<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">      Cameron mentioned routers.  I
      just confirmed that they could be a problem and added information
      on what to do about that to the Wikiversity article on "Managing
      risk from cyber attacks".  <br>
      <br>
      <br>
            Spencer <br>
      <br>
      <br>
      On 4/12/2014 8:05 AM, John Thielking wrote:<br>
    </div>
    <blockquote
cite="mid:CAMxmhMdGaMFULruCU5cfmaQY+S49d8y4VcVubgezfy8_N9gzYg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>Thanks for the web update Spencer. I double checked my
            Direct Express online account and it is possible to send
            money to another bank account after logging in, but there is
            also what is called "two factor security" involved. It seems
            that I have to enter the code on the back of my debit card
            before I can transfer money and even then the transaction
            might be declined by Comerica Bank. I'm working with the
            account issuer to disable online access and have them send
            me a paper bill in the mail with all of my transactions for
            the month listed instead of having online access, but it is
            not clear how much trouble it will be to do this since the
            customer service rep said they weren't sure if it was
            possible to do this for an active online account. She had
            the tech support people arrange to call me back sometime
            next week. She also said that it was not possible to only
            disable the online funds transfer feature and online bill
            pay. Two factor security is better than just having a
            password and login required before you can send money from
            an online bank account. If your bank doesn't have at least
            that level of security, they are fools and you should switch
            banks or at least disable online access for your account.
            Hopefully my security code is secure on the Direct Express
            web site as I've never entered that code when using that
            site. I'm still going to disable online access entirely ASAP
            if I am allowed to do that.<br>
            <br>
          </div>
          On a related note, I did a search to find out if the
          Heartbleed bug affects security for credit card numbers and
          PINs, not just passwords, and found at least one article that
          confirms that it DOES affect other data such as CC numbers.
          That article is located here:
          <p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://www.christianpost.com/news/heart-bleed-virus-update-open-ssl-computer-bug-how-to-protect-your-security-passwords-for-gmail-yahoo-facebook-117732/">http://www.christianpost.com/news/heart-bleed-virus-update-open-ssl-computer-bug-how-to-protect-your-security-passwords-for-gmail-yahoo-facebook-117732/</a></p>
          <p style="margin-bottom:0in"><br>
          </p>
          I also did a search to try to find out if the Heartbleed patch
          is available for Windows XP. I found a bunch of articles that
          talked about the end of XP security support on April 8, 2014
          and that talked about the Heartbleed bug, but none of the
          articles raised any alarms for XP users trying to patch the
          Heartbleed bug. <br>
          <br>
        </div>
        John Thielking<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Fri, Apr 11, 2014 at 9:33 PM,
          Spencer Graves <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:spencer.graves@prodsyse.com" target="_blank">spencer.graves@prodsyse.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>Hi, Cameron, et al.:  <br>
                <br>
                <br>
                      A discussion of how to deal with problems like
                Heartbleed is now available on Wikiversity, "Managing
                risk from cyber attacks".  <br>
                <br>
                <br>
                      Please revise this as you see fit or send
                suggestions to me.  Cameron has done a great service in
                providing his expertise on this list.  The Wikipedia
                article on Heartbleed received almost 47,000 views on
                April 11 (UTC), and over 39,000 on the three previous
                days combined.  If this Wikiversity article gets a small
                portion of that number of views, it will provide a great
                service to humanity.  <br>
                <br>
                <br>
                      Creating that article helped me think through what
                seemed like a sensible reaction.  Alarmists said we
                should change all our passwords.  I think that's
                overkill.  Even creating a simple list of all the
                accounts and passwords I've created over the years was
                more work than I felt justified.  And creating such a
                list would miss the point.  We need to worry about the
                financial institutions that manage savings.  If cyber
                thieves drain those accounts, it could create big
                problems for us.  For more, see the Wikiversity article
                (<a moz-do-not-send="true"
                  href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks"
                  target="_blank">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>). 

                <br>
                <br>
                <br>
                      Thanks again, Cameron -- and thanks to John and
                Drew for their additional comments.  <br>
                <span class="HOEnZb"><font color="#888888"> <br>
                    <br>
                          Spencer <br>
                  </font></span>
                <div>
                  <div class="h5"> <br>
                    <br>
                    On 4/11/2014 3:29 PM, John Thielking wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>
                        <div>
                          <div>
                            <div>Sorry to keep dragging this out, but I
                              finally decided to search the RT.com web
                              site using the search term "computer
                              hardware" to see if I could find an
                              article or two relating to my previous
                              statement that RT.com broadcast the claim
                              that computer hardware in general has been
                              compromised by the NSA. I did find the
                              following article at
                              <p style="margin-bottom:0in"><a
                                  moz-do-not-send="true"
                                  href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/"
                                  target="_blank">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
                              <p style="margin-bottom:0in"><br>
                              </p>
                              that states that some of the material
                              provided by Snowden does in fact indicate
                              that some people's computers are implanted
                              with special chips to aid the NSA in
                              monitoring them. This may not be
                              widespread just yet, but it does fit with
                              previously broadcast info from RT.com that
                              was saying that certain people's laptops
                              that have been ordered online are
                                               sometimes transshipped to special NSA
                              facilities where they have their hardware
                              modified to contain implanted viruses or
                              malware (in the CMOS perhaps?).  Of course
                              the article also says that the NSA may
                              choose to bug all computers sold in a
                              specific city, if that city is a region of
                              interest for the NSA. I'll bet that
                              Eugene, Oregon (Berkeley North) could be
                              one of those places. And who knows, they
                              might put radio bugs in all the watches
                              sold there too.<br>
                            </div>
                              More to think about I guess.<br>
                            <br>
                          </div>
                          A more speculative opinion piece is located
                          here:
                          <p style="margin-bottom:0in"><a
                              moz-do-not-send="true"
                              href="http://rt.com/op-edge/nsa-spying-future-total-952/"
                              target="_blank">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
                          <p style="margin-bottom:0in"><br>
                          </p>
                           and a link to the Der Spiegel article that this
                          stuff is based on is contained here:<br>
                          <p style="margin-bottom:0in"><a
                              moz-do-not-send="true"
                              href="http://rt.com/op-edge/nsa-spying-future-total-952/"
                              target="_blank">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
                          <br>
                        </div>
                        Any further thoughts?<br>
                        <br>
                      </div>
                      John Thielking<br>
                    </div>
                    <div class="gmail_extra"><br>
                      <br>
                      <div class="gmail_quote">On Fri, Apr 11, 2014 at
                        2:19 PM, John Thielking <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:peacemovies@gmail.com"
                            target="_blank">peacemovies@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div dir="ltr">
                            <div>
                              <div>Another more specific question for
                                you Cameron:<br>
                                <br>
                              </div>
                              Is the patch for the Heartbleed bug
                              supported for systems running Windows XP,
                              which was just barely out of date as of
                              the time of broad announcement of the
                              Heartbleed bug, or do the people currently
                              running Windows XP also have to upgrade
                              their OS?  I know my home computer only
                              has 500 MB of memory so I can't just do an
                              easy upgrade to Win 7.  I hope not too
                              many POS terminals are also in the same
                              boat.  They should upgrade to a new OS
                              anyway, but this problem may just compound
                              the problem presented by the Heartbleed
                              bug itself.<span><font color="#888888"><br>
                                   <br>
                                </font></span></div>
                            <span><font color="#888888">John Thielking<br>
                              </font></span></div>
                          <div>
                            <div>
                              <div class="gmail_extra"><br>
                                <br>
                                <div class="gmail_quote">On Fri, Apr 11,
                                  2014 at 12:52 PM, John Thielking <span
                                    dir="ltr"><<a
                                      moz-do-not-send="true"
                                      href="mailto:peacemovies@gmail.com"
                                      target="_blank">peacemovies@gmail.com</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote"
                                    style="margin:0 0 0
                                    .8ex;border-left:1px #ccc
                                    solid;padding-left:1ex">
                                    <div dir="ltr">
                                      <div>People should also know that
                                        there may be additional security
                                        gaps in ATMs and Point Of Sale
                                        terminals due to their owners'
                                        slow response to the need to do
                                        away with using Windows XP. For
                                        instance, the last time I went
                                        to Round Table Pizza a couple of
                                        weeks ago, the screen saver on
                                        their POS terminal still said
                                        "Windows XP". Chase signed a
                                        contract for another year of
                                        support from MS for Win XP for
                                        their ATMs, but I can only
                                        assume that everyone else will
                                        no longer have support for Win
                                        XP after early April 2014.  Good
                                        luck on that one too.<span><font
                                            color="#888888"><br>
                                            <br>
                                          </font></span></div>
                                      <span><font color="#888888">John
                                          Thielking<br>
                                        </font></span></div>
                                    <div>
                                      <div>
                                        <div class="gmail_extra"><br>
                                          <br>
                                          <div class="gmail_quote">On
                                            Fri, Apr 11, 2014 at 12:14
                                            PM, John Thielking <span
                                              dir="ltr"><<a
                                                moz-do-not-send="true"
                                                href="mailto:peacemovies@gmail.com"
                                                target="_blank">peacemovies@gmail.com</a>></span>
                                            wrote:<br>
                                            <blockquote
                                              class="gmail_quote"
                                              style="margin:0 0 0
                                              .8ex;border-left:1px #ccc
                                              solid;padding-left:1ex">
                                              <div dir="ltr">
                                                <div>
                                                  <div>
                                                    <div>After reading this I'm not likely to trust ATMs for a while with any of my debit cards or credit cards. At least my latest credit card company and one of my debit cards I'm pretty sure I can just go to the bank teller of any bank and get a "cash advance" from the teller instead of using an ATM. Oftentimes I don't need a PIN when doing that, just a photo ID. I think the fees for that method may even be less than using the ATM anyway. Do you think that the bank teller's systems are likely to be more secure than their ATMs?<br>
                                                    </div>
                                                      Thanks for
                                                    clarifying the other
                                                    info Cameron.<br>
                                                    <br>
                                                  </div>
                                                  Sincerely,<br>
                                                  <br>
                                                </div>
                                                John Thielking<br>
                                              </div>
                                              <div>
                                                <div>
                                                  <div
                                                    class="gmail_extra"><br>
                                                    <br>
                                                    <div
                                                      class="gmail_quote">On
                                                      Fri, Apr 11, 2014
                                                      at 8:45 AM,
                                                      Cameron L. Spitzer
                                                      <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:cls@truffula.us" target="_blank">cls@truffula.us</a>></span>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0
                                                        0 0
                                                        .8ex;border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">
                                                        <div
                                                          bgcolor="#FFFFFF"
                                                          text="#000000">
                                                          <div><br>
                                                          I may have been unclear.<br>
                                                          1. Check your bank (etc) site for the vulnerability.<br>
                                                          If it's bad, make a note.<br>
                                                          2. Change your password.<br>
                                                          <br>
                                                          3. Go back to the bad ones tomorrow and check them again.<br>
                                                          4. If a site has changed from bad to good, change your password there.<br>
                                                          <br>
                                                          5. Repeat again tomorrow until there are no more bad sites on your list.<br>
                                                          <br>
                                                          If the first check of a site was good, you'll only change that site's password once.<br>
                                                          If the first check was bad, you'll have to change your password twice. The first change deactivates the password which was probably stolen over the last two years, replacing it with a temporary password. The second replaces the temporary password, which may also have been stolen.<br>
                                                          <br>
                                                          <br>
                                                          The work your bank (etc) has to do is more elaborate. They have to replace the trust certificates that SSL protects, because those have secret keys and they also could have been stolen. However, when a site goes from bad to good it's a pretty good indication they're doing all of that. The certs are mainly important for protecting you from impostor web sites. Impostors are mainly a threat to people who follow links received in email, but they can also appear if the DNS is compromised anywhere along the line. That mostly happens to Microsoft Windows users with malware (that's most consumers who use Windows at home) and on corporate intranets. Ironically, even though Microsoft's implementation of SSL was not affected, the prevalence of Windows malware greatly magnifies the vulnerability. One more example of how Windows ruins everything, even for non-Windows users!<br>
                                                          <br>
                                                          <br>
                                                          The OpenSSL source code's history is visible at its GitHub page. Several security blogs show how you can look up the Dec 31 2011 change that introduced the bug and the April 7 2014 change that fixes it. No stealthy detective work is needed. However, GitHub is pretty swamped this week with everybody looking at these two changes, so you might get a timeout or a 500 error.<br>
                                                          <br>
                                                          It will take years for everybody to fix everything. There are home routers, ATM machines, point of sale terminals (we used to call them "cash registers") and other
                                                          "appliances"
                                                          (voting
                                                          machines?)
                                                          which use the
                                                          buggy OpenSSL,
                                                          and most
                                                          consumers
                                                          never update
                                                          the firmware
                                                          in those
                                                          things.<br>
                                                          Corporate
                                                          intranets with
                                                          huge software
                                                          stacks
                                                          (internal
                                                          accounting
                                                          processes etc)
                                                          will be the
                                                          most work.<br>
                                                          But almost
                                                          large
                                                          consumer-facing
                                                          commerce sites
                                                          will have this
                                                          fixed within a
                                                          few weeks. 
                                                          The fix isn't
                                                          difficult for
                                                          professionally
                                                          managed web
                                                          sites, and the
                                                          urgency is
                                                          high and
                                                          unusually well
                                                          understood.
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <br>
                                                          On 04/10/2014 10:07 PM, John Thielking wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">
                                                          <div>KRON4 TV news had an interesting piece on this bug tonight. Hopefully they rebroadcast it at 11 so you all can see it. They were saying that they found out who created the bug, that it was a "mistake" and that it could take years for all the web sites involved to be fixed. What a headache.<br>
                                                          <br>
                                                          </div>
                                                          John Thielking<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <br>
                                                          <div class="gmail_quote">On Thu, Apr 10, 2014 at 12:46 PM, Spencer Graves <span dir="ltr"><<a moz-do-not-send="true" href="mailto:spencer.graves@prodsyse.com" target="_blank">spencer.graves@prodsyse.com</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          bgcolor="#FFFFFF"
                                                          text="#000000">
                                                          <div>Hi, Cameron, Drew, et al.:  <br>
                                                          <br>
                                                          <br>
                                                                1.  Do you have any reactions to the suggestion that a user could increase rather than decrease their vulnerability if they change a password BEFORE a host fixes the software on their end?  The concern is that some of the information stolen via Heartbleed may still need more work to decode than a password change before the host software is patched.  If this is accurate, we should first check the hosts for our greatest vulnerabilities to ensure that they've installed an appropriate patch, then change our password, log out, then quickly log back in and change the password again, as Cameron suggested.  If I understand correctly, the need to change the password twice is because a data thief may catch the first password change but is unlikely to be able to react quickly enough with that new information to catch your second password change if you do it quickly enough.  <br>
                                                          <br>
                                                          <br>
                                                                2.  Wikipedia has an article on "Heartbleed", which has been updated every few minutes since it was created 2014-04-09 04:39 UTC.  If you have information that you feel is not properly reflected there, I'd like to know.  I might be able to help update it, though my schedule today is quite busy.  <br>
                                                          <br>
                                                          <br>
                                                                Be safe.  <br>
                                                                Spencer <br>
                                                          <div>
                                                          <div> <br>
                                                          <br>
                                                          On 4/10/2014 6:16 AM, Drew wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div>Cameron, I and others can help people move to a (user-friendly), freedom-respecting GNU/Linux computer system such as Puppy Linux <a moz-do-not-send="true" href="http://puppylinux.com" target="_blank">http://puppylinux.com</a>, or Zorin <a moz-do-not-send="true" href="http://www.zorin-os.com" target="_blank">http://www.zorin-os.com</a>/, or Linux Mint, etc.<br>
                                                          <br>
                                                          Green is Freedom!<br>
                                                          <br>
                                                          Drew<br>
                                                          -- <br>
                                                          Sent from my Android device with K-9 Mail. Please excuse my brevity. <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span></span></blockquote>
                                                          </div>
                                                          <br>
_______________________________________________<br>
                                                          sosfbay-discuss mailing list<br>
                                                          <a
                                                          moz-do-not-send="true"
href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss"
target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></blockquote>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                        </div>
                                                        <br>
                                                      </blockquote>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </blockquote>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph:  408-655-4567
web:  <a class="moz-txt-link-abbreviated" href="http://www.structuremonitoring.com">www.structuremonitoring.com</a>
</pre>
  </body>
</html>