Author Topic: Heads Up - Heartbleed & DropBox  (Read 520 times)

Legacy_Tarot Redhand

  • Hero Member
  • *****
  • Posts: 4165
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« on: April 20, 2014, 12:59:37 am »



The BBC produces a weekly magazine programme on all things computer related, called "Click". In this week's edition it was mentioned that there is a list of websites that it would be wise to change your password(s) for. This list can be found here. While going through the list I came across the fact that Dropbox is one of the sites you should immediately change your password for, to be on the safe side. As I know that a lot of people on here use Dropbox I thought a heads up was in order.


 


As I have written a simple little program (purely for my own use) to (pseudo-)randomly generate passwords I can report that db will accept passwords that are 32 (it may well be more) characters long. Also that not only will it accept upper and lower case letters and the digits 0-9 but also certain commonly used (by those password systems that accept them) symbols. I only mention this last paragraph as it can be a pain finding out just what is acceptable for a password for any given site.


 


TR




Legacy_rjshae

  • Hero Member
  • *****
  • Posts: 553
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #1 on: April 20, 2014, 04:24:23 am »



Thanks for the heads up.




Legacy_Tarot Redhand

  • Hero Member
  • *****
  • Posts: 4165
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #2 on: April 20, 2014, 01:51:56 pm »



It's just a thought but you might want to post a link to this message on the most appropriate NwN2 board.


 


TR




Legacy_Bannor Bloodfist

  • Hero Member
  • *****
  • Posts: 1578
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #3 on: April 20, 2014, 06:11:06 pm »



The only reason Dropbox would be susceptible to this particular type of virus would be if one of the people you have given the link to your Dropbox ultimately becomes infected AND posts something to your Dropbox. The same would be true for ANY file linking system: SkyDrive, Dropbox, whatever Google's name for their version is, etc. No more of a worry than any other virus infecting your computer unless you post links to your Dropbox on a widely open set of forums that can be crawled by the various web spiders out there. Yahoo, Google, Bing and all of the other search engines do have very powerful and pervasive spiders crawling the web to discern the returns for their search engines.


 


Basically, a baseless so-called web expert reporting an issue that they truly know nothing about and expanding fears about the virus, which has already been defeated by most of the anti-virus software out there, including the ones that come by default from Microsoft for free. SO, no worries at all.




Legacy_Lord Sullivan

  • Hero Member
  • *****
  • Posts: 671
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #4 on: April 20, 2014, 07:44:05 pm »



Windows XP Rules! No virus here.




Legacy_Bluebomber4evr

  • Full Member
  • ***
  • Posts: 216
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #5 on: April 20, 2014, 09:47:20 pm »




The only reason Dropbox would be susceptible to this particular type of virus would be if one of the people you have given the link to your Dropbox ultimately becomes infected AND posts something to your Dropbox. The same would be true for ANY file linking system: SkyDrive, Dropbox, whatever Google's name for their version is, etc. No more of a worry than any other virus infecting your computer unless you post links to your Dropbox on a widely open set of forums that can be crawled by the various web spiders out there. Yahoo, Google, Bing and all of the other search engines do have very powerful and pervasive spiders crawling the web to discern the returns for their search engines.


 


Basically, a baseless so-called web expert reporting an issue that they truly know nothing about and expanding fears about the virus, which has already been defeated by most of the anti-virus software out there, including the ones that come by default from Microsoft for free. SO, no worries at all.




It hasn't been "defeated" by antivirus software because Heartbleed isn't a virus, it's a bug in the OpenSSL code that leaves unencrypted info exposed in a server's memory. This means not only passwords, but even private encryption keys to web certificates were exposed on at least 2/3rds of the internet. Antivirus software cannot and does not protect you from this. EVERYONE's Dropbox info was vulnerable because Dropbox had used the bugged code. Changing your password is not only prudent, but strongly advised by Dropbox itself.


 


More info:


http://www.cnet.com....s-339347086.htm


http://arstechnica.c...-eavesdropping/


http://arstechnica.c...ut-web-at-risk/


http://arstechnica.c...ivate-keys-too/


http://arstechnica.c...authentication/


http://www.zdnet.com...ice-7000028435/
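To make the "bug in the OpenSSL code" concrete, here is an added example that is not from this thread or from OpenSSL itself: a toy C handler for a TLS heartbeat record (RFC 6520 layout: one type byte, a 16-bit big-endian payload length, the payload, then at least 16 bytes of padding). The function and constant names are hypothetical; the check marked FIX is the bounds check whose absence was the Heartbleed bug.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical constants modelled on RFC 6520 (not OpenSSL's own code). */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a heartbeat response into out (capacity out_cap) from the received
 * record rec of rec_len bytes. Returns the response length, or -1 if the
 * record is malformed and must be silently discarded.
 *
 * The unpatched OpenSSL code trusted the sender's claimed payload length
 * and copied that many bytes starting at the payload, so a short record
 * with a large claimed length echoed whatever sat in process memory after
 * it (passwords, session data, private keys). The check marked FIX is the
 * one the patch added. */
long heartbeat_response(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)   /* too short to be a valid record */
        return -1;
    if (rec[0] != HB_REQUEST)               /* only requests get a response */
        return -1;

    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* sender's claimed length */

    /* FIX: header + claimed payload + minimum padding must fit inside what was
     * actually received; otherwise the claim is a lie and the record is dropped. */
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)                 /* never overrun our own buffer either */
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);      /* echo only bytes the peer really sent */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* fresh padding, no leftover memory */
    return (long)resp_len;
}
```

The point of the FIX line is that the server validates the length it was told against the length it actually received; without it, no anti-virus product on the client side can help, because nothing malicious ever runs on the client.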



Legacy_Bannor Bloodfist

  • Hero Member
  • *****
  • Posts: 1578
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #6 on: April 22, 2014, 11:45:37 pm »




It hasn't been "defeated" by antivirus software because Heartbleed isn't a virus, it's a bug in the OpenSSL code that leaves unencrypted info exposed in a server's memory. This means not only passwords, but even private encryption keys to web certificates were exposed on at least 2/3rds of the internet. Antivirus software cannot and does not protect you from this. EVERYONE's Dropbox info was vulnerable because Dropbox had used the bugged code. Changing your password is not only prudent, but strongly advised by Dropbox itself.


 


More info:


http://www.cnet.com....s-339347086.htm


http://arstechnica.c...-eavesdropping/


http://arstechnica.c...ut-web-at-risk/


http://arstechnica.c...ivate-keys-too/


http://arstechnica.c...authentication/


http://www.zdnet.com...ice-7000028435/




 


Well, thanks for the updated info, but it doesn't really mean anything unless you mistakenly use the same password for Dropbox that you use elsewhere, and surely you are not doing that, right?


 


With all of the password management systems available now, you can easily create and use truly random passwords for everything. As long as you keep your master key file on a USB stick or something like that, you should be safe.



Legacy_Pstemarie

  • Hero Member
  • *****
  • Posts: 4368
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #7 on: April 23, 2014, 01:16:52 am »



 



Well, thanks for the updated info, but it doesn't really mean anything unless you mistakenly use the same password for Dropbox that you use elsewhere, and surely you are not doing that, right?


 


With all of the password management systems available now, you can easily create and use truly random passwords for everything. As long as you keep your master key file on a USB stick or something like that, you should be safe.




 


Wow, they've automated that stuff. Cool, I can stop using my username for my password.


 


Sorry, Bannor couldn't resist a little brevity...



Legacy_Bluebomber4evr

  • Full Member
  • ***
  • Posts: 216
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #8 on: April 24, 2014, 05:43:31 am »




Well, thanks for the updated info, but it doesn't really mean anything unless you mistakenly use the same password for Dropbox that you use elsewhere, and surely you are not doing that, right?


 


With all of the password management systems available now, you can easily create and use truly random passwords for everything. As long as you keep your master key file on a USB stick or something like that, you should be safe.




Of course not, but your Dropbox password was still exposed along with everyone else's even if it was unique. I have unique passwords for every site I go to, and I had to change at least 25% of them because of this bug. 


 


Even password management systems like LastPass were vulnerable to it.


 


But the problem is that it wasn't just passwords exposed. All sorts of information that should have been secure weren't, and haven't been for the last two years. OpenSSL was not only used on servers, but also things like routers and Android phones. It really is a huge mess.



Legacy_rjshae

  • Hero Member
  • *****
  • Posts: 553
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #9 on: April 24, 2014, 09:09:32 pm »



[image: heartbleed-open-ssl-8447.jpg]




Legacy_Bannor Bloodfist

  • Hero Member
  • *****
  • Posts: 1578
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #10 on: April 24, 2014, 11:49:30 pm »



Yeah, well, it IS the digital age, and you have thousands, probably tens of thousands, of folks dedicated to stealing data. I have seen applications for job positions where idiots believe that because they are 'black hat' hackers, it makes them more valuable for certain types of security-related information system jobs etc. I know that anytime anyone has sent me an application that includes that sort of thing, I typically black flag that person, and never consider them for a job in the first place.


 


In my opinion, about the only place folks like that belong is behind bars; however, there may be a legitimate job that they can perform, likely with homeland or some other government position used to spy on folks. We all know those folks exist, and homeland has been caught on many occasions deliberately crossing the lines, so I would expect them to have lots more things that would upset the general public if it became known.


 


Nothing transmitted across the ether is safe, nothing at all. No matter your so-called encryption strength, as the folks that claim 512 bit encryption is unbreakable in a normal lifetime, yet, things have been hacked so many times that we know there is nothing safe anywhere.


 


All of your social media types of interfaces state in their legalese crap somewhere buried in the pages of things you are agreeing to whether you understand it or not, ALL of them claim ownership of whatever data crosses their domains.  Things that they use for targeted marketing are bad enough, but there are thousands of other uses for that data that would not be considered 'freely given' regardless of the legalese that is used to hide what they are doing.


 


What upsets me more and more is the fact that you cannot get a working copy of any software anymore; nothing you can download is 'up to date' and always requires you to connect to the internet to re-download stuff that should have been included in the original download you purchased. All that software wants to install some sort of background tracking system that claims to only be wishing to check for updates... yet runs continuously in your computer's memory.


 


Oh well... just another piece of very buggy, supposedly secure, software that is required to communicate in this world now.




Legacy_Pstemarie

  • Hero Member
  • *****
  • Posts: 4368
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #11 on: April 25, 2014, 12:26:08 am »




Yeah, well, it IS the digital age, and you have thousands, probably tens of thousands, of folks dedicated to stealing data. I have seen applications for job positions where idiots believe that because they are 'black hat' hackers, it makes them more valuable for certain types of security-related information system jobs etc. I know that anytime anyone has sent me an application that includes that sort of thing, I typically black flag that person, and never consider them for a job in the first place.


 


In my opinion, about the only place folks like that belong is behind bars; however, there may be a legitimate job that they can perform, likely with homeland or some other government position used to spy on folks. We all know those folks exist, and homeland has been caught on many occasions deliberately crossing the lines, so I would expect them to have lots more things that would upset the general public if it became known.


 


Nothing transmitted across the ether is safe, nothing at all. No matter your so-called encryption strength, as the folks that claim 512 bit encryption is unbreakable in a normal lifetime, yet, things have been hacked so many times that we know there is nothing safe anywhere.


 


All of your social media types of interfaces state in their legalese crap somewhere buried in the pages of things you are agreeing to whether you understand it or not, ALL of them claim ownership of whatever data crosses their domains.  Things that they use for targeted marketing are bad enough, but there are thousands of other uses for that data that would not be considered 'freely given' regardless of the legalese that is used to hide what they are doing.


 


What upsets me more and more is the fact that you cannot get a working copy of any software anymore; nothing you can download is 'up to date' and always requires you to connect to the internet to re-download stuff that should have been included in the original download you purchased. All that software wants to install some sort of background tracking system that claims to only be wishing to check for updates... yet runs continuously in your computer's memory.


 


Oh well... just another piece of very buggy, supposedly secure, software that is required to communicate in this world now.




 


I blame Obama - he's watching us you know...



Legacy_henesua

  • Hero Member
  • *****
  • Posts: 6519
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #12 on: April 25, 2014, 12:55:46 am »



[image: 2014-04-23.gif]


 


SINFEST - Alpha Formation (of a flock of drones)




Legacy_3RavensMore

  • Hero Member
  • *****
  • Posts: 1153
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #13 on: April 25, 2014, 02:59:08 am »



For a minute there I was thinking I was on some political blog site... 




Legacy_Bannor Bloodfist

  • Hero Member
  • *****
  • Posts: 1578
  • Karma: +0/-0
Heads Up - Heartbleed & DropBox
« Reply #14 on: April 25, 2014, 09:55:49 pm »




For a minute there I was thinking I was on some political blog site... 




 


Ok Folks, see ^^^^^^ there ARE spies among us! Harumph... thinking that any topic is NOT political? Gah... just where are people's minds these days anyway?