Post by Morreion on Apr 11, 2014 10:34:58 GMT -5
Massive Internet Security Vulnerability -- Here's What You Need To Do (Forbes)
...At a high level, the programming error that was discovered in OpenSSL means that anyone equipped with the right knowledge and tools – including technologically-sophisticated hackers and criminals – could read data from the memory of webservers running vulnerable versions of OpenSSL; any information that was transmitted securely – including passwords and credit card numbers – was potentially readable by criminals once it reached the server.
It is estimated that half-a-million sites that were using OpenSSL to ensure the security of data were, in fact, quite insecure.
This is a serious vulnerability. Some might argue that it is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet...
Heartbleed (Schneier on Security)
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own. Test your vulnerability here.
The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
The Heartbleed Hit List: The Passwords You Need to Change Right Now (Mashable)
An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.
But it hasn't always been clear which sites have been affected. Mashable reached out to some of the most popular social, email, banking and commerce sites on the web. We've rounded up their responses below.
Lastpass Heartbleed test
Post by Regolyth on Apr 11, 2014 14:43:18 GMT -5
I just kept getting back errors when I put in information.
Post by Morreion on Apr 11, 2014 17:34:05 GMT -5
I've got a better checker linked now...
Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately (SMH.com.au)
A number of conspiracy theorists have speculated the bug was inserted maliciously.
Dr Seggelmann said it was "tempting" to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.
"But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
"It is a possibility, and it's always better to assume the worst than best case in security matters, but since I didn't know (about) the bug until it was released and (I am) not affiliated with any agency, I can only speculate."
I'm throwing my hands up in despair about internet security. This was a vulnerability inserted by an open-source programmer and it was verified as OK by another programmer. In reality, it was a huge vulnerability. Imagine if this guy was a Russian Mafia plant or a Hezbollah or al-Qaeda operative. It's not too farfetched to believe that economic terrorism could cause the world market to crash and for people to not trust the internet in the future.
On top of this: Gov't says report on power grid threats mishandled (AP)
Apparently if 9 critical power substations are taken out in the US, the electrical grid could be out for weeks if not months. The government wasn't happy that this information has been reported. As a guy who has worried about a nuclear EMP attack (1 nuke going off at high altitude taking out most electronics and modern engines below), this means it is even easier to kill millions of people by shutting down electricity and food transportation (the typical supermarket has only 3 days worth of food on hand, after that- no food). All I can say is, I hope we don't see any huge attacks (internet or otherwise) in the future, but I'm to the point that it doesn't look good. Try to be prepared I guess *sighs*
Edit: And to top it all off, here's an answer to the question 'how is the government helping keep us safe?' NSA Said to Exploit Heartbleed Bug for Intelligence for Years (Bloomberg)
This is making conspiracy theorists look sane. Trust no one, nothing is safe, would be my guess.
Post by Regolyth on Apr 16, 2014 10:15:46 GMT -5
I've read about how vulnerable the electrical grid is before. Funny thing is, I went to one of the museums in D.C. and they told about this same thing, and how easily it could happen. A government funded place is telling about the dangers we could face... and yet they don't do anything about it. It's almost like they want something to happen so we can depend on them or something.
Post by Morreion on Apr 16, 2014 10:53:06 GMT -5
Here's my theory- when the federal government screws up, whether in the field of security, policy, anything really...any disaster that they didn't prepare for means they will ask for and receive more money, power, and personnel to prevent future disasters (that will happen anyway)- after the fact. It's a winning situation for them, even if they are the reason for the disaster. Case in point- the Department of Homeland Security after 9/11- they went from security guards at airports to buying 2200 armored vehicles and 1.4 billion bullets not too long ago. But that didn't stop the Boston Marathon bomber who flew back from Dagestan after the Russians warned us about him but- we misspelled his name in a database so we missed him at the airport and he went on to do the bombings (I kid you not, look it up). I guess it's time for more money and personnel again. This is the way human nature works, and it isn't pretty, which is why most people don't want to think about it.
Post by Regolyth on Apr 16, 2014 15:55:34 GMT -5
I read some things that the government does and it vexes me to no end. Like the raid on the Amish guy who was selling raw milk across state lines. Apparently the FDA spent over a year tailing him and set up a large sting operation with S.W.A.T. and all kinds of unnecessary things. That's so wasteful. He's selling raw milk in two states that agree to allow the selling of raw milk. Even if that weren't the case, who cares? Use that much effort on the guys peddling drugs to our children, or one of the thousands of gangs in the nation. Vexing, no? And the problem is, can we really do anything about it? It'll take "we the people" to get control back. If that happened though, I imagine it slowly digressing again and falling back into corrupt hands in 100-150 years. *pulls out hair*
Post by Morreion on Apr 16, 2014 20:27:55 GMT -5
Yep, I think you're right- it's human nature behind all of this. By the way, the war on Amish milk and such, a lot of that over-regulation stems from crony capitalist donations from large companies to keep their competition down. It's called regulatory capture and it is infuriating, because then a lot of people think crony capitalism is free market capitalism. No it isn't, it's a corrupt government selling over-regulation powers to the highest bidder. It always bothers me when people think corporations run America when it's a corrupt government that's taken on too much power that sells itself to the highest bidder. If I don't like a particular corporation, I can refuse to buy its products. If I don't like federal government corruption, I'm screwed because the feds have the power to throw anyone in prison for flimsy technical reasons, applied selectively. Somehow a monopoly by a business is bad but a monopoly of power by unelected politically corrupt bureaucrats is fine. I can't figure that out. The only solution I can think of to stop this corruption is to restrict federal government power...the Constitution did that at one time. Now it seems the citizenry 'wants things done' and is willing to give lots of power to politicians. That never works out well- see world history. Power corrupts. /soapbox off
Post by Regolyth on Apr 17, 2014 11:24:55 GMT -5
The only solution I can think of to stop this corruption is to restrict federal government power...the Constitution did that at one time.
Technically it still does, it just seems that overlooks it when it's convenient for them. Sadness. I think it should be illegal for corporations to give money to individuals in the government. If someone wants to run for a particular position in the government, they shouldn't be able to accept any money from corporations, and maybe even individuals, to fund their campaign. It just promotes more corruption. Honestly, maybe they shouldn't even be allowed to fund their own campaign. I know that sounds weird, but it would prevent the rich from having huge campaigns for a seat versus someone less wealthy. Or maybe there should just be a cap on what they can spend. All people running for President can only spend one million dollars on their campaign. All people running for senate can only spend $500,000; governors $100,000, mayors $10,000, etc. My numbers are probably way off from what it takes to fund a campaign, but it's the logic I'm getting at. I don't know if it's the right way to do it, but something should be done about it. It's just ridiculous now. I think Benjamin Franklin said that "no one should make a career out of being a politician, but should do it to serve one's country." That's not the exact quote, but it goes something like that. I read it a few months back. If he did say it, I think it holds truth.
Post by Morreion on Apr 17, 2014 11:50:33 GMT -5
You have some good ideas there, but whenever they do campaign finance reform, somehow there's another way for money to flood into the process. It's like a leaky dike.
I prefer just making the politicians have too little power to be worth buying. Corporations wouldn't buy politicians if the politicians couldn't punish their business rivals through over-regulation, tax code manipulation, etc. I think Texas is onto something- the Texas legislature meets every other year for a month or two- being a Texas state politician is a part-time job where you are forced to have another career to pay the bills. You aren't spending a 40-year career 24/7 trying to manipulate things to get re-elected. Think of all of the Senators that have died in office of old, old age as multi-millionaires- that's the problem.
Post by Regolyth on Apr 21, 2014 8:29:16 GMT -5
Good ol' Texas. They seem to be doing a lot right, from what I see about them in the news, even though the news is usually painting what they're doing in a negative light.
Your old age comment made me think of something, supreme court justices. They should have a term limit. Why are they the exception?