I haven't seen a post on it, but there's a bug that affects quite a number of websites out there that has recently been discovered. It's a flaw in OpenSSL that lets malicious users read memory in 64k chunks. That means your password is vulnerable.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Has GRM been affected at all?
I think this thing is a much bigger problem in theory than practice. I won't be changing any passwords over it.
Suppose some bad guys got my GRM forum password. What dastardly thing could they possibly do?
I also heard you SHOULDN'T change your password. Dunno.
Rusnak_322 wrote:
Suppose some bad guys got my GRM forum password. What dastardly thing could they possibly do?
Post pro-electric car & anti-Miata comments!
N Sperlo wrote:
I also heard you SHOULDN'T change your password. Dunno.
You shouldn't change your password until you know that the site has made the required updates. Most of your big ones have, but one of the more common CMS systems for creating sites, Drupal, hasn't fully patched yet.
If you change your password before a patch, you'll just have to do it all over again.
We've confirmed DIYAutoTune was not affected by the bug. A couple of the test tools are giving false positives because we are running an (unaffected) OpenSSL variant, and our SSL certificate was generated in the affected timeframe. We're in the process of replacing the SSL certificate to prevent any false positives from popping up.
NOHOME
SuperDork
4/10/14 3:24 p.m.
With a cheat sheet of over 100 passwords required to keep my life going, this is going to suck.
Remember when you could actually have a password that was possible to remember!?
In reply to Gimp:
Thanks for clearing that up.
What seems annoying from where I sit is that many providers are just reporting that they patched, without also talking about certificate changes or data exposure.
The thing about data exposure is that any that may have happened because of this already happened, and unless you're the NSA you're very unlikely to have the kind of systems needed to look back and find out what it was.
To be on the safe side they should do certificate changes, but I don't think any CA is going to give you a free new one, especially since the odds of getting a cert back through this vulnerability are quite slim.
How many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing?
These are the same computer geeks that are saying how bad this is... probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid '90s...
novaderrik wrote:
How many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing?
These are the same computer geeks that are saying how bad this is... probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid '90s...
Sorry to get sidetracked, but that work was a major part of the reason Y2K ended up not being a big deal...
novaderrik wrote:
How many computer geeks are going to be gainfully employed for the next few months or years "fixing" this thing?
These are the same computer geeks that are saying how bad this is... probably mostly the same geeks that spent 5 years "fixing" the Y2K bug starting in the mid '90s...
I wish it were a nasty conspiracy to make us all filthy rich, but for me I just ran "yum update" on a couple of servers and called it a day. Total work time: 2 mins.
And Y2K wasn't a problem because of all the work geeks put in. Without it, yeah, a lot of systems would have crashed or otherwise berkeleyed up.
Dear Lord, I'm tired of hearing about this. It is not NEARLY as large of a problem as the media makes it out to be.
First of all, no bank uses OpenSSL. None. Take a look at this list, where just about every major bank says "We weren't affected by this, because we weren't dumb enough to use an open standard for our encryption."
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Next, just because OpenSSL/HTTPS is vulnerable doesn't mean all your passwords and data are compromised. Heartbleed allows an attacker to read a random 64 KB chunk of memory from a server. That's it. Memory is randomly accessed and always changing. So the chance of an attacker actually getting your private key is very, very small.
However, let's say that an attacker did manage to compromise the SSL transaction between you and Facebook (an example of a site that actually did use OpenSSL). The only way any meaningful data could come out of that attack is if the attacker could read the majority of the packets between you and Facebook's server(s). Because packets traversing the Internet take different paths, the attacker would either need to be (a) directly in your network (or directly outside your house using an air sniffer to obtain data from your WiFi) or (b) have a packet sniffer on a mirrored port in Facebook's intranet.
A good allegory would be to say that an attacker could listen in on your phone calls but only if he was in the house of either you or who you were talking to.
Was this a security issue? Yes. Did it need to be fixed? Yes. Was it as bad as the media made it out to be? NOT AT ALL.
Signed,
Someone who does this E36 M3 for a living.
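The "read a chunk of memory" mechanism the thread is arguing about, written out as an added example (this is a simplified model, not code from the thread or from OpenSSL; the names arena, build_record, hb_vulnerable and hb_fixed, and the constructed "TOPSECRET" data placed next to the record, are assumptions for the demo). A heartbeat request claims 40 payload bytes while actually carrying 2; the unchecked handler echoes back whatever happens to sit after the record in process memory, while the length check OpenSSL's patch introduced discards the same record:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the TLS heartbeat handler (RFC 6520), added for illustration.
 * Record layout: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 */
#define HB_HDR 3      /* type byte + 2-byte payload_length */
#define HB_MIN_PAD 16 /* minimum padding required by RFC 6520 */

/* Stand-in for process memory: the received record sits right before other live data
 * (an assumption of the demo; in a real process it would be neighbouring heap data). */
static unsigned char arena[256];

/* Lay out a heartbeat request in `arena` that carries `actual_len` payload bytes
 * but claims `claimed_len`, and place `neighbour` (constructed data standing in for
 * whatever else the process had in memory) immediately after the record.
 * Returns the real length of the record. */
static size_t build_record(const unsigned char *payload, size_t actual_len,
                           uint16_t claimed_len, const char *neighbour)
{
    size_t rec_len = HB_HDR + actual_len + HB_MIN_PAD;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                               /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, actual_len);
    /* padding bytes are already zero from the memset */
    strcpy((char *)arena + rec_len, neighbour);
    return rec_len;
}

static uint16_t claimed_payload_len(const unsigned char *rec)
{
    return (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: trusts the peer-supplied payload_length and copies that
 * many bytes from just after the header, never consulting the record length.
 * Returns the number of bytes echoed into `out`. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    size_t n = claimed_payload_len(rec);
    (void)rec_len;                 /* never checked: this is the bug */
    if (n > out_cap) n = out_cap;  /* keeps the demo inside `arena`; the real code had no such cap */
    memcpy(out, rec + HB_HDR, n);  /* reads past the record when n > rec_len - HB_HDR */
    return n;
}

/* Fixed handler: the check OpenSSL's patch added. Header + claimed payload +
 * minimum padding must fit inside the record, otherwise the record is dropped. */
static size_t hb_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    size_t n;
    if (rec_len < HB_HDR)
        return 0;                  /* not even a full header */
    n = claimed_payload_len(rec);
    if ((size_t)HB_HDR + n + HB_MIN_PAD > rec_len)
        return 0;                  /* RFC 6520: discard silently, send nothing */
    if (n > out_cap)
        return 0;
    memcpy(out, rec + HB_HDR, n);
    return n;
}

int main(void)
{
    static const unsigned char payload[] = { 'h', 'i' };
    unsigned char out[64];
    size_t rec_len = build_record(payload, sizeof payload, 40, "TOPSECRET");
    size_t got;

    got = hb_vulnerable(arena, rec_len, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, out[18..26] = \"%.9s\"\n",
           got, (const char *)out + 18);

    got = hb_fixed(arena, rec_len, out, sizeof out);
    printf("fixed: echoed %zu bytes\n", got);
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The record is 21 bytes (3 header + 2 payload + 16 padding), so the vulnerable copy of 40 bytes runs 22 bytes past it and the constructed neighbour string lands at offset 18 of the echoed payload. What a real attacker got back was whatever happened to be adjacent in the heap at that instant, which is why repeated requests returned different contents.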
In reply to Sky_Render:
Thank you for that. As another person who does this for a living, I have been inundated by people freaking out over this. Usually I can calm them down, but not always.
I have had people bringing their computers in wanting us to fix them because of this. Some really have no concept. As mentioned above, we updated our servers in all of a couple minutes.
Oh this is also not as big of an issue if you do not use the same username and password for everything.
The "problem" is that most people have no idea how the Internet works. And there's nothing wrong with that; not everyone is a geek/engineer/IT professional.
The problem is that the media, who apparently don't have much to report on right now, blow everything out of proportion in an effort to boost ratings.
And my post above completely ignored the multifactor authentication that many websites (especially banks) use now.
Strike_Zero wrote:
rebelgtp wrote:
Oh this is also not as big of an issue if you do not use the same username and password for everything.
QFT!!
For lazy folks, I tell them to at least use a unique and stronger password for e-mail and banking. E-mail is the keys to the kingdom of your online accounts and banking is your berkeleying money.
Someone at work was actually hacked today. With the small amount they pay, you'd think a multi-million dollar non-profit that teaches computer science could prevent it.