
Re: My fellow (Debian) Linux users ...



On Mon, Apr 14, 2014 at 1:37 AM, Ralf Mardorf <ralf.mardorf@rocketmail.com> wrote:


On Sun, 2014-04-13 at 09:33 +0900, Joel Rees wrote:
> In what sense do you mean hacked?
> Cracked, as in passwords and other sensitive information

Exactly in this way.

But how serious is the current exposure?

I was trying to separate the question of potential exposure from actual exposure.

If the really elite black hats have exploits and are tapping into every vulnerable server, we would have serious problems, but not because of the vulnerabilities. 

Elite black hats stay focused for a variety of reasons, and very few on this list are in their focus. (Developers, yes, some, but ordinary users, maybe one or two in ten thousand.) If they have a reason to quit staying focused, it would indicate very serious problems in the general social milieu -- I mean, problems of the sort that the people of The Ukraine have, but in every country.

The USNSA, well, there is nothing we can do about them for now. 

If you have reason to believe you are in the focus of someone who can take advantage of the heartbeat/bleed, fixing openssl and the potentially exposed tokens/credentials won't help you much.

If you aren't, do we have any real news of this vulnerability being used in the kits that script kiddies use? I mean, that the general unskilled black-hat wannabes use?
 
> The openssl issues have been baking for how many years?

Too long for Linux community members to be surprised by the news of
today ;). While there is no news on television and radio in Germany not
mentioning apocalyptic openssl issues, I haven't seen one serious post
about it on any open source mailing list.

I don't think that it is that the problem is being ignored.
 
JFTR

-------- Forwarded Message --------
From: freebsd-questions-request@freebsd.org
To: ralf
Date: Sun, 13 Apr 2014 14:39:45 +0000
> Your membership in the mailing list freebsd-questions has been
> disabled due to excessive bounces [...]
>
> To re-enable your membership, you can simply respond to this message
> (leaving the Subject: line intact), or visit the confirmation page at [...]

IMO this is a better solution, simply visiting a confirmation page
instead of being unsubscribed, however, I only own an Alice account and
3 Rocketmail accounts, but all accounts do cause issues now, currently
not for Debian lists only :(.

Regards,
Ralf

PS: Cc'ing is wanted.

Well, yeah, that's what I meant. You got caught in the conflux of two separate problems that are the result of almost two decades of misusing the core internet technologies. Until the illusion of large, cheap markets evaporates, the misuses will continue. (But we aren't sure we want that illusion to evaporate too soon.) All you can do is ride the waves the best you can until things settle down again for a while.

--
Joel Rees

Computer memory is just fancy paper; 
CPUs and IO devices are just fancy pens.
