Time to change your passwords (... or not)

Postby Cyborg Girl » Wed Apr 09, 2014 2:11 am

http://heartbleed.com/

Read and weep. And then go change all your passwords for encrypted sites! Because there's a fair chance some crook might have them. :(

Edit: or maybe not yet:

http://www.theguardian.com/technology/2 ... of-servers

Because some slowpokes haven't issued new SSL certs yet.
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Time to change your passwords (... or not)

Postby Swift » Wed Apr 09, 2014 2:04 pm

GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby code monkey » Wed Apr 09, 2014 11:36 pm

Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:


don't hold back, swift. tell us what you really think.
and still i persist in wondering whether folly must always be our nemesis. edgar pangborn

come gentle night. come loving black browed night
give me my romeo. and when he shall die
take him and cut him out in little stars
and he will make the face of heaven so fine
that all will be in love with night
and pay no worship to the garish sun. william shakespeare
code monkey
 
Posts: 1798
Joined: Wed May 29, 2013 7:41 am

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 12:02 am

Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:



Dude, if I had to start all over again I'd be a Plumber. I got into IT because Physics in this country doesn't pay squat.
Sic Transit Gloria Mundi
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Morrolan » Thu Apr 10, 2014 1:35 am

i use Lastpass and they have added a feature that lets the program check if the sites you use are affected.
"We don't let them have ideas. Why would we let them have guns?" Stalin
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am

Re: Time to change your passwords (... or not)

Postby Cyborg Girl » Thu Apr 10, 2014 1:36 am

swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Time to change your passwords (... or not)

Postby Swift » Thu Apr 10, 2014 1:55 am

Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 10, 2014 2:11 am

I'm thinking of switching to a password manager over this. I see Morrolan's posted Lastpass. What do we think of the security on that one? I was considering Bruce Schneier's Password Safe. Which do the IT folks here think is the better bet?
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Cyborg Girl » Thu Apr 10, 2014 2:22 am

I don't know anything about Lastpass, other than that it's "cloud based"... which immediately makes me suspicious. I don't want my bank account credentials and such anywhere I don't have direct access to and control over.

I'd say use a local password manager like KeePass with a good (slow) algorithm like Blowfish, and a strong (long, memorable, hard to guess) master password. I'm not a crypto wizard though.

Another possibility is to use GPG (Gnu Privacy Guard), maybe with some sort of graphical frontend. (KGPG is good, Seahorse not quite as good. GPA sucks but gets the job done, barely.) This might be a good idea; if you're emailing with people about anything confidential, you should probably get familiar with GPG, because email is plaintext and can be easily intercepted.
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Time to change your passwords (... or not)

Postby SciFiFisher » Thu Apr 10, 2014 4:28 am

I use a commercial password minder called RoboForm. Yes, they charge money for it. But, it's a pretty good tool. It has the ability to sync across multiple platforms and it can generate strong passwords for you if you don't feel like creating your own. My standard is to password protect the PW minder. I also use a password on my computer. A really good hacker could probably get past those but he would have to at least work for it. In some ways the best protection is the fact that you are one in 4 billion users on the internet.
"To create more positive results in your life, replace 'if only' with 'next time'." — Author Unknown
"Experience is a hard teacher because she gives the test first, the lesson afterward." — Vernon Law
SciFiFisher
Redneck Geek
 
Posts: 4889
Joined: Mon May 27, 2013 5:01 pm
Location: Sacramento CA

Re: Time to change your passwords (... or not)

Postby Morrolan » Thu Apr 10, 2014 4:30 am

then you may want to read up on it, GJ, it consistently scores high in reviews for safety. plus the premium version i use also allows me to use it on my smartphones and tablets, be they iOS or Android.
"We don't let them have ideas. Why would we let them have guns?" Stalin
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 5:02 am

I don't use password managers.

Why? No objective reason, I just find them annoying.

I keep my passwords in a freeware tool called fsekrit, it's not a password manager: it's an encrypted file editor, works like the Windows Notepad, it's small (60K), portable (meaning it doesn't require installation, I usually run it from my USB PenDrive) and the encrypted text is saved as part of the program.

I have several strong passwords I use for the important sites (the ones where my credit card info is kept for instance) and a zillion that I use in places I don't give a rat's ass if they're compromised.
Sic Transit Gloria Mundi
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 5:22 am

Swift wrote:
Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.


Just to make you feel even better: That saying is at least from the 70s
Sic Transit Gloria Mundi
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby squ1d » Thu Apr 10, 2014 5:55 am

Sigma_Orionis wrote:
Swift wrote:
Gullible Jones wrote:swift, I'll just offer you a famous quote in this field...

"If civil engineers designed buildings the way software engineers design programs, civilization would crumble when the first woodpecker showed up."

That is not an exaggeration.

Gosh, I feel so much better now.


Just to make you feel even better: That saying is at least from the 70s


As the only person here that actually makes a living from designing software, let me clear up a few things.

Almost everything is controlled by software these days, so if that quote were true in any way whatsoever, civilization would have already crumbled. The fact that shit applications exist is no need to point fingers at an entire profession. "That is not an exaggeration" ... oh yes it is. And what exactly do you know about how we design programs? That quote from the 70's .. when Voyager was launched. That thing what has the codes in it.

In this case, a computer scientist with a PhD introduced a bug in 2011 while patching the heartbeat code in OpenSSL. Dadoy.

It's a serious bug as far as these things go, but security paranoia has reached ridiculous levels, and the "don't use the internet for a few days" advice just made me laugh hysterically.

"Chances are some crook has your passwords" -- I don't know how you calculate chance, but obviously not the same way I do.

Nobody has ever stolen my identity or money from me, or blackmailed me, or set me on fire, because of buffer underruns on my internets, so forgive me for not buying into the panic.
Last edited by squ1d on Thu Apr 10, 2014 6:01 am, edited 2 times in total.
squ1d
 
Posts: 679
Joined: Mon May 27, 2013 5:12 pm

Re: Time to change your passwords (... or not)

Postby squ1d » Thu Apr 10, 2014 5:58 am

Swift wrote:GJ, nothing against you or Sigma, but I've gotten to the point of despising computer people. They are rapidly approaching my feelings about Congress. Every time I turn around there is some new hacking disaster, or bug, or data breach. Fix the fucking system already. I'm close to the point of tossing all the computers in the trash and going back to rolling pennies, writing paper checks, shopping at real stores, and hiding my money in the mattress. flame:



.... he said, posting on his favourite online forum on a computer device containing software, via the internet. :D
squ1d
 
Posts: 679
Joined: Mon May 27, 2013 5:12 pm

Re: Time to change your passwords (... or not)

Postby FZR1KG » Thu Apr 10, 2014 12:30 pm

Sure squid, but just you wait until year 3000 when the trimillennium bug hits and all flying cars just crash to the ground because they couldn't work out what day it is... :P

I agree with you squid. It's like when electronics first came out. They said it was unreliable, sissy stuff that can't be used in real applications like cars etc. It's not the technology that's bad it's those in it who aren't up to the required level of expertise.

A classic example was a gas heater controller a friend had issues with producing that was designed by a guy who knew electronics to work with stuff but little about design. He attempted to design an RC timer to control a relay but what he achieved was a timer controlled by the drop out voltage of the relay. Naturally it varied and no one could work it out for years. The circuit looked like it should work but it was set to common collector rather than common emitter and that was enough to totally change the characteristics. To make things worse, I showed them the fault, told them how to change it and fix the problem permanently making it safer and more reliable but the cost of retesting for gas compliance was over $5000 so no one wanted to do it.
Net result is a faulty design that passed testing by under skilled testers, designed by an unskilled designer and not fixed by a greedy company owner.
These are one of the top selling gas controllers for imitation wood heaters in the USA.

If people aren't going to fix a gas device on a major selling item what chance is there of organising a software rewrite of someone's faulty code.
For the record I suggested a total redesign using a CPU and software control. It's more reliable and has far less development time than a discrete design. When done properly. The answer was that software requires different certification for gas devices...yeah, because you all know how to test simple electronics so well. :roll:
FZR1KG
 

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 12:44 pm

squ1d wrote:As the only person here that actually makes a living from designing software, let me clear up a few things.


Not so, EVERYONE knows that Software Development, Systems Administration, RDBMS Administration, Network Administration, Desktop Support, "The Internet is down, go fix it", "Fix my Smart Phone", "Why can't I use What's App?" , and "Steve Jobs" are all the same thing. don't you try to hand wave your way out of this one, I AM THE ULTIMATE COMPUTER AUTHORITY HERE! and I say it's YOUR FAULT :P

squ1d wrote:Almost everything is controlled by software these days, so if that quote were true in any way whatsoever, civilization would have already crumbled. The fact that shit applications exist is no need to point fingers at an entire profession. "That is not an exaggeration" ... oh yes it is. And what exactly do you know about how we design programs? That quote from the 70's .. when Voyager was launched. That thing what has the codes in it.


Fun fact: the original quote "If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization" is attributed to Gerald Weinberg.

Dr. Weinberg was "Manager of Operating Systems Development in the Project Mercury (1959–1963)" (and NO Virginia, I am pretty sure his team wasn't designing general purpose Computer Operating Systems, so don't blame MS-DOS on him :P) according to his Wiki entry. So I suppose the quote is even older, from the early 60s.

Bottom Line: Yew Code Monkeys are still getting blamed for the loss of Mariner I, among other things so it's STILL all your fault :P

Besides, developers (Particularly the Siebel Crowd) ALWAYS blame my infrastructure when they're being grilled for not meeting their deadlines, Nice to send one YOUR WAY :twisted:

squ1d wrote:In this case, a computer scientist with a PhD introduced a bug in 2011 while patching the heartbeat code in OpenSSL. Dadoy.

It's a serious bug as far as these things go, but security paranoia has reached ridiculous levels, and the "don't use the internet for a few days" advice just made me laugh hysterically.

"Chances are some crook has your passwords" -- I don't know how you calculate chance, but obviously not the same way I do.

Nobody has ever stolen my identity or money from me, or blackmailed me, or set me on fire, because of buffer underruns on my internets, so forgive me for not buying into the panic.


OpenSSL has had several major security flaws throughout the years. I've been installing it as a dependency for OpenSSH, (and plenty of other stuff) since at least 2001. It's the first time I've heard such a ruckus for an OpenSSL security issue. So, I'd say you're probably right.

No Matter though [Points fingers at the Code Monkey] IT'S ALL YOUR FAULT :P
Sic Transit Gloria Mundi
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby Sigma_Orionis » Thu Apr 10, 2014 12:50 pm

FZR1KG wrote:Sure squid, but just you wait until year 3000 when the trimillennium bug hits and all flying cars just crash to the ground because they couldn't work out what day it is... :P

I agree with you squid. It's like when electronics first came out. They said it was unreliable, sissy stuff that can't be used in real applications like cars etc. It's not the technology that's bad it's those in it who aren't up to the required level of expertise.

A classic example was a gas heater controller a friend had issues with producing that was designed by a guy who knew electronics to work with stuff but little about design. He attempted to design an RC timer to control a relay but what he achieved was a timer controlled by the drop out voltage of the relay. Naturally it varied and no one could work it out for years. The circuit looked like it should work but it was set to common collector rather than common emitter and that was enough to totally change the characteristics. To make things worse, I showed them the fault, told them how to change it and fix the problem permanently making it safer and more reliable but the cost of retesting for gas compliance was over $5000 so no one wanted to do it.
Net result is a faulty design that passed testing by under skilled testers, designed by an unskilled designer and not fixed by a greedy company owner.
These are one of the top selling gas controllers for imitation wood heaters in the USA.

If people aren't going to fix a gas device on a major selling item what chance is there of organising a software rewrite of someone's faulty code.
For the record I suggested a total redesign using a CPU and software control. It's more reliable and has far less development time than a discrete design. When done properly. The answer was that software requires different certification for gas devices...yeah, because you all know how to test simple electronics so well. :roll:


And I do remember reading (about 10-20 years ago when software started creeping its way into cars) something where someone was saying that software was unreliable, unlike electronics....
Sic Transit Gloria Mundi
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Time to change your passwords (... or not)

Postby squ1d » Thu Apr 10, 2014 1:28 pm

Bahaha Sigma ... I'm blaming your Clouds for everything in the future!! Why can't you make your Clouds more better???
squ1d
 
Posts: 679
Joined: Mon May 27, 2013 5:12 pm

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 10, 2014 4:22 pm

Welp. I just saw a list of affected sites... LastPass is one of them. Morrolan - you need to change your password there immediately.

And I don't think I'll be using that particular password management service.
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Morrolan » Thu Apr 10, 2014 4:41 pm

The Supreme Canuck wrote:Welp. I just saw a list of affected sites... LastPass is one of them. Morrolan - you need to change your password there immediately.

And I don't think I'll be using that particular password management service.


Umm... No. Not affected. Sorry.

http://filippo.io/Heartbleed/#lastpass.com
"We don't let them have ideas. Why would we let them have guns?" Stalin
Morrolan
 
Posts: 227
Joined: Fri May 31, 2013 1:09 am


Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 10, 2014 7:50 pm

So it was vulnerable (kind of), but isn't anymore. Good.
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa

Re: Time to change your passwords (... or not)

Postby Swift » Thu Apr 10, 2014 8:05 pm

I find it interesting, in a sad sort of way, that I have heard absolutely nothing from my bank, any of my credit cards, nor anyone else, about this. No "please change your password at once", no "nope, nothing to worry about, we've got it under control", zot, zilch, nada.
Never, ever forget: we did this. This is what we can do.

In wilderness is the preservation of the world. - Henry David Thoreau

Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it's the only thing that ever has. - Margaret Mead
Swift
 
Posts: 2353
Joined: Wed May 29, 2013 2:40 am
Location: At my keyboard

Re: Time to change your passwords (... or not)

Postby The Supreme Canuck » Thu Apr 10, 2014 8:11 pm

I actually did see that my bank issued a statement saying I was in the clear.

It is the only bank in Canada that I have seen do so. That's disheartening.
The Supreme Canuck
 
Posts: 808
Joined: Mon Jun 10, 2013 9:27 pm
Location: Ottawa
