware of the flaw since
> shortly after its introduction"
>
> Of Course.  OpenSSL is open source security software.  NSA reviews that
> more carefully and faster than anybody else does.  We'd all be amazed if
> they, of all reviewers, *didn't* spot a missing bounds check.  (More
> disappointed than amazed it got past everybody else.)  Discovering the bug
> and not promptly informing OpenSSL's maintainers was evil.
>
>
>
> On 04/12/2014 12:58 PM, Spencer Graves wrote:
>
> Hi, Cameron:
>
>
> [...]     Example:  17:12 today (5:12 PM, UTC), an anonymous user added a
> comment that, "It is believed that Heartbleed originates from the same
> organisation as stuxnet and duqu."  This comment included a reference to an
> article that mentioned neither stuxnet nor duqu.  It was undone 49 minutes
> later.  The article also includes comments that, "According to two insider
> sources speaking to Bloomberg.com, the United States National Security
> Agency was aware of the flaw since shortly after its introduction, but
> chose to keep it secret, instead of reporting it, in order to exploit it
> for their own purposes." [...]
>
>
>
>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>
>
>
> --
> Spencer Graves, PE, PhD
> President and Chief Technology Officer
> Structure Inspection and Monitoring, Inc.
> 751 Emerson Ct.
> San José, CA 95126
> ph:  408-655-4567
> web:  www.structuremonitoring.com
>
>
>
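The bug Cameron describes above, a remote-supplied length that was never checked against the record actually received, as an added C example (constructed here, not OpenSSL's code): a minimal heartbeat-record validator that applies the same length check the fix commit introduced, with constructed records showing a well-formed request accepted and an over-long length claim rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a TLS heartbeat record: 1 type byte, 2-byte big-endian
 * payload length, payload bytes, then at least 16 bytes of padding.
 * Constructed for illustration; field names are not OpenSSL's. */
#define HB_PADDING 16

/* Returns the payload length if the record is well-formed, or -1 if the
 * length claimed by the peer does not fit inside the bytes received. */
int hb_validate(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3) return -1;                    /* need type + length */
    unsigned int payload = (rec[1] << 8) | rec[2]; /* peer-controlled value */
    /* The check the fix commit added: the claimed payload plus header and
     * padding must fit in what was actually received, not just be read. */
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    return (int)payload;
}

/* Builds the echo response, copying only bytes that exist in the
 * received record. Returns bytes written to out, or -1 on a bad record. */
int hb_respond(const unsigned char *rec, size_t rec_len,
               unsigned char *out, size_t out_len) {
    int payload = hb_validate(rec, rec_len);
    if (payload < 0) return -1;
    if ((size_t)(3 + payload) > out_len) return -1;
    out[0] = 2;                              /* heartbeat_response type */
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, rec + 3, (size_t)payload);
    return 3 + payload;
}

/* Constructed sample records: both carry 5 payload bytes plus padding. */
static unsigned char good_rec[3 + 5 + HB_PADDING] =
    {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Same bytes on the wire, but the length field claims 65535 bytes. */
static unsigned char bad_rec[3 + 5 + HB_PADDING] =
    {1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};

int main(void) {
    unsigned char out[64];
    printf("well-formed: %d bytes\n",
           hb_respond(good_rec, sizeof good_rec, out, sizeof out));
    printf("over-long claim: %d\n",
           hb_respond(bad_rec, sizeof bad_rec, out, sizeof out));
    return 0;
}
```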