Neil Pate Posted April 12, 2014

So, most of you here are probably aware of the Heartbleed bug in OpenSSL. How seriously is everybody taking this? Seems like a good time to change my password; "12345" was probably due for an extra digit on the end by now ;-)
ShaunR Posted April 12, 2014

> So, most of you here are probably aware of the Heartbleed bug in OpenSSL. How seriously is everybody taking this? Seems like a good time to change my password; "12345" was probably due for an extra digit on the end by now ;-)

Very seriously. It is the only time I've ever heard that using encryption is worse than not using it. Luckily, the binaries shipped with LabVIEW are not susceptible; they're too old.
Neil Pate Posted April 12, 2014

> Very seriously. It is the only time I've ever heard that using encryption is worse than not using it. Luckily, the binaries shipped with LabVIEW are not susceptible; they're too old.

It's a good thing NI never got around to making an SSH toolkit.
ShaunR Posted April 12, 2014

> It's a good thing NI never got around to making an SSH toolkit.

OpenSSH is a different toolkit and, although it does use OpenSSL, the vulnerability only affects TLS (which OpenSSH doesn't use). OpenSSH is quite safe, but if you are using a TLS-enabled process (like Apache) that has the heartbeat extension (i.e. TLS 1.2) then they may get your SSH keys, your inside leg measurement and who you slept with last night.

Edited April 12, 2014 by ShaunR
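An added example (my own, not ShaunR's or any project's code) that turns the "too old to be affected" observation into a check a defender can run against the output of `openssl version`: it classifies a version banner against the affected OpenSSL range, and its docstring carries the caveat that distribution backports make the version string alone inconclusive. The banners in `SAMPLE_BANNERS` are constructed sample input.

```python
import re

# Heartbleed affected the OpenSSL 1.0.1 branch from 1.0.1 up to and including
# 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 pre-release (fixed in beta2).
# The 0.9.8 and 1.0.0 branches never carried the heartbeat code, which is why
# old bundled binaries such as the ones mentioned above were not exposed.
VULNERABLE_101_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from an `openssl version`
    banner, or None if the text is not an OpenSSL version string."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_range(banner):
    """True if the banner's version falls in the affected upstream range.

    Caveat: distributions often backport the fix without changing the upstream
    version string, and builds compiled with OPENSSL_NO_HEARTBEATS were never
    affected, so a True result means 'investigate further', not 'exposed'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # "1.0.1" with no letter is the initial release, which is affected.
        return letter < VULNERABLE_101_FIXED_LETTER
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def triage(banners):
    """Map each banner to 'affected' or 'not affected'."""
    return {b: ("affected" if is_heartbleed_range(b) else "not affected") for b in banners}


# Constructed sample banners for the demonstration (not taken from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{banner:35s} {verdict}")
```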
mje Posted April 12, 2014

Very serious indeed. I am amused that in an era where major vulnerabilities and breaches are so publicized, I have not heard a peep from a single institution I deal with. In the past they've always been quick to alert clients, but not this time. Forget the important ones (banks, stocks, payroll, government entities); not even the technology companies I deal with have said a word. Amazing. I have absolute confidence that should some even more serious vulnerability arise to which there is no immediate fix, we will be left in the dark lest any organization affect their image or stock price. Honesty and disclosure are only needed if they serve the bottom line or political gain. Yes, I'm cynical, but I try my hardest to find evidence pointing me away from the cynicism. I'm just not finding any this time around.
Neil Pate Posted April 12, 2014

> OpenSSH is a different toolkit and, although it does use OpenSSL, the vulnerability only affects TLS (which OpenSSH doesn't use)

I was being a bit facetious, but I did not know about it only being TLS, so I forgive you. I have a ten-week-old at home; I didn't get to sleep with anybody last night.
ShaunR Posted April 12, 2014

> Very serious indeed. I am amused that in an era where major vulnerabilities and breaches are so publicized, I have not heard a peep from a single institution I deal with. In the past they've always been quick to alert clients, but not this time. Forget the important ones (banks, stocks, payroll, government entities); not even the technology companies I deal with have said a word. Amazing. I have absolute confidence that should some even more serious vulnerability arise to which there is no immediate fix, we will be left in the dark lest any organization affect their image or stock price. Honesty and disclosure are only needed if they serve the bottom line or political gain. Yes, I'm cynical, but I try my hardest to find evidence pointing me away from the cynicism. I'm just not finding any this time around.

Well. When I logged into my bank account the other day I was met with this message:

> Customers may be aware of media interest in an external Internet related issue called 'Heartbleed'. We take the security of our banking services very seriously and we would like to reassure our customers that our online banking systems are not exposed to this vulnerability. As such customers are advised that there is currently no need for them to take any action with regards to changing passwords.

Do we believe them?

Edited April 12, 2014 by ShaunR
jcarmody Posted April 12, 2014

I made a comment in the NI BreakPoint forum with a quote I read today: "I am starting to think that no matter how smart you are, you are not smart enough to code in C."
Mike Le Posted April 13, 2014

> Forget the important ones (banks, stocks, payroll, government entities)

I was actually quite pleased to discover that none of my financial institutions have bothered to update their security software the past few years, and as such, none were vulnerable to Heartbleed. I've been cursing these institutions for years because they use incredibly old security systems (seriously, you're only going to let me use an 8 character password?). But in this case, their glacially slow tech adoption rate was a blessing in disguise. This Mashable list has been helpful for me in determining which passwords I need to change. I'm extra paranoid, though, so I'll probably change all of them as I get around to logging into them. I'd also like to take this opportunity to extol the virtues of KeePass as a password manager.
mje Posted April 13, 2014

I've been rocking 1Password for the last few years and I've finally lost patience with their pathetic Android implementation (other platforms are fantastic though). This weekend as I go through my passwords I've decided to look at KeePass and LastPass. I agree, password managers are the way to go, but if you use Android, my recommendation is to avoid 1Password despite how much I like it.
Jordan Kuehn Posted April 13, 2014

I would be very interested to hear from someone who is using LastPass. I've been on the fence for a few months and this very well could be the tipping point.

Edited April 13, 2014 by Jordan Kuehn
Mike Le Posted April 13, 2014

I was nervous about LastPass operating over the internet. My paranoia seems to have been rewarded somewhat, as it's on the Mashable list as one of the "affected" sites. They're claiming that users do not need to change their master passwords. However, I suspect that any passwords they stored on your behalf were vulnerable to Heartbleed (even if the websites you stored were not vulnerable).

Edited April 13, 2014 by Mike Le
Val Brown Posted April 13, 2014

> I made a comment in the NI BreakPoint forum with a quote I read today: "I am starting to think that no matter how smart you are, you are not smart enough to code in C."

I thought that was already well known back in the early 80s....
ShaunR Posted April 13, 2014

> I've been rocking 1Password for the last few years and I've finally lost patience with their pathetic Android implementation (other platforms are fantastic though). This weekend as I go through my passwords I've decided to look at KeePass and LastPass. I agree, password managers are the way to go, but if you use Android, my recommendation is to avoid 1Password despite how much I like it.

Using a man-in-the-middle attack for convenience is a flawed concept.
Ryan Podsim Posted April 14, 2014

I've been using LastPass for the last year now and liked it. I've liked the multi-location/multi-person/cloud access, since I got my wife on it also. I do use the iOS app on occasion. They did say they were affected by the Heartbleed vulnerability. I feel their response was quick, and they did provide a nice tool to check your stored passwords for other sites affected (also part of the security check function). I will note I did change my master PW as soon as I heard anything. I'm not paranoid! Oh, and I LOVE the 100-character password generator! As a side note: I've also tried Dashlane, and thought it was pretty good, but LastPass got me because (at least at the time) they had cloud access for free and Dashlane didn't.
lvb Posted April 16, 2014

> I've been rocking 1Password for the last few years and I've finally lost patience with their pathetic Android implementation (other platforms are fantastic though). This weekend as I go through my passwords I've decided to look at KeePass and LastPass. I agree, password managers are the way to go, but if you use Android, my recommendation is to avoid 1Password despite how much I like it.

> I would be very interested to hear from someone who is using LastPass. I've been on the fence for a few months and this very well could be the tipping point.

I highly recommend LastPass, especially if you are on Android. There is a Security Now episode by Steve Gibson that covers how LastPass works; it is very secure even though it is cloud based. The latest Android app update includes a "service" so you can "fill forms" just like you can on the desktop.