
Time to change your passwords (... or not)

PostPosted: Wed Apr 09, 2014 2:11 am
by Cyborg Girl
http://heartbleed.com/

Read and weep. And then go change all your passwords for encrypted sites! Because there's a fair chance some crook might have them. :(

Edit: or maybe not yet:

http://www.theguardian.com/technology/2 ... of-servers

Because some slowpokes haven't issued new SSL certs yet.

Re: Time to change your passwords (... or not)

PostPosted: Wed Apr 09, 2014 2:04 pm
by Swift
GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:

Re: Time to change your passwords (... or not)

PostPosted: Wed Apr 09, 2014 11:36 pm
by code monkey
Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:


don't hold back, swift. tell us what you really think.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 12:02 am
by Sigma_Orionis
Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:



Dude, if I had to start all over again I'd be a Plumber. I got into IT because Physics in this country doesn't pay squat.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 1:35 am
by Morrolan
I use Lastpass and they have added a feature that lets the program check if the sites you use are affected.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 1:36 am
by Cyborg Girl
swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 1:55 am
by Swift
Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 2:11 am
by The Supreme Canuck
I'm thinking of switching to a password manager over this. I see Morrolan's posted Lastpass. What do we think of the security on that one? I was considering Bruce Schneier's Password Safe. Which do the IT folks here think is the better bet?

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 2:22 am
by Cyborg Girl
I don't know anything about Lastpass, other than that it's "cloud based"... which immediately makes me suspicious. I don't want my bank account credentials and such anywhere I don't have direct access to and control over.

I'd say use a local password manager like KeePass with a good (slow) algorithm like Blowfish, and a strong (long, memorable, hard to guess) master password. I'm not a crypto wizard though.

Another possibility is to use GPG (Gnu Privacy Guard), maybe with some sort of graphical frontend. (KGPG is good, Seahorse not quite as good. GPA sucks but gets the job done, barely.) This might be a good idea; if you're emailing with people about anything confidential, you should probably get familiar with GPG, because email is plaintext and can be easily intercepted.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 4:28 am
by SciFiFisher
I use a commercial password minder called RoboForm. Yes, they charge money for it. But, it's a pretty good tool. It has the ability to sync across multiple platforms and it can generate strong passwords for you if you don't feel like creating your own. My standard is to password protect the PW minder. I also use a password on my computer. A really good hacker could probably get past those but he would have to at least work for it. In some ways the best protection is the fact that you are one in 4 billion users on the internet.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 4:30 am
by Morrolan
then you may want to read up on it, GJ, it consistently scores high in reviews for safety. plus the premium version I use also allows me to use it on my smartphones and tablets, be they iOS or Android.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 5:02 am
by Sigma_Orionis
I don't use password managers.

Why? No objective reason, I just find them annoying.

I keep my passwords in a freeware tool called fsekrit. It's not a password manager: it's an encrypted file editor, works like the Windows Notepad, it's small (60K), portable (meaning it doesn't require installation, I usually run it from my USB PenDrive) and the encrypted text is saved as part of the program.

I have several strong passwords I use for the important sites (the ones where my credit card info is kept for instance) and a zillion that I use in places I don't give a rat's ass if they're compromised.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 5:22 am
by Sigma_Orionis
Swift wrote:
Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.


Just to make you feel even better: That saying is at least from the 70s

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 5:55 am
by squ1d
Sigma_Orionis wrote:
Swift wrote:
Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.


Just to make you feel even better: That saying is at least from the 70s


As the only person here that actually makes a living from designing software, let me clear up a few things.

Almost everything is controlled by software these days, so if that quote were true in any way whatsoever, civilization would have already crumbled. The fact that shit applications exist is no need to point fingers at an entire profession. "That is not an exaggeration" ... oh yes it is. And what exactly do you know about how we design programs? That quote from the 70's .. when Voyager was launched. That thing what has the codes in it.

In this case, a computer scientist with a PhD introduced a bug in 2011 while patching the heartbeat code in OpenSSL. Dadoy.

It's a serious bug as far as these things go, but security paranoia has reached ridiculous levels, and the "don't use the internet for a few days" advice just made me laugh hysterically.

"Chances are some crook has your passwords" -- I don't know how you calculate chance, but obviously not the same way I do.

Nobody has ever stolen my identity or money from me, or blackmailed me, or set me on fire, because of buffer underruns on my internets, so forgive me for not buying into the panic.
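The heartbeat bug mentioned in the post above came down to one missing bounds check: the OpenSSL code trusted the payload length declared inside the heartbeat record and copied that many bytes into the reply, even when the record it had actually received was much shorter. The following is an added example written for this page, not OpenSSL's code; it models the RFC 6520 record layout (type, 2-byte length, payload, at least 16 bytes of padding) and the function names `hb_echo_payload`, `hb_build_request` and `hb_demo_verdict` are my own. The sample records it builds are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not OpenSSL's code). Models the TLS heartbeat record from
 * RFC 6520: type (1 byte), payload_length (2 bytes, big-endian), payload,
 * then at least 16 bytes of padding. The single check in step 3 is the one
 * whose absence was the Heartbleed bug. */

#define HB_HEADER_LEN   3      /* type + 2-byte length          */
#define HB_MIN_PADDING  16     /* RFC 6520 requires >= 16 bytes  */
#define HB_TYPE_REQUEST 1

/* Validate a heartbeat request and copy its payload into `out` for echoing.
 * Returns 0 on success (with *out_len set) or -1 if the record is malformed
 * and must be discarded without sending a reply. */
int hb_echo_payload(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t payload_len;

    /* 1. A record too short for header + minimum padding cannot be valid. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_TYPE_REQUEST)
        return -1;

    /* 2. Read the peer-supplied length; this field is attacker-controlled. */
    payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* 3. The fix in one line: the claimed payload plus header and padding
     *    must fit inside the bytes actually received. Without this check
     *    the memcpy below would read past the end of `rec`. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    /* 4. Do not trust the caller's output buffer size either. */
    if (payload_len > out_cap)
        return -1;

    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Build a constructed heartbeat request. `declared_len` is what the length
 * field claims; `payload` is what the record really carries. Returns the
 * record length written, or 0 if `buf` is too small. */
size_t hb_build_request(uint8_t *buf, size_t cap, uint16_t declared_len,
                        const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_TYPE_REQUEST;
    buf[1] = (uint8_t)(declared_len >> 8);
    buf[2] = (uint8_t)(declared_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    /* 0xAA stands in for the random padding a real peer would send. */
    memset(buf + HB_HEADER_LEN + payload_len, 0xAA, HB_MIN_PADDING);
    return total;
}

/* Build a 5-byte "hello" request with the given declared length and return
 * hb_echo_payload's verdict: 0 = echoed, -1 = rejected. */
int hb_demo_verdict(uint16_t declared_len)
{
    uint8_t rec[64], out[64];
    size_t out_len;
    const uint8_t msg[] = "hello";
    size_t rec_len = hb_build_request(rec, sizeof rec, declared_len, msg, 5);
    return hb_echo_payload(rec, rec_len, out, sizeof out, &out_len);
}

int main(void)
{
    /* Honest record: claims 5 bytes and carries 5. */
    printf("declared 5:     %s\n", hb_demo_verdict(5) == 0 ? "echoed" : "rejected");
    /* Off by one: claims 6 bytes, only 5 + padding present. */
    printf("declared 6:     %s\n", hb_demo_verdict(6) == 0 ? "echoed" : "rejected");
    /* The Heartbleed shape: claims far more than the record holds. */
    printf("declared 65535: %s\n", hb_demo_verdict(65535) == 0 ? "echoed" : "rejected");
    return 0;
}
```

The check in step 3 is the whole story: any parser that echoes or copies data based on a length field must compare that field against the number of bytes it actually holds before touching memory. A regression test with a declared length one byte too large, as in the second case above, is the cheapest way to keep such a check from silently disappearing again.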

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 5:58 am
by squ1d
Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:



.... he said, posting on his favourite online forum on a computer device containing software, via the internet. :D

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 12:30 pm
by FZR1KG
Sure squid, but just you wait until year 3000 when the trimellenium bug hits and all flying cars just crash to the ground because they couldn't work out what day it is... :P

I agree with you squid. It's like when electronics first came out. They said it was unreliable, sissy stuff that can't be used in real applications like cars etc. It's not the technology that's bad it's those in it who aren't up to the required level of expertise.

A classic example was a gas heater controller a friend had issues with producing that was designed by a guy who knows electronics to work with stuff but little about design. He attempted to design an RC timer to control a relay but what he achieved was a timer controlled by the drop out voltage of the relay. Naturally it varied and no one could work it out for years. The circuit looked like it should work but it was set to common collector rather than common emitter and that was enough to totally change the characteristics. To make things worse, I showed them the fault, told them how to change it and fix the problem permanently making it safer and more reliable but the cost of retesting for gas compliance was over $5000 so no one wanted to do it.
Net result is a faulty design that passed testing by underskilled testers, designed by an unskilled designer and not fixed by a greedy company owner.
These are one of the top selling gas controllers for imitation wood heaters in the USA.

If people aren't going to fix a gas device on a major selling item what chance is there of organising a software rewrite of someone's faulty code.
For the record I suggested a total redesign using a CPU and software control. It's more reliable and has far less development time than a discrete design. When done properly. The answer was that software requires different certification for gas devices...yeah, because you all know how to test simple electronics so well. :roll:

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 12:44 pm
by Sigma_Orionis
squ1d wrote:As the only person here that actually makes a living from designing software, let me clear up a few things.


Not so, EVERYONE knows that Software Development, Systems Administration, RDBMS Administration, Network Administration, Desktop Support, "The Internet is down, go fix it", "Fix my Smart Phone", "Why can't I use What's App?", and "Steve Jobs" are all the same thing. Don't you try to hand wave your way out of this one, I AM THE ULTIMATE COMPUTER AUTHORITY HERE! and I say it's YOUR FAULT :P

squ1d wrote:Almost everything is controlled by software these days, so if that quote were true in any way whatsoever, civilization would have already crumbled. The fact that shit applications exist is no need to point fingers at an entire profession. "That is not an exaggeration" ... oh yes it is. And what exactly do you know about how we design programs? That quote from the 70's .. when Voyager was launched. That thing what has the codes in it.


Fun fact: the original quote "If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization" is attributed to Gerald Weinberg.

Dr. Weinberg was "Manager of Operating Systems Development in the Project Mercury (1959–1963)" (and NO Virginia, I am pretty sure his team wasn't designing general purpose Computer Operating Systems, so don't blame MS-DOS on him :P) according to his Wiki entry. So I suppose the quote is even older, from the early 60s.

Bottom Line: Yew Code Monkeys are still getting blamed for the loss of Mariner I, among other things so it's STILL all your fault :P

Besides, developers (Particularly the Siebel Crowd) ALWAYS blame my infrastructure when they're being grilled for not meeting their deadlines, Nice to send one YOUR WAY :twisted:

squ1d wrote:In this case, a computer scientist with a PHD introduced a bug in 2011 while patching the heartbeat code in OpenSSL. Dadoy.

It's a serious bug as far as these things go, but security paranoia has reached ridiculous levels, and the "don't use the internet for a few days" advice just made me laugh hysterically.

"Chances are some crook has your passwords" -- I don't know how you calculate chance, but obviously not the same way I do.

Nobody has ever stolen my identity or money from me, or blackmailed me, or set me on fire, because of buffer underruns on my internets, so forgive me for not buying into the panic.


OpenSSL has had several major security flaws throughout the years. I've been installing it as a dependency for OpenSSH (and plenty of other stuff) since at least 2001. It's the first time I've heard such a ruckus for an OpenSSL security issue. So, I'd say you're probably right.

No Matter though [Points fingers at the Code Monkey] IT'S ALL YOUR FAULT :P

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 12:50 pm
by Sigma_Orionis
FZR1KG wrote:Sure squid, but just you wait until year 3000 when the trimellenium bug hits and all flying cars just crash to the ground because they couldn't work out what day it is... :P

I agree with you squid. It's like when electronics first came out. They said it was unreliable, sissy stuff that can't be used in real applications like cars etc. It's not the technology that's bad it's those in it who aren't up to the required level of expertise.

A classic example was a gas heater controller a friend had issues with producing that was designed by a guy who knows electronics to work with stuff but little about design. He attempted to design an RC timer to control a relay but what he achieved was a timer controlled by the drop out voltage of the relay. Naturally it varied and no one could work it out for years. The circuit looked like it should work but it was set to common collector rather than common emitter and that was enough to totally change the characteristics. To make things worse, I showed them the fault, told them how to change it and fix the problem permanently making it safer and more reliable but the cost of retesting for gas compliance was over $5000 so no one wanted to do it.
Net result is a faulty design that passed testing by underskilled testers, designed by an unskilled designer and not fixed by a greedy company owner.
These are one of the top selling gas controllers for imitation wood heaters in the USA.

If people aren't going to fix a gas device on a major selling item what chance is there of organising a software rewrite of someone's faulty code.
For the record I suggested a total redesign using a CPU and software control. It's more reliable and has far less development time than a discrete design. When done properly. The answer was that software requires different certification for gas devices...yeah, because you all know how to test simple electronics so well. :roll:


And I do remember reading (about 10-20 years ago when software started creeping its way into cars) something where someone was saying that software was unreliable, unlike electronics....

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 1:28 pm
by squ1d
Bahaha Sigma ... I'm blaming your Clouds for everything in the future!! Why can't you make your Clouds more better???

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 4:22 pm
by The Supreme Canuck
Welp. I just saw a list of affected sites... LastPass is one of them. Morrolan - you need to change your password there immediately.

And I don't think I'll be using that particular password management service.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 4:41 pm
by Morrolan
The Supreme Canuck wrote:Welp. I just saw a list of affected sites... LastPass is one of them. Morrolan - you need to change your password there immediately.

And I don't think I'll be using that particular password management service.


Umm... No. Not affected. Sorry.

http://filippo.io/Heartbleed/#lastpass.com

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 5:38 pm
by squ1d

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 7:50 pm
by The Supreme Canuck
So it was vulnerable (kind of), but isn't anymore. Good.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 8:05 pm
by Swift
I find it interesting, in a sad sort of way, that I have heard absolutely nothing from my bank, any of my credit cards, nor anyone else, about this. No "please change your password at once", no "nope, nothing to worry about, we've got it under control", zot, zilch, nada.

Re: Time to change your passwords (... or not)

PostPosted: Thu Apr 10, 2014 8:11 pm
by The Supreme Canuck
I actually did see that my bank issued a statement saying I was in the clear.

It is the only bank in Canada that I have seen do so. That's disheartening.