OneGuyFromBarlick

How the heartbleed bug works, the easy explanation :

http://xkcd.com/1354/

Google is my favoourite search engine, its fabulous, but do I trust them ? Not in a million years.

Tizer wrote:I see that `we' (well' not me, of course!) will now have the pleasure of being able to pay money from their bank account into someone else's bank account on their mobile phone by using the other person's name and mobile phone number. I wonder how long that will take to be compromised? Better keep a watch on this page: https://www.cl.cam.ac.uk/research/security/banking/

That's already possible with PayPal, however, now all I need to do to pay for food at McDonalds is put my phone over their card machines and scan my fingerprint! 3~4secs! Frightning, but I can't see how anyone can steal using that system.

Steven, any new security system is seen as a challenge by some weird people and believe me, sooner or later someone will crack a way of doing it. The only really secure way I have ever seen to transfer money is to smile at the recipient and shove the folding money in their hand. I noted the report about the new system and thought hello, here we go again!

Steven, read the info on that Cambridge Uni web site that I gave the link to, and keep an eye on it in the future. They're good at spotting IT problems that affect consumers - they warned of the chip & pin failings before they occurred but the banks took no notice and said the uni researchers must be wrong. But it was the banks that were wrong (why am I not surprised?). Also, did you see the reports about people having money taken from their accounts electronically because, without them realising, their handbag or pocket had brushed up against one of those RF machines in a shop?

Heartbleed...Mrs Tiz reports that when she went to log in on the Nationwide and Lloyds bank web sites they both put up a notice saying there was no need to change passwords, their sites were `safe'. I hope they're right, I don't have much confidence in their ability with IT! An expert (could have been one of the Cambridge people) recently said that the IT in our big banks had been `not fit for purpose' and a shambles for many years.

Its sites with out of date software that are susceptible to heatbleed. If they've kept their macines up to date, there isn't an issue. Theres a big kerfuffle going on about a rumour that the NSA (The Yank's spies) have known about the bug for the past 2 years and have been exploiting it and saying nothing about it. Officially they should be stopping stuff like this becoming an issue and reporting the holes so they can be fixed, but the NSA has been accused of putting spying above security, and keeping a hole like this open is good for spying. The NSA predictably are denying it.

Meanwhile since its been made public , there are lists of vulnerable sites being posted on the internet, so that interested parties can have a poke around......

Pluggy wrote:Its sites with out of date software that are susceptible to heatbleed. If they've kept their macines up to date, there isn't an issue. Theres a big kerfuffle going on about a rumour that the NSA (The Yank's spies) have known about the bug for the past 2 years and have been exploiting it and saying nothing about it. Officially they should be stopping stuff like this becoming an issue and reporting the holes so they can be fixed, but the NSA has been accused of putting spying above security, and keeping a hole like this open is good for spying. The NSA predictably are denying it.

Meanwhile since its been made public , there are lists of vulnerable sites being posted on the internet, so that interested parties can have a poke around......

http://www.engadget.com/2014/04/14/nsa- ... eed-fixes/

Tiz, not only that but the attitude in the big banks when their compliance and security department reports to them is "Will it affect trading and profits". Nothing else matters.

Mumsnet have said they've been hit by the Heartbleed problem and have told their members to create new passwords. But they made the mistake of sending the members a message with a web link and telling them to click the link to reset the password instead of advising them to go to the Mumsnet web site in the usual way and do the reset. Sending a Mumsnet look-alike email with a link is just what malicious types would do to get folk to go to their own web page.

It's a minefield out there.....

I see that Google have now come clean and admitted that they "scan" the G-mails. Not for any malicious intent but just so that they can "target" their advertising to better effect. So that's alright then. Soon Google and the supermarkets will know more about individuals than they know themselves.

...and certainly more than governments know about their citizens.

Mass Data is a major industry these days of course. A consequence of the capacity of modern systems to handle data. I suspect we'd be amazed if we knew how much they hold on us even if we avoid Nectar and 'Loyalty' cards and mobile phones....

Bleargh, I thought OGFB was down this afternoon but I was too busy to look into it at the time. Turns out my internet connection thinks its down, but when I tether my laptop to my mobile to get an alternative connection it works fine. No other sites seem to be affected, I'm wondering if EE/Orange have got issues again. Anyone else having problems with EE/Orange ?

Nothing to report here Plugs....

I haven't anything to report here today. Its back.

What Doc calls a 'brain fart'?

No, it wasn't me, OGFB definitely wasn't available on my Internet connection at the time. I could access the back end via 1and1's control panel, but not directly. Its been OK since.

Thanks to Canonical for 98mb of new OS and Unix printing system (whatever that is!).

Tizer wrote:Steven, read the info on that Cambridge Uni web site that I gave the link to, and keep an eye on it in the future. They're good at spotting IT problems that affect consumers - they warned of the chip & pin failings before they occurred but the banks took no notice and said the uni researchers must be wrong. But it was the banks that were wrong (why am I not surprised?). Also, did you see the reports about people having money taken from their accounts electronically because, without them realising, their handbag or pocket had brushed up against one of those RF machines in a shop?

Heartbleed...Mrs Tiz reports that when she went to log in on the Nationwide and Lloyds bank web sites they both put up a notice saying there was no need to change passwords, their sites were `safe'. I hope they're right, I don't have much confidence in their ability with IT! An expert (could have been one of the Cambridge people) recently said that the IT in our big banks had been `not fit for purpose' and a shambles for many years.

It isn't susceptible to the RF hacks. It doesn't broadcast your details until you swipe your fingerprint on the device itself.

Also, chip and pin isn't a bad system... It just isn't great. Also, you aren't required to even use chip and pin at all, you can just swipe and use your signature. We all also know how easy it is to purchase goods online without security at all (except visa debit transactions).

Thanks to Mozilla for a new version of Firefox downloaded this morning.I'm sure there are changes but the only thing I've noticed is that the page arrows in the top left hand corner are now black instead of yellow! (I know, but that's the level I work at!)

Mozilla have been busy again, a new version of Thunderbird this morning. It seems to me that Windows give patches to the basic systems while Linux based Ubuntu seems to simply replace the whole lot. Am I right?

More or less. All the open source stuff is kept in a repository and its all updated from there or in some cases bits are added on to the repository and its all done at the same time. In Windows, Microsoft only update the Microsoft stuff (The operating system, office and other bits and bats if you have them) Everything else is expected to look after itself.

Canonical do it again. Another new Linux OS this morning. 70mb of data.....

A lot of Ubuntu security updates...I wonder if Linux or Ubuntu is being targeted more often now?

Tizer wrote:A lot of Ubuntu security updates...I wonder if Linux or Ubuntu is being targeted more often now?

I would've thought debian? Closely related to Ubuntu, and most servers run Debian.