heatleech's Significant Otter

Witty Dabbler

I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?

Skilled Genius

Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Dunno. It depends on if Gaia's patched their OpenSSL version, but then again who would want to break into Gaia? The site is on a drastic decline and it doesn't even store your credit card information, it uses PayPal to bill you.

Sparkling Dragon

Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

SSL is that fence around Gaia. HeartBleed is a fancy name for a hole in this fence that hackers could potentially use. It's not a virus, and it's not infecting servers, or spreading. There are also no reported instances yet that I have seen of anyone exploiting it. SSL is fairly solid technology and holes like this are rare. It's relatively easily repaired by applying an update.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.

O.G. Gaian

Raine Dragon
Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.


Hate to be the paranoid parrot, but... *looks at link* I'm hesitant.

But like Yoshi said, there's no point in breaking into Gaia. No financial incentive -- cash purchases go through PayPal, so there's no credit card numbers or access codes on the Gaia servers, anyway. The only justification would be the long shot chance that users here are using the same handles and passwords for their Gaia accounts and their bank accounts, and the demographic -- teens and young adults -- means there'd be little profit to be found there, anyway.


Determined Trash

I was actually worrying about that just now because Tumblr sent out a site-wide 'suggestion' to change our passwords because they patched their hole. I suppose we're fine here unless the higher ups say anything, as long as we're all practicing our usual safe password habits (which means you should be changing your password every so often anyway, without a reason). But that's just me making a sleepy guess, I still don't quite understand this whole 'heart bleed' thing except it sounds real scary.

Relentless Glitch

If it's such a concern, I hope the Gaia staff will look into matters and release some sort of advisory.

Sahdomi's Princess

Fistpumping Pumpkin

I want to know why staff hasn't addressed this yet. I was just thinking about this, checking other sites.

Darkshimmer's Husbando

Devoted Gaian

Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


If you are using Chrome you can download Chromebleed from the app store

Raine Dragon
Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

SSL is that fence around Gaia. HeartBleed is a fancy name for a hole in this fence that hackers could potentially use. It's not a virus, and it's not infecting servers, or spreading. There are also no reported instances yet that I have seen of anyone exploiting it. SSL is fairly solid technology and holes like this are rare. It's relatively easily repaired by applying an update.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.


I also tried a few of the tests that are out and it came back with these results

[two images of test results, not shown]

Sparkling Dragon

Menstrual Cramps
I want to know why staff hasn't addressed this yet. I was just thinking about this, checking other sites.


This is a really weird case. Sysadmins patch and update things on their servers frequently and it's almost never announced to the public (save for perhaps when they need to reboot the server and there will be an outage). Also, many companies do not handle servers on the systems level internally. Many companies pay for web hosting from a third party. That third party handles the server software (which this is an issue with), hardware, physical environment, and connectivity to electricity and internet.

In this case, the risk was considered high enough that there has been a lot of news coverage with the hope that people who may not be as proactive in following security trends would see and update their systems accordingly. HeartBleed impacts an estimated 2/3 of webservers, which is a massive number of systems, and larger hosting companies may not be able to roll out a fix for a few days due to the sheer number of machines they would need to have their sysadmins work on.

Some sites will tell you "hey we fixed this", because they know the public has been scared by the news coverage, but typically, things like this wouldn't be announced.

That said, for those wondering, your best bet is to change your password on sites in a couple days (allowing for a few days for most sites to have fixed this), even if you changed your password just now.

Sparkling Dragon

Lumilys
Raine Dragon
Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

SSL is that fence around Gaia. HeartBleed is a fancy name for a hole in this fence that hackers could potentially use. It's not a virus, and it's not infecting servers, or spreading. There are also no reported instances yet that I have seen of anyone exploiting it. SSL is fairly solid technology and holes like this are rare. It's relatively easily repaired by applying an update.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.


I also tried a few of the tests that are out and it came back with these results

[two images of test results, not shown]


I'm just going to flat out say I'm not a sysadmin, so while I understand most of this on a very, very basic level, I absolutely do not know it all on a detail level and I may not be right here.

However, I just looked up SSL 2, and it looks like IE6 only understands SSL 2. IE6 was shipped with Windows XP, which still has a fairly high market share. IE6 only hit its End of Life on the 8th, and as of Jan still had about 4% usage.

Studies in teen web statistics have shown that kids and teens are more likely to have hand-me-down computers from their parents and so are often in the same bracket as the elderly where their systems lag behind the average. If that is the case here, then Gaia is likely to have a higher percentage of IE6 users than the average.

While I never would recommend using IE6, I would not be surprised if Gaia is trying to support it. I work as a web developer for a university and we just dropped IE6 support on pages deeper than our homepage (it has a simple fall back version for unsupported browsers) in the last couple years.

So, that said, I'm fairly optimistic about these results even though it's an F?

Sahdomi's Princess

Fistpumping Pumpkin

Raine Dragon
Menstrual Cramps
I want to know why staff hasn't addressed this yet. I was just thinking about this, checking other sites.


This is a really weird case. Sysadmins patch and update things on their servers frequently and it's almost never announced to the public (save for perhaps when they need to reboot the server and there will be an outage). Also, many companies do not handle servers on the systems level internally. Many companies pay for web hosting from a third party. That third party handles the server software (which this is an issue with), hardware, physical environment, and connectivity to electricity and internet.

In this case, the risk was considered high enough that there has been a lot of news coverage with the hope that people who may not be as proactive in following security trends would see and update their systems accordingly. HeartBleed impacts an estimated 2/3 of webservers, which is a massive number of systems, and larger hosting companies may not be able to roll out a fix for a few days due to the sheer number of machines they would need to have their sysadmins work on.

Some sites will tell you "hey we fixed this", because they know the public has been scared by the news coverage, but typically, things like this wouldn't be announced.

That said, for those wondering, your best bet is to change your password on sites in a couple days (allowing for a few days for most sites to have fixed this), even if you changed your password just now.


Actually, to nullify your point, in the past Gaia has said they or their partners are safe in past internet frenzies. That's why I'm surprised that, with such a highly televised media scramble, Gaia wouldn't stop the cash announcements for one minute just to say people's information is safe.

Kawaii Kitten

Lumilys
Raine Dragon
Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

SSL is that fence around Gaia. HeartBleed is a fancy name for a hole in this fence that hackers could potentially use. It's not a virus, and it's not infecting servers, or spreading. There are also no reported instances yet that I have seen of anyone exploiting it. SSL is fairly solid technology and holes like this are rare. It's relatively easily repaired by applying an update.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.


I also tried a few of the tests that are out and it came back with these results

[two images of test results, not shown]


Lol this is great.

The exact thing that gives the F grade is the same reason it's not heartbleed susceptible. lol

Obsolete software FTW! (for once)

O.G. Partier

faolan
Raine Dragon
Kiyuki Darko
I've been reading about how rampant this thing is on the internet. Is Gaia updated and protected?


Heartbleed is not a virus.

Heartbleed is a security hole. Imagine you have a yard and you put a fence around it. You gave it a quick look and everything is fine.

Later, you learn that part of your fence is made of paper, and if someone dumps water on that one part, they might be able to get in.

However, if no one comes and dumps water on it before you put a new piece of fence in, you are ok.

That said, hackers who would exploit this hole are more likely to be targeting sites like financial institutions today. Gaia has a low benefit payout compared to most other targets.

I tried to test it using the test here: http://filippo.io/Heartbleed/

And it returns a timeout, which, while not a clean bill of health, does indicate that the gaia server probably could not be easily accessed.


Hate to be the paranoid parrot, but... *looks at link* I'm hesitant.

But like Yoshi said, there's no point in breaking into Gaia. No financial incentive -- cash purchases go through PayPal, so there's no credit card numbers or access codes on the Gaia servers, anyway. The only justification would be the long shot chance that users here are using the same handles and passwords for their Gaia accounts and their bank accounts, and the demographic -- teens and young adults -- means there'd be little profit to be found there, anyway.




You could use it to gain access to someone's gaia account though if gaia is using the vulnerable code.

And while that's pretty petty compared to the big stakes that are lying around vulnerable to this, anyone who thinks pettiness will keep people from doing this isn't realizing how extremely easy this vulnerability is to exploit. This is s**t I was literally taught in a 200-level course. Even if you're self-taught and stupid, someone has already written the code to test for the exploit which can totally be used to do the actual exploit. (Obviously not all of those actually print the leaked data. Several, however, very obviously do.)

The danger of this bug is not just the people who are experienced and insightful enough to have been potentially exploiting it for the last two years - it's all the idiots who are just smart enough to figure out how to prey on sites that failed to update their OpenSSL as soon as the exploit was announced. You don't have to be anyone big-time right now to use this, if you get what I mean. The skill level of the people writing test code for it, writing articles breaking down why the bug exists - these are not the kind of geniuses people are thinking they are. Finding it in a lump of messy, haphazardly updated code was the hard part; understanding how this can be used doesn't take a genius or industry pro.


The good news is that, as this isn't a man-in-the-middle like Apple's goto fail, even the simplest types of two-factor authentication like the IP verification should reduce compromise rates.


For what it's worth, LastPass believes Gaia is using OpenSSL and hasn't updated recently. But take any Heartbleed-tester with a grain of salt if you can't personally confirm its veracity. But the fact that they haven't updated means you shouldn't change your password to any passwords you plan on using (on other sites or in the long term) until it's confirmed secure. I don't know if the lack of information on whether or not they're safe means anything, but I do know that there was a big flashing banner at the employee portal at my job to confirm that our code was not and had not at any point been vulnerable to this exploit (not that bankers can read as several still called in to ask if we were safe).
