scardeal
scardeal Dork
4/10/14 12:55 p.m.

I haven't seen a post on it, but there's a bug that affects quite a number of websites out there that has recently been discovered. Flaw in OpenSSL that lets malicious users read memory in 64k chunks. That means your password is vulnerable.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Has GRM been affected at all?

GameboyRMH
GameboyRMH MegaDork
4/10/14 1:09 p.m.

I think this thing is a much bigger problem in theory than practice. I won't be changing any passwords over it.

Rusnak_322
Rusnak_322 Dork
4/10/14 1:36 p.m.

Suppose some bad guys got my GRM forum password. What dastardly thing could they possibly do?

N Sperlo
N Sperlo MegaDork
4/10/14 1:37 p.m.

I also heard you SHOULDN'T change your password. Dunno.

Flight Service
Flight Service MegaDork
4/10/14 1:39 p.m.
Rusnak_322 wrote: Suppose some bad guys got my GRM forum password. What dastardly thing could they possibly do?

Post pro-electic car & anti-Miata comments!

Gimp
Gimp SuperDork
4/10/14 2:06 p.m.
N Sperlo wrote: I also heard you SHOULDN'T change your password. Dunno.

You shouldn't change your password until you know that the site has made the required updates. Most of your big ones have, but one of the more common CMS systems for creating sites, Drupal, hasn't full patched yet.

If you change your password before a patch, you'll just have to do it all over again.

1988RedT2
1988RedT2 PowerDork
4/10/14 2:08 p.m.
Flight Service wrote:
Rusnak_322 wrote: Suppose some bad guys got my GRM forum password. What dastardly thing could they possibly do?
Post pro-electic car & anti-Miata comments!

Oh, noes! Not THAT!

MadScientistMatt
MadScientistMatt UltraDork
4/10/14 2:50 p.m.

We've confirmed DIYAutoTune was not affected by the bug. A couple of the test tools are giving false positives because we are running an (unaffected) openSSL variant, and our SSL certificate was generated in the affected timeframe. We're in the process of replacing the SSL certificate to prevent any false positives from popping up.

NOHOME
NOHOME SuperDork
4/10/14 3:24 p.m.

With a cheat sheet of over 100 passwords required to keep my life going, this is going to suck.

Remember when you could actually have a password that was possible to remember!?

N Sperlo
N Sperlo MegaDork
4/10/14 3:48 p.m.

In reply to Gimp:

Thanks for clearing that up.

Mike
Mike HalfDork
4/10/14 5:20 p.m.

What seems annoying from where I sit is that many providers are just reporting that they patched, without also talking about certificate changes or data exposure.

GameboyRMH
GameboyRMH MegaDork
4/10/14 5:27 p.m.

The thing about data exposure is that any that may have happened because of this already happened, and unless you're the NSA you're very unlikely to have the kind of systems needed to look back and find out what it was.

To be on the safe side they should do certificate changes, but I don't think any CA is going to give you a free new one, especially since the odds of getting a cert back through this vulnerability are quite slim.

novaderrik
novaderrik PowerDork
4/11/14 4:37 a.m.

how many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing?

these are the same computer geeks that are saying how bad this is.. probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid 90's...

eastsidemav
eastsidemav Dork
4/11/14 6:19 a.m.
novaderrik wrote: how many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing? these are the same computer geeks that are saying how bad this is.. probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid 90's...

Sorry to get sidetracked, but that work was a major part of the reason Y2K ended up not being a big deal...

GameboyRMH
GameboyRMH MegaDork
4/11/14 7:15 a.m.
novaderrik wrote: how many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing? these are the same computer geeks that are saying how bad this is.. probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid 90's...

I wish it were a nasty conspiracy to make us all filthy rich, but for me I just ran "yum update" on a couple of servers and called it a day. Total work time: 2 mins.

And Y2k wasn't a problem because of all the work geeks put in. Without it, yeah a lot of systems would have crashed or otherwise berkeleyed up.

Sky_Render
Sky_Render Dork
4/11/14 9:15 a.m.

Dear Lord, I'm tired of hearing about this. It is not NEARLY as large of a problem as the media makes it out to be.

First of all, no bank uses OpenSSL. None. Take a look at this list, where just about every major bank says "We weren't affected by this, because we weren't dumb enough to use an open standard for our encryption."

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Next, just because OpenSSL/HTTPS is vulernable, doesn't mean all your passwords and data are compromised. Heartbleed allows an attacker to read a random 64-Kb chunk of memory from a server. That's it. Memory is randomly accessed and always changing. So the chance of an attacker actually getting your private key is very, very small.

However, let's say that an attacker did manage to compromise the SSL transaction between you and Facebook (an example of a site that actually did use OpenSSL). The only way any meaningful data could come out of that attack is if the attacker could read the majority of the packets between you and Facebook's server(s). Because packets traversing the Internet take different paths, the attacker would either need to be (a) directly in your network (or directly outside your house using an air sniffer to obtain data from your WiFi) or (b) have a packet sniffer on a mirrored port in Facebook's intranet.

A good allegory would be to say that an attacker could listen in on your phone calls but only if he was in the house of either you or who you were talking to.

Was this a security issue? Yes. Did it need to be fixed? Yes. Was it as bad as the media made it out to be? NOT AT ALL.

Signed, Someone who does this E36 M3 for a living.

Rusted_Busted_Spit
Rusted_Busted_Spit UltraDork
4/11/14 9:33 a.m.

In reply to Sky_Render:

Thank you for that. As another person who does this for a living I have been inundated by people freaking out over this. Usually I can calm them down but not always.

rebelgtp
rebelgtp UberDork
4/11/14 9:47 a.m.

I have had people bringing their computers in wanting us to fix them because of this. Some really have no concept. As mentioned above we updated our servers in all of a couple minutes.

Oh this is also not as big of an issue if you do not use the same username and password for everything.

Sky_Render
Sky_Render Dork
4/11/14 9:53 a.m.

The "problem" is that most people have no idea how the Internet works. And there's nothing wrong with that; not everyone is a geek/engineer/IT professional.

The problem is that the media, who apparently don't have much to report on right now, blow everything out of proportion in an effort to boost ratings.

And my post above completely ignored the multifactor authentication that many websites (especially banks) use now.

Strike_Zero
Strike_Zero SuperDork
4/11/14 9:56 a.m.
rebelgtp wrote: Oh this is also not as big of an issue if you do not use the same username and password for everything.

QFT!!

GameboyRMH
GameboyRMH MegaDork
4/11/14 10:08 a.m.
Strike_Zero wrote:
rebelgtp wrote: Oh this is also not as big of an issue if you do not use the same username and password for everything.
QFT!!

For lazy folks, I tell them to at least use a unique and stronger password for e-mail and banking. E-mail is the keys to the kingdom of your online accounts and banking is your berkeleying money.

rebelgtp
rebelgtp UberDork
4/11/14 10:43 a.m.

trigun7469
trigun7469 HalfDork
4/11/14 10:53 a.m.

Someone was actually hacked at work today, with the small amount they pay you think a multi-million dollar non-profit that teaches computer science could prevent it.

You'll need to log in to post.

Our Preferred Partners
tY3CXiYv8oNp4VaM6qhuvgPn0KuxE82C5m74wnEMfZsqqAeJV1Bcf0TbXIkDlT9m