Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On 4/14/2014 6:41 AM, Richard Hector wrote:
> On 14/04/14 23:31, Stan Hoeppner wrote:
>>>> BTW, you shouldn't focus only on banks either. There are a lot of
>>>> popular services that use free software a lot, some of which happen to
>>>> include payment functionality.
>> I was not "focusing on banks". I replied to Chris Bannister's statement
>> regarding *his bank*, which you snipped, again intentionally deleting
>> context in order to be a contradictarian.
> Chris, like me, appears to be in New Zealand.
> The only local bank I've heard any info about is Kiwibank, who are
> apparently not vulnerable due to running their systems on Windows.
So they're just vulnerable to everything else...
> I believe at least one local bank runs most of their stuff on Linux, but
> I haven't heard anything from them.
> Perhaps (some of the) banks are a bit smaller here, and don't
> necessarily run to the mainframes used elsewhere.
> I certainly wouldn't jump to conclusions that they're a bank therefore
> they use IBM mainframes therefore they don't use OpenSSL therefore
> they're invulnerable,
I jumped to no conclusion. Do you see the word "bank" in my original
statement below? No, you see "financial institutions".
> and I wish that they'd tell us either way.
Yes, that would be nice. But outside of technical geeks, none of their
customers are paying attention. And, more importantly, as a rule
chiseled in granite, financial institutions, especially banks, never
admit to doing anything wrong, because it opens them up to liability,
lawsuits, thus monetary loss. The lawyers have sewn the executives' lips
shut on this while they spend days, if not weeks to a month figuring out
how to best handle "needed" disclosure without losing [m|b]illions.
On 4/14/2014 1:55 AM, Stan Hoeppner wrote:
>>>> Many/most financial institutions disdain open source software and would
>>>> much rather pay for proprietary commercial solutions so there is someone
>>>> to sue and recover damages when things go tits up.
>>>> Most financial institutions tend to run operations on IBM or clone
>>>> mainframes. Thus they'll likely be using IBM's mainframe
>>>> implementations of SSL/TLS, or a commercial front end termination
>>>> device, neither of which are likely affected by this CVE which is for a
>>>> few specific versions of OpenSSL only.
Financial Institutions, not an exhaustive list:
credit/debit card companies - VISA/MasterCard/etc
credit/debit card processors - Paymentech, etc
exchanges - stock and mercantile, dozens of them worldwide
NYSE, NASDAQ, London, Hong Kong, Tokyo, Chicago Merc
brokerage houses - hundreds worldwide
fund management companies - pensions, mutual funds, IRAs, etc