<div dir="ltr"><div>People should also know that there may be additional security gaps in ATMs and Point Of Sale terminals due to their owners' slow response to the need to do away with using Windows XP. For instance, the last time I went to Round Table Pizza a couple of weeks ago, the screen saver on their POS terminal still said "Windows XP". Chase signed a contract for another year of support from MS for Win XP for their ATMs, but I can only assume that everyone else will no longer have support for Win XP after early April 2014. Good luck on that one too.<br>
<br></div>John Thielking<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 11, 2014 at 12:14 PM, John Thielking <span dir="ltr"><<a href="mailto:peacemovies@gmail.com" target="_blank">peacemovies@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>After reading this I'm not likely to trust ATMs for awhile with any of my debit cards or credit cards. At least my latest credit card company and one of my debit cards I'm pretty sure I can just go to the bank teller of any bank and get a "cash advance" from the teller instead of using an ATM. Often times I don't need a PIN when doing that, just a photo ID. I think the fees for that method may even be less than using the ATM anyway. Do you think that the bank teller's systems are likely to be more secure than their ATM's?<br>
</div> Thanks for clarifying the other info Cameron.<br><br></div>Sincerely,<br><br></div>John Thielking<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 11, 2014 at 8:45 AM, Cameron L. Spitzer <span dir="ltr"><<a href="mailto:cls@truffula.us" target="_blank">cls@truffula.us</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
I may have been unclear.<br>
1. Check your bank (etc) site for the vulnerability.<br>
If it's bad, make a note.<br>
2. Change your password.<br>
<br>
3. Go back to the bad ones tomorrow and check them again.<br>
4. If a site has changed from bad to good, change your password
there.<br>
<br>
5. Repeat again tomorrow until there are no more bad sites on
your list.<br>
<br>
If the first check of a site was good, you'll only change that
site's password once.<br>
If the first check was bad, you'll have to change your password
twice. The first change deactivates the password which was
probably stolen over the last two years, replacing it with a
temporary password. The second replaces the temporary password,
which may also have been stolen.<br>
<br>
<br>
The work your bank (etc) has to do is more elaborate. They have
to replace the trust certificates that SSL protects. because those
have secret keys and they also could have been stolen. However,
when a site goes from bad to good it's a pretty good indication
they're doing all of that. The certs are mainly important for
protecting you from impostor web sites. Impostors are mainly a
threat to people who follow links received in email, but they can
also appear if the DNS is compromised anywhere along the line.
That mostly happens to Microsoft Windows users with malware
(that's most consumers who use Windows at home) and on corporate
intranets. Ironically, even though Microsoft's implementation of
SSL was not affected, the prevalence of Windows malware greatly
magnifies the vulnerability, One more example of how Windows ruins
everything, even for non-Windows users!<br>
<br>
<br>
The OpenSSL source code's history is visible at its Github page.
Several security blogs show how you can look up the Dec 31 2011
change that introduced the bug and the April 7 2014 change that
fixes it. No stealthy detective work is needed. However, Github
is pretty swamped this week with everybody looking at these two
changes, so you might get a timeout or a 500 error.<br>
<br>
It will take years for everybody to fix everything. There are
home routers, ATM machines, point of sale terminals (we used to
call them "cash registers") and other "appliances" (voting
machines?) which use the buggy OpenSSL, and most consumers never
update the firmware in those things.<br>
Corporate intranets with huge software stacks (internal accounting
processes etc) will be the most work.<br>
But almost large consumer-facing commerce sites will have this
fixed within a few weeks. The fix isn't difficult for
professionally managed web sites, and the urgency is high and
unusually well understood.<div><div><br>
<br>
<br>
<br>
On 04/10/2014 10:07 PM, John Thielking wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">
<div dir="ltr">
<div>KRON4 TV news had an interesting piece on this bug tonight.
Hopefully they rebroadcast it at 11 so you all can see it.
They were saying that they found out who created the bug, that
it was a "mistake" and that it could take years for all the
web sites involved to be fixed. What a headache.<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Apr 10, 2014 at 12:46 PM,
Spencer Graves <span dir="ltr"><<a href="mailto:spencer.graves@prodsyse.com" target="_blank">spencer.graves@prodsyse.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi, Cameron, Drew, et al.: <br>
<br>
<br>
1. Do you have any reactions to the suggestion
that a user could increase rather than decrease their
vulnerability if they change a password BEFORE a host
fixes the software on their end? The concern is that
some of the information stolen via Heartbleed may still
need need more work to decode than a password change
before the host software is patched. If this is
accurate, we should first check the hosts for our
greatest vulnerabilities to ensure that they've
installed an appropriate patch, then change our
password, log out, then quickly log back in and change
the password again, as Cameron suggested. If I
understand correctly, the need to change the password
twice is because a data thief may catch the first
password change but is unlikely to be able to react
quickly enough with that new information to catch your
second password change if you do it quickly enough. <br>
<br>
<br>
2. Wikipedia has an article on "Heartbleed",
which been updated every few minutes since it was
created 2014-04-09 04:39 UTC. If you have information
that you feel is not properly reflected there, I'd like
to know. I might be able to help update it, though my
schedule today is quite busy. <br>
<br>
<br>
Be safe. <br>
Spencer <br>
<div>
<div> <br>
<br>
On 4/10/2014 6:16 AM, Drew wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>Cameron, I and others can help people
move to a (user-friendly), freedom-respecting
GNU/Linux computer system such as Puppy Linux <a href="http://puppylinux.com" target="_blank">http://puppylinux.com</a>
, or Zorin <a href="http://www.zorin-os.com" target="_blank">http://www.zorin-os.com</a>/
, or Linux Mint, etc.<br>
<br>
Green is Freedom!<br>
<br>
Drew<br>
-- <br>
Sent from my Android device with K-9 Mail. Please
excuse my brevity. <br>
<fieldset></fieldset>
<br>
</div>
</div>
<div>
<pre>_______________________________________________
sosfbay-discuss mailing list
<a href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a>
<a href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></pre>
</div>
</blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: <a href="tel:408-655-4567" value="+14086554567" target="_blank">408-655-4567</a>
web: <a href="http://www.structuremonitoring.com" target="_blank">www.structuremonitoring.com</a>
</pre>
</font></span></div>
<br>
_______________________________________________<br>
sosfbay-discuss mailing list<br>
<a href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a><br>
<a href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
sosfbay-discuss mailing list
<a href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a>
<a href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
sosfbay-discuss mailing list<br>
<a href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a><br>
<a href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a><br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>