<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi, Cameron, et al.:  <br>
      <br>
      <br>
            A discussion of how to deal with problems like Heartbleed is
      now available on Wikiversity, "Managing risk from cyber attacks". 
      <br>
      <br>
      <br>
            Please revise this as you see fit or send suggestions to
      me.  Cameron has done a great service in providing his expertise
      on this list.  The Wikipedia article on Heartbleed received almost
      47,000 views on April 11 (UTC), and over 39,000 on the three
      previous days combined.  If this Wikiversity article gets a small
      portion of that number of views, it will provide a great service
      to humanity.  <br>
      <br>
      <br>
            Creating that article helped me think through what seemed
      like a sensible reaction.  Alarmists said we should change all our
      passwords.  I think that's overkill.  Even creating a simple list
      of all the accounts and passwords I've created over the years was
      more work than I felt justified.  And creating such a list would
      miss the point.  We need to worry about the financial institutions
      that manage savings.  If cyber thieves drain those accounts, it
      could create big problems for us.  For more, see the Wikiversity
      article
      (<a class="moz-txt-link-freetext" href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>). 
      <br>
      <br>
      <br>
            Thanks again, Cameron -- and thanks to John and Drew for
      their additional comments.  <br>
      <br>
      <br>
            Spencer <br>
      <br>
      <br>
      On 4/11/2014 3:29 PM, John Thielking wrote:<br>
    </div>
    <blockquote
cite="mid:CAMxmhMfF7t-B0Hw5t==HXqxCZPaZSmciN9ffztkkWQHAxo3KYA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>Sorry to keep dragging this out, but I finally
                decided to search the RT.com web site using the search
                term "computer hardware" to see if I could find an
                article or two relating to my previous statement that
                RT.com broadcast the claim that computer hardware in
                general has been compromised by the NSA. I did find the
                following article at
                <p style="margin-bottom:0in"><a moz-do-not-send="true"
                    href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
                <p style="margin-bottom:0in"><br>
                </p>
                that states that some of the material provided by
                Snowden does in fact indicate that some people's
                computers are implanted with special chips to aid the
                NSA in monitoring them. This may not be widespread just
                yet, but it does fit with previously broadcast info from
                RT.com that was saying that certain people's laptops
                that have been ordered online are sometimes transhipped
                to special NSA facilities where they have their hardware
                modified to contain implanted viruses or malware (in the
                CMOS perhaps?).  Of course the article also says that
                the NSA may choose to bug all computers sold in a
                specific city, if that city is a region of interest for
                the NSA. I'll bet that Eugene, Oregon (Berkeley North)
                could be one of those places. And who knows, they might
                put radio bugs in all the watches sold there too.<br>
              </div>
                More to think about I guess.<br>
              <br>
            </div>
            A more speculative opinion piece is located here:
            <p style="margin-bottom:0in"><a moz-do-not-send="true"
                href="http://rt.com/op-edge/nsa-spying-future-total-952/">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
            <p style="margin-bottom:0in"><br>
            </p>
            and a link to the Der Spiegel article that this stuff is
            based on is contained here:<br>
            <p style="margin-bottom:0in"><a moz-do-not-send="true"
                href="http://rt.com/op-edge/annie-machon-nsa-spying-925/">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
            <br>
          </div>
          Any further thoughts?<br>
          <br>
        </div>
        John Thielking<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Fri, Apr 11, 2014 at 2:19 PM, John
          Thielking <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:peacemovies@gmail.com" target="_blank">peacemovies@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>
                <div>Another more specific question for you Cameron:<br>
                  <br>
                </div>
                Is the patch for the Heartbleed bug supported for
                systems running Windows XP, which was just barely out of
                date as of the time of broad announcement of the
                Heartbleed bug, or do the people currently running
                Windows XP also have to upgrade their OS?  I know my
                home computer only has 500 MB of memory so I can't just
                do an easy upgrade to Win 7.  I hope not too many POS
                terminals are also in the same boat.  They should
                upgrade to a new OS anyway, but this problem may just
                compound the problem presented by the Heartbleed bug
                itself.<span class="HOEnZb"><font color="#888888"><br>
                     <br>
                  </font></span></div>
              <span class="HOEnZb"><font color="#888888">John Thielking<br>
                </font></span></div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <br>
                  <div class="gmail_quote">On Fri, Apr 11, 2014 at 12:52
                    PM, John Thielking <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:peacemovies@gmail.com"
                        target="_blank">peacemovies@gmail.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>People should also know that there may be
                          additional security gaps in ATMs and Point Of
                          Sale terminals due to their owners' slow
                          response to the need to do away with using
                          Windows XP. For instance, the last time I went
                          to Round Table Pizza a couple of weeks ago,
                          the screen saver on their POS terminal still
                          said "Windows XP". Chase signed a contract for
                          another year of support from MS for Win XP for
                          their ATMs, but I can only assume that
                          everyone else will no longer have support for
                          Win XP after early April 2014.  Good luck on
                          that one too.<span><font color="#888888"><br>
                              <br>
                            </font></span></div>
                        <span><font color="#888888">John Thielking<br>
                          </font></span></div>
                      <div>
                        <div>
                          <div class="gmail_extra"><br>
                            <br>
                            <div class="gmail_quote">On Fri, Apr 11,
                              2014 at 12:14 PM, John Thielking <span
                                dir="ltr"><<a moz-do-not-send="true"
                                  href="mailto:peacemovies@gmail.com"
                                  target="_blank">peacemovies@gmail.com</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote"
                                style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <div dir="ltr">
                                  <div>
                                    <div>
                                      <div>After reading this I'm not
                                         likely to trust ATMs for a while
                                        with any of my debit cards or
                                        credit cards. At least my latest
                                        credit card company and one of
                                        my debit cards I'm pretty sure I
                                        can just go to the bank teller
                                        of any bank and get a "cash
                                        advance" from the teller instead
                                         of using an ATM. Oftentimes I
                                        don't need a PIN when doing
                                        that, just a photo ID.  I think
                                        the fees for that method may
                                        even be less than using the ATM
                                        anyway. Do you think that the
                                        bank teller's systems are likely
                                        to be more secure than their
                                         ATMs?<br>
                                      </div>
                                        Thanks for clarifying the other
                                      info Cameron.<br>
                                      <br>
                                    </div>
                                    Sincerely,<br>
                                    <br>
                                  </div>
                                  John Thielking<br>
                                </div>
                                <div>
                                  <div>
                                    <div class="gmail_extra"><br>
                                      <br>
                                      <div class="gmail_quote">On Fri,
                                        Apr 11, 2014 at 8:45 AM, Cameron
                                        L. Spitzer <span dir="ltr"><<a
                                            moz-do-not-send="true"
                                            href="mailto:cls@truffula.us"
                                            target="_blank">cls@truffula.us</a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote"
                                          style="margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex">
                                          <div bgcolor="#FFFFFF"
                                            text="#000000">
                                            <div><br>
                                              I may have been unclear.<br>
                                              1.  Check your bank (etc)
                                              site for the
                                              vulnerability.<br>
                                              If it's bad, make a note.<br>
                                              2.  Change your password.<br>
                                              <br>
                                              3.  Go back to the bad
                                              ones tomorrow and check
                                              them again.<br>
                                              4.  If a site has changed
                                              from bad to good, change
                                              your password there.<br>
                                              <br>
                                              5.  Repeat again tomorrow
                                              until there are no more
                                              bad sites on your list.<br>
                                              <br>
                                              If the first check of a
                                              site was good, you'll only
                                              change that site's
                                              password once.<br>
                                              If the first check was
                                              bad, you'll have to change
                                              your password twice.  The
                                              first change deactivates
                                              the password which was
                                              probably stolen over the
                                              last two years, replacing
                                              it with a temporary
                                              password.  The second
                                              replaces the temporary
                                              password, which may also
                                              have been stolen.<br>
                                              <br>
                                              <br>
                                              The work your bank (etc)
                                              has to do is more
                                              elaborate.  They have to
                                              replace the trust
                                               certificates that SSL
                                               protects, because those
                                              have secret keys and they
                                              also could have been
                                              stolen.  However, when a
                                              site goes from bad to good
                                              it's a pretty good
                                              indication they're doing
                                              all of that.  The certs
                                              are mainly important for
                                              protecting you from
                                              impostor web sites. 
                                              Impostors are mainly a
                                              threat to people who
                                              follow links received in
                                              email, but they can also
                                              appear if the DNS is
                                              compromised anywhere along
                                              the line.  That mostly
                                              happens to Microsoft
                                              Windows users with malware
                                              (that's most consumers who
                                              use Windows at home) and
                                              on corporate intranets. 
                                              Ironically, even though
                                              Microsoft's implementation
                                              of SSL was not affected,
                                              the prevalence of Windows
                                              malware greatly magnifies
                                               the vulnerability.  One
                                              more example of how
                                              Windows ruins everything,
                                              even for non-Windows
                                              users!<br>
                                              <br>
                                              <br>
                                              The OpenSSL source code's
                                              history is visible at its
                                              Github page.  Several
                                              security blogs show how
                                              you can look up the Dec 31
                                              2011 change that
                                              introduced the bug and the
                                              April 7 2014 change that
                                              fixes it.  No stealthy
                                              detective work is needed. 
                                              However, Github is pretty
                                              swamped this week with
                                              everybody looking at these
                                              two changes, so you might
                                              get a timeout or a 500
                                              error.<br>
                                              <br>
                                              It will take years for
                                              everybody to fix
                                              everything.  There are
                                              home routers, ATM
                                              machines, point of sale
                                              terminals (we used to call
                                              them "cash registers") and
                                              other "appliances" (voting
                                              machines?) which use the
                                              buggy OpenSSL, and most
                                              consumers never update the
                                              firmware in those things.<br>
                                              Corporate intranets with
                                              huge software stacks
                                              (internal accounting
                                              processes etc) will be the
                                              most work.<br>
                                               But almost all large
                                              consumer-facing commerce
                                              sites will have this fixed
                                              within a few weeks.  The
                                              fix isn't difficult for
                                              professionally managed web
                                              sites, and the urgency is
                                              high and unusually well
                                              understood.
                                              <div>
                                                <div><br>
                                                  <br>
                                                  <br>
                                                  <br>
                                                  On 04/10/2014 10:07
                                                  PM, John Thielking
                                                  wrote:<br>
                                                </div>
                                              </div>
                                            </div>
                                            <div>
                                              <div>
                                                <blockquote type="cite">
                                                  <div dir="ltr">
                                                    <div>KRON4 TV news
                                                      had an interesting
                                                      piece on this bug
                                                      tonight. Hopefully
                                                      they rebroadcast
                                                      it at 11 so you
                                                      all can see it.
                                                      They were saying
                                                      that they found
                                                      out who created
                                                      the bug, that it
                                                      was a "mistake"
                                                      and that it could
                                                      take years for all
                                                      the web sites
                                                      involved to be
                                                      fixed. What a
                                                      headache.<br>
                                                      <br>
                                                    </div>
                                                    John Thielking<br>
                                                  </div>
                                                  <div
                                                    class="gmail_extra"><br>
                                                    <br>
                                                    <div
                                                      class="gmail_quote">On
                                                      Thu, Apr 10, 2014
                                                      at 12:46 PM,
                                                      Spencer Graves <span
                                                        dir="ltr"><<a
moz-do-not-send="true" href="mailto:spencer.graves@prodsyse.com"
                                                          target="_blank">spencer.graves@prodsyse.com</a>></span>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0
                                                        0 0
                                                        .8ex;border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">
                                                        <div
                                                          bgcolor="#FFFFFF"
                                                          text="#000000">
                                                          <div>Hi,
                                                          Cameron, Drew,
                                                          et al.:  <br>
                                                          <br>
                                                          <br>
                                                                1.  Do
                                                          you have any
                                                          reactions to
                                                          the suggestion
                                                          that a user
                                                          could increase
                                                          rather than
                                                          decrease their
                                                          vulnerability
                                                          if they change
                                                          a password
                                                          BEFORE a host
                                                          fixes the
                                                          software on
                                                          their end? 
                                                          The concern is
                                                          that some of
                                                          the
                                                          information
                                                          stolen via
                                                          Heartbleed may
                                                          still need
                                                           more work
                                                          to decode than
                                                          a password
                                                          change before
                                                          the host
                                                          software is
                                                          patched.  If
                                                          this is
                                                          accurate, we
                                                          should first
                                                          check the
                                                          hosts for our
                                                          greatest
                                                          vulnerabilities
                                                          to ensure that
                                                          they've
                                                          installed an
                                                          appropriate
                                                          patch, then
                                                          change our
                                                          password, log
                                                          out, then
                                                          quickly log
                                                          back in and
                                                          change the
                                                          password
                                                          again, as
                                                          Cameron
                                                          suggested.  If
                                                          I understand
                                                          correctly, the
                                                          need to change
                                                          the password
                                                          twice is
                                                          because a data
                                                          thief may
                                                          catch the
                                                          first password
                                                          change but is
                                                          unlikely to be
                                                          able to react
                                                          quickly enough
                                                          with that new
                                                          information to
                                                          catch your
                                                          second
                                                          password
                                                          change if you
                                                          do it quickly
                                                          enough.  <br>
                                                          <br>
                                                          <br>
                                                                2. 
                                                          Wikipedia has
                                                          an article on
                                                          "Heartbleed",
                                                           which has been
                                                          updated every
                                                          few minutes
                                                          since it was
                                                          created
                                                          2014-04-09
                                                          04:39 UTC.  If
                                                          you have
                                                          information
                                                          that you feel
                                                          is not
                                                          properly
                                                          reflected
                                                          there, I'd
                                                          like to know. 
                                                          I might be
                                                          able to help
                                                          update it,
                                                          though my
                                                          schedule today
                                                          is quite
                                                          busy.  <br>
                                                          <br>
                                                          <br>
                                                                Be
                                                          safe.  <br>
                                                                Spencer 
                                                          <br>
                                                          <div>
                                                          <div> <br>
                                                          <br>
                                                          On 4/10/2014
                                                          6:16 AM, Drew
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div>Cameron,
                                                          I and others
                                                          can help
                                                          people move to
                                                          a
                                                          (user-friendly),
                                                          freedom-respecting

                                                          GNU/Linux
                                                          computer
                                                          system such as
                                                          Puppy Linux <a
moz-do-not-send="true" href="http://puppylinux.com" target="_blank">http://puppylinux.com</a>
                                                          , or Zorin <a
moz-do-not-send="true" href="http://www.zorin-os.com" target="_blank">http://www.zorin-os.com</a>/
                                                          , or Linux
                                                          Mint, etc.<br>
                                                          <br>
                                                          Green is
                                                          Freedom!<br>
                                                          <br>
                                                          Drew<br>
                                                          -- <br>
                                                          Sent from my
                                                          Android device
                                                          with K-9 Mail.
                                                          Please excuse
                                                          my brevity. <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span></span></blockquote>
                                                        </div>
                                                        <br>
_______________________________________________<br>
                                                        sosfbay-discuss
                                                        mailing list<br>
                                                        <a
                                                          moz-do-not-send="true"
href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a><br>
                                                        <a
                                                          moz-do-not-send="true"
href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss"
target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></blockquote>
                                                    </div>
                                                  </div>
                                                </blockquote>
                                              </div>
                                            </div>
                                          </div>
                                          <br>
                                        </blockquote>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph:  408-655-4567
web:  <a class="moz-txt-link-abbreviated" href="http://www.structuremonitoring.com">www.structuremonitoring.com</a>
</pre>
  </body>
</html>