mersenneforum.org

mersenneforum.org (https://www.mersenneforum.org/index.php)
-   Soap Box (https://www.mersenneforum.org/forumdisplay.php?f=20)
-   -   Government snooping, backdoors and #necessaryhashtags (https://www.mersenneforum.org/showthread.php?t=18271)

Fusion_power 2014-04-10 01:36

I'm paranoid.

Scrub EVERYTHING.

Don't take any chances.

Once the gap is plugged and you know it is safe, change your password immediately.

More important, NEVER NEVER EVER place any risky information online no matter how secure the system. It is 100% certain that if someone wants it, it can be had. Don't speak it aloud on a telephone, 100% of international calls are recorded and domestic calls can be. Don't even think about it, they are working on brain wave interpreters that will tell them what you are thinking. Bury it in the deepest darkest part of your brain and leave it there forever. Yes, I'm definitely paranoid.

retina 2014-04-10 01:47

[QUOTE=Fusion_power;370719]More important, NEVER NEVER EVER place any risky information online no matter how secure the system.[/QUOTE]So you mean I can't mention that my password is "Squeamish Ossifrage". Okay, noted. Thanks.

[QUOTE=Fusion_power;370719]Once the gap is plugged and you know it is safe ...[/QUOTE]How will I know when it is safe? I guess I can just trust the website to tell me that it is safe. Yeah, that seems reasonable. I trust them to protect me. It's not like they've ever failed me before or anything.

xilman 2014-04-10 07:22

[QUOTE=ewmayer;370711]Comments from the cryptic and spooky folks appreciated.[/QUOTE]I'm taking a multi-layered approach.

My internet-facing systems have already had their SSL upgraded, not that I provide many services to the world. The systems behind them will be updated over the next week or two when the time is convenient.

"Trivial" services, where I really don't care whether our friends in Cheltenham, Maryland, etc, as well as their enthusiastic but amateur colleagues know my passwords, are accessed as normal and I'll change passwords in a few weeks, earlier if the service provider advises me.

Others I'm accessing as little as possible and keeping a close eye on relevant information such as bank and CC statements. Password changes will be made according to the procedure outlined above.


Further, and IMAO, good advice is given towards the bottom of [URL="http://www.bbc.co.uk/news/technology-26954540"]this article on the BBC technology site[/URL].

kladner 2014-04-11 02:48

[url]http://www.dailykos.com/story/2014/04/10/1290915/-What-the-MSM-Did-Not-Report-About-Edward-Snowden-s-Testimony-Before-the-Council-of-Europe[/url]

[QUOTE]Edward Snowden provided more than a half-hour’s worth of [U]truly stunning testimony[/U] to the [URL="http://en.wikipedia.org/wiki/Parliamentary_Assembly_of_the_Council_of_Europe"]Parliamentary Assembly[/URL] of the [URL="http://en.wikipedia.org/wiki/Council_of_Europe"]Council of Europe[/URL] (PACE), in Strasbourg, France on Tuesday, only a few details of which made it through to the general public via the mainstream media; and, then only via a handful of media outlets, most of which are not even based in the United States.
What was widely reported from the event were the many statements made by Snowden regarding how the National Security Agency has been spying—and continues to do so--upon human rights groups, throughout the world, including right here at home.
More about those aspects of Snowden’s statements on Tuesday, plus significant and (and, yes, I'm going to use the word again) stunning info about what was [U]not[/U] widely reported (from TechDirt's Mike Masnick, the [I]Guardian's[/I] Luke Harding, Marcy Wheeler and yours truly) farther below the complete, 35-minute video of Snowden’s testimony, via RT.com and [URL="http://www.youtube.com/watch?v=QRcl4vuWh_w"]YouTube[/URL] (many copies of this have appeared online in the past 12+ hours), that is available immediately below…
[/QUOTE]

ewmayer 2014-04-11 21:20

[QUOTE=ewmayer;370711]Most of you have likely already heard about the Heartbleed OpenSSL vulnerability, but here's a link to Bruce Schneier's piece on it anyway:

[url=https://www.schneier.com/blog/archives/2014/04/heartbleed.html]Bruce Schneier: Heartbleed is a catastrophic bug in OpenSSL[/url]

The first question that popped into my head on first hearing the news was "might this bug have something to do with the NSA's long-term efforts to backdoor all web cryptography?"[/QUOTE]

Well, lookee here:

[url=http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html]NSA Said to Have Used Heartbleed Bug, Exposing Consumers[/url]
[quote]The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.[/quote]

Fusion_power 2014-04-12 16:24

The guy who wrote the offending code has weighed in that it was a mistake on his part and not some sinister plot. Regardless, to know of a critical security vulnerability and deliberately leave the door open is in my opinion a criminal act. NSA should have acted but did not.

ewmayer 2014-04-17 20:46

[url=bits.blogs.nytimes.com/2014/04/16/study-finds-no-evidence-of-heartbleed-attacks-before-the-bug-was-exposed/?_php=true&_type=blogs&_r=0]Study Finds No Evidence of Heartbleed Attacks Before the Bug Was Exposed[/url]
[quote]Ever since the Heartbleed bug was exposed last week, the question everyone has been asking is: Did anyone exploit it before a Google researcher first discovered it?

The worry is that in the two years since the bug was accidentally incorporated into OpenSSL — a crucial piece of free security software used by governments and companies like the F.B.I. and Google — attackers could have exploited Heartbleed to take sensitive information like passwords and the virtual keys used to decipher any scrambled information stored on a web server.

What’s more, they could have done so without leaving evidence detectable by the normal methods used to track who has gained access to a server.

But security researchers at the Energy Department’s Lawrence Berkeley National Laboratory, which conducts unclassified scientific research, say that it is still possible to look for past Heartbleed exploitations by measuring the size of any messages sent to the vulnerable part of the OpenSSL code, called the Heartbeat, and the size of the information request that hits a server.

In an attack, the size of the response would be larger than the size of the request. And because the Heartbleed flaw can expose only a small amount of information at one time — 64 kilobytes — an attacker would probably have to use it repeatedly to collect valuable data, producing even longer responses.

For the last week, researchers at the Berkeley National Laboratory and the National Energy Research Scientific Computing Center, a separate supercomputer facility, have been examining Internet traffic they recorded going in and out of their networks since the end of January, looking for responses that would indicate a possible Heartbleed attack.

They found none, said Vern Paxson, a network researcher at Berkeley Lab and associate professor of electrical engineering and computer science at the University of California, Berkeley.

The research does not rule out the possibility that Heartbleed was exploited before January. Because the Heartbleed bug was first introduced in March 2012, would-be attackers would still have had 18 months to exploit the flaw. It also does not rule out the possibility that the bug was used in an attack beyond what Berkeley Lab and the National Energy scientific computing center monitor.

The network traffic for both Berkeley Lab and the scientific computing center touch thousands of Internet systems and both facilities had maintained comprehensive logs going back a few months. Mr. Paxson said that if there were widespread scanning for the Heartbleed vulnerability, that would have been picked up by those important Internet hubs.[/quote]
Interesting -- Let's hope it's true.
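The size comparison the quoted article describes, written out as an added example (this is not code from the article, the forum, or Berkeley Lab's own monitoring): it parses the 5-byte TLS record header, treats content type 24 as a heartbeat record per RFC 6520, and flags any heartbeat response whose body is larger than the request it answers. The client addresses and record sizes are constructed sample data, and the per-client aggregation is an addition that follows the article's remark that an attacker would have to repeat the request to collect anything useful.

```python
"""Size-based detection for Heartbleed exploitation attempts, following the
approach the quoted article attributes to Berkeley Lab: compare each
heartbeat request with its response and flag responses larger than the
request. Added example; the TLS record header layout and the heartbeat
content type (24) come from RFC 5246 / RFC 6520, all traffic is constructed.
"""
import struct
from collections import defaultdict

TLS_HEARTBEAT = 24              # TLS record content type for heartbeat (RFC 6520)
HEADER = struct.Struct("!BHH")  # content type, protocol version, body length


def parse_record(record: bytes):
    """Split one TLS record into (content_type, body). Raises on truncation."""
    if len(record) < HEADER.size:
        raise ValueError("truncated TLS record header")
    ctype, _version, length = HEADER.unpack_from(record)
    body = record[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, body


def classify_exchange(request: bytes, response: bytes) -> str:
    """Classify a request/response pair of TLS records.

    'ignored'    : not a heartbeat exchange
    'benign'     : response no larger than the request (a normal echo)
    'suspicious' : response larger than the request, the signature the article describes
    """
    req_type, req_body = parse_record(request)
    resp_type, resp_body = parse_record(response)
    if req_type != TLS_HEARTBEAT or resp_type != TLS_HEARTBEAT:
        return "ignored"
    if len(resp_body) > len(req_body):
        return "suspicious"
    return "benign"


def summarize(exchanges):
    """Aggregate per client: number of suspicious exchanges and bytes returned
    beyond the request size. A single response exposes at most 64 KB, per the
    article, so repeated oversized replies to one client are the pattern to watch.
    exchanges: iterable of (client, request_record, response_record)."""
    report = defaultdict(lambda: {"suspicious": 0, "excess_bytes": 0})
    for client, req, resp in exchanges:
        if classify_exchange(req, resp) == "suspicious":
            _, req_body = parse_record(req)
            _, resp_body = parse_record(resp)
            report[client]["suspicious"] += 1
            report[client]["excess_bytes"] += len(resp_body) - len(req_body)
    return dict(report)


def make_record(ctype: int, body_len: int) -> bytes:
    """Build a constructed TLS record of the given type with a zero-filled body."""
    return HEADER.pack(ctype, 0x0303, body_len) + bytes(body_len)


# Constructed sample traffic: one normal client, one that keeps receiving
# replies far larger than what it sent.
SAMPLE_EXCHANGES = [
    ("10.0.0.5", make_record(TLS_HEARTBEAT, 40), make_record(TLS_HEARTBEAT, 40)),
    ("10.0.0.5", make_record(23, 200), make_record(23, 1200)),  # application data, ignored
    ("10.0.0.9", make_record(TLS_HEARTBEAT, 20), make_record(TLS_HEARTBEAT, 16384)),
    ("10.0.0.9", make_record(TLS_HEARTBEAT, 20), make_record(TLS_HEARTBEAT, 16384)),
]

if __name__ == "__main__":
    for client, stats in summarize(SAMPLE_EXCHANGES).items():
        print(client, stats)
```

Running it prints a summary only for the second client. In a real deployment the records would come from a packet capture rather than constructed samples; the record-layer length stays visible even when the heartbeat is sent after the handshake and its body is encrypted, though the MAC and padding then add a small fixed overhead, so a production version would compare with a tolerance instead of a strict greater-than.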

ewmayer 2014-04-22 00:24

[url=www.theguardian.com/commentisfree/2014/apr/18/corporations-google-should-not-sell-customer-data]As we sweat government surveillance, companies like Google collect our data[/url]: [i]Unless we demand changes, Big Tech will continue to profit off our personal information – with our benighted permission[/i]

Aside: The author of the above, [url=http://en.wikipedia.org/wiki/Dan_Gillmor]Dan Gillmor[/url], was the leading tech writer at Silicon Valley's major newspaper when I moved here 15 years ago:
[quote]From 1994 to 2005, Gillmor was a columnist at the San Jose Mercury News, Silicon Valley’s daily newspaper, during which time he became a leading chronicler of the dot-com boom and its subsequent bust. Starting in October 1999, he wrote a weblog for the Mercury News, which is believed to have been the first by a journalist for a traditional media company.[2] Gillmor's eJournal archives were believed to be lost but have been found in the Internet Archive and are now restored at Bayosphere.com.[/quote]

xilman 2014-04-28 07:27

In another major boost to the non-US economy, a US judge has ruled that US companies must turn over data held outside the US. Fuller report here: [url]http://news.yahoo.com/u-judge-rules-search-warrants-extend-overseas-email-224124047--finance.html[/url]

Way to go guys! Help build up the European and Asian owned cloud providers.

Xyzzy 2014-05-02 17:56

Vaguely related to this thread:

[url]https://www.eff.org/privacybadger[/url]

[url]https://panopticlick.eff.org/[/url]

Nick 2014-05-15 16:41

Glenn Greenwald's new book "No place to hide" is just out - and even the Dutch version is already available!
[URL]http://www.glenngreenwald.net/[/URL]
