On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
> > considering it is a catastrophe worse than the Y2K bug.
>
> This is several orders of magnitude less severe than Y2K.

I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html

"'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."

So I gathered, perhaps wrongly, that in that case the Y2K bug would have to be greater than 11 on a scale of 1 to 10.

Later, ...

"I wonder if there is going to be some backlash from the mainstream press and the public. If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf."

That reads to me as though the Y2K bug is not as serious. But in saying that, there is this post: https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html

> > It seems very likely that people are using compromised apps on their
> > smartphone and you'd think it would be advisable to warn people ASAP!
>
> OpenSSL is a library, not an 'app'.

http://tech.firstpost.com/news-analysis/android-devices-and-apps-affected-by-heartbleed-check-if-your-smartphone-is-vulnerable-221655.html

"Google has said that nearly all versions of AOSP from 4.1 and up contain vulnerable versions of OpenSSL, but all except one had heartbeats turned off, so no one could attack these systems. Only Android 4.1.1 had the heartbeat feature turned on, so those devices are vulnerable. Moreover, some OEMs may have switched heartbeat feature back on in their phone's software, which leaves them vulnerable too."

> > Not even an email from the bank!
>
> Many/most financial institutions disdain open source software and would
> much rather pay for proprietary commercial solutions so there is someone
> to sue and recover damages when things go tits up.

That statement was made in the sense that at least the bank could have issued a statement along the lines of 'you may have heard of the heartbleed bug, we can assure all of our customers that we are not affected by this bug and there is no need to panic.'

Using this site http://filippo.io/Heartbleed/ shows that the bank and ISP I use are OK. Why worry?

It's incidents like http://clarecurran.org.nz/post.php?post_id=309 and http://www.itnews.com.au/News/363635,christchurch-transport-card-flaws-expose-identities-grant-free-bus-rides.aspx which are not a great confidence booster towards the attitude to security. I realise that banks are in an entirely different league here, and my statement was more about the attitude to the public, and hence of the public.

> > Then there is also the very serious issue of embedded devices using
> > openssl. Tablets, smartphones, routers, ... etc. etc.
>
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *and* the user hasn't reset and/or deleted
> locally cached usernames and passwords.

http://readwrite.com/2014/04/11/heartbleed-bug-virus-clients-routers-virtual-machines-vpn

The point I'm making is there should at least be some transparency. Y2K - all over the media. Snowden leaks - all over the media. Heartbleed - not a whisper.

I saw one statement " ... lucky the general media is too thick to click on so far ..." :)

-- 
"If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing." --- Malcolm X

Archive: https://lists.debian.org/20140414150113.GA23216@tal

