
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)



On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
> > considering it is a catastrophe worse than the Y2K bug.  
> 
> This is several orders of magnitude less severe than Y2K.

I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
"Catastrophic" is the right word. On the scale of 1 to 10, this is an
11"

So I gathered, perhaps wrongly, that in that case the Y2K bug would have
to be greater than 11 on a scale of 1 to 10.

Later, ...
"I wonder if there is going to be some backlash from the mainstream
press and the public. If nothing really bad happens -- if this turns out
to be something like the Y2K bug -- then we are going to face criticisms
of crying wolf."

That reads to me as though the Y2K bug is not as serious.

But in saying that, there is this post:
https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html

> > It seems very likely that people are using compromised apps on their
> > smartphone and you'd think it would be advisable to warn people ASAP!
> 
> OpenSSL is a library, not an 'app'.

http://tech.firstpost.com/news-analysis/android-devices-and-apps-affected-by-heartbleed-check-if-your-smartphone-is-vulnerable-221655.html

"Google has said that nearly all versions of AOSP from 4.1 and up
contain vulnerable versions of OpenSSL, but all except one had
heartbeats turned off, so no one could attack these systems. Only
Android 4.1.1 had the heartbeat feature turned on, so those devices are
vulnerable. Moreover, some OEMs may have switched heartbeat feature back
on in their phone’s software, which leaves them vulnerable too."

> > Not even an email from the bank! 
> 
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.

That statement was made in the sense that at least the bank could have
issued a statement along the lines of 'you may have heard of the
heartbleed bug, we can assure all of our customers that we are not
affected by this bug and there is no need to panic.'

Using this site http://filippo.io/Heartbleed/ shows that the bank and
ISP I use are OK. 

Why worry? It's incidents like
http://clarecurran.org.nz/post.php?post_id=309 and
http://www.itnews.com.au/News/363635,christchurch-transport-card-flaws-expose-identities-grant-free-bus-rides.aspx
which are not a great confidence booster towards the attitude to
security. I realise that banks are in an entirely different league here,
and my statement was more about the attitude to the public, and hence of
the public.

> > Then there is also the very serious issue of embedded devices using
> > openssl. Tablets, smartphones, routers, ... etc. etc. 
> 
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
> locally cached usernames and passwords.

http://readwrite.com/2014/04/11/heartbleed-bug-virus-clients-routers-virtual-machines-vpn

The point I'm making is there should at least be some transparency. Y2K
- all over the media. Snowden leaks - all over the media. Heartbleed -
not a whisper.

I saw one statement " ... lucky the general media is too thick to click
on so far ..." :)

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X
