Heartbleed Virus A Concern?
(General Discussion forum thread)
Ray (Participant), April 10, 2014 at 3:37 pm #39427

Charlie (Keymaster), April 11, 2014 at 11:53 am #39452
It’s bad from what I hear because of how many servers are affected, but I don’t think there’s anything that individual users can do to protect themselves from this. I’ve heard to try not to change any passwords or log in to sites for the next 24-48 hours unless you have to. That might be an overreaction, but it’s hard to tell at this point. I wouldn’t worry too much, if only because there isn’t anything that we can do at this point but wait for hundreds of thousands of web servers around the world to update their software and eliminate this bug.

Rick in China (Participant), April 11, 2014 at 1:14 pm #39460
It’s not a virus.. it’s a bug found in a very commonly used component to manage secure web traffic. Big difference 😀
Concerned – yes, but, realistically, I don’t think many people are going to be directly affected by this, it’s more of a “could affect anyone, won’t likely affect you” type thing, like SARS!
I agree with Charlie to some extent – there may be little value in changing passwords on services that haven’t been patched yet, but if by chance your login/pass has already been dumped out somewhere, it’s there, and changing it now means you can potentially stop a threat from an older info dump; you’d just want to change it again once any service which hasn’t already been patched does patch.

Charlie (Keymaster), April 11, 2014 at 6:13 pm #39467
Came across this today: The Heartbleed Hit List

Rick in China (Participant), April 11, 2014 at 9:20 pm #39468
@Charlie
Supposed to have a link?

Ray (Participant), April 11, 2014 at 9:25 pm #39470
No kidding, I was seriously using one password for like 8 sites. My technogeekbutmakesthebig$$$ brother slapped some sense into me quicksmart 🙂

Rick in China (Participant), April 11, 2014 at 10:04 pm #39471
Same password for 8 sites isn’t an issue.. necessarily.
I classify my passwording into level of information provided. If I need to provide a lot of personal information, m’fer gets a unique strong password. If it’s, say, a forum where I have nothing necessarily other than a user name, doesn’t matter, can put it into the “common whatever” usage.
Choosing a strong password doesn’t necessarily mean shit, either. The services you use may use encryption – but encryption gets cracked, and newer types of encryption need to be implemented on legacy data. Users generally expect this kind of thing to happen – or don’t realise it needs to – and there are many other problems with any data on any service beyond just strong encryption that we need to consider. Safety comes only from assuming everything will be decrypted and all data will be vulnerable, so be cautious with the data entered everywhere, not forgetting that sometimes we think we’re on an official site when it’s not (MITM). Bottom line is expect everything to be compromised~
Most of the common password uniqueness and strength issues can be solved with quality password managers, but those also introduce other issues – SSOF or whatever, it’s all about being stingy like a m’fer about what you enter where 🙂

niklas (Participant), April 12, 2014 at 2:21 am #39472
> Concerned – yes, but, realistically, I don’t think many people are going to be directly affected by this, it’s more of a could affect anyone wont likely affect you type thing, like SARS!
I’m not so sure. If there’s no cap on the heartbeat requests server-side then a single computer could be bombing out loads of these requests and snap up quite some information. And we’re not talking single computers being used for this, but huge botnets. I believe China has the biggest botnets by far as well.
A couple of days ago, when Heartbleed was getting much attention in the news, both my weixin and QQ accounts were logged out due to “suspicious activity” and I had to have them verified.
I’d say it’s pretty serious and now might be a good time to change passwords. Guess the waiting-with-changing-passwords thing makes sense too, as many systems might still be vulnerable. To stay safe, maybe changing now, and then changing again after a while when systems should’ve been upgraded and are no longer vulnerable, is a good idea.

Charlie (Keymaster), April 12, 2014 at 12:39 pm #39475
> @Charlie
> Supposed to have a link?
Yes, I’m an idiot, sorry. Here’s the link: The Heartbleed Hit List: Passwords You Need to Change Right Now
> I classify my passwording into level of information provided. If I need to provide a lot of personal information, m’fer gets a unique strong password. If it’s, say, a forum where I have nothing necessarily other than a user name, doesn’t matter, can put it into the “common whatever” usage.
This is an interesting strategy. I haven’t heard of anyone doing this, but it makes sense. But for the sites where you provide a lot of personal information, how do you manage those passwords? I think a password manager is the only way to stay on top of multiple difficult-to-crack passwords.
I use 1Password on Mac and iPhone and it is not cheap but it’s amazing. Once you get on a system like this you might as well just create insane passwords for everything (which I have been doing) since it’s the same amount of effort anyway. You aren’t remembering passwords and you aren’t manually inputting passwords (1Password has browser extensions and works through Alfred, which I also use constantly).
Looks like the NSA has known about Heartbleed for years. Those bastards.

Rick in China (Participant), April 12, 2014 at 3:07 pm #39477
1password seems like the best password manager option – it’s what my company suggests to use also, and they’ll pay for it for employees who choose to use it.. I’m very tempted, there are lots of benefits, but to answer your question:
Sometimes, for example, I strap a bunch of combinations of characters and phrases together, sometimes situational – like if I see some rmb beside me on the counter I’m near I might do something like: rNIc$1&5/WwiBwT$1 – which I remember by “right now I see $1 and 5, what would I buy with that $1” – it’s not as strong as a 1Password generated key by any means, but I figure it’s strong *enough* for most cases. I can remember quite a few of these, I don’t know how many, maybe 12 to 15 of them kickin’ at a time..
RE: NSA – why would they report something that gives them so much access to information, who cares about *public security* right 😛

Charlie (Keymaster), April 12, 2014 at 5:15 pm #39479
> 1password seems like the best password manager option – it’s what my company suggests to use also, and they’ll pay for it for employees who choose to use it..
Sounds like an amazing company you work at! I suggested 1Password to my company’s CEO after we had an employee’s password phished, which led to a lot of problems, and he scoffed incredulously at the price, hahah.

Rick in China (Participant), April 12, 2014 at 5:20 pm #39480
@Charlie
RE: “and he scoffed incredulously at the price”
That’s the type of attitude towards security that leads to massive theft and destruction, and crying CEOs jumping out of windows 😛

niklas (Participant), April 12, 2014 at 5:23 pm #39481
> Came across this today: The Heartbleed Hit List
Anyone know of a similar list but for Chinese websites?

Charlie (Keymaster), April 13, 2014 at 1:33 pm #39487
> That’s the type of attitude towards security that leads to massive theft and destruction, and crying CEOs jumping out of windows
¯\_(ツ)_/¯
Pretty sure you couldn’t jump out of a single window in the entire Tianfu Software Park even if you wanted to! We’re too close to Foxconn to even consider allowing windows to fully open.

Ray (Participant), April 15, 2014 at 1:59 pm #39519
reddit is now recommending users change their passwords due to Heartbleed

Rick in China (Participant), April 15, 2014 at 2:04 pm #39520
Pah.
I looked at the list of infected systems that recommend changing passwords. I think I had like, godaddy, and nothin’ else 😛

Ray (Participant), April 15, 2014 at 2:11 pm #39521
New password suggestion: mynewpassword.
Security level: impenetrable 🙂
@RickinChina: godaddy.com was not what I was expecting. Got excited for a minute there…

Rick in China (Participant), April 15, 2014 at 2:48 pm #39522
I was lazy and bought some cheap domain/whatever bits’n’pieces to squat on before. I’ve heard lots of godaddy hate for ages, but don’t really care; for the amount and lack of usage it is convenient, and I don’t trust most smaller companies with my credit card details.. not that I trust godaddy much more. So, yeah, that’s the only thing I think that affected me, although I’ll change the google pwds even if they say it’s not necessary.
What affected you?