[mythtv-users] the heartbleed openssl bug and mythtv

Gary Buhrmaster gary.buhrmaster at gmail.com
Thu Apr 10 02:39:22 UTC 2014


On Thu, Apr 10, 2014 at 2:02 AM, Ian Evans <dheianevans at gmail.com> wrote:
...
> If we do have an ssl-protected web-facing mythweb right now and don't have
> time in the next day or so to take additional steps, should we at least
> shut down apache?

Ultimately, this is a risk/benefit trade off that only you can answer.
One should evaluate things like this as probability, and impact
(to reputation, bank account) and cost to recover if you happen
to be a chosen one.

There are people looking for vulnerable servers, and the results
for some, publicly posted.  That said, there are millions of
servers out there.  Unless you get unlucky (or are Yahoo!), most
likely you will not be chosen.  Does not mean you will not be
chosen (and my WAG says Yahoo! was), but unless you have
a high value service, even the (past) collected information is
not likely to be used right now.

As far as impact, if one is using a throw-away password
like "password", and is using it only on their mythweb server,
the impact is low (the worst someone could do is probably
delete your recordings, and it is only just TV :-).  On the
other hand, if it is using the same password as you use
at your bank, or your secret password to access your
evil lair, the impact could be higher.  You can mitigate
against that impact by changing your bank password
(note: Unless your bank says they have fixed it already,
you get to do it now, and then again after they have
applied the patch), and change your password to access
your secret lair from which you plan to launch the plan of
world domination.

A mitigation strategy is to shut down apache.  But note
that the info could have been acquired anytime in the past,
just waiting for (later) analysis.  So you can fix the future,
but not the past (this is why PFS is also important).

That mitigation has a cost (no remote mythweb (well,
not remote mythweb via apache; you can still use vnc
over ssh, or ssh X tunneling, or many other solutions)).
How important that is to you is also only something you
can decide.

Given that for most people the probability of being chosen,
and the impact is likely low, the mitigations may not be
worth it.

That all said, it took me less time to apply the fix to
all my running systems (a dozen or so) than it took to
write this email.  I would just do it.  And then change
all your passwords (now, that, I have not yet finished
doing across all the sites I have accounts on, since
some are still verified as vulnerable (I refer you to my
reference of available tools for investigation :-), and
some are essentially throw-away accounts and
passwords anyway.  For some sites I have had to
"suggest" to the sysadm to update their site....).
I have changed all my local passwords (which were
never the same as external passwords anyway) even
though I have not run an externally accessible SSL
web server for a bit, and used a different set of passwords
for the web than login.  But, to be honest, it is just the
push that I needed.  Those passwords had not been
changed for a bit too long.  So, I cannot claim to be
as much virtuous, as to claim to be late changing my
passwords.....
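Two local post-patch checks for the "apply the fix to all running systems" step above, added here as an example (not code from the post or from the MythTV project): classifying the `openssl version` string against the Heartbleed-affected release range, with a build-date heuristic (an assumption, not a guarantee) for distro backports that keep the old version number, and spotting a process that still maps the replaced libssl and therefore has not picked up the fix until restarted. Sample inputs are constructed, not captured from a real host.

```python
import re

# Upstream affected releases (CVE-2014-0160): 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and the 0.9.8 / 1.0.0 branches were not affected.
_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
_BUILT_RE = re.compile(r"([A-Z][a-z]{2})\s+(\d{1,2})\s+[\d:]+\s+\S+\s+(\d{4})")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Assumption used as a heuristic: 1.0.1g and the main distro backports
# shipped on 7 Apr 2014, so a later rebuild of 1.0.1e is probably patched.
FIX_DATE = (2014, 4, 7)


def classify_version(version_line, built_on_line=None):
    """Classify the first line of `openssl version`; the optional
    `built on:` line from `openssl version -b` catches distro backports
    that keep the old version string but were rebuilt after the fix."""
    m = _VER_RE.match(version_line.strip())
    if not m:
        return "unknown"
    major, minor, fix, letter, beta = m.groups()
    release = (int(major), int(minor), int(fix))
    if release == (1, 0, 2):
        return "vulnerable" if beta == "1" else "not-affected"
    if release != (1, 0, 1):
        return "not-affected"
    if letter >= "g":
        return "fixed"
    # 1.0.1 .. 1.0.1f: vulnerable as released upstream
    b = _BUILT_RE.search(built_on_line or "")
    if b and (int(b.group(3)), _MONTHS[b.group(1)], int(b.group(2))) >= FIX_DATE:
        return "likely-backport-fixed"
    return "vulnerable"


def needs_restart(maps_text):
    """True if /proc/<pid>/maps still shows a libssl/libcrypto mapping
    whose file was replaced on disk (the kernel appends '(deleted)'):
    the package is upgraded but this process still runs the old code."""
    return any("(deleted)" in line and re.search(r"lib(ssl|crypto)\b", line)
               for line in maps_text.splitlines())


# Constructed sample of a maps file (not captured from any real host).
SAMPLE_MAPS = (
    "7f1c2a000000-7f1c2a040000 r-xp 00000000 08:01 1234 "
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f1c2a200000-7f1c2a210000 r-xp 00000000 08:01 5678 "
    "/lib/x86_64-linux-gnu/libc-2.19.so\n"
)
```

Run `needs_restart` over every `/proc/*/maps` you can read and restart whatever it flags (apache included); a "likely-backport-fixed" result is a hint to confirm against your distro's advisory, not a verdict.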

