'high' severity OpenSSL and Flash Exploits

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#21 Post by mikeb »

You can catch lots of things from ANY kind of hamster related site now.... Just browse them using IE and give them your hotmail email address.

Mike

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#22 Post by 8Geee »

ftp slackware had 1.0.1p ready before midnight. I did D/L it and the solibs.

Just waiting for the immediate oops that seems to be occurring, with a new D/L needed.

Carry on
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Bindee

#23 Post by Bindee »


8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

from slackware org

#24 Post by 8Geee »

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.
When I D/L the 1.0.1p version, I did not initially see this. I went back today JIC something else got tweaked, and saw the above quote.

Bindee

#25 Post by Bindee »

So people running the older version because they think the bugs do not apply is in fact the patch does not apply or can be applied because it's no longer supported.

:D

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#26 Post by mikeb »

Should I worry that I don't seem to worry...?
11 years is a long time without such problems...

mike

Bindee

#27 Post by Bindee »

Is that what they call Female Logic?

:mrgreen:

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#28 Post by mikeb »

Is that why women tend to be less prone to frown lines :D

on the other hand being paranoid is boring and I use tin foil for heat lamp reflectors.

mike

Bindee

#29 Post by Bindee »

So if the bank wants to give you a brand new credit card because thieves have just found a way of cloning the current one without anyone knowing about it until after the money has been stolen, you're going to turn it down and carry on using the old one because you have never had your money stolen before and you see it as being paranoid?

:shock:

What sort of Crazy Ass, Female, Dyslexic, Troll Logic is that?

:P

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#30 Post by mikeb »

I would use the new bank card.

If anyone comes up with decent evidence of actual breaches and methods that can be EASILY used to hijack my system then I will indeed make suitable changes...I am still waiting.

Someone pointing at my front gate and saying 'that could be made into a weapon' will not make me rush out and buy a new one. Perhaps a bad analogy but you might get the gist.

And if it's feminine to not react unnecessarily to scaremongering then I will run out and buy a dress...you even suggested the register is internet trash journalism.

And thanks for the troll hint...considering some of the utter crap you keep posting around here I find that comment hypocritical.

mike

Bindee

#31 Post by Bindee »

mikeb wrote:I would use the new bank card.

If anyone comes up with decent evidence of actual breaches and methods that can be EASILY used to hijack my system then I will indeed make suitable changes...I am still waiting.

Someone pointing at my front gate and saying 'that could be made into a weapon' will not make me rush out and buy a new one. Perhaps a bad analogy but you might get the gist.

And if it's feminine to not react unnecessarily to scaremongering then I will run out and buy a dress...you even suggested the register is internet trash journalism.

And thanks for the troll hint...considering some of the utter crap you keep posting around here I find that comment hypocritical.

mike
So you've fallen out of love with my humour then. :mrgreen:
mikeb wrote:Ps I like your topics ..they are silly but then so is puppy linux so you make a great team :)

mike
You seem to be showing signs of a menopause. :wink:

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#32 Post by mikeb »

Well us women have to stick together.....

Actually I believe one good insult deserves another...it's a form of balance.

And I really am waiting for exploits...

When I hardened windows 98 I used to deliberately visit links in dodgy ecard emails and visit other dubious sites to see what happened... nothing or at worst a browser crash/seizure.
It's called 'testing in the field' as opposed to hypothetically in a lab scenario.
Usually a valid approach with technical matters.
Designs do get off the drawing board and have to be road tested at some point I believe.

Me and the family have been field testing on windows and later linux for 11 years ..no antivirus and a general lack of paranoia... if this was for say a wing design then it would have got type approval by now.

I don't troll these threads..I am looking for any evidence of problems that may need dealing with...so I read the information and ask awkward questions like 'is this a serious threat or not?' rather than blindly in a sheep like manner spend all my days updating left right and centre.

So woman or sheep.... what a choice eh :D

mike

Bindee

#33 Post by Bindee »

mikeb wrote:Well us women have to stick together.....

Actually I believe one good insult deserves another...it's a form of balance.

And I really am waiting for exploits...

When I hardened windows 98 I used to deliberately visit links in dodgy ecard emails and visit other dubious sites to see what happened... nothing or at worst a browser crash/seizure.
It's called 'testing in the field' as opposed to hypothetically in a lab scenario.
Usually a valid approach with technical matters.
Designs do get off the drawing board and have to be road tested at some point I believe.

Me and the family have been field testing on windows and later linux for 11 years ..no antivirus and a general lack of paranoia... if this was for say a wing design then it would have got type approval by now.

I don't troll these threads..I am looking for any evidence of problems that may need dealing with...so I read the information and ask awkward questions like 'is this a serious threat or not?' rather than blindly in a sheep like manner spend all my days updating left right and centre.

So woman or sheep.... what a choice eh :D

mike


So your subversive hinting implicating humour is humour and to never be taken as an insult (such as implicating preventive precaution is paranoia), but others' direct humour is in fact as far as you're concerned insults and needs levelling when it was just reactive humour to the style of humour you already started?

<headscratch>

Pot, kettle, black said the hypocrite to the hypocrite. :wink:

I still don't get your logic of waiting until you personally have a problem with SSL or flash before something needs to be done about it.

Does your house or car need to be broken into before you secure it?

:?

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#34 Post by mikeb »

Well I think you started the name calling ...I just threw it back... anyway
Does your house or car need to be broken into before you secure it?
If the house appears to be sufficiently secured then why alter that?

I never said I do not take security measures... I was questioning the validity/seriousness/need for some of the recent very hypothetical stuff which appears to have no cases of actual breaches in the field. If something is a true threat then I would assume it would have been abused at some point or very soon after being 'highlighted'.
Or do we spend all our time on could/possibly/maybes ...note in this thread alone there have been 3 separate 'security' flaws mentioned in the short space of its existence with various variations of what to do depending on what you did last time.

There are enough 'real' problems without adding 'highly unlikely' ones.

A buffer overload for example may be possible...but have you checked out the details of how you could actually use it to actually do anything with even a specific system let alone mass exploit in the way that such as systems with Internet explorer can be? Why try and hack a sophisticated burglar alarm system when the back door is left wide open...if you like analogies.

For the nice people who wish to spam and scam or simply mess us around, they go the easiest routes...unless it's say the Bank of England's mainframe they are after.....

I just like to keep some perspective in there...it's a woman thing....

mike

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#35 Post by watchdog »

I don't think hackers use security flaws by manual work at a console. They use scripts, software (such as the ones from Italian Hacking Team...) scanning for known bugs, exploits, backdoors, routers' firmware flaws, bios backdoors, security holes. When the hacking software finds a breach on a targeted pc it uses it. There are thousands of possible exploits. I use to update my puppies for known security alerts but I think it's not enough. A determined "hacker" (maybe an "organization"...) can do what he wants. I see holes everywhere in my house. The Hacking Team was hacked. I think mikeb was very lucky not being targeted: I was targeted several times with ssl exploits and I had several debit card frauds. The best thing is to hide yourself surfing the web thus no one pays attention to you.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#36 Post by mikeb »

I don't really do luck :D
I was targeted several times with ssl exploits and I had several debit card frauds.
now the details of such as this would be of interest.

I assume they involved taken over websites at a guess...

I must note that if I was running a public server I would be in the front of the queue for security updates. Indeed threads such as this are more of interest to web server admins...I hope no one in their right mind is using puppy for a public server..... :shock:

mike

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#37 Post by mikeb »

On a similar note we don't use any spam filtering..

Instead I researched the causes and took appropriate steps to avoid being harvested...especially via our websites.

The result is little or no junk mail...the bonus is we don't miss any either.

So not so much a case of burying my head in the sand while clinging onto a rabbit's foot but applied acquired knowledge.

Only fly in that ointment was some spammer using one of our emails as their spoofed return address ...so nothing was exploited directly but it meant a pile of rejection emails and blocking by email servers...a change of address was the only way out of that one...as far as I know they 'guessed' the email based on our website domain at the time...a common trick but slightly unavoidable if you have a public domain...so in that case it is down to luck. We are not immune...just the odds are better.

mike

watchdog
Posts: 2021
Joined: Fri 28 Sep 2012, 18:04
Location: Italy

#38 Post by watchdog »

mikeb wrote:
I was targeted several times with ssl exploits and I had several debit card frauds.
now the details of such as this would be of interest.
I can suggest to you to be careful if you want to buy pharmaceuticals on the internet: it's very dangerous. Use a rechargeable debit card at your own risk recharging it of the very exact amount. I don't know if this is due to problems server-side: I was defrauded as a consequence of buying pharmaceuticals on the internet. I think that closing some holes when you know them is not a bad thing. Is it enough? That's the question. I like the response of the test at:

https://www.ssllabs.com/ssltest/viewMyClient.html

of my updated wary. I feel a little more secure.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#39 Post by mikeb »

I can suggest to you to be careful if you want to buy pharmaceuticals on the internet
hmm well I would consider that a very shady side of the net generally.... I do remember the barrage of drug sellers when we used to get spam.

We do make a lot of online purchases due to living in no man's land so local supplies are limited.

Paypal is used a lot and for some the debit card is used directly..but all reputable trusted places.

I suppose the trust thing is the only area which we seem to be vulnerable...dealing with anyone dodgy in any form has its risks..you could be scammed at say a market stall just as easily.
You could also get software for puppy laden with viruses ...you 'trust' the source would not do this.
In the case of trust it does seem to make technical security methods somewhat irrelevant or worse still lull you into a false sense of security...I have an airbag so it's ok to drive at 70 in thick fog syndrome..

mike

Bindee

#40 Post by Bindee »

mikeb wrote:I must note that if I was running a public server I would be in the front of the queue for security updates.
This is like trying to reason with logic of someone that makes a public statement that people don't need a smoking patch and would be paranoid using one as they have never needed a smoking patch for the past 11 years.

Only to then find out that they don't bloody smoke , but would use one if they did smoke. :D

This is most definitely Troll LOL Logic.

So a public server needs to be more secure than logging into your personal bank account or purchasing online with a credit card? <even though as you already stated you would use a new credit a real life but oddly not a patched version of SSL for online security for the exact same real life Money>

Or are you about to make this even more ridiculous and say you don't do online purchasing and banking? , but would if you did and take this back to Troll logic.

Anyhows stop typing already and go and install the damn updates. :mrgreen:
