x404.co.uk
http://www.x404.co.uk/forum/

Heartbleed Bug: Public urged to reset all passwords
http://www.x404.co.uk/forum/viewtopic.php?f=3&t=21745
Page 1 of 2

Author:  pcernie [ Wed Apr 09, 2014 8:59 pm ]
Post subject:  Heartbleed Bug: Public urged to reset all passwords

http://www.bbc.co.uk/news/technology-26954540

Oh dear...

Author:  cloaked_wolf [ Wed Apr 09, 2014 9:35 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

...hang fire...

http://www.theguardian.com/technology/2 ... perts-warn

Author:  pcernie [ Wed Apr 09, 2014 9:40 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

If Joe Average wasn't confused before...

Author:  jonbwfc [ Wed Apr 09, 2014 9:51 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

It's a crock. The vast majority of passwords DON'T MATTER. They serve an identification rather than authentication function. Why the blazes should I care if the government knows what my instagram password is? What would they use it for? Changing the tags on my holiday snaps? Change the passwords to things which are actually important (banks, email accounts maybe) just in case if you're feeling paranoid.

But changing every single password on every single web service you use? Regardless of its value or not as a target? It's more a waste of your own time than anything else. Because the basic fundamental point is nobody cares about the vast majority of the data you generate other than you.

Stop listening to the paranoid knob heads in the 'web security industry' and start thinking rationally for a second.

Author:  big_D [ Thu Apr 10, 2014 3:59 am ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

Until the old certificates have been revoked and the server has been fixed, there is no point changing the password. At the moment, although one or two passwords might have been captured, the flaw only lets out a 64KB block of data, so maybe hundreds of usernames and passwords, not millions, will be leaked, but the SSL key will be leaked, which means the attacker can impersonate the affected site after the attack, using a man-in-the-middle attack or a DNS redirect attack (like Turkey before the elections) or DNS poisoning attacks.

Also, if the server is running Microsoft IIS webserver and not Apache, then it will be unaffected.

The Guardian article is also a little disingenuous, they talk about Yahoo! but they don't mention bigger sites that are affected, like Twitter, Facebook and Instagram.
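
An added illustration of the bounds-check bug behind the "64KB block" big_D describes above (this is example code, not from the thread or from OpenSSL): a simulated heartbeat handler in the style of RFC 6520, once trusting the peer-supplied payload length the way OpenSSL did before 1.0.1g, and once with the length check the fix added. The two-byte length field is what allows up to 65535 bytes per request. The "process memory" buffer, the record inside it and the secret string placed after it are all constructed for the demo so that the over-read stays inside one array and the program runs safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the process heap: a heartbeat request that
 * declares 64 bytes of payload but really carries 4, followed by data
 * that would happen to sit next to it in memory (a constructed secret). */
static const char SECRET[] = "user=alice&pass=hunter2 -----BEGIN RSA PRIVATE KEY-----";
static unsigned char MEMORY[128];
static size_t RECORD_LEN = 0;   /* length the TLS record layer actually delivered */

static void build_memory(void) {
    memset(MEMORY, 0, sizeof MEMORY);
    MEMORY[0] = HB_REQUEST;
    MEMORY[1] = 0x00; MEMORY[2] = 0x40;   /* claims 64 bytes of payload */
    memcpy(MEMORY + 3, "ping", 4);        /* only 4 bytes are really there */
    RECORD_LEN = 3 + 4 + HB_PADDING;
    memcpy(MEMORY + RECORD_LEN, SECRET, sizeof SECRET);  /* "adjacent heap" */
}

/* Vulnerable handler: copies as many bytes as the peer asked for,
 * never checking that against the record length it was handed. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);    /* reads past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the declared payload must fit inside the record received,
 * otherwise the request is silently discarded (the 1.0.1g behaviour). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    if (3 + (size_t)payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* 1 if the byte string needle appears anywhere in the response, else 0. */
static int response_contains(const unsigned char *resp, int resp_len, const char *needle) {
    size_t n = strlen(needle);
    if (resp_len < 0 || (size_t)resp_len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

static int run(hb_handler h, int *leaked) {
    unsigned char resp[128];
    build_memory();
    int n = h(MEMORY, RECORD_LEN, resp, sizeof resp);
    *leaked = response_contains(resp, n, "hunter2");
    return n;
}

int vulnerable_leaks(void)    { int l; run(heartbeat_vulnerable, &l); return l; }
int fixed_leaks(void)         { int l; run(heartbeat_fixed, &l); return l; }
int fixed_response_len(void)  { int l; return run(heartbeat_fixed, &l); }

int main(void) {
    printf("vulnerable handler leaked secret: %d\n", vulnerable_leaks());
    printf("fixed handler leaked secret:      %d\n", fixed_leaks());
    printf("fixed handler response length:    %d\n", fixed_response_len());
    return 0;
}
```

The vulnerable path answers a 23-byte record with an 83-byte response whose payload is whatever followed the request in memory; the fixed path returns -1 and sends nothing. Whether the private key or a password lands in that window on a real server depends on what the allocator happened to place there, which is why repeated requests were used against the same host.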

Author:  paulzolo [ Thu Apr 10, 2014 11:28 am ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

Got an email from IFTTT today telling me that I've been logged out of my account on my iPhone app, and to reset it next time I log in.

I really don't want to go through every single password I have and change it. I'll lose a weekend to that thankless task.

Author:  pcernie [ Fri Apr 11, 2014 3:03 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

Yeah, Pinterest emailed me (only signed up for details about a watch that showed in an image search ffs, who actually uses that service? :? ).

ION... Heartbleed programmer: Sorry, my bad

http://www.techradar.com/news/internet/ ... d--1241710

That 'mistakes missed at multiple levels' thing is partly why I have little faith in climate calculations.

Author:  paulzolo [ Fri Apr 11, 2014 3:17 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

pcernie wrote:
Yeah, Pinterest emailed me (only signed up for details about a watch that showed in an image search ffs, who actually uses that service? :? ).

ION... Heartbleed programmer: Sorry, my bad

http://www.techradar.com/news/internet/ ... d--1241710

That 'mistakes missed at multiple levels' thing is partly why I have little faith in climate calculations.


Quote:
The erroneous code was submitted as part of Seggelmann's PhD studies

Hmm....

Quote:
Also known as the "Oops, my bad!" admission, although a whole host of other people managed to miss the mistake over the course of the following years.

I wonder about open source software at times. People like to point out the fact that it’s peer reviewed, checked, and that bugs are traceable to individuals. I have this image in my mind (which I know is erroneous) of keen amateurs poking around with code because they can, not because they are paid to do so, but somehow this is “OK”.

Author:  jonbwfc [ Fri Apr 11, 2014 9:04 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

paulzolo wrote:
People like to point out the fact that it’s peer reviewed, checked, and that bugs are traceable to individuals. I have this image in my mind (which I know is erroneous) of keen amateurs poking around with code because they can, not because they are paid to do so, but somehow this is “OK”.

While the 'motivated amateur' might be true of the smaller stuff, it's not true of OpenSSL or its ilk. Stuff like that - crypto, basically - is mostly done by scientists and serious engineers. This is genuinely tricky stuff; I know people much smarter than me who really struggle to get a handle on the maths of crypto, let alone be able to review the code which relies on that maths. You can't just pick this stuff up, you have to have the right mind for it in the first place and then you pretty much have to do it full time to keep up.

I agree in one sense though - there's a dogmatic principle in some open source circles that peer review and open access to source by definition means the code produced is more efficient, reliable, secure etc etc etc. This rather blows that out of the water. If an open source product which is this ubiquitous and this important can have this bug in it for years, the whole rationale that 'open is better' has to be subject to question.

Author:  timark_uk [ Sat Apr 12, 2014 12:29 am ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

Also available in networking devices
Tasty.

Mark

Author:  pcernie [ Sat Apr 12, 2014 2:10 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

http://www.bloomberg.com/news/2014-04-1 ... umers.html

Yet another potential instance of, 'Who cares about the plebs? The 'game' continues!'. Morons.


This is supposed to be a continually updated list of what sites are vulnerable or not.

https://github.com/musalbas/heartbleed- ... 300UTC.txt

Author:  ProfessorF [ Sat Apr 12, 2014 2:29 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

1password is having a 50% off sale at the moment in light of this.

Author:  jonlumb [ Sat Apr 12, 2014 3:19 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

It would also appear that people need to update security certificates as well as OpenSSL as it's been possible to obtain private SSL keys using the flaw:

http://www.theverge.com/us-world/2014/4 ... urity-keys

Author:  big_D [ Sat Apr 12, 2014 3:34 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

That was the main point of the OpenSSL bug, it leaked the private keys, so every site needs to get a new certificate. The key was leaked nearly every time the exploit was used, usernames and passwords were hit or miss, whether they would be in the 64KB of memory at all.

That is also why you should turn on revoked certificate checking, stupid though that Mozilla seem to have removed the checking a couple of versions ago!

Author:  jonbwfc [ Sat Apr 12, 2014 7:25 pm ]
Post subject:  Re: Heartbleed Bug: Public urged to reset all passwords

There does seem to be discussion as to how easy it is to grab private keys using heartbleed and it's a topic under active investigation.

See the article here, which was contradicted within 4 hours of being published! It's quite a good explanation of how Heartbleed works, into the bargain.
