<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
<br>
Nobody credible is suggesting the NSA or anybody else has a
backdoor in Secure Shell Version 2 (SSH) or the ciphers it uses.
If it were even suspected, there would be a mad race to come up
with a replacement.<br>
SSH was developed in Finland because it's the only developed
nation not subject to the US' "munitions related" export
controls. That's why the big security software developers all
have offices there. They learned that lesson from NSA's
heavy-handed interference with the original Digital Encryption
Standard and Pretty Good Privacy. If you've been researching the
history of digital security, you already know about those
outrages.<br>
<br>
To understand these problems, you have to distinguish <i>algorithm</i>
from <i>implementation</i>. There is no "<i>method</i>." The
strength of SSH and its ciphers, and of PGP/GPG, and anything else
that uses asymmetric encryption, including SSL, comes from the
mathematical reality that it's astronomically more difficult to
factor the product of two very large prime numbers than it was to
multiply those two primes in the first place. The NSA is about as
"likely" to find a way around that as they are to find a way to
travel faster than light. That's algorithm. Vulnerabilities like
Heartbleed come from mistakes in implementation, not from
weaknesses in the mathematical algorithms themselves. The last
one we all had to patch (it was in SSH) was due to a mistake where
a pseudorandom number was more predictable than it should have
been.<br>
<br>
<a href="http://heartbleed.com/">Heartbleed</a> gives a black eye
to the "open source fanboys" who've been claiming for years that
nothing this serious would ever get past the "crowd" of
reviewers. "Vulns" this bad get stopped in code-review all the
time, and one got through. But it hardly means "the NSA has a
back door in everything." ("The NSA has a back door in
everything" is a way to rationalize your own choices of
convenience over security. Everybody does it.)<br>
Nor does it mean the closed source implementations are better.
Microsoft has its own SSL implementation. It's surely been
code-reviewed by NSA, and it may even have NSA's backdoor in it.
Perhaps that's in the pile Snowden handed off to Greenwald, and <i>Der
Spiegel</i> hasn't got around to revealing it.<br>
<br>
By the way, the media are reporting "two thirds of the Web"
vulnerable. <a
href="http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html">According
to Netcraft</a>, it's 17% of hostnames. Maybe the "two thirds"
is because that 17% is most of the big names.<br>
<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/09/2014 03:19 PM, John Thielking wrote:<br>
</div>
<blockquote
cite="mid:CAMxmhMeFiXji3noc06xS0b_dL6_z-=KxTxYtyj4XbHQNfL5dUg@mail.gmail.com"
type="cite">
<div dir="ltr">I don't use online banking much, though I do pay
bills with a debit card. I may be able to use a real credit card
soon instead, though I have yet to actually receive the card
            that I was notified was sent to me in the mail. Like I said
in another thread, the US govt likely has a backdoor into every
encryption <i>method</i> [emphasis added] out there, including
RSA's stuff (there was a specific news item on that one) and
anyone running HTTPS. My best bet in regards to this is that my
Direct Express online access/password only allows me to look at
my account balance and transaction history. As far as I know, I
can't look up my account number or transfer money by logging in.
Good luck.<br clear="none">
<br clear="none">
Sincerely,<br clear="none">
<br clear="none">
John Thielking</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 9, 2014 at 2:47 PM, Cameron
          L. Spitzer <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:cls@truffula.us" target="_blank">cls@truffula.us</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
Most of the "secure" web sites you use have been <b>broken
for the last two years</b>. Bruce Schneier says the
OpenSSL "Heartbleed" bug disclosed yesterday, on a scale
of 1 to 10, is an 11, "<a moz-do-not-send="true"
href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html"
target="_blank">catastrophic</a>." I recommend James
Fallows' <a moz-do-not-send="true"
href="http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/"
target="_blank">coverage</a> at the Atlantic. <a
moz-do-not-send="true"
href="http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/"
target="_blank">Arstechnica</a> is even better, they
demonstrate the exploit against <a
moz-do-not-send="true" href="http://yahoo.com"
target="_blank">yahoo.com</a>.<br>
<br>
If you bank online, you need to check your bank's site
with something like <a moz-do-not-send="true"
href="http://filippo.io/Heartbleed/" target="_blank">this</a>,
and change your password. Change it now, then check the
site. If the check fails, check it again later, and
change your password <i>again</i> when it passes.<br>
The first change neutralizes your password which <b>was
probably stolen</b> during the last two years. The
second neutralizes the new one that was stolen yesterday
before your bank fixed its server. Now that the bug is
public, you can safely assume <b>all</b> unpatched
sites are compromised.<br>
If you run an HTTPS web server, you need to update it,
and then you need to get a new cert. That's what your
bank needs to do.<br>
If someone else runs an HTTPS web server for you, check
it. If it's broken and they don't fix it soon, change
providers.<br>
<br>
Forward as you see fit.<span class="HOEnZb"><font
color="#888888"><br>
<br>
-<i>Cameron</i><br>
<br>
<br>
</font></span></div>
</div>
<br>
_______________________________________________<br>
sosfbay-discuss mailing list<br>
<a moz-do-not-send="true"
href="mailto:sosfbay-discuss@cagreens.org">sosfbay-discuss@cagreens.org</a><br>
<a moz-do-not-send="true"
href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss"
target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
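Added example (not part of the original e-mail thread, and not OpenSSL's code): the reply above says bugs like Heartbleed come from mistakes in implementation, not from the mathematics. This simplified C heartbeat echo shows that class of mistake, a length field trusted without comparing it to the bytes actually received, beside the corrected check; the function names, the arena layout and the sample bytes are constructed for illustration.<br>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3u   /* 1-byte type + 2-byte big-endian payload length */
#define HB_PADDING 16u  /* minimum padding after the payload (RFC 6520) */
#define REC_LEN (HB_HEADER + 3 + HB_PADDING)  /* constructed record, payload "abc" */
static const char NEIGHBOUR[] = "SESSION-KEY-BYTES"; /* constructed stand-in data */
static uint8_t arena[64];  /* record followed by unrelated data, in one array */

/* Flawed pattern: trusts the length the peer claims and ignores rec_len. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, n);  /* can read past the end of the record */
    return n;
}

/* Corrected pattern: drop the message unless header, claimed payload and
 * padding all fit inside the bytes that actually arrived. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + n + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Returns 1 if the reply holds bytes from beyond the record, 0 if not, and
 * -1 if claimed would take the demo copy outside the arena. */
int leaks_neighbour(size_t (*echo)(const uint8_t *, size_t, uint8_t *),
                    uint16_t claimed) {
    uint8_t out[64] = {0};
    if (claimed > sizeof arena - HB_HEADER) return -1;  /* keep demo in bounds */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                /* heartbeat request type */
    arena[1] = (uint8_t)(claimed >> 8); arena[2] = (uint8_t)claimed;
    memcpy(arena + HB_HEADER, "abc", 3);
    memcpy(arena + REC_LEN, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    size_t n = echo(arena, REC_LEN, out);
    size_t off = REC_LEN - HB_HEADER;            /* where the record ends in out */
    return n >= off + sizeof NEIGHBOUR - 1 &&
           memcmp(out + off, NEIGHBOUR, sizeof NEIGHBOUR - 1) == 0;
}

int main(void) {
    printf("unchecked leaks: %d, checked leaks: %d\n",
           leaks_neighbour(hb_echo_unchecked, 40), leaks_neighbour(hb_echo_checked, 40));
    return 0;
}
```

Neither routine touches a cipher: the difference between them is a single length comparison, which is the algorithm-versus-implementation distinction the reply draws.<br>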
</body>
</html>