I still say that if you're using good password security practices already, you've got little to worry about. Just rotate your passwords on your accounts and keep your eye on things. If you're not, then panic slightly and start using good password practices (which you should be doing anyway).
I still disagree that the sky is falling.
I also disagree that I was guilty of reductio ad absurdum.
Reductio ad absurdum is a mode of argumentation that seeks to establish a contention by deriving an absurdity from its denial, thus arguing that a thesis must be accepted because its rejection would be untenable.
I was simply stating that there wasn't proof (at the time) that this exploit was being used in the wild in any significant way before the disclosure. Now there is, thus I can understand being more concerned about things.
Also, you're just being a condescending prick now Myrm.
So this bug alone isn't going to expose everyone's password and burn the Internet to the ground. It's a serious bug, and people should be concerned, but we don't need to resort to hysterics.
In short, the sky is not falling. Security on the 'net is not dead because of this bug.
Also, the juxtaposition between these two phrases is great:
> I also disagree that I was guilty of reductio ad absurdum
Throughout your posts, you have established a tenet that you must be 'right,' and whoever disagrees with you must believe the sky is falling (to head you off at the pass, I recognize that you aren't insinuating that literally, but 'the sky is falling' is used to suggest that someone believes the system/world/whatever is going to collapse. Kind of... absurd, right?).
As for condescending prick, the way I see it is that you came to the exact same conclusion regarding this thing I did. However, you did it in such a manner as to somehow make it look like you were disagreeing with me. If the sum of your posts comes to the exact same conclusion but still attempts to discredit the other guy, I can only imagine you do it to IRRITATE the other guy.
If I've misunderstood and you meant to steal my argument and condescend to me by calling me hysterical for another, less toxic reason, I apologize. Otherwise, you'll forgive me if I return your initial condescension.
You made the claim that, because 66% of the Internet uses openssl there was a 66% chance that any time you logged into a secure site it had this vulnerability. That is a false assertion as I pointed out. Many distros, especially the slower moving (aka - enterprise grade) ones still don't use openssl 1.0.1, which is the only branch this bug exists in. Not to mention that this statement is an abuse of statistics since people don't visit a random distribution of websites on the 'net, they typically visit a small handful of sites. The 66% number is based off a random sampling of servers, not indicative of real people's usage patterns.
You made the claim that "There is an EXTREMELY good chance that many of your passwords have been leaked in plaintext"... once again, not true. There is a somewhat increased chance that SOME of your passwords MAY have been intercepted and decrypted. That's not the same thing.
Those two flawed claims appeared, to me, to be the basis of your original post, and they are hyperbolic. That's what I took issue with. Your original post painted an unnecessarily dire picture of the situation. Sure, you've gone back and edited your original post since then and added a more tempered view of things which I don't disagree with. I was just attempting to provide what I view as a more levelheaded opinion of the situation, based on the facts available at the time I was writing the post, and not on assumptions or misreadings of statistics.
So, yes, I generally agree with your "ANOTHER EDIT" section. However, I maintain that your original post was blown out of proportion and flawed.
I'll concede the 66% bit - I was under the impression that folks running enterprise servers would keep up to date on security stuff like openssl, even if it wasn't part of the package manager (i.e., 'compile your own shit').
I still maintain that there is an extremely good chance that your password was leaked. To say that's 'not true' when there's no evidence backing up whether it's true or false is, as they say, 'just, like, your opinion, man.' To be fair, 'extremely good chance' is also MY opinion. You'll notice I posted my source so that people can decide for themselves. With the added info that people have been actively using heartbleed since at least March 24th, I think my statement has even more validity.
If you don't want to be condescended to, be more respectful with your responses (hysteria, reductio ad absurdum) and try to keep accounts of events accurate (I'm NOW talking about "Sure, you've gone back and edited your original post since then and added a more tempered view of things which I don't disagree with," which makes it sound like I have edited the tone of my post in addition to adding the extra note. I have not).
Comments
I call bullshit on that picture, @pirateninja. Cats thrive off of rage and chaos.
> @Teramona said:
That's fine, I've now resorted to this instead of cats:
@Pirateninja, I got you guuuurl...
K, we can probably just lock this, now.
Thanks for the info guys, done warn'd all I know.
Well I guess if we have come this far.