<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">John: <br>
<br>
<br>
Possibly the largest network of Automated Teller Machines
(ATMs) in the world may be those run by credit unions. Many if
not all credit unions worldwide honor each other's debit cards.
Provident Credit Union (providentcu.org) advertises, "Over 28,000
CO-OP Network ATMs worldwide (including over 5,500 ATMs in
7-Eleven stores around the country). Provident deposits accepted
at many of these locations. Over 22,000 MoneyPass ATMs nationwide
(including at US Bank, Dunkin’ Donuts, Walgreens, and more). Over
4,900 Alliance One ATMs in 43 states nationwide. Provident
members can use any Bank of the West ATM without incurring a
surcharge. Bank of the West has over 650 branches in 19 states
(including many in San Francisco Bay Area). Provident deposits
accepted at many of these locations." I just checked to see what
Provident Credit Union offered for St. Francis, KS, where I
attended High School. They said they had no branches near there.
The nearest ATM was 25 miles away, and they listed 3 others within
40 miles. I checked Denver 200 miles from St. Francis: I got a
list of over 50 branches I could enter and many more ATMs. <br>
<br>
<br>
I rarely enter a Provident CU office; the closest is 3-4
miles away. I usually get cash back when I use my debit card with
major retailers. If I need to make a deposit or I need more cash,
I use the ATM at a closer credit union that's less than one mile
from where we live. If I recall correctly, I had a problem once
making a deposit at this other credit union. A few months later,
the problem was resolved. <br>
<br>
<br>
Spencer <br>
<br>
<br>
On 4/12/2014 5:23 PM, John Thielking wrote:<br>
</div>
<blockquote
cite="mid:CAMxmhMcH_yFmjJMLK1-8PRZU1X3yBCku68jwBqRmCu9pHWU4Rg@mail.gmail.com"
type="cite">
<div dir="ltr">
<p style="margin-bottom:0in">I attended a retired union worker's BBQ
today where reps from various legislators' offices were available to
answer questions. I mentioned the Heartbleed bug a couple of times in
my comments (once before and once after the legislators' assistants
and some legislators themselves showed up late). I mentioned that
the Heartbleed bug affects the security of credit card numbers and
PINs as well as the passwords to your favorite web sites. I mentioned
that to find out if your favorite web site has been patched to fix
the Heartbleed bug, you can simply Google for “Heartbleed” and
find an article that has a link to one of the sites that allows you
to test the web sites that you use to see if they have fixed the bug.</p>
<p style="margin-bottom:0in">I also urged the legislators to come up
with rules requiring banks to take various additional security
measures and to allow online account feature choices that would tend
to thwart any similar future bug. Such security features and
selections include: Any two factor security for transferring funds
online should include an offline component such as mailing the
customer a new debit card upon their request with new card numbers
and a new security code on the back. The new security code should
only need to be used if the customer transfers money online or uses
the online bill pay features, so that if the customer does not use
those features, the new security code would not be entered into the
user interface of the bank's web site by the customer. Another user
selection would include the ability to let the customer select
(through a secure method) to either disable the online money transfer
features such as bank account money transfers and online bill pay at
some point after the creation of the account or to sign up for a
secure online account at the start that has those online features
permanently disabled. The “secure method” for changing (enabling or
disabling) these features could include, in the case of Direct
Express where there are not always Comerica bank branches available
in every town, a network of banks such as Chase and Wells Fargo, who
do tend to have branches in more places, who could securely transfer
such requests to Comerica upon the customer visiting the local branch
and presenting a photo ID.</p>
<p style="margin-bottom:0in">It is possible to implement part of
these features without making any changes to existing procedures by
simply using an online bank account that requires you to enter your
current 3 or 4 digit security code on the back of your debit card
before making any online money transfers or before using online bill
pay features. Then if you want to be secure in this way, order a new
debit or credit card with all new numbers and simply never use those
online money transfer features so that you never enter the new
security code into your bank's web site user interface. If you really
want to be secure, you can tell your bank to disable online access to
your account(s). That way if someone hacks your security code when
you use it on a third party web site, they won't be able to use your
bank's web site to steal any funds from you (especially from your
other accounts such as your savings accounts), at least not through
the front door anyhow.</p>
<p style="margin-bottom:0in">As for legislation or not, it may be
best to simply present these ideas to the experts and legislators and
have them lobby the banks, rather than casting new sections of law
into stone, as the banks may need to adapt quickly to future security
threats that may circumvent these new ideas and because of that they
should not have their hands tied by legislation.</p>
<p style="margin-bottom:0in">The next opportunity to do this type of
lobbying in the San Jose area will be at the Senior Scam Stopper
Seminar, Friday, April 18<sup>th</sup>, 2014 from 2PM-4PM at the
Campbell Community Center Orchard City Banquet Hall, 1 W Campbell
Avenue, Campbell, CA 95008. CA State Assembly member Paul Fong is
putting on this event in conjunction with the Contractors State
License Board. The event will include a panel of experts on
preventing seniors from being scammed. It is recommended to RSVP for
this event as seating will be limited. To RSVP, call 408-371-2802 or
visit <a moz-do-not-send="true"
href="http://www.asmdc.org/yh">www.asmdc.org/yh</a>.
Thanks.</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">Sincerely,</p>
<p style="margin-bottom:0in"><br>
</p>
<p style="margin-bottom:0in">John Thielking</p>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Apr 12, 2014 at 12:58 PM,
Spencer Graves <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:spencer.graves@prodsyse.com" target="_blank">spencer.graves@prodsyse.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi, Cameron: <br>
<br>
<br>
Thanks very much for all you've written on this.
<br>
<br>
<br>
Do you think the Wikipedia article on "Heartbleed"
could be improved, e.g., by adding a section on
"Gravity" (or some similar title), explaining what you
just said? If you don't feel comfortable with the
Mediawiki markup language and the Wikipedia culture, I
can help with the implementation. Additions without
appropriate citations may be
quickly reverted, but balanced comments with reasonable
citations will likely be retained. I think it's worth
doing, because (as I previously noted) this "Heartbleed"
article received almost 47,000 views on April 11 (UTC),
and over 39,000 on the three previous days combined. <br>
<br>
<br>
Example: 17:12 today (5:12 PM, UTC), an anonymous
user added a comment that, "It is believed that
Heartbleed originates from the same organisation as
stuxnet and duqu." This comment included a reference to
an article that mentioned neither stuxnet nor duqu. It
was undone 49 minutes later. The article also includes
comments that, "According to two insider sources
speaking to Bloomberg.com, the United States National
Security Agency was aware of the flaw since shortly
after its introduction, but chose to keep it secret,
instead of reporting it, in order to exploit it for
their own purposes." These comments cite 3 sources and
are likely to remain in the article unless none of the 3
actually mention the NSA. <br>
<br>
<br>
Best Wishes, <br>
Spencer <br>
<div>
<div class="h5"> <br>
<br>
On 4/12/2014 11:10 AM, Cameron L. Spitzer wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div><br>
>Alarmists said we should change all our
passwords. I think that's overkill.<br>
<br>
I disagree.<br>
Bruce Schneier is no "alarmist." He's the author
of the standard textbook Applied Cryptography, and
a member of the Electronic Frontier Foundation's
advisory board. And he's the best tech writer to
general audiences since Carl Sagan. If you're
having trouble with rational risk assessment (a
widespread problem among activists), you should
read his book <a moz-do-not-send="true"
href="https://www.schneier.com/book-beyondfear.html"
target="_blank"><i>Beyond Fear</i></a>.<br>
<br>
This is the worst Internet security problem due to
a single programming error that I can remember,
ever, because of the circumstances of its
deployment and the nature of the exploit.<br>
When a vulnerability like this one is discovered,
you <i>must</i> assume the bad guys have had the
use of it since it was deployed.<br>
It allows not just stealing your password, but
stealing the secrets that would make it impossible
for your browser to detect an impostor HTTPS site.<br>
And in the standard deployment, exploiting the bug
leaves no trace.<br>
In this case, the window was wide open for roughly
two years. Your passwords have <i>probably</i>
been stolen from affected sites.<br>
Whether you have been managing them well is
irrelevant. Take all the needless risks you like,
but don't lead others to take risks by denying
them.<br>
<br>
Throwaway passwords used only for commenting on
newspaper articles (etc) need not be replaced,
unless they share recovery secrets with more
sensitive accounts. But <i>anything</i> useful
for identity theft poses a risk.<br>
For example, the attacker might use your account
at some ancestry site to discover some non-secret
"secret" (e.g., street you lived on as a child,
mother's maiden name) to accomplish a password
reset on your bank site. (Next time, <i>lie</i>
about your mother's maiden name, and keep the lie
someplace safe.) Identity thieves work on
thousands of identities at a time, filling in a
jigsaw puzzle on each potential victim. They use
efficient, automated, mass production techniques.
They rattle <i>every</i> doorknob. You never
know which pieces they already have or still need.<br>
<br>
I've been following my employer's well organized
response to this problem. One takeaway is our
local experts are not at all concerned about
Secure Shell V2. A long obsolete implementation
used SSL, but the one we've been using doesn't. I
had been mistaken about that. They're also pretty
confident about password managers that do client
side encryption. E.g., <a moz-do-not-send="true"
href="https://lastpass.com/" target="_blank">LastPass</a>
and <a moz-do-not-send="true"
href="http://userbase.kde.org/KDE_Wallet_Manager"
target="_blank">Kwallet</a>. These tools make
it practical to maintain distinct, strong
passwords for each web site and hosted
application, so you can stop using "log in with
Facebook" type shortcuts. Of course, LastPass on
an unmaintained Windows XP host is only as secure
as that host. If it's full of memory-scraping
malware, you've got a local version of Heartbleed.<br>
<br>
Rational risk assessment means ignoring irrelevant
factors. Mass production identity thieves don't
care about your politics. (Spearphishers do. They
use everything they know about you to compile a
word list for guessing password and recovery
secrets.) They don't care how paranoid you are
about mass surveillance.<br>
<br>
Forward this message as you see fit.<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/11/2014 09:33 PM, Spencer Graves wrote:<br>
</div>
<blockquote type="cite">
<div>Hi, Cameron, et al.: <br>
<br>
<br>
A discussion of how to deal with problems
like Heartbleed is now available on Wikiversity,
"Managing risk from cyber attacks". <br>
<br>
<br>
Please revise this as you see fit or send
suggestions to me. Cameron has done a great
service in providing his expertise on this
list. The Wikipedia article on Heartbleed
received almost 47,000 views on April 11 (UTC),
and over 39,000 on the three previous days
combined. If this Wikiversity article gets a
small portion of that number of views, it will
provide a great service to humanity. <br>
<br>
<br>
Creating that article helped me think
through what seemed like a sensible reaction.
Alarmists said we should change all our
passwords. I think that's overkill. Even
creating a simple list of all the accounts and
passwords I've created over the years was more
work than I felt justified. And creating such a
list would miss the point. We need to worry
about the financial institutions that manage
savings. If cyber thieves drain those accounts,
it could create big problems for us. For more,
see the Wikiversity article (<a
moz-do-not-send="true"
href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks"
target="_blank">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>).
<br>
<br>
<br>
Thanks again, Cameron -- and thanks to
John and Drew for their additional comments. <br>
<br>
<br>
Spencer <br>
<br>
<br>
On 4/11/2014 3:29 PM, John Thielking wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Sorry to keep dragging this out,
but I finally decided to search the
RT.com web site using the search term
"computer hardware" to see if I could
find an article or two relating to my
previous statement that RT.com
broadcast the claim that computer
hardware in general has been
compromised by the NSA. I did find the
following article at
<p style="margin-bottom:0in"><a
moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/"
target="_blank">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
<p style="margin-bottom:0in"><br>
</p>
that states that some of the material
provided by Snowden does in fact
indicate that some people's computers
are implanted with special chips to
aid the NSA in monitoring them. This
may not be widespread just yet, but it
does fit with previously broadcast
info from RT.com that was saying that
certain people's laptops that have
been ordered online are sometimes
transhipped to special NSA facilities
where they have their hardware
modified to contain implanted viruses
or malware (in the CMOS perhaps?). Of
course the article also says that the
NSA may choose to bug all computers
sold in a specific city, if that city
is a region of interest for the NSA.
I'll bet that Eugene, Oregon (Berkeley
North) could be one of those places.
And who knows, they might put radio
bugs in all the watches sold there
too.<br>
</div>
More to think about I guess.<br>
<br>
</div>
A more speculative opinion piece is
located here:
<p style="margin-bottom:0in"><a
moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/"
target="_blank">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
<p style="margin-bottom:0in"><br>
</p>
and a link to the Der Spiegel article that
this stuff is based on is contained here:<br>
<p style="margin-bottom:0in"><a
moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/"
target="_blank">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
<br>
</div>
Any further thoughts?<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Apr 11, 2014
at 2:19 PM, John Thielking <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:peacemovies@gmail.com"
target="_blank">peacemovies@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Another more specific question
for you Cameron:<br>
<br>
</div>
Is the patch for the Heartbleed bug
supported for systems running Windows
XP, which was just barely out of date
as of the time of broad announcement
of the Heartbleed bug, or do the
people currently running Windows XP
also have to upgrade their OS? I know
my home computer only has 500 MB of
memory so I can't just do an easy
upgrade to Win 7. I hope not too many
POS terminals are also in the same
boat. They should upgrade to a new OS
anyway, but this problem may just
compound the problem presented by the
Heartbleed bug itself.<span><font
color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">John
Thielking<br>
</font></span></div>
<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
...<br>
<br>
<br>
</div>
</div>
<div class="">
<pre>_______________________________________________
sosfbay-discuss mailing list
<a moz-do-not-send="true" href="mailto:sosfbay-discuss@cagreens.org" target="_blank">sosfbay-discuss@cagreens.org</a>
<a moz-do-not-send="true" href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss" target="_blank">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></pre>
</div>
</blockquote>
<div class=""> <br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: 408-655-4567
web: <a class="moz-txt-link-abbreviated" href="http://www.structuremonitoring.com">www.structuremonitoring.com</a>
</pre>
</body>
</html>