Daemon Premium Member join:2003-06-29 Washington, DC |
to OSUGoose
Re: [Security] Do NOT use Safari on OS X for SSL - online banking, shopping, etc.!
said by OSUGoose: My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.
Actually, every SSL connection is vulnerable. An attack would rely on a man-in-the-middle strategy. Anybody with a strong motivation to get your credentials could poison local DNS caching servers to redirect queries for, e.g., amazon.com to a copy of the website using forged SSL credentials, and you wouldn't know it. The reason home connections are more secure is that it would be more difficult to poison your DNS cache, as your local ISP's servers should be more secure against this type of attack. Open/unsecured wifi connections are actually no more secure than any other public wifi, because the attack doesn't rely on breaking/snooping traffic; it relies on a man in the middle. If your local coffee shop owner wanted to redirect DNS servers to do this, they could do it just as easily with WPA enabled or not.
|
|
to OSUGoose
said by OSUGoose: My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.
This is absolutely not true. The first-hop connection to the access point is only one part at the very beginning of a very long chain of components. This issue is indeed a big issue, as it effectively renders https and any other SSL-based connection useless. SSL provides end-to-end security and validation. With this "bug" this protection and validation is lost. While public wifi is a primary concern, it is by far not the only concern. Many other vulnerabilities and points of attack would otherwise be mitigated by SSL. Those issues become much more important now, since these are the cases that SSL is meant to help protect against. Everything between you and the site you are communicating with becomes a potential point of exploit with this bug. Note the risk here is primarily one of theft, though well-crafted malicious actions could go further. There is a significant financial benefit for criminals to attempt to leverage this vulnerability quickly, and when successful the victim likely would not notice until it is too late.
|
|
TexDave's not here Premium Member join:2012-10-20 1 edit |
Tex
Premium Member
2014-Feb-24 4:53 pm
And another day goes by and still no word from Apple. How difficult is it to change a few lines of code and put out an update?
Edit - Found this link in the Security Forum: Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More. And this: Apple promises fix "very soon" for Macs with failed encryption
|
AppleGuy Premium Member join:2013-09-08 Kitchener, ON |
to OSUGoose
said by OSUGoose: My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.
I was just about to ask the same thing after doing more research: the "take a breath, if you're on a secure network (like at home) you should be fine."
|
·Verizon Wireless
1 recommendation |
to TAZ
» www.afterdawn.com/news/a ··· e_update
Someone needs to go and shut all those Apple haters up!
|
dfc888 Premium Member join:2003-07-22 San Bruno, CA |
dfc888 to Tex
Premium Member
2014-Feb-25 12:57 am
to Tex
I wonder if say a node out there was compromised, if they could grab my iCloud user name and password (since I'm always "logged on" to FaceTime, iMessage, etc...) |
|
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
to Shady Bimmer
said by Shady Bimmer:
  said by OSUGoose: My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.
  This is absolutely not true.
Naw, it's pretty much it ... » www.reuters.com/article/ ··· 20140222
The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.
|
GuruGuy Premium Member join:2002-12-16 Atlanta, GA |
GuruGuy
Premium Member
2014-Feb-25 6:11 am
said by not quite right:
  said by Shady Bimmer:
    said by OSUGoose: My understanding is this is only a big issue if you're on public wifi where the security of the connection is unknown.
    This is absolutely not true.
  Naw, it's pretty much it ... » www.reuters.com/article/ ··· 20140222
  The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.
Naw, that's NOT it. Go over to the security forum. Already a new vulnerability out that even affects 7.0.6 » arstechnica.com/security ··· ers-say/
|
|
to not quite right
You may need to learn basic networking and security. This is definitely not "it". The media is highlighting public wifi, but the risk extends far beyond the first network hop. SSL provides end-to-end protection. This bug makes SSL ineffective. This in turn makes the entire path end-to-end at risk. I'm not sure how much more simple I can make that. While you may be safer on a wired home network, you are by no means safe.
2014-Feb-25 8:48 am
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
said by Shady Bimmer: You may need to learn basic networking and security. This is definitely not "it".
Not really any need to learn basic networking and/or security to realize that in some aspects the news of this is over-hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?
2014-Feb-25 12:19 pm
TitusMr Gradenko join:2004-06-26 |
Titus to Tex
Member
2014-Feb-25 12:35 pm
to Tex
said by Tex: How difficult is it to change a few lines of code and put out an update?
One line of reasoning is a wish to avoid as much Update Dribble as possible by releasing a comprehensive patch. Anyone thinking that this one block of GoTo code is the only problem is naive.
|
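As an added illustration, not code from this thread or from Apple's source, here is a simplified model of the duplicated "goto fail" pattern the posts above refer to (the real defect sat in the ServerKeyExchange signature check of Apple's SecureTransport; hash_step and signature_matches are stand-ins I made up). The stray unconditional goto jumps to the cleanup label while err is still 0, so the vulnerable function reports success without ever comparing the signature, whereas the fixed shape keeps exactly one goto per check.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the "goto fail" control-flow bug (added example,
 * not Apple's code). A return value of 0 means "signature accepted". */

/* Stand-in for the hash update/final steps; returns 0 on success. */
static int hash_step(int step_ok) { return step_ok ? 0 : -1; }

/* Stand-in for comparing the computed hash with the signed value. */
static int signature_matches(const char *expected, const char *actual) {
    return strcmp(expected, actual) == 0 ? 0 : -2;
}

/* Vulnerable shape: the duplicated "goto fail" is unconditional, so control
 * reaches the cleanup label with err still 0 and the signature is never
 * checked. The indentation makes it look like part of the if above it. */
int verify_vulnerable(const char *expected, const char *actual) {
    int err = 0;
    if ((err = hash_step(1)) != 0)
        goto fail;
    if ((err = hash_step(1)) != 0)
        goto fail;
        goto fail;                      /* always taken: err is still 0 here */
    if ((err = hash_step(1)) != 0)      /* unreachable from here on */
        goto fail;
    err = signature_matches(expected, actual);
fail:
    return err;                         /* 0 even for a forged signature */
}

/* Fixed shape: one goto per check, so a bad signature sets err != 0. */
int verify_fixed(const char *expected, const char *actual) {
    int err = 0;
    if ((err = hash_step(1)) != 0)
        goto fail;
    if ((err = hash_step(1)) != 0)
        goto fail;
    if ((err = hash_step(1)) != 0)
        goto fail;
    err = signature_matches(expected, actual);
fail:
    return err;
}

int main(void) {
    /* Constructed sample: the value the server signed does not match. */
    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable("good", "forged"));
    printf("fixed:      %d (0 = accepted)\n", verify_fixed("good", "forged"));
    return 0;
}
```

Treating unreachable-code warnings as errors and always bracing single-statement ifs are the two cheap build-time checks that flag this shape of defect.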
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
to TAZ
And the Apple world is safe once more ... » 9to5mac.com/2014/02/25/a ··· l-fixes/ |
|
|
to Titus
said by Titus: Anyone thinking that this one block of GoTo code is the only problem is naive.
It may not be the only security problem, but it was the only one reasonable for this exploit and the only one fixed in 7.0.6. On the OS X side, 10.9.2 was already nearing release, so they decided to wait and roll it into there instead of creating a 10.9.2 that only lasted a few days, followed immediately by 10.9.3.
|
TAZ join:2014-01-03 Tucson, AZ |
TAZ
Member
2014-Feb-25 2:07 pm
said by Thinkdiff: On the OS X side, 10.9.2 was already nearing release, so they decided to wait and roll it into there instead of creating a 10.9.2 that only lasted a few days, followed immediately by 10.9.3.
Yes, still completely inexcusable though.
|
dfc888 Premium Member join:2003-07-22 San Bruno, CA |
to not quite right
Now they need iOS 7.1 beta update... |
|
GuruGuy Premium Member join:2002-12-16 Atlanta, GA |
to not quite right
Judging from the comments, it looks buggy. |
|
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
to dfc888
said by dfc888: Now they need iOS 7.1 beta update...
They just need to release iOS 7.1 already ...
|
not quite right |
to GuruGuy
said by GuruGuy: Judging from the comments, it looks buggy.
Works great for me; that's all that matters ...
|
|
to not quite right
said by not quite right: Not really any need to learn basic networking and/or security to realize that in some aspects the news of this is over-hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?
Without knowledge of networking and security, especially with respect to SSL, it is impossible to make a statement that this is being over-hyped. You are entitled to your opinion, and you are also entitled to not educate yourself, but please don't pretend to be an expert and tell others they are safe when they are in fact not. It is not possible to identify how many may have been exploited by this - that is exactly the issue. The exploit would not be directly against SSL but rather would take advantage of the fact that SSL is not providing any protection. If you are unable to grasp this concept then you cannot make a statement that this is being over-hyped. There are years (perhaps two decades) worth of exploits that would be mitigated by SSL that would now once again be more viable. Without understanding SSL or the roles it fulfills you cannot possibly make statements about the risks involved with this issue.
2014-Feb-25 5:37 pm
Teasip join:2001-05-14 Plano, TX 1 edit |
to TAZ
Probably totally unrelated for reasons that I don't understand, but Safari is extremely slow in loading pages now as compared to G. Chrome. Not sure why this would be.
Update: Looks to be a FiOS issue as outlined in another thread. Safari back up to speed this morning. |
|
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
to Shady Bimmer
said by Shady Bimmer:
  said by not quite right: Not really any need to learn basic networking and/or security to realize that in some aspects the news of this is over-hyped. Please tell us in cold hard numbers how many have been exploited by this flaw that's been around for over a year and a half?
  Without knowledge of networking and security, especially with respect to SSL, it is impossible to make a statement that this is being over-hyped. You are entitled to your opinion, and you are also entitled to not educate yourself, but please don't pretend to be an expert and tell others they are safe when they are in fact not. It is not possible to identify how many may have been exploited by this - that is exactly the issue. The exploit would not be directly against SSL but rather would take advantage of the fact that SSL is not providing any protection. If you are unable to grasp this concept then you cannot make a statement that this is being over-hyped. There are years (perhaps two decades) worth of exploits that would be mitigated by SSL that would now once again be more viable. Without understanding SSL or the roles it fulfills you cannot possibly make statements about the risks involved with this issue.
You seem to be the one trying to come off as some type of expert, when in reality you're most likely someone who just geeks out on their security and likes to fan the flames of hyperbole because Apple was involved. You cannot prove that anyone was exploited any more than I can prove they weren't, so please tell me where expertise comes into play here? I will admit that while networking or computer security are not of great interest to me, their points are not lost on me either. One does not need to know how electricity works to know a lamp turns on when you plug it in ... Your condescending attitude was neither appreciated nor warranted; I was simply passing on information obtained from known security experts in the field.
2014-Feb-26 3:34 am
|
to TAZ
said by not quite right: Your condescending attitude was neither appreciated nor warranted; I was simply passing on information obtained from known security experts in the field.
I was not being condescending and did not mean to come across that way. I was stating facts, having extensive personal knowledge of SSL, networking, and security; having decades of experience in the industry; and having reviewed the known details of the bug. I was refuting your statements that this is being overblown and is not a concern other than on public wifi. This is an incorrect statement that is dangerous advice to give out. By your own admission you do not know the technical details and you are not interested in learning them, so it is not prudent to keep insisting that this was not a big deal and was only a problem with public wifi. Experts in fact do agree that this was a serious issue. If you have evidence from security experts (not clueless media) that shows this was not serious, could you please provide those references? In any case, Apple has now released fixes for Mavericks and everyone should be sure to apply those updates if they have not already done so.
|
not quite rightI'm not cool enough to be a Mac person join:2001-06-23 Puyallup, WA |
said by Shady Bimmer:
  said by not quite right: Your condescending attitude was neither appreciated nor warranted; I was simply passing on information obtained from known security experts in the field.
  I was not being condescending and did not mean to come across that way. I was stating facts, having extensive personal knowledge of SSL, networking, and security; having decades of experience in the industry; and having reviewed the known details of the bug. I was refuting your statements that this is being overblown and is not a concern other than on public wifi. This is an incorrect statement that is dangerous advice to give out. By your own admission you do not know the technical details and you are not interested in learning them, so it is not prudent to keep insisting that this was not a big deal and was only a problem with public wifi. Experts in fact do agree that this was a serious issue. If you have evidence from security experts (not clueless media) that shows this was not serious, could you please provide those references? In any case, Apple has now released fixes for Mavericks and everyone should be sure to apply those updates if they have not already done so.
Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...
|
2 edits
1 recommendation |
said by not quite right: Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...
I'm far from a security expert. While I agree that this is now yesterday's news, that doesn't mean that this was a trivial matter. We no longer live in the age where crime is obvious (bank robberies with masked gunmen). Today's crimes, in many instances, can go unnoticed for months or years (just look at Mt. Gox » www.reuters.com/article/ ··· 20140228). With the prevalence of identity theft, IRS refund theft, charge card data breaches, etc., where the individual may never know that they've been the victim, the risk of having one's confidential data exposed is enormous. While there are no glaring headlines ("...John used an iPhone and had his bank account wiped out because of Apple's 'gotofail' bug"), that doesn't mean it isn't/wasn't a problem. IMHO
|
|
said by haroldo:
  said by not quite right: Update ... 3 days later, the sky hasn't fallen, the NSA isn't reading your Facebook post, and everyone has pretty much forgotten "gotofail" already. Life goes on ...
  While I agree that this is now yesterday's news, that doesn't mean that this was a trivial matter. We no longer live in the age where crime is obvious (bank robberies with masked gunmen).
Sadly, many do not get this. The general media is a poor indicator of security issues, and unfortunately there are those that do not want to understand this. Even more sad is that these are the same individuals that become victims and never know how/why. Details around NSA access have nothing to do with security and are more related to privacy. Security issues, such as the case here, are far more important since true criminal activity (read: theft of both one's financial assets as well as one's identity) becomes very viable and completely undetectable (i.e., it would never be known and never be publicized). As long as the public continues to leverage the clueless media as the source of official security-related risks, the public will continue to be at serious risk. The true risks are those that more often do not receive significant attention (intentionally).
|
|
Slight hijack, but I figured I'd ask. Whenever they discuss Bitcoin in the news, they always show images of real coins (» www.google.com/search?q= ··· imgdii=_). What are these coins? I always thought Bitcoin was only a digital currency. Are these coins real? Are these all 'mockups' created for news presentation? Signed, Confused
|
|
Mockups. There's no such thing as a bitcoin outside of the internet. I guess it's pretty hard for most people outside of tech to understand, so the media tries to make it seem familiar.
The round symbol with the B w/ double lines is a sort of unofficial logo used on various sites. |
|
|
Thanks! I'll bet some 'slick operators' will try and sell them to those 'unaware' |
|
BeesTeaInternet Janitor Premium Member join:2003-03-08 00000 |
to haroldo
There have been a few sources of physical bitcoins. These guys were the most famous: » www.casascius.com/
I've held a few and they all had a valid hash imprinted on the coin. Granted, that doesn't prove that it's not in someone's wallet as well.
|
|
The physical item in those cases is mostly worthless (unless the coin itself is made out of a material that has value). The virtual coin that it "maps" to is what is valuable.
Like you said, the coin could've been sold to somebody else and you still have your physical, now meaningless "coin". It's akin to printing out your checking account number and saying it's worth 2,000 bucks. |
|