Okay, the short version of the long post:
If you don't know what to do about things like the heartbeat/bleed bug, I'm
suggesting we all start contributing more to the projects we regularly use.
Learn to code if we haven't. Report bugs. Help with documentation and
localization.
That's how we redu
Joel Rees grabbed a keyboard and wrote:
> (Reader beware. Length breeds length.)
And this whole thread has gone on (and morphed) entirely too long.
Please take it to the Debian Offtopic list.
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
(Reader beware. Length breeds length.)
On Thu, Apr 17, 2014 at 10:57 PM, somebody wrote:
> On 4/17/2014 5:40 AM, Curt wrote:
>
>> On 2014-04-17, ken wrote:
>>
>>>
>>> Steve brings up a very good point, one often overlooked in our zeal for
>>> getting so much FOSS for absolutely no cost. Since w
On 4/17/2014 10:31 AM, Curt wrote:
On 2014-04-17, Jerry Stuckle wrote:
This is a totally irresponsible post, showing the op knows very little
about programming.
http://en.wikipedia.org/wiki/Theo_de_Raadt
Theo de Raadt (/ˈθiː.oʊ dɛˈrɔːt/; Dutch: [ˈteː.o dɛˈraːt]; born May 19,
1968) is a
On 2014-04-17, Jerry Stuckle wrote:
>
> This is a totally irresponsible post, showing the op knows very little
> about programming.
http://en.wikipedia.org/wiki/Theo_de_Raadt
Theo de Raadt (/ˈθiː.oʊ dɛˈrɔːt/; Dutch: [ˈteː.o dɛˈraːt]; born May 19,
1968) is a software engineer who lives in Calg
On Thu, Apr 17, 2014 at 3:36 AM, ken wrote:
> Steve brings up a very good point, one often overlooked in our zeal for
> getting so much FOSS for absolutely no cost. Since we're all given the
> source code, we're all in part responsible for it and for improving it.
> This ethic should be visited
On 4/17/2014 5:40 AM, Curt wrote:
On 2014-04-17, ken wrote:
Steve brings up a very good point, one often overlooked in our zeal for
getting so much FOSS for absolutely no cost. Since we're all given the
source code, we're all in part responsible for it and for improving it.
I don't think th
On 2014-04-17, ken wrote:
>
> Steve brings up a very good point, one often overlooked in our zeal for
> getting so much FOSS for absolutely no cost. Since we're all given the
> source code, we're all in part responsible for it and for improving it.
I don't think the point is very good for the
On 04/16/2014 11:50 PM green wrote:
Steve Litt wrote at 2014-04-16 13:05 -0500:
I'd feel a lot better with 200 eyes than 4. Even 10 would make me
nervous.
But the fault is partly mine. I never contributed to the OpenSSL
project, either with dollars or eyes.
+1
Steve brings up a very good p
Steve Litt wrote at 2014-04-16 13:05 -0500:
> I'd feel a lot better with 200 eyes than 4. Even 10 would make me
> nervous.
>
> But the fault is partly mine. I never contributed to the OpenSSL
> project, either with dollars or eyes.
+1
On Wed, 16 Apr 2014 08:48:01 -0600
Paul E Condon wrote:
> On 20140416_0823+, Curt wrote:
> > On 2014-04-16, Slavko wrote:
> > Robin Seggelmann introduced the bug:
> >
> > From the Sydney Morning Herald:
> >
> > Dr Seggelmann, of Münster in Germany, said the bug which
> > introduced the
On 04/16/2014 10:36 AM, Bill Wood wrote:
> On Wed, 2014-04-16 at 09:01 -0400, shawn wilson wrote:
>> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler
>> wrote:
> . . .
>>> What is medical identity theft?
>
> Theft of patient identity information, usually
On 2014-04-16, Paul E Condon wrote:
>>
>> Only four eyes?
>
> This is a silly rhetorical question.
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look.
We're talking about code *review*.
From the Syd
On 20140416_0754-0500, John Hasler wrote:
> Bill Wood writes:
> > I have noticed that everyone talks about the impact on the financial
> > services sector but no one has mentioned the health care information
> > sector. I understand that healthcare systems use SSL a great deal,
> > and medical ide
Perhaps smiles.
After all most countries do not associate so much critical information
to one number.
But many people do not put their private information by choice in places where
security of a site is a risk either so.
Sorry for the side track smiles.
Kare
On Wed, 16 Apr 2014, Lisi Reisz wr
On 20140416_0823+, Curt wrote:
> On 2014-04-16, Slavko wrote:
> >
> > If this vulnerability comes not from newbie and was made by intent,
> > things are worse than wrong. Then it is an attack to alone fundamental of
> > the free/open software. And what community about this? Where are
> > inform
On Wed, 2014-04-16 at 09:01 -0400, shawn wilson wrote:
> On Wed, Apr 16, 2014 at 8:54 AM, John Hasler wrote:
. . .
> > What is medical identity theft?
Theft of patient identity information, usually for the purpose of
insurance fraud.
> I'd also be interested seeing the proof for the claim (I
On Wednesday 16 April 2014 14:54:03 Karen Lewellen wrote:
> I give you an example of medical identity theft. At least how it
> can happen stateside.
> You are say a senior or someone with a print disability in a
> doctor's office.
> You must get help completing the forms, and the first question yo
I give you an example of medical identity theft. At least how it can happen
stateside.
You are say a senior or someone with a print disability in a doctor's
office.
You must get help completing the forms, and the first question you
must provide is...?
your social security number. Add that you
On Wed, Apr 16, 2014 at 8:54 AM, John Hasler wrote:
> Bill Wood writes:
>> and medical identity theft has risen sharply in recent years.
>
> What is medical identity theft?
I'd also be interested seeing the proof for the claim (I think he
means medical data breaches but IDK anyone has disclosed
Bill Wood writes:
> I have noticed that everyone talks about the impact on the financial
> services sector but no one has mentioned the health care information
> sector. I understand that healthcare systems use SSL a great deal,
> and medical identity theft has risen sharply in recent years.
What
On 2014-04-16, Slavko wrote:
>
> If this vulnerability comes not from newbie and was made by intent,
> things are worse than wrong. Then it is an attack to alone fundamental of
> the free/open software. And what community about this? Where are
> information, from who this vulnerability arrived? It
On 16. 4. 2014 1:50 Charles Kroeger wrote:
> At this point, the probability is close to one that every target has had
> its private keys extracted by multiple intelligence agencies. The real
> question is whether or not someone deliberately inserted this bug into
> OpenSSL, and
On Tue, 2014-04-15 at 15:55 -0400, Stephen Allen wrote:
. . .
> BTW Revenue Canada was hacked by this bug and publicly admitted so. So
> far only a minimal number of people were affected. They were offline for
> several days.
I've been following this thread since it started, as well as some oth
On Tue, 15 Apr 2014 07:00:03 +0200
shawn wilson wrote:
> >> On Apr 14, 2014 11:01 AM, "Chris Bannister"
> >>wrote:
> >> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> >> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
Here's the article from Bruce's
On Tue, Apr 15, 2014 at 02:11:00PM +1200, Richard Hector wrote:
> On 15/04/14 12:59, shawn wilson wrote:
> >> That statement was made in the sense that at least the bank could have
> >> > issued a statement along the lines of 'you may have heard of the
> >> > heartbleed bug, we can assure all of ou
On 14/04/14 23:41, Richard Hector wrote:
> The only local bank I've heard any info about is Kiwibank, who are
> apparently not vulnerable due to running their systems on Windows.
Heh. It turns out my bank, ASB, apparently uses Windows/IIS as well. I
have yet to decide whether I'm happy about that.
On 2014-04-15, John Hasler wrote:
>
> If I did any online banking (I don't) I'd change all the passwords no
> matter what the banks said and consider closing the accounts and opening
> new ones with different account numbers as well. Maybe with different
> banks.
Except that in the case of an un
On Tuesday, 15 April 2014, 11:41:34, Richard Hector wrote:
> On 15/04/14 02:03, Stan Hoeppner wrote:
> >> I certainly wouldn't jump to conclusions that they're a bank therefore
> >>
> >> > they use IBM mainframes therefore they don't use OpenSSL therefore
> >> > they're invulnerable,
> >
> >
On Mon, Apr 14, 2014 at 10:34:29PM -0400, shawn wilson wrote:
> On Apr 14, 2014 10:11 PM, "Richard Hector" wrote:
> > They don't need to send an email, or anything intrusive. They just need
> > to put a big notice on the login page of their internet banking site -
> > along with (or instead of) al
On Tue, Apr 15, 2014 at 12:44 AM, Chris Bannister
wrote:
> On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
>> On Apr 14, 2014 11:01 AM, "Chris Bannister"
>> wrote:
>> >
>> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
>> > > On 4/13/2014 10:03 PM, Chris Bannister
On Mon, Apr 14, 2014 at 08:59:30PM -0400, shawn wilson wrote:
> On Apr 14, 2014 11:01 AM, "Chris Bannister"
> wrote:
> >
> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > > ...
> > > > considering it is a catastrophe worse th
On Apr 14, 2014 10:11 PM, "Richard Hector" wrote:
>
> On 15/04/14 12:59, shawn wilson wrote:
> >> That statement was made in the sense that at least the bank could have
> >> > issued a statement along the lines of 'you may have heard of the
> >> > heartbleed bug, we can assure all of our customers
On 15/04/14 12:59, shawn wilson wrote:
>> That statement was made in the sense that at least the bank could have
>> > issued a statement along the lines of 'you may have heard of the
>> > heartbleed bug, we can assure all of our customers that we are not
>> > affected by this bug and there is no ne
On Apr 14, 2014 9:15 PM, "John Hasler" wrote:
>
> shawn wilson writes:
> > No, I don't want to hear from my bank unless there's a problem. If
> > everything is going OK, don't spam me. If it's not, by all means, let
> > me know. This didn't affect them so don't tell me anything.
>
> You assume that
shawn wilson writes:
> No, I don't want to hear from my bank unless there's a problem. If
> everything is going OK, don't spam me. If it's not, by all means, let
> me know. This didn't affect them so don't tell me anything.
You assume that they would tell you if they were affected.
If I did any on
On Apr 14, 2014 11:01 AM, "Chris Bannister"
wrote:
>
> On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> > On 4/13/2014 10:03 PM, Chris Bannister wrote:
> > ...
> > > considering it is a catastrophe worse than the Y2K bug.
> >
> > This is several orders of magnitude less severe than
On 15/04/14 02:03, Stan Hoeppner wrote:
>> I certainly wouldn't jump to conclusions that they're a bank therefore
>> > they use IBM mainframes therefore they don't use OpenSSL therefore
>> > they're invulnerable,
> I jumped to no conclusion. Do you see the word "bank" in my original
> statement b
For those interested:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
--Dave
On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
> > considering it is a catastrophe worse than the Y2K bug.
>
> This is several orders of magnitude less severe than Y2K.
I read https://www.schneier.com/blog/archives/2014/04/he
On 4/14/2014 6:41 AM, Richard Hector wrote:
> On 14/04/14 23:31, Stan Hoeppner wrote:
BTW, you shouldn't focus only on banks either. There are a lot of
popular services that use free software a lot, some of which happen to
include payment functionality.
>> I did not "focusing on bank
is it really necessary to discuss this on this list?
On 14/04/14 19:49, Curt wrote:
> On 2014-04-14, Richard Hector wrote:
>>
>> This one, on the other hand, was generally not predicted, and was widely
>> exploited before people got a chance to fix it. That's presumably still
>> going on.
>
> Widely exploited?
>
> http://en.wikipedia.org/wiki/Hear
On Mon, Apr 14, 2014 at 11:22 PM, Joel Rees wrote:
> On Mon, Apr 14, 2014 at 8:41 PM, Richard Hector
> wrote:
>>
>> The only local bank I've heard any info about is Kiwibank, who are
>> apparently not vulnerable due to running their systems on Windows.
>
>
> That's a laugh. Not vulnerable to this
On Mon, Apr 14, 2014 at 8:41 PM, Richard Hector wrote:
> On 14/04/14 23:31, Stan Hoeppner wrote:
> >> > BTW, you shouldn't focus only on banks either. There are a lot of
> >> > popular services that use free software a lot, some of which happen to
> >> > include payment functionality.
> > I did no
Stan Hoeppner:
> On 4/14/2014 5:53 AM, Jochen Spieker wrote:
>> Stan Hoeppner:
>>>
>>> This problem only exists *if* these devices connect to a compromised or
>>> rogue host via SSL/TLS *and* the user hasn't reset and or deleted
>>> locally cached usernames and passwords.
>>
>> That is not the wh
On 14/04/14 23:31, Stan Hoeppner wrote:
>> > BTW, you shouldn't focus only on banks either. There are a lot of
>> > popular services that use free software a lot, some of which happen to
>> > include payment functionality.
> I did not "focusing on banks". I replied to Chris Bannister's statement
>
On 4/14/2014 5:53 AM, Jochen Spieker wrote:
> Stan Hoeppner:
>> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>>
>>> Then there is also the very serious issue of embedded devices using
>>> openssl. Tablets, smartphones, routers, ... etc. etc.
>>
>> This problem only exists *if* these devices conne
Stan Hoeppner:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
>
>> Then there is also the very serious issue of embedded devices using
>> openssl. Tablets, smartphones, routers, ... etc. etc.
>
> This problem only exists *if* these devices connect to a compromised or
> rogue host via SSL/TLS *an
On 2014-04-14, Brian wrote:
>
> The increase in the bank balances of many consultants is well-documented
> as part of the history of the Y2K period. What is still under discussion
> is whether the failure of a set of traffic lights in Alice Springs was its
> only major effect.
>
My understandin
On 2014-04-14, Richard Hector wrote:
>
> My understanding is that it has been widely exploited _since_ disclosure.
>
> I could be wrong, of course - I think I heard it in chat around the office.
>
No kidding.
On 14/04/14 21:49, Curt wrote:
> On 2014-04-14, Richard Hector wrote:
>> >
>> > This one, on the other hand, was generally not predicted, and was widely
>> > exploited before people got a chance to fix it. That's presumably still
>> > going on.
> Widely exploited?
>
> http://en.wikipedia.org/wiki
On 2014-04-14, Richard Hector wrote:
>
> This one, on the other hand, was generally not predicted, and was widely
> exploited before people got a chance to fix it. That's presumably still
> going on.
Widely exploited?
http://en.wikipedia.org/wiki/Heartbleed
Possible exploitation prior to disclo
On Mon 14 Apr 2014 at 21:15:23 +1200, Richard Hector wrote:
> On 14/04/14 18:55, Stan Hoeppner wrote:
> >
> > This is several orders of magnitude less severe than Y2K.
>
> Y2K was extensively predicted, a lot of people did a lot of work to
> avoid it, and in the end it wasn't very significant, n
On 14/04/14 18:55, Stan Hoeppner wrote:
> On 4/13/2014 10:03 PM, Chris Bannister wrote:
> ...
>> considering it is a catastrophe worse than the Y2K bug.
>
> This is several orders of magnitude less severe than Y2K.
Y2K was extensively predicted, a lot of people did a lot of work to
avoid it, an
On 4/13/2014 10:03 PM, Chris Bannister wrote:
...
> considering it is a catastrophe worse than the Y2K bug.
This is several orders of magnitude less severe than Y2K.
> It seems very likely that people are using compromised apps on their
> smartphone and you'd think it would be advisable to warn
On Apr 13, 2014 11:03 PM, "Chris Bannister"
wrote:
>
> Then there is also the very serious issue of embedded devices using
> openssl. Tablets, smartphones, routers, ... etc. etc.
>
You're correct about network hardware (though the only one I'm aware of so
far is F5 with the latest firmware). If
57 matches