Gunnar_Zarncke comments on My Heartbleed learning experience and alternative to poor quality Heartbleed instructions. - Less Wrong

14 Post author: aisarka 15 April 2014 08:15AM

You are viewing a comment permalink. View the original post to see all comments and the full post content.

Article Navigation

Comments (31)

Comments (31)

You are viewing a single comment's thread.

Comment author: Gunnar_Zarncke 15 April 2014 09:28:45AM *  1 point [-]

The questions raised cry for a poll:

When you first heard about Heartbleed, did you fail to react? (Normalcy bias)

When you first learned about the risk, what probability did you assign to being affected by it? (enter 0.0 if not affected)

What probability do you assign now? (Optimism bias) (enter 0.0 if not affected)

Were you surprised to find out that someone in your life did not know about Heartbleed, and regret not telling them when it had occurred to you to tell them? (Bystander effect)

EDIT: The second option should read "I did tell other people delayed" (poll options cannot be altered later)

What did you think it was going to take to address Heartbleed? Did you underestimate what it would take to address it competently? (Dunning-Kruger effect)

After reading news sources on Heartbleed instructions, were you surprised later that some of them were wrong?

How much time did you think it would take to address the issue? Enter the time in days, enter 0.0 to see results.

Did it take longer? (Planning fallacy) Enter the ''factor'' it took longer than expected (e.g. if it took double as long enter 2.0; to see results enter 1.0).

Did you ignore Heartbleed? (Ostrich effect)

I would have posted this in Main because it is totally applicable to practical rationality and real risks and it is well written and sourced. That it is somewhat specialized and contains (very good!) technical advice shouldn't matter (this is still much better and more applicable that relaying purely personal experiences which were also OK earlier). But my judgement on this issue cannot be trusted.

Submitting...

Comment author: AngryParsley 15 April 2014 05:09:56PM 7 points [-]

For #1, "I reacted immediately" and "I reacted when the urgency became evident" are probably the same thing for most people. I heard about the bug 20 minutes after it was announced, from the Cloudflare blog of all places. Not even USN had posted about it. I patched my servers within an hour, and spent the next 5 hours waiting for my CA to respond to my revocation and re-key requests. Apparently they were inundated.

On the bright side, I prepared for security issues like this. I used multi-factor auth for our admin tools and perfect forward secrecy cipher suites for our TLS. Even with our private key, previously recorded traffic cannot be decrypted. And if an attacker got ahold of our passwords, they would still need to steal our YubiKeys to get access to our admin tools.

Hooray for being paranoid about security.

Comment author: Username 15 April 2014 05:49:16PM 2 points [-]

Note that a sysadmin might e.g. react immediately to patch their company's servers, revoke keys, etc., but be far more lax about changing their own passwords.

Comment author: Baughn 15 April 2014 03:17:48PM 1 point [-]

Meanwhile, and possibly distorting the poll, I still have not reacted despite wanting to do so because my internet connection is currently a wet piece of string (slow GPRS). Perhaps there should be an option for "I couldn't react"?

Comment author: Luke_A_Somers 15 April 2014 10:54:02PM 0 points [-]

Not offered answer 1: I acted immediately by not logging in to anything, but not really doing anything else Not offered answer 2: I thought I told someone, but she didn't remember later so maybe I didn't?

How long questions: The quickest folks would have it taken care of in hours, the slowest in years. When is it really taken care of?

Powered by Reddit Powered by Reddit