Important Security Announcement April 2014

Read-only messages from the Burning Man Staff
trilobyte
Site Admin
Posts: 16452
Joined: Tue Mar 02, 2004 10:54 pm
Burning Since: 2004
Camp Name: Eridu Society
Location: San Francisco

Important Security Announcement April 2014

Post by trilobyte » Fri Apr 11, 2014 7:43 am

You may have heard by now that recently a significant security vulnerability, named Heartbleed, was discovered in core software that affected a big piece of the internet's security structure. Burning Man's tech team has been working with its service providers, and our servers have been patched. While we have no reason to believe that any data has been compromised, we recommend you consider changing your ePlaya password. To do that, click this link to go to your User Control Panel -> Profile Tab -> Edit Account Settings page.

Many thanks to the Burning Man tech team for all their efforts and support.

FossaFerox
Posts: 784
Joined: Sun Jun 02, 2013 1:43 pm
Burning Since: 2013
Camp Name: Vinyl Bunker
Location: Los Angeles, California

Re: Important Security Announcement April 2014

Post by FossaFerox » Sat Apr 12, 2014 9:59 am

Thanks Trilo, I've been waiting for this announcement. Everyone, be sure the services you use have updated their security before you set new passwords or you'll just have to change them again to be sure once they fix the problem. The MAJORITY of the internet including most major sites are or were vulnerable over the last two years.
ygmir wrote:Everyone loves you there, and no one cares a shit about you..........all at once. and vice versa.

BBadger
Posts: 5615
Joined: Wed Jan 19, 2011 10:37 am
Burning Since: 2018
Location: (near) Portland, OR, USA

Re: Important Security Announcement April 2014

Post by BBadger » Mon Apr 14, 2014 5:25 pm

That's the silly thing about so many of these "oh our site is fixed" announcements. They gloss over the fact that the fix was only applied after the vulnerability was discovered by mainstream sources. How many months have people clandestinely harvested data via exploiting this bug? Who could even know? It's not like every heartbeat packet was archived.

As above, probably the best use of these announcements is to inform people that it is now safe to change passwords now that the cabin has been repressurized.
"The essence of tyranny is not iron law. It is capricious law." -- Christopher Hitchens

Re: Important Security Announcement April 2014

Post by trilobyte » Wed Apr 16, 2014 1:32 pm

It's impossible to know how many people exploited the vulnerability, and for how long they were doing it. I've seen a few claims, but those have largely been groups who went looking for it once the vulnerability had been publicized. Bloomberg recently reported that the NSA had knowledge of it, so there's that.

Changing passwords before a site has been patched carries risk - since the site is still vulnerable to whatever the bad guys may or may not have been catching and scooping. If you make (or made) changes on a site before they posted some kind of announcement, then you should definitely go back and make another change (using something you have not used on any site) once they give the 'all clear'.

