What we should do (Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...))

2014-04-18 Thread Joel Rees
Okay, the short version of the long post:

If you don't know what to do about things like the heartbeat/bleed bug, I'm
suggesting we all start contributing more to the projects we regularly use.

Learn to code if we haven't. Report bugs. Help with documentation and
localization.

That's how we reduce the number of bugs and the potential for damage.

Whether my long response to Jerry's long response to Theo's rant about the
openssl project's approach to development helps to understand how pointer
issues interact with library issues and team management issues, ... Well,
maybe it doesn't help you.

But the important thing is that we all need to help a little bit more, and
running away from learning to code doesn't help.

On Sat, Apr 19, 2014 at 11:12 AM, David Guntner  wrote:

> Joel Rees grabbed a keyboard and wrote:
> > (Reader beware. Length breeds length.)
>
> And this whole thread has gone on (and morphed) entirely too long.
> Please take it to the Debian Offtopic list.
>
> http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


-- 
Joel Rees

Computer memory is just fancy paper,
and computer I/O and the CPU are just fancy pens.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-18 Thread David Guntner
Joel Rees grabbed a keyboard and wrote:
> (Reader beware. Length breeds length.)

And this whole thread has gone on (and morphed) entirely too long.
Please take it to the Debian Offtopic list.

http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic






Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-18 Thread Joel Rees
(Reader beware. Length breeds length.)

On Thu, Apr 17, 2014 at 10:57 PM, somebody wrote:

> On 4/17/2014 5:40 AM, Curt wrote:
>
>> On 2014-04-17, ken  wrote:
>>
>>>
>>> Steve brings up a very good point, one often overlooked in our zeal for
>>> getting so much FOSS for absolutely no cost.  Since we're all given the
>>> source code, we're all in part responsible for it and for improving it.
>>>
>>
>> I don't think the point is very good for the reasons outlined below (by
>> others).
>>
>
I wonder how you could say that.

I include myself when I say this, but we are freeloading. If we want our
infrastructure to work, we have to start contributing more to the critical
parts.

And the degree to which the financial world relies on freebies from freedom
lovers, well, if the guys trying to make money on frictionless market
exchanges had to write their own, maybe they'd find it a little easier to
face the reality about "frictionless".

Having said that, it seems to me that the following just reinforces the
argument that we all need to take more part in this stuff.

>> http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html
>>
>>   Robin Seggelmann, the OpenSSL developer who claims responsibility for
>>   Heartbleed, says that both he and a reviewer missed the bug. He
>>   concludes that more reviewers are needed to avoid a repetition of the
>>   incident -- that there were not enough eyes in this case.
>>
>
More eyes means us. We may not be able to read code, but we can sure file
bug reports, and we can run more of our own services on our own servers
where we can work out the setups ourselves and watch the results and file
bug reports.

And we can learn to code when the developers are too swamped with bug
reports to handle them all.


>>   Another conclusion that might be drawn from Seggelmann's account is that
>>   depending on developers to review their own work is not a good idea.
>
Which is saying that more of us need to get our eyes on the code.


>>   Unless considerable time passes between the writing of the code and
>>   the review, the developers are probably too close to the code to be
>>   likely to observe the flaws in it.
>>
>>   However, the weakness of Seggelmann's perspective is that the argument
>>   is circular: if Heartbleed was undiscovered, then there must not have
>>   been enough eyes on the code. The proof is in the discovery or the
>>   failure to discover, which is not exactly a useful argument.
>>
>
Not a useful argument? So?

Discovering an argument circularity in no way disproves a hypothesis. It
only shows that more work is necessary, to understand the problem. And the
cycle itself is often useful when looking for a way to establish a real
foundation to the argument.


>>   A more useful analysis has been offered by Theo de Raadt, the founder of
>>   OpenBSD and OpenSSH...
>>
>> http://article.gmane.org/gmane.os.openbsd.misc/211963
>>
>> (I'll quote most of de Raadt's usenet article--hope nobody minds).
>>
>
In this case it appears that some context is necessary, as well.


>>   So years ago we added exploit mitigation countermeasures to libc
>>   malloc and mmap, so that a variety of bugs can be exposed.
>
Theo is talking about OpenBSD's libraries, and about libraries from other
OSes that have taken similar approaches.

One thing I think I remember openBSD did for this kind of thing was putting
free()ed memory into a pool that is sanitized (over-written with zeros)
before being returned to the allocatable pool.

(I think some people have tried overwriting with random data, but that's
for preventing memory burn-in, and does take enough extra time to be
unwarranted for most allocation uses. And is only important when you have
reason to worry about the spooks grabbing your hardware and taking it down
to the physics lab.)

Another involved randomization of the allocation addresses returned, and
finer granularity on the allocations.

>>   Such memory accesses will cause an immediate crash, or even a core dump,
>>   then the bug can be analyzed, and fixed forever.
>>
>
>
I think Theo has learned to not dig in too deeply when talking with the
press. Which leaves more technically inclined types to either wonder what
he's talking about or dig in to find out. (In my case, I was lurking on the
miscellaneous list at openbsd during part of the time he is referring to.
My comments come from memory; if you are interested, you should probably
dig into their archives.)

"Fixed forever" is a bit of an exaggeration, of course. But he means that
the collected set of strategies that OpenBSD uses will often mean that
array accesses out of bounds will hit memory that is not flagged as
accessible when a program is running on OpenBSD. And OpenBSD is pretty
aggressive about having the MMU throw exceptions on such accesses.

There are granularity issues, depending on page sizes, but OpenBSD is
pretty aggressive there, too.

Which means that, if op

Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread Jerry Stuckle

On 4/17/2014 10:31 AM, Curt wrote:
> On 2014-04-17, Jerry Stuckle  wrote:
>>
>> This is a totally irresponsible post, showing the op knows very little
>> about programming.
>
> http://en.wikipedia.org/wiki/Theo_de_Raadt
>
>   Theo de Raadt (/ˈθiː.oʊ dɛˈrɔːt/; Dutch: [ˈteː.o dɛˈraːt]; born May 19,
>   1968) is a software engineer who lives in Calgary, Alberta, Canada. He
>   is the founder and leader of the OpenBSD and OpenSSH projects, and was
>   a founding member of the NetBSD project.
>
> The article does go on to say that although "few deny he is a talented hacker[5]
> and security 'guru'," he suffers from "outspokenness".
>
> To say he knows very little about programming seems extreme. I guess
> you're one of the few referred to in the article.

His comments about malloc() wrappers show he knows nothing about how
the code actually works.  He may be a "talented security guru" (that has
yet to be proven), but he's not a good C programmer.


Jerry


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Archive: https://lists.debian.org/534ffd99.5060...@attglobal.net



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread Curt
On 2014-04-17, Jerry Stuckle  wrote:
>
> This is a totally irresponsible post, showing the op knows very little 
> about programming.

http://en.wikipedia.org/wiki/Theo_de_Raadt

 Theo de Raadt (/ˈθiː.oʊ dɛˈrɔːt/; Dutch: [ˈteː.o dɛˈraːt]; born May 19,
 1968) is a software engineer who lives in Calgary, Alberta, Canada. He
 is the founder and leader of the OpenBSD and OpenSSH projects, and was
 a founding member of the NetBSD project.

The article does go on to say that although "few deny he is a talented hacker[5]
and security 'guru'," he suffers from "outspokenness".

To say he knows very little about programming seems extreme. I guess
you're one of the few referred to in the article. 


Archive: https://lists.debian.org/slrnlkvpbo.30g.cu...@einstein.electron.org



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread Brad Alexander
On Thu, Apr 17, 2014 at 3:36 AM, ken  wrote:

> Steve brings up a very good point, one often overlooked in our zeal for
> getting so much FOSS for absolutely no cost.  Since we're all given the
> source code, we're all in part responsible for it and for improving it.
>  This ethic should be visited not only on lists like this one, but
> certainly also in CIS classes and definitely in business and governmental
> administration courses as well.


While I can agree in principle with this, in practice, it's not that black
and white. Let's look at a real-world example: cars. I, like most on this
list, have owned many in my life, can drive them, and even do routine
maintenance on them, e.g. brakes, oil changes, changing belts, even
changing the odd water pump. But a car is a complex system. There are many
computers and moving parts that have to work (more or less) in unison for
the car to operate properly. There are trained mechanics who know how they
"tick."

Similarly, software such as openssl is a complex beast. Very few people are
going to be able to review it, let alone code for it. The two most dire
warnings in the crypto code biz are a) never implement your own crypto
system, because there are a million ways to do it, and 999,997 of them are
wrong, and b) peer review is your friend. But just as I would probably
prefer a certified mechanic to rebuild the engine in most modern cars, I
would hope that the guys writing the code have a helluva lot more expertise
than I do and are checking up behind each other. Plus, like OpenBSD, have
mechanisms in place to minimize damage when things do go awry.


> And right now there is github where over the past couple weeks I've
> noticed quite a few "projects"-- in fact, the majority of them-- started by
> one person but with no other contributors.  A significant contribution can
> be as small as improving documentation.  As Steve points out, without more
> involvement from more people, we're probably headed for repeated such
> calamities.
>

Well, you are free not to use those. I judge this on a case-by-case basis.
For instance, I'm not likely to be an early adopter of "Joe's super-secret
foolproof cryptosystem" with one dev and a handful of commits, but I might
just think about using, say, the pitivi video editor at an early beta.
Going back to the car analogy, I said above I would want a certified
mechanic to rebuild my engine in a modern car, but I have no problem going
to my neighbor and having him change the brake pads and rotors, or even doing
that myself.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread Jerry Stuckle

On 4/17/2014 5:40 AM, Curt wrote:
> On 2014-04-17, ken  wrote:
>>
>> Steve brings up a very good point, one often overlooked in our zeal for
>> getting so much FOSS for absolutely no cost.  Since we're all given the
>> source code, we're all in part responsible for it and for improving it.
>
> I don't think the point is very good for the reasons outlined below (by
> others).
>
> http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html
>
>   Robin Seggelmann, the OpenSSL developer who claims responsibility for
>   Heartbleed, says that both he and a reviewer missed the bug. He concludes that
>   more reviewers are needed to avoid a repetition of the incident -- that there
>   were not enough eyes in this case.
>
>   Another conclusion that might be drawn from Seggelmann's account is that
>   depending on developers to review their own work is not a good idea. Unless
>   considerable time passes between the writing of the code and the review, the
>   developers are probably too close to the code to be likely to observe the flaws
>   in it.
>
>   However, the weakness of Seggelmann's perspective is that the argument is
>   circular: if Heartbleed was undiscovered, then there must not have been enough
>   eyes on the code. The proof is in the discovery or the failure to discover,
>   which is not exactly a useful argument.
>
>   A more useful analysis has been offered by Theo de Raadt, the founder of
>   OpenBSD and OpenSSH...
>
> http://article.gmane.org/gmane.os.openbsd.misc/211963
>
> (I'll quote most of de Raadt's usenet article--hope nobody minds).
>
>   So years ago we added exploit mitigation countermeasures to libc
>   malloc and mmap, so that a variety of bugs can be exposed.  Such
>   memory accesses will cause an immediate crash, or even a core dump,
>   then the bug can be analyzed, and fixed forever.
>
>   Some other debugging toolkits get them too.  To a large extent these
>   come with almost no performance cost.
>
>   But around that time OpenSSL adds a wrapper around malloc & free so
>   that the library will cache memory on its own, and not free it to the
>   protective malloc.
>
>   You can find the comment in their sources ...
>
>   #ifndef OPENSSL_NO_BUF_FREELISTS
>   /* On some platforms, malloc() performance is bad enough that you can't just
>
>   OH, because SOME platforms have slow performance, it means even if you
>   build protective technology into malloc() and free(), it will be
>   ineffective.  On ALL PLATFORMS, because that option is the default,
>   and Ted's tests show you can't turn it off because they haven't tested
>   without it in ages.
>
>   So then a bug shows up which leaks the content of memory mishandled by
>   that layer.  If the memory had been properly returned via free, it
>   would likely have been handed to munmap, and triggered a daemon crash
>   instead of leaking your keys.
>
>   OpenSSL is not developed by a responsible team.


(Sorry, a bit long here).

This is a totally irresponsible post, showing the op knows very little 
about programming.


It doesn't matter if malloc() wrappers were replaced or not.  The 
application gets memory from the OS in one or more pages (the exact 
number is dependent on several parameters).  malloc() then subdivides 
this allocation for application use.


Now this is key - it really doesn't matter whether the memory has been 
subdivided or not - if the application has a pointer to the memory, the 
application can access the memory (this has been a source of MANY bugs 
in C and C++).  This access is direct access to the memory, and does not 
call malloc().


As an example: the application calls malloc() with a request for 4 bytes 
of memory.  malloc(), seeing there is currently no free space available 
for the application, sends a request to the OS for 256K of memory (so it 
has extra for the next request).  malloc() then returns a pointer to 
(very near) the start of that memory, containing room for 4 bytes of 
application data.


But the application now has a pointer and can directly access any memory 
in that 256K block.  And since no library code is involved, nothing will 
catch a problem.  Only if the program tries to access memory beyond the 
256K block will there be a problem; the CPU will detect the application 
is trying to access an invalid address and notify the OS (which will 
typically attempt to terminate the application).


So the whole premise on which his "not responsible team" claim rests is
complete crap.  He is the irresponsible one here.


As a side note - I've been programming for about 47 years now (including 
several years at IBM) and managed many projects, both small and large. 
One thing I've found - people aren't perfect.  There are ALWAYS bugs in 
the code.  Good eyes and good QC measures (including code test suites) 
will catch a lot of bugs.  But it doesn't matter how many eyes you have 
on the code, or how many test suites you run the code through.  ANY 
non-trivial program is likely to have bugs (the last figure I heard was 
around 1 *serious* bug for every 1K LOC in releas
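The disagreement above (de Raadt: a protective malloc would have turned the leak into a crash; Jerry: an over-read that stays inside a cached block never touches the allocator, so nothing traps; Joel: OpenBSD's guard-page approach) can be reproduced in a few lines of C. This is an added example, not code from OpenSSL, OpenBSD or anyone in the thread; the "neighbour" string is constructed, the two allocators are toy stand-ins, and it assumes a POSIX system with mmap/mprotect and SIGSEGV on a guard-page access.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum { CACHED_BLOCK = 256 * 1024, SMALL_REQ = 4 };

/* Constructed stand-in for whatever happens to sit next to a 4-byte object
 * (a key, a session cookie). Not real data, just a recognisable marker. */
static const char NEIGHBOUR[] = "constructed-secret-next-door";

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy n bytes out of object p with no length validation, the shape of the
 * Heartbleed defect. Returns 1 if the copy touched unmapped memory and
 * trapped (SIGSEGV), 0 if it completed silently. */
static int unchecked_copy(unsigned char *out, const unsigned char *p, size_t n) {
    struct sigaction sa, old;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        memcpy(out, p, n);          /* reads past the 4-byte object */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Case 1 (Jerry's point): an allocator that carves small objects out of one
 * big cached block, as a freelist or a "256K from the OS" malloc does. The
 * over-read walks straight into the next slice; no allocator code runs. */
int overread_cached_block(unsigned char *out, size_t n) {
    unsigned char *block = mmap(NULL, CACHED_BLOCK, PROT_READ | PROT_WRITE,
                                MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (block == MAP_FAILED) return -1;
    unsigned char *small = block;                            /* "malloc(4)" */
    memcpy(small, "abcd", SMALL_REQ);
    memcpy(block + SMALL_REQ, NEIGHBOUR, sizeof NEIGHBOUR);  /* next slice */
    int faulted = unchecked_copy(out, small, n);
    munmap(block, CACHED_BLOCK);
    return faulted;
}

/* Case 2 (de Raadt's point): a "protective" allocation that puts the 4-byte
 * object flush against a PROT_NONE guard page, so one byte past it traps. */
int overread_guarded_alloc(unsigned char *out, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    if (mprotect(region + page, page, PROT_NONE) != 0) {
        munmap(region, 2 * page);
        return -1;
    }
    unsigned char *small = region + page - SMALL_REQ;   /* ends at the guard */
    memcpy(small, "abcd", SMALL_REQ);
    int faulted = unchecked_copy(out, small, n);
    munmap(region, 2 * page);
    return faulted;
}

/* Case 3 (the fix): validate the requested length against the object, and
 * the allocator question never arises. Returns bytes copied, or -1. */
int checked_copy(unsigned char *out, const unsigned char *p, size_t have, size_t want) {
    if (want > have) return -1;
    memcpy(out, p, want);
    return (int)want;
}

/* Convenience checks: did case 1 hand the neighbour out, did case 2 trap? */
int cached_block_leaks_neighbour(void) {
    unsigned char out[64] = {0};
    if (overread_cached_block(out, 32) != 0) return 0;
    return memcmp(out + SMALL_REQ, NEIGHBOUR, sizeof NEIGHBOUR - 1) == 0;
}

int guarded_alloc_traps(void) {
    unsigned char out[64] = {0};
    return overread_guarded_alloc(out, 32) == 1;
}

int main(void) {
    unsigned char out[64] = {0};
    printf("cached block: faulted=%d, bytes after the object: \"%.28s\"\n",
           overread_cached_block(out, 32), (const char *)out + SMALL_REQ);
    printf("guard page:   faulted=%d\n", overread_guarded_alloc(out, 32));
    printf("validated:    %d\n",
           checked_copy(out, (const unsigned char *)"abcd", SMALL_REQ, 32));
    return 0;
}
```

Both men are right about their own case: inside a cached block the over-read is invisible to any allocator hardening, and against a guard page it is a crash rather than a leak; only the length check in case 3 removes the bug itself.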

Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread Curt
On 2014-04-17, ken  wrote:
>
> Steve brings up a very good point, one often overlooked in our zeal for 
> getting so much FOSS for absolutely no cost.  Since we're all given the 
> source code, we're all in part responsible for it and for improving it. 

I don't think the point is very good for the reasons outlined below (by
others).

http://www.datamation.com/open-source/does-heartbleed-disprove-open-source-is-safer-1.html

 Robin Seggelmann, the OpenSSL developer who claims responsibility for
 Heartbleed, says that both he and a reviewer missed the bug. He concludes that
 more reviewers are needed to avoid a repetition of the incident -- that there
 were not enough eyes in this case.

 Another conclusion that might be drawn from Seggelmann's account is that
 depending on developers to review their own work is not a good idea. Unless
 considerable time passes between the writing of the code and the review, the
 developers are probably too close to the code to be likely to observe the flaws
 in it.

 However, the weakness of Seggelmann's perspective is that the argument is
 circular: if Heartbleed was undiscovered, then there must not have been enough
 eyes on the code. The proof is in the discovery or the failure to discover,
 which is not exactly a useful argument.

 A more useful analysis has been offered by Theo de Raadt, the founder of
 OpenBSD and OpenSSH...

http://article.gmane.org/gmane.os.openbsd.misc/211963

(I'll quote most of de Raadt's usenet article--hope nobody minds).

 So years ago we added exploit mitigation countermeasures to libc
 malloc and mmap, so that a variety of bugs can be exposed.  Such
 memory accesses will cause an immediate crash, or even a core dump,
 then the bug can be analyzed, and fixed forever.

 Some other debugging toolkits get them too.  To a large extent these
 come with almost no performance cost.

 But around that time OpenSSL adds a wrapper around malloc & free so
 that the library will cache memory on its own, and not free it to the
 protective malloc.

 You can find the comment in their sources ...

 #ifndef OPENSSL_NO_BUF_FREELISTS
 /* On some platforms, malloc() performance is bad enough that you can't just

 OH, because SOME platforms have slow performance, it means even if you
 build protective technology into malloc() and free(), it will be
 ineffective.  On ALL PLATFORMS, because that option is the default,
 and Ted's tests show you can't turn it off because they haven't tested
 without it in ages.

 So then a bug shows up which leaks the content of memory mishandled by
 that layer.  If the memory had been properly returned via free, it
 would likely have been handed to munmap, and triggered a daemon crash
 instead of leaking your keys.

 OpenSSL is not developed by a responsible team.


Archive: https://lists.debian.org/slrnlkv891.29q.cu...@einstein.electron.org



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-17 Thread ken

On 04/16/2014 11:50 PM green wrote:
> Steve Litt wrote at 2014-04-16 13:05 -0500:
>> I'd feel a lot better with 200 eyes than 4. Even 10 would make me
>> nervous.
>>
>> But the fault is partly mine. I never contributed to the OpenSSL
>> project, either with dollars or eyes.
>
> +1



Steve brings up a very good point, one often overlooked in our zeal for 
getting so much FOSS for absolutely no cost.  Since we're all given the 
source code, we're all in part responsible for it and for improving it. 
 This ethic should be visited not only on lists like this one, but 
certainly also in CIS classes and definitely in business and 
governmental administration courses as well.  And right now there is 
github where over the past couple weeks I've noticed quite a few 
"projects"-- in fact, the majority of them-- started by one person but 
with no other contributors.  A significant contribution can be as small 
as improving documentation.  As Steve points out, without more 
involvement from more people, we're probably headed for repeated such 
calamities.




Archive: https://lists.debian.org/534f8472.1010...@mousecar.com



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread green
Steve Litt wrote at 2014-04-16 13:05 -0500:
> I'd feel a lot better with 200 eyes than 4. Even 10 would make me
> nervous.
> 
> But the fault is partly mine. I never contributed to the OpenSSL
> project, either with dollars or eyes.

+1




Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Steve Litt
On Wed, 16 Apr 2014 08:48:01 -0600
Paul E Condon  wrote:

> On 20140416_0823+, Curt wrote:
> > On 2014-04-16, Slavko  wrote:

> > Robin Seggelmann introduced the bug:
> > 
> > From the Sydney Morning Herald:
> > 
> >  Dr Seggelmann, of Münster in Germany, said the bug which
> > introduced the flaw was "unfortunately" missed by him and a
> > reviewer when it was introduced into the open source OpenSSL
> > encryption protocol over two years ago.
> > 
> > Only four eyes?
> 
> This is a silly rhetorical question. 
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look. 

I'd feel a lot better with 200 eyes than 4. Even 10 would make me
nervous.

But the fault is partly mine. I never contributed to the OpenSSL
project, either with dollars or eyes.

SteveT

Steve Litt*  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance


Archive: https://lists.debian.org/20140416140539.53f7a0dd@mydesk



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Ralph Katz

On 04/16/2014 10:36 AM, Bill Wood wrote:
> On Wed, 2014-04-16 at 09:01 -0400, shawn wilson wrote:
>> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler
>>  wrote:
> . . .
>>> What is medical identity theft?
> 
> Theft of patient identity information, usually for the purpose of 
> insurance fraud.
> 
>> I'd also be interested seeing the proof for the claim (I think
>> he means medical data breaches but IDK anyone has disclosed that 
>> information).
> 
> My brother was heavily involved in bringing hospitals into HIPAA 
> compliance after the Act was implemented in, I think, 1996.  He 
> subsequently consulted for the state government and hospital
> systems defining security and privacy policies and conducting
> audits until his retirement a few years ago.  He told me yesterday
> (U.S. CDT) about the sharp rise in patient identity theft in recent
> years.  His comment was that ID theft occurred more often as 1-1
> cases than as massive breaches like the recent Target exploits.
> Apparently the goal is usually to obtain health services and
> prescriptions from another person's insurance.  The consequences of
> the corruption of the victim's medical records can be devastating.
> 

More info here:
http://www.consumer.ftc.gov/articles/0171-medical-identity-theft




Archive: https://lists.debian.org/534ea76b.7000...@rcn.com



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Curt
On 2014-04-16, Paul E Condon  wrote:
>> 
>> Only four eyes?
>
> This is a silly rhetorical question. 
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look. 

We're talking about code *review*. 

From the Sydney Morning Herald:

 Dr Seggelmann, of Münster in Germany, said the bug which introduced the
 flaw was "unfortunately" missed by him and a reviewer when it was
**
 introduced into the open source OpenSSL encryption protocol over two
 years ago.

...

 After he submitted the code, a reviewer "apparently also didn’t notice
  **
 the missing validation", Dr Seggelmann said, "so the error made its way
 from the development branch into the released version." Logs show that
 reviewer was Dr Stephen Henson.

...

 Phong Q. Nguyen, author of the GNUPG paper, noted that
 "bad cryptography is much more frequent than good cryptography", and the
 "fact that a source code can be read does not imply that it is actually
 read, especially by cryptography experts".

 "A reviewer would only look at the way [the algorithm] works, not at the
 code of the program that was submitted. The same happened with GNUPG,
 the reviewer accepted the code."


Archive: https://lists.debian.org/slrnlkt7kd.2e5.cu...@einstein.electron.org



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Paul E Condon
On 20140416_0754-0500, John Hasler wrote:
> Bill Wood writes:
> > I have noticed that everyone talks about the impact on the financial
> > services sector but no one has mentioned the health care information
> > sector.  I understand that healthcare systems use SSL a great deal,
> > and medical identity theft has risen sharply in recent years.
> 
> What is medical identity theft?

A very good, leading question. I think it is the kind of vacuous meme
that happens when a person's words get ahead of his thinking, the
origin of bad law.


-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: https://lists.debian.org/20140416151455.gb22...@big.lan.gnu



Re: [OT] Medical identity theft was: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Karen Lewellen

Perhaps smiles.
After all most countries do not associate so much critical information 
to one number.
But many people do not put their private information by choice in places where 
security  of a site is a risk either so.

Sorry for the side track smiles.
Kare

On Wed, 16 Apr 2014, Lisi Reisz wrote:

> On Wednesday 16 April 2014 14:54:03 Karen Lewellen wrote:
>> I give you an example of medical identity theft.  At least how it
>> can happen stateside.
>> You are say a senior or someone with a print disability in a
>> doctor's office.
>> You must get help completing the forms, and the first question you
>> must provide  is...?
>
> This is a very American rant.  The inability of the rest of us to make
> sense of it is because it doesn't apply to most of us.
>
> Anyhow, anyone who wants my medical identity is welcome to it - so
> long as I lose it when they acquire it. ;-)
>
> Lisi
>
>> your social security number.   Add that you may also be providing
>> this person private insurance numbers and the like.  A person need
>> only write down our identification and have a field day.
>> Given how challenging it is to correct damage done on your credit
>> file, see the informative story on the 60 minutes website about
>> this, a person may never get cleared.  the thief on the other hand
>> is getting credit cards and cell phones and medical things with your
>> information.
>> because the victim may not be able to investigate with ease, they
>> might not even know their identity has been compromised.
>> make sense?
>> Kare
>>
>> On Wed, 16 Apr 2014, shawn wilson wrote:
>>
>>> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler  wrote:
>>>> Bill Wood writes:
>>>>> and medical identity theft has risen sharply in recent years.
>>>>
>>>> What is medical identity theft?
>>>
>>> I'd also be interested seeing the proof for the claim (I think he
>>> means medical data breaches but IDK anyone has disclosed that
>>> information).






Archive: 
https://lists.debian.org/pine.bsf.4.64.1404161100460.41...@server1.shellworld.net



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Paul E Condon
On 20140416_0823+, Curt wrote:
> On 2014-04-16, Slavko  wrote:
> >
> > If this vulnerability comes not from newbie and was made by intent,
> > thing are worse than wrong. Then it is an attack to alone fundamental of
> > the free/open software. And what community about this? Where are
> > information, from who this vulnerability arrived? It is experienced
> > expert or it is a novice? Contribute this person to another (especially
> > security) projects too? What this person tell about this? And more and
> > more another questions are left unanswered.
> 
> Robin Seggelmann introduced the bug:
> 
> From the Sydney Morning Herald:
> 
>  Dr Seggelmann, of Münster in Germany, said the bug which introduced the
>  flaw was "unfortunately" missed by him and a reviewer when it was
>  introduced into the open source OpenSSL encryption protocol over two
>  years ago.
> 
> Only four eyes?

This is a silly rhetorical question. 
How many 'eyes' are appropriate for a last, final look?
Many, many eyes had surely already looked at the same code before
this final look. 

-- 
Paul E Condon   
pecon...@mesanetworks.net


Archive: https://lists.debian.org/20140416144801.ga22...@big.lan.gnu



Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Bill Wood
On Wed, 2014-04-16 at 09:01 -0400, shawn wilson wrote:
> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler  wrote:
   . . .
> > What is medical identity theft?

Theft of patient identity information, usually for the purpose of
insurance fraud.

> I'd also be interested seeing the proof for the claim (I think he
> means medical data breaches but IDK anyone has disclosed that
> information).

My brother was heavily involved in bringing hospitals into HIPAA
compliance after the Act was implemented in, I think, 1996.  He
subsequently consulted for the state government and hospital systems
defining security and privacy policies and conducting audits until his
retirement a few years ago.  He told me yesterday (U.S. CDT) about the
sharp rise in patient identity theft in recent years.  His comment was
that ID theft occurred more often as 1-1 cases than as massive breaches
like the recent Target exploits. Apparently the goal is usually to
obtain health services and prescriptions from another person's
insurance.  The consequences of the corruption of the victim's medical
records can be devastating.

-- 
Bill Wood





[OT] Medical identity theft was: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Lisi Reisz
On Wednesday 16 April 2014 14:54:03 Karen Lewellen wrote:
> I give you an example of medical identity theft.  At least how it
> can happen stateside.
> You are say a senior or someone with a print disability in a
> doctor's office.
> You must get help completing the forms, and the first question you
> must provide  is...?

This is a very American rant.  The inability of the rest of us to make 
sense of it is because it doesn't apply to most of us.

Anyhow, anyone who wants my medical identity is welcome to it - so 
long as I lose it when they acquire it. ;-)

Lisi

> your social security number.   Add that you may also be providing
> this person private insurance numbers and the like.  A person need
> only write down our identification and have a field day.
> Given how challenging it is to correct damage done on your credit
> file, see the informative story on the 60 Minutes website about
> this, a person may never get cleared.  The thief on the other hand
> is getting credit cards and cell phones and medical things with your
> information.
> Because the victim may not be able to investigate with ease, they
> might not even know their identity has been compromised.
> Make sense?
> Kare
>
> On Wed, 16 Apr 2014, shawn wilson wrote:
> > On Wed, Apr 16, 2014 at 8:54 AM, John Hasler  
wrote:
> >> Bill Wood writes:
> >>> and medical identity theft has risen sharply in recent years.
> >>
> >> What is medical identity theft?
> >
> > I'd also be interested seeing the proof for the claim (I think he
> > means medical data breaches but IDK anyone has disclosed that
> > information).
> >
> >





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Karen Lewellen
I give you an example of medical identity theft.  At least how it can happen 
stateside.
You are, say, a senior or someone with a print disability in a doctor's 
office.
You must get help completing the forms, and the first question you 
must provide is...?
Your social security number.   Add that you may also be providing this 
person private insurance numbers and the like.  A person need only write down our 
identification and have a field day.
Given how challenging it is to correct damage done on your credit file, 
see the informative story on the 60 Minutes website about this, a person 
may never get cleared.  The thief on the other hand is getting credit cards 
and cell phones and medical things with your information.
Because the victim may not be able to investigate with ease, they might 
not even know their identity has been compromised.

Make sense?
Kare

On Wed, 16 Apr 2014, shawn wilson wrote:

> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler  wrote:
> > Bill Wood writes:
> > > and medical identity theft has risen sharply in recent years.
> >
> > What is medical identity theft?
>
> I'd also be interested seeing the proof for the claim (I think he
> means medical data breaches but IDK anyone has disclosed that
> information).









Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread shawn wilson
On Wed, Apr 16, 2014 at 8:54 AM, John Hasler  wrote:
> Bill Wood writes:

>> and medical identity theft has risen sharply in recent years.
>
> What is medical identity theft?

I'd also be interested seeing the proof for the claim (I think he
means medical data breaches but IDK anyone has disclosed that
information).





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread John Hasler
Bill Wood writes:
> I have noticed that everyone talks about the impact on the financial
> services sector but no one has mentioned the health care information
> sector.  I understand that healthcare systems use SSL a great deal,
> and medical identity theft has risen sharply in recent years.

What is medical identity theft?
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-16 Thread Curt
On 2014-04-16, Slavko  wrote:
>
> If this vulnerability did not come from a newbie and was made on purpose,
> things are worse than wrong. Then it is an attack on the very foundation of
> free/open software. And what does the community say about this? Where is
> information about who this vulnerability came from? Is it an experienced
> expert or a novice? Does this person contribute to other (especially
> security) projects too? What does this person say about this? And more and
> more other questions are left unanswered.

Robin Seggelmann introduced the bug:

From the Sydney Morning Herald:

 Dr Seggelmann, of Münster in Germany, said the bug which introduced the
 flaw was "unfortunately" missed by him and a reviewer when it was
 introduced into the open source OpenSSL encryption protocol over two
 years ago.

Only four eyes?





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Slavko
Dňa 16. 4. 2014 1:50 Charles Kroeger  wrote / napísal(a):

> At this point, the probability is close to one that every target has had 
> its private keys extracted by multiple intelligence agencies.  The real 
> question is whether or not someone deliberately inserted this bug into 
> OpenSSL, and has had two years of unfettered access to everything.  My 
> guess is accident, but I have no proof.

(Please excuse me, I am not sure about some English terms below, thanks.)

Very good question! Around the world, there are questions about whether the
NSA (and similar) knew about this for a long time or not. IMHO, if they
didn't know about this vulnerability for months, then they aren't doing
their job well.

Back to the proper question. Was this vulnerability made by mistake? My C
knowledge is very low, but I understand that this was a stupid mistake.
If this stupid mistake can be made in the Internet's essential crypto
library, then something is wrong! Very wrong. Does nobody check the quality
of the code? Does nobody run tests? Do I need to learn C so I can check this
by myself?

If this vulnerability did not come from a newbie and was made on purpose,
things are worse than wrong. Then it is an attack on the very foundation of
free/open software. And what does the community say about this? Where is
information about who this vulnerability came from? Is it an experienced
expert or a novice? Does this person contribute to other (especially
security) projects too? What does this person say about this? And more and
more other questions are left unanswered.

Is it a time for fearing?

regards






Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Bill Wood
On Tue, 2014-04-15 at 15:55 -0400, Stephen Allen wrote:
   . . .
> BTW Revenue Canada was hacked by this bug and publicly admitted so. So
> far only a minimal number of people were affected. They were offline for
> several days.

I've been following this thread since it started, as well as some other
Internet sites that have been mentioned, and I have noticed that
everyone talks about the impact on the financial services sector but no
one has mentioned the health care information sector.  I understand that
healthcare systems use SSL a great deal, and medical identity theft has
risen sharply in recent years.  Does anyone know if there have been any
exploits of Heartbleed in this sector, or if any healthcare
organizations have said anything about fixing the problem?

-- 
Bill Wood





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Charles Kroeger
On Tue, 15 Apr 2014 07:00:03 +0200
shawn wilson  wrote:

> >> On Apr 14, 2014 11:01 AM, "Chris Bannister" 
> >>wrote:

> >> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:

> >> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html

Here's the article from Bruce's CRYPT-GRAM from April 15, 2014:

Heartbleed

Heartbleed is a catastrophic bug in OpenSSL:

 "The Heartbleed bug allows anyone on the Internet to read the
 memory of the systems protected by the vulnerable versions of
 the OpenSSL software. This compromises the secret keys used to
 identify the service providers and to encrypt the traffic, the
 names and passwords of the users and the actual content. This
 allows attackers to eavesdrop communications, steal data
 directly from the services and users and to impersonate
 services and users."

Basically, an attacker can grab 64K of memory from a server.  The attack 
leaves no trace, and can be done multiple times to grab a different 
random 64K of memory.  This means that anything in memory -- SSL private 
keys, user keys, anything -- is vulnerable.  And you have to assume that 
it is all compromised.  All of it.

"Catastrophic" is the right word.  On the scale of 1 to 10, this is an 11.

The bug has been patched.  After you patch your systems, you have to get 
a new public/private key pair, update your SSL certificate, and then 
change every password that could potentially be affected.

At this point, the probability is close to one that every target has had 
its private keys extracted by multiple intelligence agencies.  The real 
question is whether or not someone deliberately inserted this bug into 
OpenSSL, and has had two years of unfettered access to everything.  My 
guess is accident, but I have no proof.

http://heartbleed.com/
http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
or http://tinyurl.com/ngcytay
https://news.ycombinator.com/item?id=7548991
https://xkcd.com/1353/
http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/
https://freedom-to-tinker.com/blog/felten/how-to-protect-yourself-from-heartbleed/
or http://tinyurl.com/kqe4b5c
http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
or http://tinyurl.com/lhjr7zf
http://filippo.io/Heartbleed/

More about Heartbleed on my blog:
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html

-- 
CK

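As an added illustration of the class of bug Schneier's summary above describes (this is editor-written example code, not OpenSSL's source and not part of the original post or newsletter): a toy handler for a heartbeat-style echo record that reconciles the untrusted length field inside the message with the number of bytes that actually arrived before it copies anything. The absence of exactly this comparison is what let a request that claims more payload than it carries be answered with whatever happened to sit in memory after the record. The record layout, the names (hb_handle, hb_demo, the HB_* constants) and the sample records are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout, modelled on the TLS heartbeat message the post discusses
 * (constructed for this example, not OpenSSL's code):
 *   byte 0     : type, 1 = request, 2 = response
 *   bytes 1..2 : claimed payload length, big-endian, supplied by the peer
 *   bytes 3..  : payload, then at least HB_PADDING bytes of padding        */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_OUT_CAP   256

enum hb_result {
    HB_OK = 0,
    HB_TOO_SHORT = -1,        /* not even a header plus padding arrived   */
    HB_BAD_TYPE = -2,
    HB_LENGTH_MISMATCH = -3,  /* peer claims more payload than it sent    */
    HB_OUT_TOO_SMALL = -4
};

/* Build the echo response for one received record.  record_len is the byte
 * count that really arrived; the length field inside the record is untrusted
 * and must be reconciled with it before a single byte is copied. */
int hb_handle(const uint8_t *record, size_t record_len,
              uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record_len < 3 + HB_PADDING)
        return HB_TOO_SHORT;
    if (record[0] != HB_REQUEST)
        return HB_BAD_TYPE;

    size_t claimed = ((size_t)record[1] << 8) | record[2];

    /* The check Heartbleed lacked: header + claimed payload + padding must
     * fit inside what was actually received.  Without it, the memcpy below
     * would read up to 64K past the end of the record and echo it back. */
    if (3 + claimed + HB_PADDING > record_len)
        return HB_LENGTH_MISMATCH;
    if (3 + claimed + HB_PADDING > out_cap)
        return HB_OUT_TOO_SMALL;

    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + 3, record + 3, claimed);        /* bounded by the check */
    memset(out + 3 + claimed, 0, HB_PADDING);    /* never echo stale bytes */
    *out_len = 3 + claimed + HB_PADDING;
    return HB_OK;
}

/* Constructed sample record: the payload and the claimed length are chosen
 * independently, so a lying peer can be simulated without reading past buf. */
static size_t build_request(uint8_t *buf, const char *payload, uint16_t claimed)
{
    size_t plen = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 3, payload, plen);
    memset(buf + 3 + plen, 0, HB_PADDING);
    return 3 + plen + HB_PADDING;
}

/* Feed a 4-byte "ping" request carrying the given claimed length through the
 * handler; returns the hb_result and stores the response length (0 if none). */
int hb_demo(uint16_t claimed, size_t *resp_len)
{
    uint8_t rec[64], out[HB_OUT_CAP];
    size_t n = build_request(rec, "ping", claimed);
    *resp_len = 0;
    return hb_handle(rec, n, out, sizeof out, resp_len);
}

int main(void)
{
    size_t len;
    int r = hb_demo(4, &len);
    printf("honest request (claims 4):          result %d, %zu response bytes\n", r, len);
    r = hb_demo(65535, &len);
    printf("overclaimed request (claims 65535): result %d, %zu response bytes\n", r, len);
    return 0;
}
```

The honest request yields a 23-byte response (3-byte header, 4-byte payload, 16 bytes of padding); the request claiming 65535 bytes is rejected with HB_LENGTH_MISMATCH before any copy, which is the whole difference between a harmless echo and a memory disclosure. In a real server the rejection path should also be counted or logged, since a stream of over-claimed heartbeats against a patched host is exactly the signal a defender wants to see.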




Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Stephen Allen
On Tue, Apr 15, 2014 at 02:11:00PM +1200, Richard Hector wrote:
> On 15/04/14 12:59, shawn wilson wrote:
> >> That statement was made in the sense that at least the bank could have
> >> > issued a statement along the lines of 'you may have heard of the
> >> > heartbleed bug, we can assure all of our customers that we are not
> >> > affected by this bug and there is no need to panic.'
> >> >
> > No, I don't want to hear from my bank unless there's a problem. If
> > everything is going OK, don't spam me. If it's not, by all means, let me
> > know. This didn't affect them so don't tell me anything.
> > 
> 
> They don't need to send an email, or anything intrusive. They just need
> to put a big notice on the login page of their internet banking site -
> along with (or instead of) all the ads they have for cheap loans or term
> deposits or whatever. It would make virtually no difference to the speed
> of logging in, and would reassure me that they take security seriously.
> 
> Richard

Indeed - that is what the Royal Bank of Canada did (they weren't
affected).

BTW Revenue Canada was hacked by this bug and publicly admitted so. So
far only a minimal number of people were affected. They were offline for
several days.





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Richard Hector
On 14/04/14 23:41, Richard Hector wrote:
> The only local bank I've heard any info about is Kiwibank, who are
> apparently not vulnerable due to running their systems on Windows.

Heh. It turns out my bank, ASB, apparently uses Windows/IIS as well. I
have yet to decide whether I'm happy about that. I guess I'm happy for now.

Source: http://www.reddit.com/r/newzealand/comments/22ybc5/heartbleed_in_nz/

Richard





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Curt
On 2014-04-15, John Hasler  wrote:
>
> If I did any online banking (I don't) I'd change all the passwords no
> matter what the banks said and consider closing the accounts and opening
> new ones with different account numbers as well.  Maybe with different
> banks.

Except that in the case of an uncorrected vulnerability you might then
be offering the black hats your new password, whereas they might not have
been aware of the old one (before the news broke).

Logic would seem to suggest changing passwords for sites with corrected
heartbleed vulnerabilities; how to garner that information, or whether
it is safe to assume this or that financial institution has, or would
have, or must have, fixed the bug by now I will leave as an exercise for
the reader.

Well, not entirely: here is the mashable list for the big boys:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-15 Thread Martin Steigerwald
Am Dienstag, 15. April 2014, 11:41:34 schrieb Richard Hector:
> On 15/04/14 02:03, Stan Hoeppner wrote:
> >> I certainly wouldn't jump to conclusions that they're a bank therefore
> >> 
> >> > they use IBM mainframes therefore they don't use OpenSSL therefore
> >> > they're invulnerable, 
> > 
> > I jumped to no conclusion.  Do you see the word "bank" in my original
> > statement below?  No, you see "financial institutions".
> 
> Sorry. I'll add the logical step: "... they're a bank therefore they're
> a financial institution therefore they use IBM mainframes ..."

I read that certain banks in Germany had the heartbleed bug and are in the 
process of fixing it  – which they hopefully completed by now.

So I recommend asking your bank whether they had this issue *or* changing your 
access data to it *just in case*.

Instead of guessing. Guessing or speculation does not help a single bit with 
this bug. This bug is digital. Either some webserver had it or not. And if it 
had it… someone may have exploited it.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Chris Bannister
On Mon, Apr 14, 2014 at 10:34:29PM -0400, shawn wilson wrote:
> On Apr 14, 2014 10:11 PM, "Richard Hector"  wrote:
> > They don't need to send an email, or anything intrusive. They just need
> > to put a big notice on the login page of their internet banking site -
> > along with (or instead of) all the ads they have for cheap loans or term
> > deposits or whatever. It would make virtually no difference to the speed
> > of logging in, and would reassure me that they take security seriously.
> >
> 
> This is totally OT (this thread sorta has been for a while)

There is an old saying, "Don't try and put a fire out with gasoline!"

> All banks take security seriously - if they fail audits, someone will get
> fired (probably a C level someone). Past that, I can say BofA seems to
> spend extra effort on security for businesses and high value customers, and

A few years ago I had some checks stolen and subsequently cashed. The
banks weren't interested until I got the cops involved and only then did
they refund my money. Sure, they are worried about security -- their own
security.

> If a company starts posting CVEs on their home page, I'll think it kinda

Don't be ridiculous. 

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Tue, Apr 15, 2014 at 12:44 AM, Chris Bannister
 wrote:
> On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
>> On Apr 14, 2014 11:01 AM, "Chris Bannister" 
>> wrote:
>> >
>> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
>> > > On 4/13/2014 10:03 PM, Chris Bannister wrote:
>> > > ...
>> > > > considering it is a catastrophe worse than the Y2K bug.
>> > >
>> > > This is several orders of magnitude less severe than Y2K.
>> >
>> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
>> > "Catastrophic" is the right word. On the scale of 1 to 10, this is an
>> > 11"
>> >
>> > So I gathered, perhaps wrongly, that in that case the Y2K bug would have
>> > to be greater than 11 on a scale of 1 to 10.
>> >
>>
>> No we're using hex based scales now. And how this works is when someone
>> tries to be stupid and rate something a 17, it rotates into being a 0.
>
> You'd be better off emailing Mr Schneier on that one.
>

You're going to blame someone else for your (quite literal) +1 on
their comment. OK :)





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Chris Bannister
On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
> On Apr 14, 2014 11:01 AM, "Chris Bannister" 
> wrote:
> >
> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > > ...
> > > > considering it is a catastrophe worse than the Y2K bug.
> > >
> > > This is several orders of magnitude less severe than Y2K.
> >
> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> > "Catastrophic" is the right word. On the scale of 1 to 10, this is an
> > 11"
> >
> > So I gathered, perhaps wrongly, that in that case the Y2K bug would have
> > to be greater than 11 on a scale of 1 to 10.
> >
> 
> No we're using hex based scales now. And how this works is when someone
> tries to be stupid and rate something a 17, it rotates into being a 0.

You'd be better off emailing Mr Schneier on that one.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 10:11 PM, "Richard Hector"  wrote:
>
> On 15/04/14 12:59, shawn wilson wrote:
> >> That statement was made in the sense that at least the bank could have
> >> > issued a statement along the lines of 'you may have heard of the
> >> > heartbleed bug, we can assure all of our customers that we are not
> >> > affected by this bug and there is no need to panic.'
> >> >
> > No, I don't want to hear from my bank unless there's a problem. If
> > everything is going OK, don't spam me. If it's not, by all means, let me
> > know. This didn't affect them so don't tell me anything.
> >
>
> They don't need to send an email, or anything intrusive. They just need
> to put a big notice on the login page of their internet banking site -
> along with (or instead of) all the ads they have for cheap loans or term
> deposits or whatever. It would make virtually no difference to the speed
> of logging in, and would reassure me that they take security seriously.
>

This is totally OT (this thread sorta has been for a while)

All banks take security seriously - if they fail audits, someone will get
fired (probably a C-level someone). Past that, I can say BofA seems to
spend extra effort on security for businesses and high value customers, and
Wells Fargo is probably one of the most secure financial institutions I
know of (based on someone I know who does Fortify work for them and my mom
complaining about how irritating it is to deal with them). I also know of a
security company who has contracts with a financial institution. Basically
they care and have tons more knowledge working on a subject than either of
us have.

If a company starts posting CVEs on their home page, I'll think it kinda
cool or interesting, but I'm not going to read through it or take them more
seriously because of it.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Richard Hector
On 15/04/14 12:59, shawn wilson wrote:
>> That statement was made in the sense that at least the bank could have
>> > issued a statement along the lines of 'you may have heard of the
>> > heartbleed bug, we can assure all of our customers that we are not
>> > affected by this bug and there is no need to panic.'
>> >
> No, I don't want to hear from my bank unless there's a problem. If
> everything is going OK, don't spam me. If it's not, by all means, let me
> know. This didn't affect them so don't tell me anything.
> 

They don't need to send an email, or anything intrusive. They just need
to put a big notice on the login page of their internet banking site -
along with (or instead of) all the ads they have for cheap loans or term
deposits or whatever. It would make virtually no difference to the speed
of logging in, and would reassure me that they take security seriously.

Richard





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 9:15 PM, "John Hasler"  wrote:
>
> shawn wilson writes:
> > No, I don't want to hear from my bank unless there's a problem. If
> > everything is going OK, don't spam me. If it's not, by all means, let
> > me know. This didn't affect them so don't tell me anything.
>
> You assume that they would tell you if they were affected.
>
> If I did any online banking (I don't) I'd change all the passwords no
> matter what the banks said and consider closing the accounts and opening
> new ones with different account numbers as well.  Maybe with different
> banks.

Well yes, there are few businesses that have good security and information
policies and who I trust.

However, my point is that banks are in the business of keeping my money -
that's what I pay them for. They're not a news outlet or someone who I
trust to give me advice for the best use of other people's systems. And,
when compromises do happen, we don't hear about it unless there was
specific data loss found.

So basically they should never send me this type of email.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread John Hasler
shawn wilson writes:
> No, I don't want to hear from my bank unless there's a problem. If
> everything is going OK, don't spam me. If it's not, by all means, let
> me know. This didn't affect them so don't tell me anything.

You assume that they would tell you if they were affected.

If I did any online banking (I don't) I'd change all the passwords no
matter what the banks said and consider closing the accounts and opening
new ones with different account numbers as well.  Maybe with different
banks.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread shawn wilson
On Apr 14, 2014 11:01 AM, "Chris Bannister" 
wrote:
>
> On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > ...
> > > considering it is a catastrophe worse than the Y2K bug.
> >
> > This is several orders of magnitude less severe than Y2K.
>
> I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
> "Catastrophic" is the right word. On the scale of 1 to 10, this is an
> 11"
>
> So I gathered, perhaps wrongly, that in that case the Y2K bug would have
> to be greater than 11 on a scale of 1 to 10.
>

No we're using hex based scales now. And how this works is when someone
tries to be stupid and rate something a 17, it rotates into being a 0.

They're different types of bugs. Taking a scale and making something out of
bounds for it is stupid but really, so is comparing one bug to the other.
They generally affected different types of systems, were caused by
different types of oversight, were generally on a different programming
level, and mostly the Y2K bug affected financial institutions and this bug
has little effect there.

> > > Not even an email from the bank!
> >
> > Many/most financial institutions disdain open source software and would
> > much rather pay for proprietary commercial solutions so there is someone
> > to sue and recover damages when things go tits up.
>
> That statement was made in the sense that at least the bank could have
> issued a statement along the lines of 'you may have heard of the
> heartbleed bug, we can assure all of our customers that we are not
> affected by this bug and there is no need to panic.'
>

No, I don't want to hear from my bank unless there's a problem. If
everything is going OK, don't spam me. If it's not, by all means, let me
know. This didn't affect them so don't tell me anything.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Richard Hector
On 15/04/14 02:03, Stan Hoeppner wrote:
>> I certainly wouldn't jump to conclusions that they're a bank therefore
>> > they use IBM mainframes therefore they don't use OpenSSL therefore
>> > they're invulnerable, 
> I jumped to no conclusion.  Do you see the word "bank" in my original
> statement below?  No, you see "financial institutions".

Sorry. I'll add the logical step: "... they're a bank therefore they're
a financial institution therefore they use IBM mainframes ..."

> 
>> > and I wish that they'd tell us either way.
> Yes, that would be nice.  But outside of technical geeks, none of their
> customers are paying attention.

Of course they're not paying attention. Nobody's telling them about it.
The non-technical people I've spoken to have generally not heard of it.
Maybe they haven't heard of it either: that's one of the things that
concerns me.

>  And, more importantly, as a rule
> chiseled in granite, financial institutions, especially banks, never
> admit to doing anything wrong, because it opens them up to liability,
> lawsuits, thus monetary loss.  The lawyers have sewn the executives' lips
> shut on this while they spend days, if not weeks to a month figuring out
> how to best handle "needed" disclosure without losing [m|b]illions.

That may be the problem, sure. Even though I wouldn't consider it them
doing something wrong, I can see that some would, and it's an
opportunity for lawyers to make money.

Richard





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread David Guntner
For those interested:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

 --Dave





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Chris Bannister
On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
> > considering it is a catastrophe worse than the Y2K bug.  
> 
> This is several orders of magnitude less severe than Y2K.

I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html:
"'Catastrophic' is the right word. On the scale of 1 to 10, this is an
11."

So I gathered, perhaps wrongly, that in that case the Y2K bug would have
to be greater than 11 on a scale of 1 to 10.

Later, ...
"I wonder if there is going to be some backlash from the mainstream
press and the public. If nothing really bad happens -- if this turns out
to be something like the Y2K bug -- then we are going to face criticisms
of crying wolf."

That reads to me as though the Y2K bug is not as serious.

But in saying that, there is this post:
https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html

> > It seems very likely that people are using compromised apps on their
> > smartphone and you'd think it would be advisable to warn people ASAP!
> 
> OpenSSL is a library, not an 'app'.

http://tech.firstpost.com/news-analysis/android-devices-and-apps-affected-by-heartbleed-check-if-your-smartphone-is-vulnerable-221655.html

"Google has said that nearly all versions of AOSP from 4.1 and up
contain vulnerable versions of OpenSSL, but all except one had
heartbeats turned off, so no one could attack these systems. Only
Android 4.1.1 had the heartbeat feature turned on, so those devices are
vulnerable. Moreover, some OEMs may have switched heartbeat feature back
on in their phone’s software, which leaves them vulnerable too."

> > Not even an email from the bank! 
> 
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.

That statement was made in the sense that at least the bank could have
issued a statement along the lines of 'you may have heard of the
heartbleed bug, we can assure all of our customers that we are not
affected by this bug and there is no need to panic.'

Using this site http://filippo.io/Heartbleed/ shows that the bank and
ISP I use are OK. 

Why worry? It's incidents like
http://clarecurran.org.nz/post.php?post_id=309 and
http://www.itnews.com.au/News/363635,christchurch-transport-card-flaws-expose-identities-grant-free-bus-rides.aspx
which are not a great confidence booster towards the attitude to
security. I realise that banks are in an entirely different league here,
and my statement was more about the attitude to the public, and hence of
the public.

> > Then there is also the very serious issue of embedded devices using
> > openssl. Tablets, smartphones, routers, ... etc. etc. 
> 
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
> locally cached usernames and passwords.

http://readwrite.com/2014/04/11/heartbleed-bug-virus-clients-routers-virtual-machines-vpn

The point I'm making is there should at least be some transparency. Y2K
- all over the media. Snowden leaks - all over the media. Heartbleed -
not a whisper.

I saw one statement " ... lucky the general media is too thick to click
on so far ..." :)

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Stan Hoeppner
On 4/14/2014 6:41 AM, Richard Hector wrote:
> On 14/04/14 23:31, Stan Hoeppner wrote:
>>> BTW, you shouldn't focus only on banks either. There are a lot of
>>> popular services that use free software a lot, some of which happen to
>>> include payment functionality.
>> I did not "focusing on banks".  I replied to Chris Bannister's statement
>> regarding *his bank*, which you snipped, again intentionally deleting
>> context in order to be a contradictarian.
> 
> Chris, like me, appears to be in New Zealand.
> 
> The only local bank I've heard any info about is Kiwibank, who are
> apparently not vulnerable due to running their systems on Windows.

So they're just vulnerable to everything else...

> I believe at least one local bank runs most of their stuff on Linux, but
> I haven't heard anything from them.
> 
> Perhaps (some of the) banks are a bit smaller here, and don't
> necessarily run to the mainframes used elsewhere.
> 
> I certainly wouldn't jump to conclusions that they're a bank therefore
> they use IBM mainframes therefore they don't use OpenSSL therefore
> they're invulnerable, 

I jumped to no conclusion.  Do you see the word "bank" in my original
statement below?  No, you see "financial institutions".

> and I wish that they'd tell us either way.

Yes, that would be nice.  But outside of technical geeks, none of their
customers are paying attention.  And, more importantly, as a rule
chiseled in granite, financial institutions, especially banks, never
admit to doing anything wrong, because it opens them up to liability,
lawsuits, thus monetary loss.  The lawyers have sewn the executives lips
shut on this while they spend days, if not weeks to a month figuring out
how to best handle "needed" disclosure without losing [m|b]illions.

On 4/14/2014 1:55 AM, Stan Hoeppner wrote:
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.
> 
> Most financial institutions tend to run operations on IBM or clone
> mainframes.  Thus they'll likely be using IBM's mainframe
> implementations of SSL/TLS, or a commercial front end termination
> device, neither of which are likely affected by this CVE which is for a
> few specific version of OpenSSL only.

Financial Institutions, not an exhaustive list:

banks
credit unions
credit/debit card companies - VISA/MasterCard/etc
credit/debit card processors - Paymentech, etc
exchanges - stock and mercantile, dozens of them worldwide
NYSE, NASDAQ, London, Hong Kong, Tokyo, Chicago Merc
brokerage houses - hundreds worldwide
fund management companies - pensions, mutual funds, IRAs, etc
etc, etc

Cheers,

Stan





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Andre

is it really necessary to discuss this on this list?





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Scott Ferguson
On 14/04/14 19:49, Curt wrote:
> On 2014-04-14, Richard Hector  wrote:
>>
>> This one, on the other hand, was generally not predicted, and was widely
>> exploited before people got a chance to fix it. That's presumably still
>> going on.
> 
> Widely exploited?
> 
> http://en.wikipedia.org/wiki/Heartbleed
> 
> Possible exploitation prior to disclosure 
> 
>  Many major web sites patched or disabled the bug within days of 
>  its announcement,[30] but it is unclear whether potential attackers were 
> aware of 
>  it earlier and to what extent it was exploited. Based on examinations of 
> audit logs 
>  by researchers, it has been reported that some attackers may have exploited 
> the 
>  flaw for at least five months before discovery and announcement.[31][32] 
> Errata 
>  Security has partially rejected this hypothesis,[33] whereas the Department 
> of 
>  Homeland Security believes that as of April 11, "there have not been any 
> reported 
>  attacks or malicious incidents involving this particular vulnerability 
> confirmed".
> 
> 


Thanks Curt.

People please don't panic, when in doubt disbelieve the journalistic
hype. Despite what some "journalists" would have you believe (I'm
looking at you, the aptly named Ben Grubb) it's still safe to use the
internet.

For a short and reliable guide to the problem and its effects read:-
http://www.licquia.org/archives/2014/04/13/my-heart-bleeds-or-whats-going-on-with-heartbleed/
http://heartbleed.com/

Affected applications:-
https://www.openssl.org/related/apps.html


Kind regards





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Chris Angelico
On Mon, Apr 14, 2014 at 11:22 PM, Joel Rees  wrote:
> On Mon, Apr 14, 2014 at 8:41 PM, Richard Hector 
> wrote:
>>
>> The only local bank I've heard any info about is Kiwibank, who are
>> apparently not vulnerable due to running their systems on Windows.
>
>
> That's a laugh. Not vulnerable to this parade, but ...

Hey, it must be a relief for the Windows sysadmins to watch some
security news go through that they *don't* have to panic over. Gives
some presumably much-appreciated respite, while the rest of us go
checking all our stuff.

> Banks use RedHat quite extensively. OpenBSD shows up in odd places, even
> though keeping it maintained is a bit of a hassle.
>
> OpenSSL?

Bear in mind that the only servers that matter are those that can be
accessed by end users via SSL. If, for instance, they have web servers
separate from database servers, the database servers can't (AFAIK) be
vulnerable to Heartbleed.

ChrisA





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Joel Rees
On Mon, Apr 14, 2014 at 8:41 PM, Richard Hector wrote:

> On 14/04/14 23:31, Stan Hoeppner wrote:
> >> > BTW, you shouldn't focus only on banks either. There are a lot of
> >> > popular services that use free software a lot, some of which happen to
> >> > include payment functionality.
> > I did not "focusing on banks".  I replied to Chris Bannister's statement
> > regarding *his bank*, which you snipped, again intentionally deleting
> > context in order to be a contradictarian.
>
> Chris, like me, appears to be in New Zealand.
>
> The only local bank I've heard any info about is Kiwibank, who are
> apparently not vulnerable due to running their systems on Windows.
>

That's a laugh. Not vulnerable to this parade, but ...


> I believe at least one local bank runs most of their stuff on Linux, but
> I haven't heard anything from them.
>
> Perhaps (some of the) banks are a bit smaller here, and don't
> necessarily run to the mainframes used elsewhere.
>

Banks use RedHat quite extensively. OpenBSD shows up in odd places, even
though keeping it maintained is a bit of a hassle.

OpenSSL?


> I certainly wouldn't jump to conclusions that they're a bank therefore
> they use IBM mainframes therefore they don't use OpenSSL therefore
> they're invulnerable, and I wish that they'd tell us either way.
>
> Richard


My bank has been trying to get me to update my password for about six
months, I think. Just recently, they got a new OTP keychain-type dongle
that they are trying to get all their on-line customers to start using.
(I'm debating that one with myself. If done right, the OTP dongle could be
quite successful in mitigating this kind of stuff, but I'm pretty sure the
current dongles are taking the easy approach.)

-- 
Joel Rees

Computer memory is just fancy paper;
CPUs and IO devices are just fancy pens.


Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Jochen Spieker
Stan Hoeppner:
> On 4/14/2014 5:53 AM, Jochen Spieker wrote:
>> Stan Hoeppner:
>>> 
>>> This problem only exists *if* these devices connect to a compromised or
>>> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
>>> locally cached usernames and passwords.
>> 
>> That is not the whole truth. 
> 
> Yes, this is the whole truth.

Sorry, I managed to completely misread what I responded to.

> Intentionally quoting me out of context and then attempting to "correct"
> my factual statements, without adding anything constructive to the
> thread.  That's trolling.

I have never applied Hanlon's Razor to myself yet, but there's a first
time for everything. Calm down.

J.
-- 
Fashion is more important to me than war, famine, disease or art.
[Agree]   [Disagree]
 




Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Richard Hector
On 14/04/14 23:31, Stan Hoeppner wrote:
>> > BTW, you shouldn't focus only on banks either. There are a lot of
>> > popular services that use free software a lot, some of which happen to
>> > include payment functionality.
> I did not "focusing on banks".  I replied to Chris Bannister's statement
> regarding *his bank*, which you snipped, again intentionally deleting
> context in order to be a contradictarian.

Chris, like me, appears to be in New Zealand.

The only local bank I've heard any info about is Kiwibank, who are
apparently not vulnerable due to running their systems on Windows.

I believe at least one local bank runs most of their stuff on Linux, but
I haven't heard anything from them.

Perhaps (some of the) banks are a bit smaller here, and don't
necessarily run to the mainframes used elsewhere.

I certainly wouldn't jump to conclusions that they're a bank therefore
they use IBM mainframes therefore they don't use OpenSSL therefore
they're invulnerable, and I wish that they'd tell us either way.

Richard





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Stan Hoeppner
On 4/14/2014 5:53 AM, Jochen Spieker wrote:
> Stan Hoeppner:
>> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>>
>>> Then there is also the very serious issue of embedded devices using
>>> openssl. Tablets, smartphones, routers, ... etc. etc. 
>>
>> This problem only exists *if* these devices connect to a compromised or
>> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
>> locally cached usernames and passwords.
> 
> That is not the whole truth. 

Yes, this is the whole truth.

> It has by now been shown that certificates
> and private keys were at risk for two years. You are affected by this
> bug if your browser (or any other SSL/TLS client) does not properly
> check for certificate revocations or if you try to visit a previously
> vulnerable system whose certificate was not revoked for some reason.

Hence my statement above:  "connect to a compromised or rogue host"

>> So, no, definitely not on the impact scale of Y2K.  That affected
>> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
>> is the majority of the planet, whose financial institutions do not use
>> OpenSSL, are entirely safe from this bug.
> 
> No. This applies to everyone who is using sites that previously used a
> vulnerable version of OpenSSL. Since I generally cannot know which
> software is used by a specific site, I tend to go as far as concluding
> that any certificate from before 2014-04-08 may be stolen.

Intentionally quoting me out of context and then attempting to "correct"
my factual statements, without adding anything constructive to the
thread.  That's trolling.

> BTW, you shouldn't focus only on banks either. There are a lot of
> popular services that use free software a lot, some of which happen to
> include payment functionality.

I did not "focusing on banks".  I replied to Chris Bannister's statement
regarding *his bank*, which you snipped, again intentionally deleting
context in order to be a contradictarian.

Might have to add you to the kill file...

Cheers,

Stan





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Jochen Spieker
Stan Hoeppner:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>
>> Then there is also the very serious issue of embedded devices using
>> openssl. Tablets, smartphones, routers, ... etc. etc. 
> 
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
> locally cached usernames and passwords.

That is not the whole truth. It has by now been shown that certificates
and private keys were at risk for two years. You are affected by this
bug if your browser (or any other SSL/TLS client) does not properly
check for certificate revocations or if you try to visit a previously
vulnerable system whose certificate was not revoked for some reason.

> So, no, definitely not on the impact scale of Y2K.  That affected
> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
> is the majority of the planet, whose financial institutions do not use
> OpenSSL, are entirely safe from this bug.

No. This applies to everyone who is using sites that previously used a
vulnerable version of OpenSSL. Since I generally cannot know which
software is used by a specific site, I tend to go as far as concluding
that any certificate from before 2014-04-08 may be stolen.

BTW, you shouldn't focus only on banks either. There are a lot of
popular services that use free software a lot, some of which happen to
include payment functionality.

J.
-- 
If I am asked 'How are you' more than a million times in my life I
promise to explode.
[Agree]   [Disagree]
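A client-side triage of the reasoning in the post above (a certificate issued before the 2014-04-08 disclosure may have had its key exposed, and only a client that checks revocation will reject it if it was revoked), added here as an example and not code from the thread. It works on the dict shape returned by `ssl.SSLSocket.getpeercert()`; the sample certificates and the CRL path are constructed, not real.

```python
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed, as given in the post above.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 8, tzinfo=timezone.utc)


def not_before(peercert):
    """Parse the notBefore field of an ssl.SSLSocket.getpeercert() dict
    (format 'Mar  3 00:00:00 2013 GMT') into an aware datetime."""
    secs = ssl.cert_time_to_seconds(peercert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def assess_peer_cert(peercert, revocation_checked):
    """Classify a peer certificate along the lines of the post's argument.

    Returns:
      'reissued'         issued on/after disclosure, so its key cannot have
                         been leaked by a still-vulnerable server
      'check-revocation' issued before disclosure, but this client verifies
                         revocation, so a revoked cert will be rejected
      'possibly-stolen'  issued before disclosure and no revocation check:
                         the case the post warns about
    """
    if not_before(peercert) >= HEARTBLEED_DISCLOSURE:
        return "reissued"
    if revocation_checked:
        return "check-revocation"
    return "possibly-stolen"


def revocation_checking_context(crl_path=None):
    """Build a client SSLContext that rejects a revoked leaf certificate.
    crl_path is a hypothetical PEM file holding the CRL(s); when given it
    is loaded alongside the default CA bundle."""
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_path is not None:
        ctx.load_verify_locations(cafile=crl_path)
    return ctx


def context_checks_revocation(ctx):
    """True when the context will consult a CRL for the leaf certificate."""
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)


# Constructed sample peer-certificate dicts (not real certificates).
SAMPLE_CERTS = {
    "old.example.test": {
        "subject": ((("commonName", "old.example.test"),),),
        "notBefore": "Mar  3 00:00:00 2013 GMT",   # issued well before disclosure
        "notAfter": "Mar  3 00:00:00 2015 GMT",
    },
    "new.example.test": {
        "subject": ((("commonName", "new.example.test"),),),
        "notBefore": "Apr 10 12:00:00 2014 GMT",   # reissued after disclosure
        "notAfter": "Apr 10 12:00:00 2016 GMT",
    },
}


def triage(certs, revocation_checked=False):
    """Map each host name to its verdict."""
    return {name: assess_peer_cert(c, revocation_checked)
            for name, c in certs.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_CERTS).items():
        print(f"{name}: {verdict}")
```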
 




Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Curt
On 2014-04-14, Brian  wrote:
>
> The increase in the bank balances of many consultants is well-documented
> as part of the history of the Y2K period. What is still under discussion
> is whether the failure of a set of traffic lights in Alice Springs was its
> only major effect.
>
My understanding was that Y2K was a tempest in a teapot, but maybe it was
a downpour in a shower.





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Curt
On 2014-04-14, Richard Hector  wrote:
>
> My understanding is that it has been widely exploited _since_ disclosure.
>
> I could be wrong, of course - I think I heard it in chat around the office.
>

No kidding.





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Richard Hector
On 14/04/14 21:49, Curt wrote:
> On 2014-04-14, Richard Hector  wrote:
>> >
>> > This one, on the other hand, was generally not predicted, and was widely
>> > exploited before people got a chance to fix it. That's presumably still
>> > going on.
> Widely exploited?
> 
> http://en.wikipedia.org/wiki/Heartbleed
> 
> Possible exploitation prior to disclosure 

My understanding is that it has been widely exploited _since_ disclosure.

I could be wrong, of course - I think I heard it in chat around the office.

Richard





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Curt
On 2014-04-14, Richard Hector  wrote:
>
> This one, on the other hand, was generally not predicted, and was widely
> exploited before people got a chance to fix it. That's presumably still
> going on.

Widely exploited?

http://en.wikipedia.org/wiki/Heartbleed

Possible exploitation prior to disclosure 

 Many major web sites patched or disabled the bug within days of 
 its announcement,[30] but it is unclear whether potential attackers were aware 
of 
 it earlier and to what extent it was exploited. Based on examinations of audit 
logs 
 by researchers, it has been reported that some attackers may have exploited 
the 
 flaw for at least five months before discovery and announcement.[31][32] 
Errata 
 Security has partially rejected this hypothesis,[33] whereas the Department of 
 Homeland Security believes that as of April 11, "there have not been any 
reported 
 attacks or malicious incidents involving this particular vulnerability 
confirmed".





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Brian
On Mon 14 Apr 2014 at 21:15:23 +1200, Richard Hector wrote:

> On 14/04/14 18:55, Stan Hoeppner wrote:
> > 
> > This is several orders of magnitude less severe than Y2K.
> 
> Y2K was extensively predicted, a lot of people did a lot of work to
> avoid it, and in the end it wasn't very significant, no? I don't mean it
> wasn't a significant amount of work to fix the bugs, I just mean the
> final effect wasn't significant. Correct me if I'm wrong.

The increase in the bank balances of many consultants is well-documented
as part of the history of the Y2K period. What is still under discussion
is whether the failure of a set of traffic lights in Alice Springs was its
only major effect.





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-14 Thread Richard Hector
On 14/04/14 18:55, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
>> considering it is a catastrophe worse than the Y2K bug.  
> 
> This is several orders of magnitude less severe than Y2K.

Y2K was extensively predicted, a lot of people did a lot of work to
avoid it, and in the end it wasn't very significant, no? I don't mean it
wasn't a significant amount of work to fix the bugs, I just mean the
final effect wasn't significant. Correct me if I'm wrong.

This one, on the other hand, was generally not predicted, and was widely
exploited before people got a chance to fix it. That's presumably still
going on.

>> It seems very likely that people are using compromised apps on their
>> smartphone and you'd think it would be advisable to warn people ASAP!
> 
> OpenSSL is a library, not an 'app'.

And apps use libraries, do they not? What smartphone apps use openssl I
don't know.

>> Not even an email from the bank! 
> 
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.
> 
> Most financial institutions tend to run operations on IBM or clone
> mainframes.  Thus they'll likely be using IBM's mainframe
> implementations of SSL/TLS, or a commercial front end termination
> device, neither of which are likely affected by this CVE which is for a
> few specific version of OpenSSL only.

Maybe they do, maybe they don't. I would at least hope they'd stick a
notice on their homepage telling us a) whether they're vulnerable and b)
reminding us that if we use the same password on other sites as on the
bank, then firstly we should change it pronto, and secondly we should
start using different passwords, and this is a good example why.

>> Then there is also the very serious issue of embedded devices using
>> openssl. Tablets, smartphones, routers, ... etc. etc. 
> 
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
> locally cached usernames and passwords.
> 
> So, no, definitely not on the impact scale of Y2K.  That affected
> *everyone* whereas this does not.  Anyone using an MS Windows PC, which
> is the majority of the planet, whose financial institutions do not use
> OpenSSL, are entirely safe from this bug.

Financial institutions might be safe - social media sites, as I
understand it, generally aren't. I care about that quite a lot too, and
many more people use those than use any one bank.

Richard






Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-13 Thread Stan Hoeppner
On 4/13/2014 10:03 PM, Chris Bannister wrote:
...
> considering it is a catastrophe worse than the Y2K bug.  

This is several orders of magnitude less severe than Y2K.

> It seems very likely that people are using compromised apps on their
> smartphone and you'd think it would be advisable to warn people ASAP!

OpenSSL is a library, not an 'app'.

> Not even an email from the bank! 

Many/most financial institutions disdain open source software and would
much rather pay for proprietary commercial solutions so there is someone
to sue and recover damages when things go tits up.

Most financial institutions tend to run operations on IBM or clone
mainframes.  Thus they'll likely be using IBM's mainframe
implementations of SSL/TLS, or a commercial front end termination
device, neither of which are likely affected by this CVE which is for a
few specific version of OpenSSL only.

> Then there is also the very serious issue of embedded devices using
> openssl. Tablets, smartphones, routers, ... etc. etc. 

This problem only exists *if* these devices connect to a compromised or
rogue host via SSL/TLS *and* the user hasn't reset and or deleted
locally cached usernames and passwords.

So, no, definitely not on the impact scale of Y2K.  That affected
*everyone* whereas this does not.  Anyone using an MS Windows PC, which
is the majority of the planet, whose financial institutions do not use
OpenSSL, are entirely safe from this bug.

The *nix community is going ape shit over this not because of bank
accounts potentially getting drained, but because so many
command/control systems of the Internet backbone are vulnerable to
leaking encryption keys, potentially allowing any cracker access to them.

Cheers,

Stan





Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

2014-04-13 Thread shawn wilson
On Apr 13, 2014 11:03 PM, "Chris Bannister" 
wrote:
>

> Then there is also the very serious issue of embedded devices using
> openssl. Tablets, smartphones, routers, ... etc. etc.
>

You're correct about network hardware (though the only one I'm aware of so
far is F5 with the latest firmware). If anyone knows of other network
hardware that uses openssl (any version) I'd like to know.

However, how exactly would this bug be used to compromise a client (tablet
or smartphone) whose app uses openssl libs?

(I think you spoke in err and my initial intent was to dispel FUD. However
if there's a way, I'm really curious)