Ye Macce Threade


I disagree, Jacob.  Basically, SSL is broken.  That's pretty major.  Your fanboyism can only go so far.  You can't try to brainwash a security flaw away.
 

I don't know how far back the fault goes, but found this:

 

So goto fail was added before October 2013. It is in 10.9 but not 10.8.5; and it is in iOS 6.1 and iOS7...Ouch

...sounds like the fault itself doesn't go back that far, Al.


I don't get on networks that have been hacked, AFAIK.  It's not minor, but it's not the doomsday scenario that so many are puking, either.

It's the "afaik" that's important.  You don't know.  You have no way of knowing.  I personally won't use a Mac except on my home network at this point.  Tho in all likelihood, the damage has been done, if it's going to be.  

That said, I'm not particularly worried about personal consequences so much as potential work consequences.  

 

I stopped using my work computer on non-work/home/mifi networks 2 years ago tho, and all traffic is vpn on it. 


Me too.  Can't trust fucking anyone any more.  A week ago Sunday an automatic backup that I forgot I installed started up right in the middle of something.  My performance dropped by 50%, and my first thought was that I'd been hacked.

 

Also, capitalone.com home page has a fault in the embedded css pages, where they try to run scripts on 127.0.0.1 and the gateway.  :rolleyes:


It's probably never a bad idea to change important passwords, and enable 2 factor authentication whenever you can.

 

Do it from home or work tho... :)

 

Also, 15 character passwords, mixed for anything that matters.  There are lookup tables for almost anything less than that readily available in the black hat world. 


In general, is it safer to use Rice's VPN when at home (assuming that I have a router set up with WPA2 and a very difficult pw) or not to use it?  I am always slightly worried that the university's network isn't so safe with all the students on it but I know very little about network security (and I am paranoid).  


I use wifi at the local coffee shop a lot, as well as whenever I'm visiting my daughter for a weekend at CU Boulder or at my mother-in-law's house, to name a few.  I just worry about random people with wifi sniffers or packet sniffers (whatever) and them being able to steal my logins and such.

 

The thing is, I thought that anyone who can insert themselves into the pipe between you and the encrypted site you visit can get you, without targeting you by trying to get into your local network.  Do they have to be on the same network as you and target just you, or can they be out in the ether like the NSA and scoop up everything?

 

EDIT - link http://appleinsider.com/articles/14/02/24/apple-nearing-release-of-os-x-1092-with-support-for-facetime-audio-fixes-for-mail-safari

Edited by HeadphoneAddict

This exploit puts "the adversary" in the middle of your encrypted connections (and anyone else's) if they've taken control of the network.  Network sniffing is a different problem.  Both are solved with a mifi.

 

I'm not sure I understand - do you mean mifi as in MiFi hotspot on a cell provider?  The cell providers are safe in this case?  Why is that any different from connecting via ethernet or secured wifi at home?


What's really alarming about this bug is how bad Apple's security engineering is.

A code review would have caught this bug.
A sensible C style guide would have prevented this bug.
Lint would have caught this bug.
A static analyzer would have caught this bug.
A unit test would have caught this bug.
An integration test would have caught this bug.

Apparently Apple is following none of these established engineering practices. That's bad in general, but for a critical security library it's outright negligence.

gotofail.png

 

Not doing this to cause Jacob an aneurysm, just sharing with anyone who cares about the finer details of the flaw.  It's really pretty horrendous.  Any Freshman level programmer would immediately be able to see the flaw.


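Added example, not part of any post in this thread and not Apple's code: a simplified C model of the duplicated `goto fail;` pattern the post above refers to, next to a hardened form and the kind of negative unit test the post says would have caught it. All names (`key_exchange_msg`, `hash_update`, `signature_matches`, `verify_flawed`, `verify_hardened`, `rejects_forgery`) and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the hash and signature steps of a handshake check. */
typedef struct { const char *signed_params; const char *signature; } key_exchange_msg;
static int hash_update(const char *data) { return data ? 0 : -1; } /* 0 = success */
static int signature_matches(const key_exchange_msg *m) {
    return strcmp(m->signed_params, m->signature) == 0 ? 0 : -1;
}

/* Flawed shape: without braces only the first goto belongs to the if. The second
   one always runs, however it is indented, while err is still 0 from the hash step. */
int verify_flawed(const key_exchange_msg *m) {
    int err;
    if ((err = hash_update(m->signed_params)) != 0)
        goto fail;
    goto fail;                      /* duplicated line: taken unconditionally */
    err = signature_matches(m);     /* never reached */
fail:
    return err;
}

/* Hardened shape: braces on every branch, and the result starts as failure,
   so only a path that passed every check can return 0. */
int verify_hardened(const key_exchange_msg *m) {
    int err = -1;
    if (hash_update(m->signed_params) != 0) {
        goto fail;
    }
    if (signature_matches(m) != 0) {
        goto fail;
    }
    err = 0;
fail:
    return err;
}

/* Negative unit test: a forged signature must be rejected. Returns 1 if it is. */
int rejects_forgery(int (*verify)(const key_exchange_msg *)) {
    key_exchange_msg forged = { "server-params", "not-the-signature" };
    return verify(&forged) != 0;
}

int main(void) {
    printf("flawed rejects forgery:   %d\n", rejects_forgery(verify_flawed));
    printf("hardened rejects forgery: %d\n", rejects_forgery(verify_hardened));
    return 0;
}
```
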
I refuse to use capitalone.com on my computer until they fix it.  I mean, that's the login page.

 

I noticed this because I use noscript, and the only domain I should have to open up for that page is capitalone.com, yet for some reason (that I have been too lazy to track down), it also wants 127.0.0.1 and...whatever your router is.  Feel free to double-check for yourselves, I would love to have outside corroboration.  And if it is just me, I'd like to know that, too, for obvious reasons.


The insidious thing about the openssl problem is that the man in the middle attack could be coming from ANYWHERE in the middle.  The more I think about it the more I want to go back to face to face banking.  The scope of this could end up being bigger than the backdoor that was in the openssl libraries for over 10 years.
