HeartBleed Bug
Apr 10, 2014 at 8:44 AM Thread Starter Post #1 of 13

GasMaskMan
Apr 10, 2014 at 11:21 PM Post #2 of 13
Prudent advice.  However, I'd suggest waiting until after the admins apply the patch that addresses this vulnerability, before changing your password.
 
As a courtesy, many sites have released public notifications to their members that actions have been taken to address this problem.  I'd like to see an official announcement from the Head-Fi admin team that the vulnerability has been addressed on this site as well.
 
This is a serious issue.  I hope the admin team resolves the issue quickly.
 
Apr 11, 2014 at 11:38 PM Post #4 of 13
It's not just the web servers, there are *many* network/storage/server devices that use firmware versions of OpenSSL. So does much of the SW running on the network infrastructure. This hits a lot of the biggest names in technology:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29004&actp=RSS
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
https://library.netapp.com/ecm/ecm_get_file/ECMP1516404
http://supportkb.riverbed.com/support/index?page=content&id=S23635

You can't just patch the web server and call it a day - this could affect a significant portion of the hops a data packet travels all around the world.

I imagine the big hosting centers where sites like Huddler are hosted are all frantically scrambling (or they should be!). I happen to know that Rackspace jumped on this almost immediately for their hosting customers.
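Post #4's point that the same OpenSSL code ships inside firmware, appliances and network software means the same defect is present in every one of those builds. As an added illustration, not part of this thread and not OpenSSL's own source, here is a simplified model of the TLS heartbeat handler: the vulnerable shape copies however many bytes the peer's payload_length field claims, and the fixed shape adds the check that the patch introduced (claimed payload plus header and padding must fit inside the record actually received). The "heap" buffer, the 21-byte record claiming 64 bytes of payload, and the SECRET string are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the RFC 6520 heartbeat handler as it behaved in OpenSSL 1.0.1-1.0.1f,
 * next to the bounds check that 1.0.1g added.  Illustration only, not OpenSSL code.
 * HeartbeatMessage inside the record:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Vulnerable shape: payload_length is trusted, so a record that claims far
 * more payload than it carries makes memcpy read whatever follows it. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                              /* the bug: record length never consulted */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > out_cap)  /* only the reply buffer is checked */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-read when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed shape: reject a request whose claimed payload (plus header and
 * minimum padding) does not fit inside the bytes actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)           /* too short to be a valid message */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len) /* the check the patch added */
        return 0;
    if (1 + 2 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* Constructed "adjacent heap" contents that a real server might hold. */
static const char SECRET[] = "session=deadbeef-cookie";

/* Lay out a fake heap: a 21-byte request claiming 64 bytes of payload but
 * carrying 2 ("hi") plus 16 zero padding bytes, followed by SECRET.
 * Returns the record length the TLS layer would report. */
static size_t build_memory(uint8_t *mem, size_t cap)
{
    uint8_t rec[21] = { HB_REQUEST, 0x00, 0x40, 'h', 'i' };  /* rest is zero padding */
    if (sizeof rec + sizeof SECRET > cap)
        return 0;
    memcpy(mem, rec, sizeof rec);
    memcpy(mem + sizeof rec, SECRET, sizeof SECRET);
    return sizeof rec;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply carries SECRET, which sits past the record. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t mem[256] = { 0 }, out[256];
    size_t rec_len = build_memory(mem, sizeof mem);
    size_t n = heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    return n > 0 && contains(out, n, SECRET);
}

/* 1 if the fixed handler refuses the same over-long request outright. */
int demo_fixed_rejects(void)
{
    uint8_t mem[256] = { 0 }, out[256];
    size_t rec_len = build_memory(mem, sizeof mem);
    return heartbeat_fixed(mem, rec_len, out, sizeof out) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks_secret());
    printf("fixed handler rejects request:   %d\n", demo_fixed_rejects());
    return 0;
}
```

The over-read here stays inside one stack buffer so the demo is well-defined; on a real server the copy ran into neighbouring heap allocations, up to 64 KB per request, which is why keys, cookies and passwords could surface. Note that the reply length the fixed handler will ever produce is bounded by rec_len, so an unpatched build is the only way this check can be absent, which is the reason the thread asks for a patch confirmation from the host rather than a password change alone.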
 
Apr 14, 2014 at 12:05 AM Post #5 of 13
The Heartbleed bug has been in the headlines this week.  This is a serious problem.

What actions have been, or are being, taken by Head-Fi to address Heartbleed vulnerability?

What should Head-Fi members do to mitigate this vulnerability?
 
Apr 14, 2014 at 12:12 AM Post #6 of 13
Just posted this question over in Feedback & Bug Reports to see if this gets more visibility.  We may want to continue the discussion over there if there is a response.
http://www.head-fi.org/t/714524/is-head-fi-susceptible-to-the-heartbleed-vulnerability
 
Apr 14, 2014 at 12:39 AM Post #7 of 13
I PM'd it to Jude (only easy admin i could figure out on here), no response.
 
Apr 15, 2014 at 7:20 PM Post #8 of 13
I merged the threads. The servers are run by Huddler. The active admins have nothing to do with the back-end (nor with the management of sponsors, by the way), so we can't answer that because we don't know. 
 
However, while I have no doubt that Huddler are well aware of security issues, since large sites are often the target of intrusions where databases are stolen, I would follow the advice of numerous security professionals and simply NOT use the same password on any two sites. Even if passwords are one-way encrypted (like they are on your computer), it is easy to get enough computing power these days that 90% of them can be cracked through brute force (guessing billions of possible passwords).  As such I recommend using 1Password (50% off I heard because of Heartbleed) or LastPass and having them generate 20-30 character random passwords for sites (or as long as is allowed by each site).
 
Apr 15, 2014 at 7:49 PM Post #9 of 13
FYI, Keepass is a great open source and free alternative cross-platform password manager:
http://keepass.info/index.html
 
I have no affiliation. Just a happy user.
 
Apr 17, 2014 at 11:59 PM Post #11 of 13
I merged the threads. The servers are run by Huddler. The active admins have nothing to do with the back-end (nor with the management of sponsors, by the way), so we can't answer that because we don't know. 
 
However, while I have no doubt that Huddler are well aware of security issues, since large sites are often the target of intrusions where databases are stolen, I would follow the advice of numerous security professionals and simply NOT use the same password on any two sites. Even if passwords are one-way encrypted (like they are on your computer), it is easy to get enough computing power these days that 90% of them can be cracked through brute force (guessing billions of possible passwords).  As such I recommend using 1Password (50% off I heard because of Heartbleed) or LastPass and having them generate 20-30 character random passwords for sites (or as long as is allowed by each site).

 
Thank you for responding to the concern.  I think it's important for everyone to realize that changing passwords alone in no way guarantees your information is now safe from being compromised.  All systems identified as being exposed to this vulnerability must first be patched, or reconfigured to mitigate the vulnerability.  Only after those actions have been taken can one be assured that personal data passing through those systems is safe from being compromised by the Heartbleed bug.

Note the following warning from a recent Forbes article - http://www.forbes.com/sites/jameslyne/2014/04/10/avoiding-heartbleed-hype-what-to-do-to-stay-safe/

Internet providers and hosts:
You should be making a statement about when you’ve successfully patched and mitigated the issues. Proactive customer notification would be logical, but at least a banner on your site would help. Forcing customers to guess or test themselves is just negligent.
 
With that in mind, please request a formal statement from Huddler detailing what actions have been taken, or are being taken, and ask that they officially acknowledge when their systems are secure.

I look forward to an update from Huddler on the status of their systems.  Thank you for taking action to keep Head-Fi a safe and secure community.
 
Apr 26, 2014 at 8:01 PM Post #12 of 13

To all concerned, today I received confirmation from Huddler that the vulnerability on Head-Fi's site was addressed shortly after the bug was made public.  As was previously mentioned, it would be wise to change your password now, if you haven't already done so.
 