  1. #1

    Heartbleed OpenSSL vulnerability

    Haven't seen this anywhere on the site, and arguably gaming isn't the place to ask the question, except it does look like Steam may have been vulnerable to the heartbleed exploit, although they've now patched it.

    But I'm still kinda confused. According to some articles I read it seems SteamDB brought the issue to Valve's attention and they replied that any vulnerabilities had been closed but change your password blah blah. But I haven't had an actual email from Steam so it's still Chinese Whispers.

    I straight away disabled my Enhanced Steam extension just in case, since I can't see anywhere if it's vulnerable.

    It's the breadth of the potential problem that boggles me. I'm looking at about two hundred passwords in my KeePass database and even narrowing it down to the ones with game accounts or credit card information it's still about three dozen. Jeeze.

  2. #2
    Zephro (Secondary Hivemind Nexus; joined Aug 2011; London; 1,243 posts)
    Passwords aren't necessarily directly vulnerable from this. It allowed people to sniff 64K chunks of resident memory from the server. Passwords aren't usually stored in any decipherable way in memory, even in the DB they're usually not stored in a plain way. Also once it became available most people disabled the exploit on their OpenSSL.

  3. #3
    So, just avoid changing passwords until someone explicitly says different? I like the sound of that.

    As I get older, and slip into the Daily Mail's catchment, I'm probably just becoming more prone to hyped panic.

  4. #4
    Jams O'Donnell (Vector; joined May 2011; Burgh of Mussels; 819 posts)
    Quote Originally Posted by frightlever:
    As I get older, and slip into the Daily Mail's catchment, I'm probably just becoming more prone to hyped panic.
    Oh no -- is there some kind of Daily Mail event horizon?

  5. #5
    Spacewalk (Network Hub; joined Jun 2011; Grandma's house, in the attic; 475 posts)
    Quote Originally Posted by Jams O'Donnell:
    Oh no -- is there some kind of Daily Mail event horizon?
    Where we're going we won't need eyes. Or much brains come to think of it.

  6. #6
    Secondary Hivemind Nexus (joined Jun 2011; 4,057 posts)
    Problem with this exploit is that there's no way to tell what information has been leaked - or even if information has been leaked - we'll never know.

    It's probably just a coincidence, but someone managed to login to my Facebook account last week - Facebook security blocked it because it was in the USA (I'm not) but they had my password.

    Thing is - my password is auto-generated nonsense which I don't even know. I use KeePass - which means either

    a - my KeePass database has been obtained (from Dropbox) and cracked
    b - Facebook has a security issue which is leaking passwords

    a is HIGHLY unlikely (not least because all my other accounts remain secure - to my knowledge) - so it's b then.

    As I say - may not be related but it's inside the window people think this vulnerability has been known.

  7. #7
    Secondary Hivemind Nexus (joined Jun 2011; 4,057 posts)
    In other news - we really HAVE to move away from asking people for usernames and passwords - the system doesn't work, has never worked and the sheer number of these you need means no-one can really use them properly...

    I must have 300+ accounts I need to 'remember' somehow - not all of which I can automate with things like KeePass/LastPass - and I'm not using a 10+ character multi-case password on a mobile phone - so the system is weak and shit.

    There is a solution not dissimilar to the 'mobile authenticator' banks/Blizzard use - based on email addresses - which would work. The only problem is that a single system would attract so many potential hackers that it would be near-impossible to keep it up-and-running.

    It's the need to distribute 'security' to avoid this which makes that security weaker - ironically.
    Last edited by trjp; 10-04-2014 at 01:50 PM.

  8. #8
    Quote Originally Posted by trjp:
    There is a solution not dissimilar to the 'mobile authenticator' banks/Blizzard use - based on email addresses - which would work. The only problem is that a single system would attract so many potential hackers that it would be near-impossible to keep it up-and-running.
    Everything does seem to be moving towards your mobile phone being synonymous with your identity - which I'm not too happy about.

  9. #9
    Secondary Hivemind Nexus (joined Jun 2011; 4,057 posts)
    Quote Originally Posted by frightlever:
    Everything does seem to be moving towards your mobile phone being synonymous with your identity - which I'm not too happy about.
    If you're going to say something like that, you might want to say WHY or we're all going to assume you're a nutter ;0

    A mobile phone - in this case - is simply a device which can run the 'authenticator app' tho - doesn't have to be a phone, could be a PC/watch/e-glasses/dedicated gadget of some sort - all it needs is an (accurate-ish) clock and the ability to do a bit of maths and show a result somehow.

    Your 'id' is your email address (which is already your 'userid' for most websites anyway)
    Last edited by trjp; 10-04-2014 at 02:43 PM.

  10. #10
    Zephro (Secondary Hivemind Nexus; joined Aug 2011; London; 1,243 posts)
    Quote Originally Posted by trjp:
    In other news - we really HAVE to move away from asking people for usernames and passwords - the system doesn't work, has never worked and the sheer number of these you need means no-one can really use them properly...

    I must have 300+ accounts I need to 'remember' somehow - not all of which I can automate with things like KeePass/LastPass - and I'm not using a 10+ character multi-case password on a mobile phone - so the system is weak and shit.

    There is a solution not dissimilar to the 'mobile authenticator' banks/Blizzard use - based on email addresses - which would work. The only problem is that a single system would attract so many potential hackers that it would be near-impossible to keep it up-and-running.

    It's the need to distribute 'security' to avoid this which makes that security weaker - ironically.
    It's based on secured keys though and is entirely open to the OpenSSL problem, which is way more likely to be leaking private keys than it is passwords.

  11. #11
    Quote Originally Posted by trjp:
    If you're going to say something like that, you might want to say WHY or we're all going to assume you're a nutter ;0

    A mobile phone - in this case - is simply a device which can run the 'authenticator app' tho - doesn't have to be a phone, could be a PC/watch/e-glasses/dedicated gadget of some sort - all it needs is an (accurate-ish) clock and the ability to do a bit of maths and show a result somehow.

    Your 'id' is your email address (which is already your 'userid' for most websites anyway)
    Have you seen the plethora of payment, identification, security, boarding pass and more functions that are either being used with or developed for mobile phones? It's not tinfoil hattery, and the main reason I don't like it is because I'm just not a fan of mobile phones in general, it's not that I care about privacy or other nebulous concerns.

    In the specific case you mention, yes the phone is just an authenticator, but that's not even the tip of the iceberg for what your phone will be doing in the future.

  12. #12
    gwathdring (Secondary Hivemind Nexus; joined Aug 2011; Washington State, USA; 3,118 posts)
    Quote Originally Posted by Zephro:
    It's based on secured keys though and is entirely open to the OpenSSL problem, which is way more likely to be leaking private keys than it is passwords.
    The distinction becomes more blurry when you consider the value of obtaining those keys.

    Once you have access to the data most vulnerable to heartbleed, you can decrypt secure web traffic going back as long as those keys have been used by that website. Saying you're less likely to get passwords than keys is somewhat like saying you're less likely to get dollar bills than keys out of someone's pocket. Sure, but the keys are kind of important to the security of websites.

    If a website's keys are compromised, you can no longer trust that website's security certificates, for example--anyone who acted on their compromised state could masquerade as secure traffic from the website to access further information and eavesdrop on important data, past and present. Including passwords.
    Last edited by gwathdring; 10-04-2014 at 06:54 PM.
    I think of [the Internet] as a grisly raw steak laid out on a porcelain benchtop in the sun, covered in chocolate hazelnut sauce. In the background plays Stardust's Music Sounds Better With You. There's lots of fog. --tomeoftom

    You ruined his point by putting it in context that's cheating -bull0

  13. #13
    gwathdring (Secondary Hivemind Nexus; joined Aug 2011; Washington State, USA; 3,118 posts)
    Quote Originally Posted by trjp:
    In other news - we really HAVE to move away from asking people for usernames and passwords - the system doesn't work, has never worked and the sheer number of these you need means no-one can really use them properly...

    I must have 300+ accounts I need to 'remember' somehow - not all of which I can automate with things like KeePass/LastPass - and I'm not using a 10+ character multi-case password on a mobile phone - so the system is weak and shit.

    There is a solution not dissimilar to the 'mobile authenticator' banks/Blizzard use - based on email addresses - which would work. The only problem is that a single system would attract so many potential hackers that it would be near-impossible to keep it up-and-running.

    It's the need to distribute 'security' to avoid this which makes that security weaker - ironically.
    User names and passwords are a great system.

    Think of it this way: you're effectively suggesting we use a single key for all of our locks. Once our key is compromised, our place of residence, our car, our safe, our place of business, our gym locker--everything we lock becomes accessible. With the username and password system, we can have tiered and redundant security. Ideally we would use a combination of public key encryption and this sort of modular password system to avoid how easy it is to forget user-names, but I think abandoning the concept of passwords entirely is a fool's errand. In theory moving everything to key-pair encryption and reputation systems is more secure. What comp-sci wizards forget to factor in is that people aren't good at secure practice. People won't store their keys properly just as people won't use secure passwords even if you try to force them to (they'll just use predictably secure passwords which are thus barely more secure than the ones they would have used otherwise if at all); switching to an all-in-one security system be it a private key on a mobile phone or a computer hard-drive or what-have-you just makes it easier to completely wreck every aspect of a person's life once you inevitably catch them not being properly secure.

    Best security practice simply is not practical. We can whine and moan about how insecure our systems are ... and it's legitimate to blame companies and people with means for that. But users will always find ways to screw up security because at some point security relies on vigilant practice. Most of us are just bad at the kinds of thinking essential to secure systems. Even speaking of best practice, though, all-in-one is a terrible idea. You should always have multiple levels of security--multiple passwords, multiple keys, multiple what-have-yous.

  14. #14
    gwathdring (Secondary Hivemind Nexus; joined Aug 2011; Washington State, USA; 3,118 posts)
    Quote Originally Posted by trjp:
    Problem with this exploit is that there's no way to tell what information has been leaked - or even if information has been leaked - we'll never know.

    It's probably just a coincidence, but someone managed to login to my Facebook account last week - Facebook security blocked it because it was in the USA (I'm not) but they had my password.

    Thing is - my password is auto-generated nonsense which I don't even know. I use KeePass - which means either

    a - my KeePass database has been obtained (from Dropbox) and cracked
    b - Facebook has a security issue which is leaking passwords

    a is HIGHLY unlikely (not least because all my other accounts remain secure - to my knowledge) - so it's b then.

    As I say - may not be related but it's inside the window people think this vulnerability has been known.
    Every now and then a vulnerability is found in KeePass at various points along the way. The passwords are hashed, sure, but at some point they have to be un-hashed** to be given to the relevant websites. Local security vulnerabilities or malicious URLs can make KeePass useless--though the last time I heard of the latter being specifically discovered to be a problem was a few years ago and I'm sure the specific exploits get fixed relatively quickly. But in any case, if you ever used KeePass (or Facebook) on a potentially compromised device, your password could have been obtained that way. This includes most mobile devices, anything with an outdated browser or operating system, and any public terminal.

    **Edit: The point stands regardless, but is it hashed AFTER generation or AS PART of generation or both? Depending on how it works, the sentence I typed might not make any sense. It probably doesn't make any sense. Unhashing the password is unlikely to be both necessary and sufficient to get it into plain text, in any case--my bad. I'm tired so I typed my thoughts unclearly. In any case, the point is that at some point the password ends up in plain text.
    Last edited by gwathdring; 10-04-2014 at 07:24 PM.

  15. #15
    somini (Secondary Hivemind Nexus; joined Jun 2011; NEuro Troika Franchulate #3; 2,094 posts)
    Quote Originally Posted by Zephro:
    It's based on secured keys though and is entirely open to the OpenSSL problem, which is way more likely to be leaking private keys than it is passwords.
    In that case we better stay off the Internet!

    OT, can someone move this to "Other Stuff"?
    Steam
    Bak'laag, why do you forsake me?

  16. #16
    gwathdring (Secondary Hivemind Nexus; joined Aug 2011; Washington State, USA; 3,118 posts)
    Quote Originally Posted by somini:
    In that case we better stay off the Internet!

    OT, can someone move this to "Other Stuff"?
    It's relevant to PC Gaming for two reasons:

    1) Very important PSA, with this being the highest traffic area of the forums.

    2) Steam, Battle.net, Origin, Gamersgate, good old games, etc.

    Of particular note around these parts:

    2) Steam

  17. #17
    somini (Secondary Hivemind Nexus; joined Jun 2011; NEuro Troika Franchulate #3; 2,094 posts)
    Quote Originally Posted by gwathdring:
    It's relevant to PC Gaming for two reasons:

    1) Very important PSA, with this being the highest traffic area of the forums.

    2) Steam, Battle.net, Origin, Gamersgate, good old games, etc.

    Of particular note around these parts:

    2) Steam
    We should really change our Steam passwords?
    I really don't want to, I'm lazy. Wake me up when someone is compromised.

  18. #18
    gwathdring (Secondary Hivemind Nexus; joined Aug 2011; Washington State, USA; 3,118 posts)
    Quote Originally Posted by somini:
    We should really change our Steam passwords?
    I really don't want to, I'm lazy. Wake me up when someone is compromised.
    I mean ... you don't have to. Odds are it won't come back to bite you personally. It's up to you whether or not the exertion of changing your password in affected services is worth avoiding the risk of explicit compromise.

    But security has been compromised. Whether data was actually stolen maliciously on 1 or 3 or 100 or 0 or however many occasions through the bug isn't particularly important. We have no way of knowing. Sort of how an Earthquake might not happen in LA tomorrow, but it would be dumb as hell for LA developers not to at least try to build with Earthquakes in mind. You're welcome to go back to sleep, but I think it's important we wake people up now rather than after it's already a much more explicit problem so they have a chance to respond if they would like to and avoid the headaches.

    What you do with your own data is your affair; but it's still important that people be made aware so they can make informed decisions about their security habits. Preventative care is a good thing.

    What's particularly worrying about heartbleed is that if any old encryption keys were compromised, old traffic could still be decrypted months or even years from now without any new security breaches needing to occur first. The bug was exploitable for two years--it's very possible someone already figured it out before the google security team got to it. Your password could be compromised as a result of this bug *long after* the bug is repaired.
    Last edited by gwathdring; 11-04-2014 at 03:02 AM.

  19. #19
    Secondary Hivemind Nexus (joined Jun 2011; 4,057 posts)
    Quote Originally Posted by gwathdring:
    User names and passwords are a great system.
    No they're not - because they rely 100% on someone remembering 2 pieces of information which should, ideally, be different for every place they use them and complex enough not to guess.

    An analogy with your 'one key for every lock' idea is that your house/car/work keys, in order not to be easily picked, should vary in shape/size ENORMOUSLY - so you have to carry at least one key which is 4' long and another shaped like a blowfish ;) No-one would do that - of course - and so all locks would be easily picked because they'd all use similar keys...

    End of the day, sites use user/password authentication for different reasons tho - some more relevant than others

    1 - so that sites can limit access and block trolls/spammers etc.
    2 - so that you can have personal settings/profile (which carries between devices perhaps)
    3 - to protect your information from other people

    Only 3 really needs to be 'secure' - the first 2 are just 'convenience' - if we had a better system for those we could remove some of the 'everyone uses "theirname" and "password123"' problem, and people need to realise they NEVER share username/passwords from 1s and 2s with a 3.

  20. #20
    Secondary Hivemind Nexus (joined Jun 2011; 4,057 posts)
    Re-fielding the "mobile phone" thing - almost everyone owns a mobile phone and soon they'll all be 'smart' to some degree or other.

    That this has happened is an enormous opportunity for creating a 'digital key' - software which proves that "you" are "you" using the variety of sensors most phones offer (touch, movement, image and even heat and light in most models).

    I don't think that's a bad thing - that mobile phones have some privacy issues is a solvable problem - that we don't have an easy alternative to the 'digital key' thing is not.
