REVscene - Vancouver Automotive Forum


Old 04-09-2014, 10:00 AM   #1
I HERP TO YOU DERP
 
Join Date: Oct 2004
Location: 604
Posts: 1,189
Thanked 230 Times in 102 Posts
Heartbleed...

This has been around the news for a couple of days - think it would be good to bring this to the attention of fellow RS'ers.

http://www.theglobeandmail.com/techn...ticle17892756/

Quote:
An alarming lapse in Internet security has exposed millions of passwords, credit-card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.

Some popular sites that may have been affected: The CRA, Yahoo, Flickr, OkCupid, Eventbrite, Indiegogo, Imgur.

The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for e-mails, instant messaging and a wide range of electronic commerce.

Security researchers who uncovered the threat, known as “Heartbleed,” are particularly worried about the breach because it went undetected for more than two years.

Although there is now a way to close the security hole, there are still plenty of reasons to be concerned, said David Chartier, CEO of Codenomicon. A small team from the Finnish security firm diagnosed Heartbleed while working independently from another Google Inc. researcher who also discovered the threat.

“I don’t think anyone that had been using this technology is in a position to definitively say they weren’t compromised,” Chartier said.

Chartier and other computer security experts are advising people to consider changing all their online passwords.

“I would change every password everywhere because it’s possible something was sniffed out,” said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. “You don’t know because an attack wouldn’t have left a distinct footprint.”

But changing the passwords won’t do any good, these experts said, until the affected services install the software released Monday to fix the problem. That puts the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the Heartbleed fix has been installed so they can change their passwords.

Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services that could be potentially hurt by Heartbleed. The Sunnyvale, Calif., company said most of its most popular services – including sports, finance and Tumblr – had been fixed, but work was still being done on other products that it didn’t identify in a statement Tuesday.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet. About two-thirds of Web servers rely on OpenSSL, Chartier said.

Despite the worries raised by Heartbleed, Codenomicon said many large consumer sites aren’t likely to be affected because of their “conservative choice” of equipment and software. “Ironically, smaller and more progressive services or those who have upgraded to [the] latest and best encryption will be affected most,” the security firm said in a blog post.

In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr offered its users some blunt advice.

“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr said. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug.”
Cliff Notes:
- Hope to God that the services you use have patched the bug on their servers
- If service is patched, change passwords
hypediss is offline
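For anyone who wants to see the defect behind the article's description rather than the headlines, here is a toy model of the OpenSSL heartbeat bug, added as an editor's example; it is not code from the thread, the article, or OpenSSL. A TLS heartbeat message carries a payload plus a 16-bit field stating the payload's length; OpenSSL 1.0.1 through 1.0.1f echoed that many bytes back without checking that the received record actually contained them, so the reply carried whatever followed the request in process memory. Here process memory is a `bytearray`, and the names `vulnerable_handler`, `fixed_handler`, `simulate` and the session data in `NEIGHBOURING_MEMORY` are all constructed for the example.

```python
"""Toy model of the Heartbleed defect (CVE-2014-0160) and its fix.

Added example: process memory is a bytearray and nothing here speaks TLS.
The point is the single missing length check and what it lets through.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2) | payload | padding.

    claimed_len normally equals len(payload); a malformed request states a
    larger number than the bytes it actually carries.
    """
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytearray, record_len: int) -> bytes:
    """Mirror of the pre-1.0.1g logic: trust the length field in the message."""
    _hb_type, claimed_len = struct.unpack("!BH", memory[:3])
    # BUG: claimed_len is never compared with record_len (the bytes that really
    # arrived), so the copy runs on into neighbouring memory. A Python slice
    # stops at the end of the bytearray; the C code kept reading.
    echoed = bytes(memory[3:3 + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed


def fixed_handler(memory: bytearray, record_len: int) -> Optional[bytes]:
    """The 1.0.1g check: header, claimed payload and padding must fit the record."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # silently discard, as RFC 6520 section 4 directs
    _hb_type, claimed_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed_len + MIN_PADDING > record_len:
        return None  # length field claims more than was sent: discard
    echoed = bytes(memory[3:3 + claimed_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed


# Constructed stand-in for whatever happens to sit after the request in the
# server process: here a made-up session cookie.
NEIGHBOURING_MEMORY = b"session=cafebabe; user=alice;"


def simulate(handler, payload: bytes = b"hello", claimed_len: Optional[int] = None) -> Optional[bytes]:
    """Run one heartbeat through `handler` against a constructed memory image."""
    request = build_heartbeat(payload, claimed_len)
    memory = bytearray(request + NEIGHBOURING_MEMORY)
    return handler(memory, len(request))


def echoed_payload(response: Optional[bytes]) -> Optional[bytes]:
    """Strip the 3-byte response header; None means the request was discarded."""
    return None if response is None else response[3:]


if __name__ == "__main__":
    # Well-formed request: both handlers echo exactly the payload.
    print(echoed_payload(simulate(vulnerable_handler)))
    print(echoed_payload(simulate(fixed_handler)))
    # Length field claims 200 bytes for a 5-byte payload.
    print(echoed_payload(simulate(vulnerable_handler, claimed_len=200)))
    print(echoed_payload(simulate(fixed_handler, claimed_len=200)))
```

The over-long reply from `vulnerable_handler` is why the article talks about leaked passwords and keys: nothing cryptographic is broken, the server simply hands back memory it was never asked to check. The fix is the two-line comparison in `fixed_handler`, which is also why "patched" servers stopped leaking immediately while anything already read out stayed exposed.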
Old 04-10-2014, 01:17 PM   #2
My homepage has been set to RS
 
Join Date: Apr 2005
Location: vancouver
Posts: 2,217
Thanked 811 Times in 274 Posts
Microsoft must have had a good laugh for once..
tool001 is offline
Old 04-10-2014, 01:39 PM   #3
To me, there is the Internet and there is RS
 
Join Date: Apr 2007
Location: Okanagan
Posts: 16,222
Thanked 8,872 Times in 3,849 Posts
Is there a list of major places using OpenSSL?
__________________
1991 Toyota Celica GTFour RC // 2007 Toyota Rav4 V6 // 2000 Jeep Grand Cherokee
1992 Toyota Celica GT-S ["sold"] \\ 2007 Jeep Grand Cherokee CRD [sold] \\ 2000 Jeep Cherokee [sold] \\ 1997 Honda Prelude [sold] \\ 1992 Jeep YJ [sold/crashed] \\ 1987 Mazda RX-7 [sold] \\ 1987 Toyota Celica GT-S [crushed]
Quote:
Originally Posted by maksimizer View Post
half those dudes are hotter than ,my GF.
Quote:
Originally Posted by RevYouUp View Post
reading this thread is like waiting for goku to charge up a spirit bomb in dragon ball z
Quote:
Originally Posted by Good_KarMa View Post
OH thank god. I thought u had sex with my wife. :cry:
underscore is offline
Old 04-10-2014, 01:48 PM   #4
Even when im right, revscene.net is still right!
 
Join Date: Jan 2005
Location: Vancouver
Posts: 1,397
Thanked 92 Times in 43 Posts
Quote:
Originally Posted by underscore View Post
Is there a list of major places using OpenSSL?
The Heartbleed Hit List: The Passwords You Need to Change Right Now
__________________
(604) Black 2008 Acura TL Type-S, 09/07 - 09/11
(604) Black 2010 Acura RDX - 09/11 - 05/15
(613) White 2013 Kia Rio5, 09/12 - 09/13
(604) White 2014 BMW 335i xDrive, 05/15 - 01/17
(604) Blue 2017 BMW 240i xDrive, 01/17 - 12/20
(604) White 2021 Tesla Model 3 SR+, 12/20 - Present
ntan is offline
Old 04-10-2014, 01:54 PM   #5
What hasn't Killed me, has made me more tolerant of RS!
 
Join Date: Aug 2012
Location: Vancouver
Posts: 181
Thanked 109 Times in 44 Posts
I doubt an exploit like this could have stayed secret for two years. The chances of this exploit actually being used up till now are pretty slim I think.
JaPoola is offline
Old 04-10-2014, 02:00 PM   #6
Even when im right, revscene.net is still right!
 
Join Date: Jan 2005
Location: Vancouver
Posts: 1,397
Thanked 92 Times in 43 Posts
The recent security flaws in SSL are scary: first the Apple SSL security issue, now this... let's hope this is the last of it.
ntan is offline
Old 04-10-2014, 02:05 PM   #7
RS.net, where our google ads make absolutely no sense!
 
Join Date: Jan 2006
Location: vancouver
Posts: 925
Thanked 237 Times in 102 Posts
if you have android, download heartbleed detector...
Anjew is offline
Old 04-10-2014, 02:22 PM   #8
I keep RS good
 
Join Date: May 2001
Location: Cosmos
Posts: 28,661
Thanked 5,538 Times in 1,502 Posts
can someone explain the diff between open SSL and what the banks use?

it seems like none of the banks were affected.

and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?

inject me with education.
Ulic Qel-Droma is offline
Old 04-10-2014, 02:33 PM   #9
Where's my RS Christmas Lobster?!
 
Join Date: Feb 2012
Location: Richmond
Posts: 1,116
Thanked 903 Times in 285 Posts
Scares me shitless... I am to the point where I cannot think of another password I can remember...

Guess gotta spend the $25 on a good PW manager and change them all sigh.....

I am totally locked out of my 3 Microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
- can't use previous pw
- too similar to previous pw
- needs capital
- needs number

LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
z3german is offline
Old 04-10-2014, 02:37 PM   #10
14 dolla balla aint got nothing on me!
 
Join Date: Mar 2010
Location: Vancouver
Posts: 663
Thanked 268 Times in 95 Posts
It might be easier for you to make a passphrase instead. They're much easier to remember.
__________________
db1 - daily [sold]
ca5 - 2013 winter beater/dead
db2 #51 - garage queen/summer daily
golf mk3 - 2016 winter beater [sold]
ae92 - 2017 spring beater
Cillu is offline
Old 04-10-2014, 02:41 PM   #11
To me, there is the Internet and there is RS
 
Join Date: Apr 2007
Location: Okanagan
Posts: 16,222
Thanked 8,872 Times in 3,849 Posts
Four random words is supposed to be the most secure, but nobody lets you use that.
underscore is offline
Old 04-10-2014, 03:06 PM   #12
reads most threads with his pants around his ankles, especially in the Forced Induction forum.
 
Join Date: Mar 2004
Location: Vancouver
Posts: 10,645
Thanked 2,191 Times in 1,131 Posts
Quote:
Originally Posted by Ulic Qel-Droma View Post
can someone explain the diff between open SSL and what the banks use?

it seems like none of the banks were affected.

and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?

inject me with education.
No system is 100% secure as long as it has Internet access.
Mr.HappySilp is offline
Old 04-10-2014, 03:11 PM   #13
2013, 2016, 2017 & 2018 NHL Fantasy RS1 Champion
 
Join Date: Aug 2005
Location: Vancouver
Posts: 6,953
Thanked 1,241 Times in 573 Posts
Quote:
Originally Posted by z3german View Post
Scares me shitless... I am to the point where I cannot think of another password I can remember...

Guess gotta spend the $25 on a good PW manager and change them all sigh.....

I am totally locked out of my 3 Microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
- can't use previous pw
- too similar to previous pw
- needs capital
- needs number

LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
FUCK I KNOW THAT FEEL BRO
HonestTea is offline
Old 04-10-2014, 03:17 PM   #14
I HERP TO YOU DERP
 
Join Date: Oct 2004
Location: 604
Posts: 1,189
Thanked 230 Times in 102 Posts
Quote:
Originally Posted by z3german View Post
Scares me shitless... I am to the point where I cannot think of another password I can remember...

Guess gotta spend the $25 on a good PW manager and change them all sigh.....

I am totally locked out of my 3 Microsoft accounts too, last year or something they forced me to change the passwords with so many denied PW changes.
- can't use previous pw
- too similar to previous pw
- needs capital
- needs number

LIKE JESUS let me make my own damn password, I only use your crappy email service for junk anyways.
LastPass is your answer
hypediss is offline
Old 04-10-2014, 03:36 PM   #15
Rs has made me the man i am today!
 
Join Date: May 2008
Location: Burnaby
Posts: 3,148
Thanked 1,053 Times in 595 Posts
Quote:
Originally Posted by hypediss View Post
LastPass is your answer
This- Lastpass has been very helpful in generating random passwords. You just need to remember your master one to actually log into the service.
m3thods is offline
Old 04-10-2014, 03:47 PM   #16
Where's my RS Christmas Lobster?!
 
Join Date: Feb 2012
Location: Richmond
Posts: 1,116
Thanked 903 Times in 285 Posts
Quote:
Originally Posted by hypediss View Post
LastPass is your answer
I don't mind paying for a service like that, but can anyone chime in on

lastpass vs keepass?

or better yet paid vs keepass (free/open source)
z3german is offline
Old 04-10-2014, 06:20 PM   #17
My homepage has been set to RS
 
Join Date: Nov 2003
Location: Vancouver
Posts: 2,099
Thanked 2,114 Times in 482 Posts
CRA has been affected too.

“Heartbleed” bug forces revenue agency to shut down online tax-return filing | canada.com

Quote:
OTTAWA — The Canada Revenue Agency abruptly pulled the plug on its online services Wednesday over security concerns, saying it will take until the weekend at least before taxpayers can again file their returns online. The problem has forced it to extend the deadline for online filing.

In addition, the government’s super-IT agency was unable to say how widespread the problem might be across federal departments, or how long it might take to fix. The security loophole that led to the shutdown is found in many government and consumer websites around the world, and could have provided improper access to sensitive information during the two years before it was revealed this week.

Shared Services Canada said it was working to “identify the extent of the problem and to apply solutions, including implementing patches, as required.”

Those patches — or digital repairs — could take several days to complete, one expert said. Because of the nature of the security loophole, which can’t be traced, it may be impossible to say how much, if any, private information has been accessed.

“The people who have filed (income tax returns), maybe someone was watching,” said David Skillicorn, a computer security expert from Queen’s University in Kingston, Ont. “The issue for the CRA, more importantly, is that they don’t know how much their internal systems were compromised.”

The outage was caused by an online security loophole known as the Heartbleed bug.

Heartbleed is a two-year old vulnerability found in software used by thousands of websites globally to encrypt information when logging in to secure online services. The loophole lets someone see encrypted information sent between two computers, such as usernames and passwords, but permits secretly snooping around the system running the website and the user’s personal computer.

It only works on systems that use a security device known as Open SSL – which the CRA website does – to encrypt login information.

The Canada Revenue Agency services affected by Wednesday’s shutdown included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.

The shutdown came just as the agency had ramped up for tax-filing season, and as it has continued to encourage Canadians to file electronically rather than by using paper forms.

“Given that we are in the midst of tax filing season, this will be challenging and will require sustained effort and collaboration across the agency to minimize the impact on the services we provide to Canadians,” CRA commissioner Andrew Treusch wrote in a notice to employees Wednesday.

Taxpayers looking to file their returns were blocked Wednesday morning from logging on to the Canada Revenue Agency website. An online message told taxpayers that as a security precaution, access was blocked until concerns were addressed.

“We know there’s a systems vulnerability. We have identified that, so we shut down those systems right away as a precautionary measure only,” National Revenue Minister Kerry-Lynne Findlay said. “We’re investigating. We’re working on it.”

Findlay’s office said late Wednesday that no penalties or interest would be applied to anyone filing online after the April 30 tax deadline. The grace period will correspond to however long the service outage lasts.

“Consideration will be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,” she told the House of Commons.

The revenue agency suspended its online tax service for an unprecedented nine days in 2007 because of a computer malfunction caused by a faulty patch. Data security, however, was not a concern at that time. Rather, the faulty patch caused irregularities in the transfer of information between the databases that store and handle Canadians’ tax information.

The Canadian Bankers Association, which represents some 59 domestic and foreign banks, said Wednesday the online banking applications of Canadian banks were not affected by the bug.

“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.

- With files from Kathryn May, Ottawa Citizen, and the Canadian Press.
Alby is offline
Old 04-10-2014, 06:35 PM   #18
Need my Daily Fix of RS
 
Join Date: Jan 2011
Location: Vancouver
Posts: 295
Thanked 199 Times in 87 Posts
Quote:
Originally Posted by z3german View Post
I don't mind paying for a service like that, but can anyone chime in on

lastpass vs keepass?

or better yet paid vs keepass (free/open source)
Just started using Keepass. Works fine, especially with browser integration. You can also integrate it with a Dropbox account too.

My plan is to get a small usb keychain and put Keepass mobile on it to autosync with Dropbox, so no matter where I am, I will have an encrypted copy of my password database with me.
Majestic12 is offline
Old 04-11-2014, 08:50 AM   #19
To me, there is the Internet and there is RS
 
Join Date: Apr 2007
Location: Okanagan
Posts: 16,222
Thanked 8,872 Times in 3,849 Posts
But if you lose the keychain or your master password is compromised you're fucked. I have unique passwords for a few important things and one generic one for shit I don't really care about.
underscore is offline
Old 04-11-2014, 09:22 AM   #20
Hacked RS to become a mod
 
Join Date: Feb 2002
Location: Sunny Hong Kong
Posts: 52,224
Thanked 23,775 Times in 8,169 Posts
Use this as a reminder to use 2 factor authentication whenever you can, and use a password manager. I already use 2FA for everything but am still researching password managers. Thinking of using Lastpass for $12 a year. Would like to use an open source if possible though

If you were wondering if RS is affected, it's not since we don't use SSL anyway. On low-risk sites like this (forums, blogs, etc) you should NOT be using the same password you'd use on a high risk site (banks, email, etc)
SkinnyPupp is offline
Old 04-11-2014, 09:29 AM   #21
2x Variable Nockenwellen Steuerung
 
Join Date: Oct 2002
Location: N49.2 W122.1
Posts: 6,176
Thanked 1,174 Times in 704 Posts
OpenSSL is an open source SSL library. Incidentally, it is part of OpenBSD, which is based out of Edmonton. There are different versions and makes of SSL libraries out there, much like there are different V6 engines out there by different makes in cars. You can potentially swap them in and out, much like adult entertainment mogul Jason2000 does with his e36. OpenSSL is free and its source is free, so it is easier to optimize it for one's particular system.

Banks use devices that use commercial SSL libraries; that's probably why they are not affected (or more likely the manufacturers haven't let the banks know yet).

The advice is not to change the passwords UNTIL the site that is affected has reissued its SSL certificate. Since each site does its own thing on its own timing (some places probably won't give a flip), the easiest is to go to an aggregate news site, e.g. Lastpass, to see if the site in question has been patched and has new SSL certs.

Quote:
Originally Posted by Ulic Qel-Droma View Post
can someone explain the diff between open SSL and what the banks use?

it seems like none of the banks were affected.

and i would assume banks have a very high security system in place... why wouldn't every place just use what they use?

inject me with education.
godwin is offline
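godwin's advice above (wait for the reissued certificate before changing a password) can be checked directly rather than through a news aggregator. The script below is an editor's example, not code from the thread or from any password manager: it takes a certificate in the dictionary form Python's `ssl.getpeercert()` returns, compares its `notBefore` date with the date the bug became public (the OpenSSL advisory of 7 April 2014), and reports whether the certificate predates the disclosure. `fetch_cert` does the live lookup; the two sample certificates, their serial numbers and the hostname `example.test` are constructed.

```python
"""Was this site's TLS certificate issued after Heartbleed became public?

Added example. Patching OpenSSL stops further leakage, but a private key that
may already have been read out of memory is only retired when the site installs
a certificate for a new key. The notBefore date is a cheap first indicator.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# OpenSSL's advisory for CVE-2014-0160 was published on 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates in the layout ssl.getpeercert() returns.
CERT_BEFORE = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
CERT_AFTER = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "0D3E4F",
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2015 GMT",
}


def not_before(cert: dict) -> datetime:
    """Parse notBefore with the stdlib helper written for exactly this format."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after(cert: dict, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's validity period starts on or after the cutoff."""
    return not_before(cert) >= cutoff


def assess(cert: dict, previous_serial: Optional[str] = None) -> dict:
    """Summarise what the dates (and, if known, an earlier serial number) tell us.

    serial_changed is None when no earlier serial was supplied to compare with.
    """
    issued = not_before(cert)
    verdict = {
        "not_before": issued.isoformat(),
        "reissued_after_disclosure": issued >= HEARTBLEED_DISCLOSURE,
        "serial_changed": None,
    }
    if previous_serial is not None:
        verdict["serial_changed"] = cert.get("serialNumber") != previous_serial
    return verdict


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup: connect, validate the chain, return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # With a hostname argument the live certificate is checked; without one the
    # constructed pre-disclosure sample is used so the script runs offline.
    cert = fetch_cert(sys.argv[1]) if len(sys.argv) > 1 else CERT_BEFORE
    print(assess(cert))
```

Two caveats a practitioner would want. A certificate issued after the disclosure only shows that the site went back to its CA; operators who reused the old key pair in the new request still have the same possibly exposed private key, and `getpeercert()` does not return the public key, so confirming a key change needs the DER certificate (`getpeercert(binary_form=True)`) and a full X.509 parser to compare the SubjectPublicKeyInfo. And a pre-disclosure `notBefore` on a site that was never running a vulnerable OpenSSL build is no problem at all; the date is evidence, not a verdict.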
Old 04-11-2014, 03:32 PM   #22
I contribute to threads in the offtopic forum
 
Join Date: Jul 2012
Location: Vancouver
Posts: 2,914
Thanked 4,450 Times in 1,027 Posts
Does anyone know when sites are going to resume as normal? Can't file my taxes still
Posted via RS Mobile
SpeedStars is offline
Old 04-11-2014, 09:10 PM   #23
The Lone Wanderator
 
Join Date: Mar 2001
Location: Burnaby
Posts: 12,090
Thanked 4,367 Times in 1,137 Posts
For anyone who's interested in a (relatively) plain English explanation of what heartbleed is exactly, here you go:

Graeme S is offline
Old 04-11-2014, 09:15 PM   #24
MiX iT Up!
 
Join Date: May 2006
Location: vancouver
Posts: 8,133
Thanked 2,066 Times in 865 Posts
What I don't comprehend is why the CRA trusts open source security while the largest bank in Canada does their own dev for security.

#mindblasted
__________________

Sometimes we tend to be in despair when the person we love leaves us, but the truth is, it's not our loss, but theirs, for they left the only person who couldn't give up on them.


Make the effort and take the risk..

"Do what you feel in your heart to be right- for you'll be criticized anyway. You'll be damned if you do, and damned if you don't." - Eleanor Roosevelt
tiger_handheld is offline
Old 04-11-2014, 11:38 PM   #25
My homepage has been set to RS
 
Join Date: Apr 2008
Location: Burnaby
Posts: 2,131
Thanked 801 Times in 132 Posts
So.. Heartbleed used SQL with a little bit of brute force to decrypt the SSL certificates? They make it sound so simple.. Technically, then, the handshaking process was weak from the start and it was just a matter of a short time. (Decrypting SSL would usually take a billion years to decrypt by brute force, wouldn't it?) The guy sifting through the data must've been lucky as hell.

Last edited by typ.; 04-11-2014 at 11:43 PM.
typ. is offline