<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi, Cameron: <br>
<br>
<br>
Thanks very much for all you've written on this. <br>
<br>
<br>
Do you think the Wikipedia article on "Heartbleed" could be
improved, e.g., by adding a section on "Gravity" (or some similar
title), explaining what you just said? If you don't feel
comfortable with the Mediawiki markup language and the Wikipedia
culture, I can help with that.
Additions without appropriate citations may be quickly reverted,
but balanced comments with reasonable citations will likely be
retained. I think it's worth doing, because (as I previously
noted) this "Heartbleed" article received almost 47,000 views on
April 11 (UTC), and over 39,000 on the three previous days
combined. <br>
<br>
<br>
Example: 17:12 today (5:12 PM, UTC), an anonymous user
added a comment that, "It is believed that Heartbleed originates
from the same organisation as stuxnet and duqu." This comment
included a reference to an article that mentioned neither stuxnet
nor duqu. It was undone 49 minutes later. The article also
includes comments that, "According to two insider sources speaking
to Bloomberg.com, the United States National Security Agency was
aware of the flaw since shortly after its introduction, but chose
to keep it secret, instead of reporting it, in order to exploit it
for their own purposes." These comments cite 3 sources and are
likely to remain in the article unless none of the 3 actually
mention the NSA. <br>
<br>
<br>
Best Wishes, <br>
Spencer <br>
<br>
<br>
On 4/12/2014 11:10 AM, Cameron L. Spitzer wrote:<br>
</div>
<blockquote cite="mid:53498187.3040909@truffula.us" type="cite">
<div class="moz-cite-prefix"><br>
>Alarmists said we should change all our passwords. I think
that's overkill.<br>
<br>
I disagree.<br>
Bruce Schneier is no "alarmist." He's the author of the
standard textbook Applied Cryptography, and a member of the
Electronic Frontier Foundation's advisory board. And he's the
best tech writer to general audiences since Carl Sagan. If
you're having trouble with rational risk assessment (a
widespread problem among activists), you should read his book <a
moz-do-not-send="true"
href="https://www.schneier.com/book-beyondfear.html"><i>Beyond
Fear</i></a>.<br>
<br>
This is the worst Internet security problem due to a single
programming error that I can remember, ever, because of the
circumstances of its deployment and the nature of the exploit.<br>
When a vulnerability like this one is discovered, you <i>must</i>
assume the bad guys have had the use of it since it was
deployed.<br>
It allows not just stealing your password, but stealing the
secrets that would make it impossible for your browser to detect
an impostor HTTPS site.<br>
And in the standard deployment, exploiting the bug leaves no
trace.<br>
In this case, the window was wide open for roughly two years.
Your passwords have <i>probably</i> been stolen from affected
sites.<br>
Whether you have been managing them well is irrelevant. Take
all the needless risks you like, but don't lead others to take
risks by denying them.<br>
<br>
Throwaway passwords used only for commenting on newspaper
articles (etc) need not be replaced, unless they share recovery
secrets with more sensitive accounts. But <i>anything</i>
useful for identity theft poses a risk.<br>
For example, the attacker might use your account at some
ancestry site to discover some non-secret "secret" (e.g., street
you lived on as a child, mother's maiden name) to accomplish a
password reset on your bank site. (Next time, <i>lie</i> about
your mother's maiden name, and keep the lie someplace safe.)
Identity thieves work on thousands of identities at a time,
filling in a jigsaw puzzle on each potential victim. They use
efficient, automated, mass production techniques. They rattle <i>every</i>
doorknob. You never know which pieces they already have or
still need.<br>
<br>
I've been following my employer's well organized response to
this problem. One takeaway is our local experts are not at all
concerned about Secure Shell V2. A long-obsolete implementation
used SSL, but the one we've been using doesn't. I had been
mistaken about that. They're also pretty confident about
password managers that do client side encryption. E.g., <a
moz-do-not-send="true" href="https://lastpass.com/">LastPass</a>
and <a moz-do-not-send="true"
href="http://userbase.kde.org/KDE_Wallet_Manager">KWallet</a>.
These tools make it practical to maintain distinct, strong
passwords for each web site and hosted application, so you can
stop using "log in with Facebook" type shortcuts. Of course,
LastPass on an unmaintained Windows XP host is only as secure as
that host. If it's full of memory-scraping malware, you've got
a local version of Heartbleed.<br>
<br>
Rational risk assessment means ignoring irrelevant factors.
Mass production identity thieves don't care about your
politics. (Spear-phishers do. They use everything they know
about you to compile a word list for guessing passwords and
recovery secrets.) They don't care how paranoid you are about
mass surveillance.<br>
<br>
Forward this message as you see fit.<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/11/2014 09:33 PM, Spencer Graves wrote:<br>
</div>
<blockquote cite="mid:5348C220.9020504@prodsyse.com" type="cite">
<div class="moz-cite-prefix">Hi, Cameron, et al.: <br>
<br>
<br>
A discussion of how to deal with problems like
Heartbleed is now available on Wikiversity, "Managing risk
from cyber attacks". <br>
<br>
<br>
Please revise this as you see fit or send suggestions to
me. Cameron has done a great service in providing his
expertise on this list. The Wikipedia article on Heartbleed
received almost 47,000 views on April 11 (UTC), and over
39,000 on the three previous days combined. If this
Wikiversity article gets a small portion of that number of
views, it will provide a great service to humanity. <br>
<br>
<br>
Creating that article helped me think through what
seemed like a sensible reaction. Alarmists said we should
change all our passwords. I think that's overkill. Even
creating a simple list of all the accounts and passwords I've
created over the years was more work than I felt justified.
And creating such a list would miss the point. We need to
worry about the financial institutions that manage savings.
If cyber thieves drain those accounts, it could create big
problems for us. For more, see the Wikiversity article (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks">https://en.wikiversity.org/wiki/Managing_risk_from_cyber_attacks</a>).
<br>
<br>
<br>
Thanks again, Cameron -- and thanks to John and Drew for
their additional comments. <br>
<br>
<br>
Spencer <br>
<br>
<br>
On 4/11/2014 3:29 PM, John Thielking wrote:<br>
</div>
<blockquote
cite="mid:CAMxmhMfF7t-B0Hw5t==HXqxCZPaZSmciN9ffztkkWQHAxo3KYA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Sorry to keep dragging this out, but I finally
decided to search the RT.com web site using the
search term "computer hardware" to see if I could
find an article or two relating to my previous
statement that RT.com broadcast the claim that
computer hardware in general has been compromised by
the NSA. I did find the following article at
<p style="margin-bottom:0in"><a
moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-hacking-individual-computers-008/">http://rt.com/op-edge/nsa-hacking-individual-computers-008/</a></p>
<p style="margin-bottom:0in"><br>
</p>
that states that some of the material provided by
Snowden does in fact indicate that some people's
computers are implanted with special chips to aid
the NSA in monitoring them. This may not be
widespread just yet, but it does fit with previously
broadcast info from RT.com that was saying that
certain people's laptops that have been ordered
online are sometimes transshipped to special NSA
facilities where they have their hardware modified
to contain implanted viruses or malware (in the CMOS
perhaps?). Of course the article also says that the
NSA may choose to bug all computers sold in a
specific city, if that city is a region of interest
for the NSA. I'll bet that Eugene, Oregon (Berkeley
North) could be one of those places. And who knows,
they might put radio bugs in all the watches sold
there too.<br>
</div>
More to think about I guess.<br>
<br>
</div>
A more speculative opinion piece is located here:
<p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/">http://rt.com/op-edge/nsa-spying-future-total-952/</a></p>
<p style="margin-bottom:0in"><br>
</p>
and a link to the Der Spiegel article that this stuff is
based on is contained here:<br>
<p style="margin-bottom:0in"><a moz-do-not-send="true"
href="http://rt.com/op-edge/nsa-spying-future-total-952/">http://rt.com/op-edge/annie-machon-nsa-spying-925/</a></p>
<br>
</div>
Any further thoughts?<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Apr 11, 2014 at 2:19 PM,
John Thielking <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:peacemovies@gmail.com" target="_blank">peacemovies@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>Another more specific question for you Cameron:<br>
<br>
</div>
Is the patch for the Heartbleed bug supported for
systems running Windows XP, which was just barely
out of date as of the time of broad announcement of
the Heartbleed bug, or do the people currently
running Windows XP also have to upgrade their OS? I
know my home computer only has 500 MB of memory so I
can't just do an easy upgrade to Win 7. I hope not
too many POS terminals are also in the same boat.
They should upgrade to a new OS anyway, but this
problem may just compound the problem presented by
the Heartbleed bug itself.<span class="HOEnZb"><font
color="#888888"><br>
<br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">John
Thielking<br>
</font></span></div>
<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
...<br>
<br>
<br>
<pre wrap="">_______________________________________________
sosfbay-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:sosfbay-discuss@cagreens.org">sosfbay-discuss@cagreens.org</a>
<a class="moz-txt-link-freetext" href="http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss">http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Spencer Graves, PE, PhD
President and Chief Technology Officer
Structure Inspection and Monitoring, Inc.
751 Emerson Ct.
San José, CA 95126
ph: 408-655-4567
web: <a class="moz-txt-link-abbreviated" href="http://www.structuremonitoring.com">www.structuremonitoring.com</a>
</pre>
</body>
</html>