"Discover Cooking, Discuss Life."

04-09-2014, 06:44 PM   #1
taxlady
Chef Extraordinaire
Join Date: Sep 2010
Location: near Montreal, Quebec, Canada
Posts: 18,884
Heartbleed bug

There is a serious security vulnerability that has the possibility of affecting most banking and shopping sites. It's called the Heartbleed bug. Here's a link to what CNET has to say: 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords - CNET

I would suggest that everyone postpone online shopping and banking for at least a day or two. My bank assures me that they aren't vulnerable because they care about security and use SSL. Not convincing - the bug is in SSL.

I wish PayPal and banking sites would post something about this on their landing page. Revenue Canada did. They have temporarily closed netfile, efile, etc., etc.

__________________
May you live as long as you wish and love as long as you live.
Robert A. Heinlein
04-09-2014, 06:50 PM   #2
taxlady
Chef Extraordinaire
Join Date: Sep 2010
Location: near Montreal, Quebec, Canada
Posts: 18,884
Here's another link about the bug: Heartbleed Bug

You can check which versions of SSL are vulnerable.
__________________
May you live as long as you wish and love as long as you live.
Robert A. Heinlein
04-10-2014, 07:05 AM   #3
Hoot
Executive Chef
Site Moderator
Join Date: Aug 2007
Location: The edge of the Great Dismal Swamp
Posts: 3,308
Apparently, this nasty little bug has been around for a year or two. Changing all your passwords is a good idea.
__________________
I used to be a racist, but I don't have much interest in it since Dale Earnhardt got killed.
Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read.
Good judgement comes from experience; experience comes from bad judgement.
04-10-2014, 11:02 AM   #4
Steve Kroll
Wine Guy
Join Date: Mar 2011
Location: Twin Cities, Minnesota
Posts: 5,413
Changing your passwords AFTER a fix has been put in place is a better idea.

Unfortunately, the media has once again created an atmosphere of mass hysteria, all the while being completely ignorant of how technology actually works. Changing passwords before an OpenSSL vulnerability (not bug) has been plugged is a little like telling everyone in a burgled apartment building to change their access codes before the locksmith has updated the locks.

So what's one to do? The best advice I've read is to wait until a specific website notifies you it's updated its SSL software and THEN change your password. Some may even offer automatic password resets. In the meantime, don't pass any information to it that you wouldn't feel comfortable with others potentially gaining access to (e.g. credit cards, SSN, etc.)

Note that many of the largest companies, such as Yahoo, Google, Amazon, Facebook, and several major banks, already have fixes in place.

Another article offering some good advice: http://www.tomsguide.com/us/heartble...ews-18588.html

One more thing. You may see increased instances of "phishing" in the coming days, where hackers will send you an email that attempts to lure you to lookalike websites to collect personal information. Please be vigilant and don't fall for these ploys.
04-10-2014, 12:13 PM   #5
taxlady
Chef Extraordinaire
Join Date: Sep 2010
Location: near Montreal, Quebec, Canada
Posts: 18,884
I read to change your passwords now and change them again when the fix is in place. That makes sense to me.
__________________
May you live as long as you wish and love as long as you live.
Robert A. Heinlein
04-10-2014, 12:20 PM   #6
taxlady
Chef Extraordinaire
Join Date: Sep 2010
Location: near Montreal, Quebec, Canada
Posts: 18,884
From The Internet's Telltale Heartbleed : The New Yorker

"The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the “catastrophic bug” known as Heartbleed, “On the scale of 1 to 10, this is an 11,” it’s safe to conclude that the Internet has a serious problem."
__________________
May you live as long as you wish and love as long as you live.
Robert A. Heinlein
04-10-2014, 01:06 PM   #7
Steve Kroll
Wine Guy
Join Date: Mar 2011
Location: Twin Cities, Minnesota
Posts: 5,413
Quote:
Originally Posted by taxlady View Post
...Bruce Schneier, who has been writing about computer security for more than fifteen years...
No offense, TL, but Bruce Schneier is also a writer who has an interest in talking to the media and selling books.

I've been a computer programmer since 1978 and have worked in the past as both a network and database administrator. I'm currently employed as a database developer for the largest real estate network in the US. Part of my job has included securing networks and preventing prying eyes from getting access to data.

I'm not trying to downplay the seriousness of this exploit, but I am saying that much of the advice passed on by the media and anonymous "experts" when these things happen is dead wrong. Some of the solutions I've seen over the last couple of days (example: Don't go to work today. Instead, stay home and change all your passwords) are just plain silly and naive.

Furthermore, this vulnerability didn't just pop up last week. It's been around for two years. If you are a regular user of the internet, chances are some of your data may have already been compromised during this period. A better strategy than some of the knee-jerk solutions offered is to stay on top of things by changing your passwords every few months. I have several that I rotate through on different sites. And on sites that I visit often and that store important personally identifiable information, such as credit cards, banking information, home addresses, etc., I may change my password every few weeks.
04-10-2014, 01:28 PM   #8
taxlady
Chef Extraordinaire
Join Date: Sep 2010
Location: near Montreal, Quebec, Canada
Posts: 18,884
Quote:
Originally Posted by Steve Kroll View Post
No offense, TL, but Bruce Schneier is also a writer who has an interest in talking to the media and selling books.

I've been a computer programmer since 1978 and have worked in the past as both a network and database administrator. Part of my job has included securing networks.

I'm not trying to downplay the seriousness of this exploit, but I am saying that much of the advice passed on by the media and anonymous "experts" when these things happen is dead wrong. Some of the solutions I've seen over the last couple of days (example: Don't go to work today. Instead, stay home and change all your passwords) are just plain silly and naive.

Furthermore, this vulnerability didn't just pop up last week. It's been around for two years. If you are a regular user of the internet, chances are some of your data may have already been compromised during this period. A better strategy than some of the knee-jerk solutions offered is to stay on top of things by changing your passwords every few months. I have several that I rotate through on different sites. And on sites that I visit often and that store important personally identifiable information, such as credit cards, banking information, home addresses, etc., I may change my password every few weeks.
"...Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole..." This is well known among those interested in security and I knew it before I read it in that New Yorker article.

I agree that some of the advice is mostly "Panic!"

Of course it's a good idea to change passwords regularly, but most people don't. It's also a really good idea not to use the same password on more than one "important" site. E.g., though Discuss Cooking is important to me, it isn't a big deal if someone got the password, so mine is the same as on lots of similar sites, but it isn't the same as any of the sites where security is important, like banking, PayPal, Amazon, etc., etc.

I've been talking to Stirling about this and he is concerned too. He has been a programmer since 1983 or 1984. He is very interested in security and cryptography and keeps up on it. I'm not sure what all he has done in security, but he did work on the software for a system of secure distributed backup for companies. He worked with/for his friend who was the designer of the software and the founder of the company that was making it.
__________________
May you live as long as you wish and love as long as you live.
Robert A. Heinlein
04-10-2014, 02:22 PM   #9
GotGarlic
Chef Extraordinaire
Join Date: May 2007
Location: Southeastern Virginia
Posts: 16,879
From mashable.com: http://mashable.com/2014/04/09/heart...ites-affected/

__________________
The trouble with eating Italian food is that five or six days later you're hungry again. ~ George Miller
04-10-2014, 09:05 PM   #10
bakechef
Executive Chef
Site Moderator
Join Date: Nov 2009
Location: North Carolina
Posts: 4,082
Luckily my credit union doesn't use that version of SSL. My other credit union, which I don't keep much money in, doesn't have anything on their website.
__________________
I'm Bloggin'

http://bakingbetter.com