SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Old 04-09-14, 06:59 PM   #1
CCIP
Navy Seal
 
Join Date: Apr 2005
Location: Waterloo, Canada
Posts: 8,700
Downloads: 29
Uploads: 2


Default Don't forget to change your passwords!

I know some of you are probably tired of hearing this today, but for the benefit of those who may be out of the loop:

http://www.bbc.com/news/technology-26954540

Basically, a serious exploit called Heartbleed has been discovered in the OpenSSL (Secure Socket Layer), a protocol that is commonly used for transmitting sensitive data online. Many services, especially those where money or private information might be stored, have suggested changing your passwords - Canada's tax agency even shut their sites for the moment to ensure no data leaks. So, better safe than sorry! Good excuse to do a routine password change anyway, which is nice to do every once in a while.
__________________

There are only forty people in the world and five of them are hamburgers.
-Don Van Vliet
(aka Captain Beefheart)
Old 04-10-14, 01:49 AM   #2
Lionclaw
Ace of the Deep
 
Join Date: Dec 2003
Posts: 1,006
Downloads: 5
Uploads: 0
Default

Thanks, first time I've heard about it.

It's going to take time to change every password.
Old 04-10-14, 05:00 AM   #3
Jimbuna
Chief of the Boat
 
Join Date: Feb 2006
Location: 250 metres below the surface
Posts: 190,453
Downloads: 63
Uploads: 13


Default

Potentially very worrying.
__________________
Wise men speak because they have something to say; Fools because they have to say something.
Oh my God, not again!!

Old 04-10-14, 05:41 AM   #4
banryu79
Samurai Navy
 
Join Date: Feb 2014
Location: Italy
Posts: 554
Downloads: 82
Uploads: 2
Default

Potentially the worst bug in the entire history of the world wide web

If you want the details:
http://heartbleed.com/
(this web page was made by the guys of Codenomicon)

Btw, it is better to wait for the release of a patched implementation, otherwise changing your password is perfectly useless...
And for password management I strongly recommend the use of dedicated software (a password manager) like KeePass.
Besides remembering your passwords it has a very useful password generator tool so you can generate strong passwords.

Last edited by banryu79; 04-10-14 at 05:54 AM.
Old 04-10-14, 05:54 AM   #5
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


Default

Worst security event ever in the internet's history so far.

Currently, changing passwords does nothing if they have not previously changed their SSL software and certificates; your new passwords would be corrupted too, then.

There is a list somewhere of sites that showed which ones were safe or not safe yesterday, around noon time. Maybe it gets updated. For administrators and server operators there also are one or two sites where you could let your servers check.

It's pretty bad, exceeding the scale. Be advised that changing passwords does nothing if they have not updated their SSL software and certificates before. You want to be certain they did, before dwelling in the illusion of being safe again just because you changed those codes of yours.

It's funny somehow how little note the world has taken, shows how little common people understand about the web, and how exposed they are to their ignorance's inherent dangers. If in California the Big One would have flattened LA, people would have taken note, wouldn't they?
__________________
If you feel nuts, consult an expert.
Old 04-10-14, 05:55 AM   #6
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


Default

Ah, banryu was a bit faster than me...
__________________
If you feel nuts, consult an expert.
Old 04-10-14, 06:04 AM   #7
Catfish
Dipped Squirrel Operative
 
Join Date: Sep 2001
Location: ..where the ocean meets the sky
Posts: 17,765
Downloads: 38
Uploads: 0


Default

The "new" Internet is the old ARPANET.
Certificates are of no use if the NSA can publish those itself, or just intercept or read out those from any personal PC.

So if you want any security against breaches or eavesdropping, we need another net, and other protocols.

Up to then all you do is already compromised.
Old 04-10-14, 06:54 AM   #8
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


Default

Windows Cloud, anyone!?

The bugs are now placed in the OS itself. No firewall and virus scanner can get them there. He who thinks he is safe when using an antivirus or firewall, lives on the moon.

I personally am convinced that they already have started to sink bugs into the hardware, into ROMs and BIOS. They would be incompetent if they had not done so by now.

Don't trust chips made by somebody else. Only trust chips you made yourself.
__________________
If you feel nuts, consult an expert.
Old 04-10-14, 07:37 AM   #9
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


Default

This is the list I mentioned.

https://github.com/musalbas/heartble...r/top10000.txt

Note that it was valid Wednesday.

Also note, since there are many gamers here, amongst the sites still vulnerable yesterday, was Steam.

Also note this: risks remain even after servers have been patched and passwords have been changed, because criminals could use the old exploit to decipher old data traffic that they have collected before. You may want to think about whether or not you are at risk from that direction.
__________________
If you feel nuts, consult an expert.
Old 04-10-14, 08:03 AM   #10
Nippelspanner
Stowaway
 
Posts: n/a
Downloads:
Uploads:
Default

I start to hate the internet...
Old 04-10-14, 08:08 AM   #11
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


At the time of writing this, the subsim.com website IS NOT affected:
__________________
If you feel nuts, consult an expert.

Last edited by Onkel Neal; 04-12-14 at 11:38 AM. Reason: corrected
Old 04-10-14, 08:22 AM   #12
STEED
Lucky Jack
 
Join Date: Jan 2006
Location: Down Town UK
Posts: 27,695
Downloads: 89
Uploads: 48


Default

The Internet is safe and your stuff is secure and safe trust the Internet.

I trust the Internet about as much as I trust a politician...ZERO.
__________________
Dr Who rest in peace 1963-2017.

To borrow Davros saying...I NAME YOU CHIBNALL THE DESTROYER OF DR WHO YOU KILLED IT!
Old 04-10-14, 10:34 AM   #13
banryu79
Samurai Navy
 
Join Date: Feb 2014
Location: Italy
Posts: 554
Downloads: 82
Uploads: 2
Default

Steam or subsim... seriously I'm a bit more worried about my online bank account, you know!
Old 04-10-14, 11:04 AM   #14
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 42,602
Downloads: 10
Uploads: 0


Default

It could very well be that it is no criminal gangsters behind this, or an unintended error during programming of source code, but that intelligence agencies, namely the NSA, are behind this, in an effort to generally weaken security standards in the web and install backdoors that are hidden as "criminal" attacks or "software bugs" to allow what is called "plausible denial". That certain intelligence services are explicitly trying to overhear and control ALL the internet and enforce access to EVERY system there is, is no longer a secret by now, is it.
__________________
If you feel nuts, consult an expert.
Old 04-10-14, 11:23 AM   #15
Wolferz
Navy Seal
 
Join Date: May 2007
Location: On a mighty quest for the Stick of Truth
Posts: 5,963
Downloads: 52
Uploads: 0
Quote:
Originally Posted by Skybird
It could very well be that it is no criminal gangsters behind this, or an unintended error during programming of source code, but that intelligence agencies, namely the NSA, are behind this, in an effort to generally weaken security standards in the web and install backdoors that are hidden as "criminal" attacks or "software bugs" to allow what is called "plausible denial". That certain intelligence services are explicitly trying to overhear and control ALL the internet and enforce access to EVERY system there is, is no longer a secret by now, is it.
It's the side benefit that DARPA had planned from the get go. Easy access for intelligence gathering and information control purposes.
Orwell was only off by what, thirty years?
__________________

Tomorrow never comes
All times are GMT -5.