<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
>Alarmists said we should change all our passwords. I think
that's overkill.<br>
<br>
I disagree.<br>
Bruce Schneier is no "alarmist." He's the author of the standard
textbook Applied Cryptography, and a member of the Electronic
Frontier Foundation's advisory board. And he's the best tech
writer to general audiences since Carl Sagan. If you're having
trouble with rational risk assessment (a widespread problem among
activists), you should read his book <a
href="https://www.schneier.com/book-beyondfear.html"><i>Beyond
Fear</i></a>.<br>
<br>
This is the worst Internet security problem due to a single
programming error that I can remember, ever, because of the
circumstances of its deployment and the nature of the exploit.<br>
When a vulnerability like this one is discovered, you <i>must</i>
assume the bad guys have had the use of it since it was deployed.<br>
It allows not just stealing your password, but stealing the
secrets that would make it impossible for your browser to detect
an impostor HTTPS site.<br>
And in the standard deployment, exploiting the bug leaves no
trace.<br>
In this case, the window was wide open for roughly two years.
Your passwords have <i>probably</i> been stolen from affected
sites.<br>
Whether you have been managing them well is irrelevant. Take all
the needless risks you like, but don't lead others to take risks
by denying them.<br>
<br>
Throwaway passwords used only for commenting on newspaper articles
(etc) need not be replaced, unless they share recovery secrets
with more sensitive accounts. But <i>anything</i> useful for
identity theft poses a risk.<br>
For example, the attacker might use your account at some ancestry
site to discover some non-secret "secret" (e.g., street you lived
on as a child, mother's maiden name) to accomplish a password
reset on your bank site. (Next time, <i>lie</i> about your
mother's maiden name, and keep the lie someplace safe.) Identity
thieves work on thousands of identities at a time, filling in a
jigsaw puzzle on each potential victim. They use efficient,
automated, mass production techniques. They rattle <i>every</i>
doorknob. You never know which pieces they already have or still
need.<br>
<br>
I've been following my employer's well-organized response to this
problem. One takeaway is that our local experts are not at all
concerned about Secure Shell V2. A long-obsolete implementation
used SSL, but the one we've been using doesn't. I had been
mistaken about that. They're also pretty confident about password
managers that do client-side encryption, e.g., <a
href="https://lastpass.com/">LastPass</a> and <a
href="http://userbase.kde.org/KDE_Wallet_Manager">Kwallet</a>.
These tools make it practical to maintain distinct, strong
passwords for each web site and hosted application, so you can
stop using "log in with Facebook" type shortcuts. Of course,
LastPass on an unmaintained Windows XP host is only as secure as
that host. If it's full of memory-scraping malware, you've got a
local version of Heartbleed.<br>
<br>
Rational risk assessment means ignoring irrelevant factors. Mass
production identity thieves don't care about your politics.
(Spear phishers do. They use everything they know about you to
compile a word list for guessing passwords and recovery secrets.)
They don't care how paranoid you are about mass surveillance.<br>
<br>
Forward this message as you see fit.<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/11/2014 09:33 PM, Spencer Graves wrote:<br>
</div>
<blockquote cite="mid:5348C220.9020504@prodsyse.com" type="cite">
<div class="moz-cite-prefix">Hi, Cameron, et al.: <br>
<br>
<br>
A discussion of how to deal with problems like Heartbleed
is now available on Wikiversity, "Managing risk from cyber
attacks". <br>
<br>
<br>
Please revise this as you see fit or send suggestions to
me. Cameron has done a great service in providing his expertise
on this list. The Wikipedia article on Heartbleed received
almost 47,000 views on April 11 (UTC), and over 39,000 on the
three previous days combined. If this Wikiversity article gets
a small portion of that number of views, it will provide a great
service to humanity. <br>
<br>
<br>
Creating that article helped me think through what seemed
like a sensible reaction. Alarmists said we should change all
our passwords. I think that's overkill. Even creating a simple
list of all the accounts and passwords I've created over the
years was more work than I felt justified. And creating such a
list would miss the point. We need to worry about the financial
institutions that manage savings. If cyber thieves drain those
accounts, it could create big problems for us. For more, see
the Wikiversity article (<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>).
<br>
<br>
<br>
Thanks again, Cameron -- and thanks to John and Drew for
their additional comments. <br>
<br>
<br>
Spencer <br>
<br>
<br>
On 4/11/2014 3:29 PM, John Thielking wrote:<br>
</div>
<blockquote
cite="mid:CAMxmhMfF7t-B0Hw5t==HXqxCZPaZSmciN9ffztkkWQHAxo3KYA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Sorry to keep dragging this out, but I finally
decided to search the RT.com web site using the search
term "computer hardware" to see if I could find an
article or two relating to my previous statement that
RT.com broadcast the claim that computer hardware in
general has been compromised by the NSA. I did find
the following article at
<p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
<p style="margin-bottom:0in"><br>
</p>
that states that some of the material provided by
Snowden does in fact indicate that some people's
computers are implanted with special chips to aid the
NSA in monitoring them. This may not be widespread
just yet, but it does fit with previously broadcast
info from RT.com that was saying that certain people's
laptops that have been ordered online are sometimes
transhipped to special NSA facilities where they have
their hardware modified to contain implanted viruses
or malware (in the CMOS perhaps?). Of course the
article also says that the NSA may choose to bug all
computers sold in a specific city, if that city is a
region of interest for the NSA. I'll bet that Eugene,
Oregon (Berkeley North) could be one of those places.
And who knows, they might put radio bugs in all the
watches sold there too.<br>
</div>
More to think about I guess.<br>
<br>
</div>
A more speculative opinion piece is located here:
<p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
<p style="margin-bottom:0in"><br>
</p>
and a link to the Der Spiegel article that this stuff is
based on is contained here:<br>
<p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
<br>
</div>
Any further thoughts?<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Apr 11, 2014 at 2:19 PM, John
Thielking <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:peacemovies@gmail.com" target="_blank">peacemovies@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Another more specific question for you Cameron:<br>
<br>
</div>
Is the patch for the Heartbleed bug supported for
systems running Windows XP, which was just barely out
of date as of the time of broad announcement of the
Heartbleed bug, or do the people currently running
Windows XP also have to upgrade their OS? I know my
home computer only has 500 MB of memory so I can't
just do an easy upgrade to Win 7. I hope not too many
POS terminals are also in the same boat. They should
upgrade to a new OS anyway, but this problem may just
compound the problem presented by the Heartbleed bug
itself.<span class="HOEnZb"><font color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">John
Thielking<br>
</font></span></div>
<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
...<br>
</body>
</html>