Jump to content

Ye Macce Threade


Recommended Posts

I disagree, Jacob.  Basically, SSL is broken.  That's pretty major.  Your fanboyism can only go so far.  You can't try to brainwash a security flaw away.
 

I don't know how far back the fault goes, but found this:

 

So goto fail was added before October 2013. It is in 10.9 but not 10.8.5; and it is in iOS 6.1 and iOS7...Ouch

...sounds like the fault itself doesn't go back that far, Al.

  • Like 1
Link to comment
Share on other sites

I don't get on networks that have been hacked, AFAIK.  It's not minor, but it's not the doomsday scenario that so many are puking, either.

it's the "afaik" that's important.  You don't know.  You have no way of knowing.  I personally won't use a mac except on my home network at this point.  Tho in all likelihood, the damage has been done, if it's going to be.  

That said, I'm not particularly worried about personal consequences so much as potential work consequences.  

 

I stopped using my work computer on non-work/home/mifi networks 2 years ago tho, and all traffic is vpn on it. 

Link to comment
Share on other sites

Me too.  Can't trust fucking anyone any more.  A week ago Sunday an automatic backup that I forgot I installed started up right in the middle of something.  My performance dropped by 50%, and my first thought was that I'd been hacked.

 

Also, capitalone.com home page has a fault in the embedded css pages, where they try to run scripts on 127.0.0.1 and the gateway.  :rolleyes:

Link to comment
Share on other sites

It's probably never a bad idea to change important passwords, and enable 2 factor authentication whenever you can.

 

Do it from home or work tho... :)

 

Also, 15 character passwords, mixed for anything that matters.  There are lookup tables for almost anything less than that readily available in the black hat world. 

Link to comment
Share on other sites

In general, is it safer to use Rice's VPN when at home (assuming that I have a router setup with WPA2 and a very difficult pw) or not to use it?  I am always slightly worried that the university's network isn't so safe with all the students on it but I know very little about network security (and I am paranoid).  

Link to comment
Share on other sites

I use wifi at the local coffee shop a lot, as well as whenever I'm visiting my daughter for a weekend at CU Boulder or at my mother-in-law's house, to name a few.  I just worry about random people with wifi sniffers or packet sniffers (whatever) and them being able to steal my logins and such.

 

The thing is, I thought that anyone who can insert themselves into the pipe between you and the encrypted site you visit can get you, without targeting you by trying to get into your local network.  Do they have to be on the same network as you and target just you, or can they be out in the ether like the NSA and scoop up everything?

 

EDIT - link http://appleinsider.com/articles/14/02/24/apple-nearing-release-of-os-x-1092-with-support-for-facetime-audio-fixes-for-mail-safari

Edited by HeadphoneAddict
Link to comment
Share on other sites

this exploit puts "the adversary" in the middle of your encrypted connections (and anyone else's) if they've taken control of the network.  Network sniffing is a different problem.  Both are solved with a mifi.

 

I'm not sure I understand - do you mean mifi as in MiFi hotspot on a cell provider?  The cell providers are safe in this case?  Why is that any different from connecting via ethernet or secured wifi at home?

Link to comment
Share on other sites

What's really alarming about this bug is how bad Apple's security engineering is.

A code review would have caught this bug.
A sensible C style guide would have prevented this bug.
Lint would have caught this bug.
A static analyzer would have caught this bug.
A unit test would have caught this bug.
An integration test would have caught this bug.

Apparently Apple is following none of these established engineering practices. That's bad in general, but for a critical security library it's outright negligence.

gotofail.png

 

Not doing this to cause Jacob an aneurysm, just sharing with anyone who cares about the finer details of the flaw.  It's really pretty horrendous.  Any Freshman level programmer would immediately be able to see the flaw.

Link to comment
Share on other sites

I refuse to use capitalone.com on my computer until they fix it.  I mean, that's the login page.

 

I noticed this because I use noscript, and the only domain I should have to open up for that page is capitalone.com, yet for some reason (that I have been too lazy to track down), it also wants 127.0.0.1 and...whatever your router is.  Feel free to double-check for yourselves, I would love to have outside corroboration.  And if it is just me, I'd like to know that, too, for obvious reasons.

Link to comment
Share on other sites

the insidious thing about the openssl problem is that the man in the middle attack could be coming from ANYWHERE in the middle.  The more I think about it the more I want to go back to face to face banking.  The scope of this could end up being bigger than the backdoor that was in the openssl libraries for over 10 years.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.