<div dir="ltr">
<p style="margin-bottom:0in">I attended a retired union worker's BBQ
today where reps from various legislators' offices were available to
answer questions. I mentioned the Heartbleed bug a couple of times in
my comments (once before and once after the legislators' assistants
and some legislators themselves showed up late). I mentioned that
the Heartbleed bug affects the security of credit card numbers and
PINs as well as the passwords to your favorite web sites. I mentioned
that to find out if your favorite web site has been patched to fix
the Heartbleed bug, you can simply Google for “Heartbleed” and
find an article that has a link to one of the sites that allows you
to test the web sites that you use to see if they have fixed the bug.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">I also urged the legislators to come up with rules requiring banks to
take various additional security measures and to allow online account
feature choices that would tend to thwart any similar future bug.
Such security features and selections include: Any two-factor
security for transferring funds online should include an offline
component such as mailing the customer a new debit card upon their
request with new card numbers and a new security code on the back.
The new security code should only need to be used if the customer
transfers money online or uses the online bill pay features, so that
if the customer does not use those features, the new security code
would not be entered into the user interface of the bank's web site
by the customer. Another user selection would include the ability to
let the customer select (through a secure method) to either disable
the online money transfer features such as bank account money
transfers and online bill pay at some point after the creation of the
account or to sign up for a secure online account at the start that
has those online features permanently disabled. The “secure method”
for changing (enabling or disabling) these features could include, in
the case of Direct Express where there are not always Comerica bank
branches available in every town, a network of banks such as Chase
and Wells Fargo, which tend to have branches in more places and
could securely transfer such requests to Comerica when the customer
visits the local branch and presents a photo ID.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">It is possible
to implement part of these features without making any changes to
existing procedures by simply using an online bank account that
requires you to enter your current 3- or 4-digit security code on the
back of your debit card before making any online money transfers or
before using online bill pay features. Then if you want to be secure
in this way, order a new debit or credit card with all new numbers
and simply never use those online money transfer features, so that you
never enter the new security code into your bank's web site user
interface. If you really want to be secure, you can tell your bank to
disable online access to your account(s). That way, if someone hacks
your security code when you use it on a third-party web site, they
won't be able to use your bank's web site to steal any funds from you
(especially from your other accounts such as your savings accounts),
at least not through the front door anyhow.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">As for legislation or
not, it may be best to simply present these ideas to the experts and
legislators and have them lobby the banks, rather than casting new
sections of law into stone, as the banks may need to adapt quickly to
future security threats that may circumvent these new ideas, and
because of that they should not have their hands tied by legislation.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">The next opportunity to do this type of lobbying in the San Jose
area will be at the Senior Scam Stopper Seminar, Friday, April 18<sup>th</sup>,
2014 from 2PM-4PM at the Campbell Community Center Orchard City
Banquet Hall, 1 W Campbell Avenue, Campbell, CA 95008. CA State
Assembly member Paul Fong is putting on this event in conjunction
with the Contractors State License Board. The event will include a
panel of experts on preventing seniors from being scammed. It is
recommended to RSVP for this event as seating will be limited. To
RSVP, call 408-371-2802 or visit <a href="http://www.asmdc.org/yh">www.asmdc.org/yh</a>.
Thanks.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">Sincerely,</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">John Thielking</p>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Apr 12, 2014 at 12:58 PM, Spencer Graves <span dir="ltr"><<a href="mailto:spencer.graves@prodsyse.com" target="_blank">spencer.graves@prodsyse.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi, Cameron: <br>
<br>
<br>
Thanks very much for all you've written on this. <br>
<br>
<br>
Do you think the Wikipedia article on "Heartbleed" could be
improved, e.g., by adding a section on "Gravity" (or some similar
title), explaining what you just said? If you don't feel
comfortable with the MediaWiki markup language and the Wikipedia
culture, I can help with the implementation.
Additions without appropriate citations may be quickly reverted,
but balanced comments with reasonable citations will likely be
retained. I think it's worth doing, because (as I previously
noted) this "Heartbleed" article received almost 47,000 views on
April 11 (UTC), and over 39,000 on the three previous days
combined. <br>
<br>
<br>
Example: 17:12 today (5:12 PM, UTC), an anonymous user
added a comment that, "It is believed that Heartbleed originates
from the same organisation as stuxnet and duqu." This comment
included a reference to an article that mentioned neither stuxnet
nor duqu. It was undone 49 minutes later. The article also
includes comments that, "According to two insider sources speaking
to Bloomberg.com, the United States National Security Agency was
aware of the flaw since shortly after its introduction, but chose
to keep it secret, instead of reporting it, in order to exploit it
for their own purposes." These comments cite 3 sources and are
likely to remain in the article unless none of the 3 actually
mention the NSA. <br>
<br>
<br>
Best Wishes, <br>
Spencer <br><div><div class="h5">
<br>
<br>
On 4/12/2014 11:10 AM, Cameron L. Spitzer wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div class="h5">
<div><br>
>Alarmists said we should change all our passwords. I think
that's overkill.<br>
<br>
I disagree.<br>
Bruce Schneier is no "alarmist." He's the author of the
standard textbook Applied Cryptography, and a member of the
Electronic Frontier Foundation's advisory board. And he's the
best tech writer to general audiences since Carl Sagan. If
you're having trouble with rational risk assessment (a
widespread problem among activists), you should read his book <a href="https://www.schneier.com/book-beyondfear.html" target="_blank"><i>Beyond
Fear</i></a>.<br>
<br>
This is the worst Internet security problem due to a single
programming error that I can remember, ever, because of the
circumstances of its deployment and the nature of the exploit.<br>
When a vulnerability like this one is discovered, you <i>must</i>
assume the bad guys have had the use of it since it was
deployed.<br>
It allows not just stealing your password, but stealing the
secrets that would make it impossible for your browser to detect
an impostor HTTPS site.<br>
And in the standard deployment, exploiting the bug leaves no
trace.<br>
In this case, the window was wide open for roughly two years.
Your passwords have <i>probably</i> been stolen from affected
sites.<br>
Whether you have been managing them well is irrelevant. Take
all the needless risks you like, but don't lead others to take
risks by denying them.<br>
<br>
Throwaway passwords used only for commenting on newspaper
articles (etc) need not be replaced, unless they share recovery
secrets with more sensitive accounts. But <i>anything</i>
useful for identity theft poses a risk.<br>
For example, the attacker might use your account at some
ancestry site to discover some non-secret "secret" (e.g., street
you lived on as a child, mother's maiden name) to accomplish a
password reset on your bank site. (Next time, <i>lie</i> about
your mother's maiden name, and keep the lie someplace safe.)
Identity thieves work on thousands of identities at a time,
filling in a jigsaw puzzle on each potential victim. They use
efficient, automated, mass production techniques. They rattle <i>every</i>
doorknob. You never know which pieces they already have or
still need.<br>
<br>
I've been following my employer's well-organized response to
this problem. One takeaway is our local experts are not at all
concerned about Secure Shell V2. A long-obsolete implementation
used SSL, but the one we've been using doesn't. I had been
mistaken about that. They're also pretty confident about
password managers that do client side encryption. E.g., <a href="https://lastpass.com/" target="_blank">LastPass</a>
and <a href="http://userbase.kde.org/KDE_Wallet_Manager" target="_blank">Kwallet</a>.
These tools make it practical to maintain distinct, strong
passwords for each web site and hosted application, so you can
stop using "log in with Facebook" type shortcuts. Of course,
LastPass on an unmaintained Windows XP host is only as secure as
that host. If it's full of memory-scraping malware, you've got
a local version of Heartbleed.<br>
<br>
Rational risk assessment means ignoring irrelevant factors.
Mass production identity thieves don't care about your
politics. (Spearphishers do. They use everything they know
about you to compile a word list for guessing passwords and
recovery secrets.) They don't care how paranoid you are about
mass surveillance.<br>
<br>
Forward this message as you see fit.<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/11/2014 09:33 PM, Spencer Graves wrote:<br>
</div>
<blockquote type="cite">
<div>Hi, Cameron, et al.: <br>
<br>
<br>
A discussion of how to deal with problems like
Heartbleed is now available on Wikiversity, "Managing risk
from cyber attacks". <br>
<br>
<br>
Please revise this as you see fit or send suggestions to
me. Cameron has done a great service in providing his
expertise on this list. The Wikipedia article on Heartbleed
received almost 47,000 views on April 11 (UTC), and over
39,000 on the three previous days combined. If this
Wikiversity article gets a small portion of that number of
views, it will provide a great service to humanity. <br>
<br>
<br>
Creating that article helped me think through what
seemed like a sensible reaction. Alarmists said we should
change all our passwords. I think that's overkill. Even
creating a simple list of all the accounts and passwords I've
created over the years was more work than I felt justified.
And creating such a list would miss the point. We need to
worry about the financial institutions that manage savings.
If cyber thieves drain those accounts, it could create big
problems for us. For more, see the Wikiversity article (<a href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks" target="_blank">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>).
<br>
<br>
<br>
Thanks again, Cameron -- and thanks to John and Drew for
their additional comments. <br>
<br>
<br>
Spencer <br>
<br>
<br>
On 4/11/2014 3:29 PM, John Thielking wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Sorry to keep dragging this out, but I finally
decided to search the RT.com web site using the
search term "computer hardware" to see if I could
find an article or two relating to my previous
statement that RT.com broadcast the claim that
computer hardware in general has been compromised by
the NSA. I did find the following article at
<p style="margin-bottom:0in"><a href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/" target="_blank">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
<p style="margin-bottom:0in"><br>
</p>
that states that some of the material provided by
Snowden does in fact indicate that some people's
computers are implanted with special chips to aid
the NSA in monitoring them. This may not be
widespread just yet, but it does fit with previously
broadcast info from RT.com that was saying that
certain people's laptops that have been ordered
online are sometimes transhipped to special NSA
facilities where they have their hardware modified
to contain implanted viruses or malware (in the CMOS
perhaps?). Of course the article also says that the
NSA may choose to bug all computers sold in a
specific city, if that city is a region of interest
for the NSA. I'll bet that Eugene, Oregon (Berkeley
North) could be one of those places. And who knows,
they might put radio bugs in all the watches sold
there too.<br>
</div>
More to think about I guess.<br>
<br>
</div>
A more speculative opinion piece is located here:
<p style="margin-bottom:0in"><a href="http://rt.com/op-edge/nsa-spying-future-total-952/" target="_blank">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
<p style="margin-bottom:0in"><br>
</p>
and a link to the Der Spiegel article that this stuff is
based on is contained here:<br>
<p style="margin-bottom:0in"><a href="http://rt.com/op-edge/annie-machon-nsa-spying-925/" target="_blank">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
<br>
</div>
Any further thoughts?<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Apr 11, 2014 at 2:19 PM,
John Thielking <span dir="ltr"><<a href="mailto:peacemovies@gmail.com" target="_blank">peacemovies@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Another more specific question for you Cameron:<br>
<br>
</div>
Is the patch for the Heartbleed bug supported for
systems running Windows XP, which was just barely
out of date as of the time of broad announcement of
the Heartbleed bug, or do the people currently
running Windows XP also have to upgrade their OS? I
know my home computer only has 500 MB of memory so I
can't just do an easy upgrade to Win 7. I hope not
too many POS terminals are also in the same boat.
They should upgrade to a new OS anyway, but this
problem may just compound the problem presented by
the Heartbleed bug itself.<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">John
Thielking<br>
</font></span></div>
<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
...<br>
<br>
<br>
</div></div><div class=""><pre>_______________________________________________
sosfbay-discuss mailing list
<a href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a>
<a href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></pre>
</div></blockquote><div class="">
<br>
<br>
<pre cols="72">--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: <a href="tel:408-655-4567" value="+14086554567" target="_blank">408-655-4567</a>
web: <a href="http://www.structuremonitoring.com" target="_blank">www.structuremonitoring.com</a>
</pre>
</div></div>
</blockquote></div><br></div>