!!! The Heartbleed Bug !!!


AlanW (14 Apr 2014 17:18)

Sorry if I have failed to spot this subject elsewhere on the site, but does anybody know if GenesReunited was affected by the Heartbleed Bug and if so have they applied the required patches yet???

+++DetEcTive+++ (14 Apr 2014 20:45)

Although the subject was discussed amongst ourselves a few days ago, there wasn't a mention of GR.

If you are concerned, you could always contact them direct at

[email protected]

Mersey (14 Apr 2014 20:47)

Confused.com :-S

Mersey (14 Apr 2014 20:52)

Now I understand

+++DetEcTive+++ (14 Apr 2014 20:53)

:-D :-D

Elizabeth2469049 (14 Apr 2014 22:32)

Am I right in thinking that if I haven't an Android device I won't be affected?

AlanW (14 Apr 2014 22:46)

Hi all, I'm still not sure on the GR site. Maybe I will have to take +++DetEcTive+++'s advice and contact GR direct. It's inconclusive on the Heartbleed checker I tried from McAfee.
As for Androids, the info I read yesterday said only Android version 4.1.1 was affected.
Elizabeth2469049, in answer to you, and I'm no techy, but yes, we COULD all be affected if we visit a site that is vulnerable and hasn't been patched.
This may explain it better than I could. http://heartbleed.com/
It just seems for something apparently so big to happen in Internet security there is so little info from individual sites regarding their vulnerability and whether patches have been used. :-|
Might be an idea for a show for future generations...........Hack the Ancestors.??? ;-)

eRRolSheep (15 Apr 2014 11:35)

Do GR use OpenSSL?
I don't think they even have Apache capability.

DazedConfused (15 Apr 2014 13:47)

Unless they actually get hacked (and they will then inform all members of this) I do not see the need to be overly worried at present.

Of course if you are concerned then all you need to do at present is to change all your passwords used.

RolloTheRed (15 Apr 2014 15:36)

As Errol says, GenesRU is hosted on a web server running Microsoft IIS 7.0 (Internet Information Services), which does not have this particular security problem. It has others, mostly related to timeouts, which is why the ads have disappeared ...

Android Jelly Bean does have the vulnerability, but there is not much that can be done about it except to install a non-rooted firewall app and be picky about what you let connect. For the most part fixing the problem lies with the server side. The larger well known sites will already have it fixed, and small sites hosted by 1&1 etc will also be ok.

The biggest hole will be government services running on Apache, as the public sector tends to lag badly on fixing bugs, including security. As nearly all HMG services run on Microsoft software, there is no need to get into much of a sweat.

Passwords should be changed fairly often anyway, 90 days max.
For mathematical reasons this kind of password is difficult to crack with the dictionary attacks most often used:
hTe6aCt&7hTe8iFddle9
though no password can hold out indefinitely from brute force attack.

There is also a function in Windows which will issue a GUID similar to the ones which Microsoft use for software keys. These are 16 digits long and an excellent password, but you'll never remember one by heart.

There are flaws in the public key / private key (PSK) security used with https and mobile phones such that there are ways to crack passwords without using brute force.

Additionally "man in the middle" attacks are popular especially with gaining access to bank accounts etc.

For that reason high level security as used by CHAPS, SWIFT, BACS and most defense systems have moved on to other methods.

I highly recommend that you don't use your mobile phone as a gateway to any bank current account or credit card, either directly or via a payment service such as PayPal. It is not so difficult to restore a lost/stolen, IMEI-blocked, data-wiped smartphone to life as the ISPs and phone makers would like you to believe. A tactical approach is to get one of those VISA cards which you can top up with cash for holidays etc. They can also be used for online transactions.

Android phones are to a large extent at the mercy of the app providers playing nicely, and even if they do play nice, of them having bug-free software, plugins etc. Pigs may fly.

Many popular routers are also susceptible to the PSK attack. The best defenses are (a) stop the router broadcasting its network ID and (b) turn off the easy connect feature. If you can use 5.0GHz only that also helps as the range is much less than 2.4GHz.

SueCar (15 Apr 2014 20:21)

Oh dear. I'm finding most of this thread completely unintelligible. :-(

RolloTheRed (15 Apr 2014 20:45)

For those of a zero technical bent there is a suitable solution for all things computer, tablet and smart phone related. Not cheap though.

Apple :-)

Microsoft is a bit like going out with a guy with a nice suit but from a broken family who can be very unpredictable. Gets on fine with Obama. Birds of a feather ...

Android is quite a lot like going out with a ferret up your trousers or skirt dead keen to get at your wallet. No dress sense at all.
btw Android is a wayward child of Linux and has some cousins - Kindle is best known.

Linux is fond of showing off his cool friends on Facebook but never mentions that he is the gun smith for all the serious black hats. Likes GAP.
Microsoft have a contract out on Linux which makes many respectable people nervous of associating with him. Frau Merkel is happy though. Then she would be.

Yer pays yer money and yer takes yer choice. ( Bill Sykes )

eRRolSheep (16 Apr 2014 11:16)

DazedConfused - changing your password if you are concerned is the worst thing you can do.

Elizabeth2469049 (16 Apr 2014 11:53)

errol - please explain why it would be so risky to change a password :-S :-S :-S

eRRolSheep (16 Apr 2014 12:14)

Why would you change a password for a site that has not been patched?

Kucinta (16 Apr 2014 12:15)

If you change the password for vulnerable sites that haven't been patched yet, then your new password will be as at risk as the previous one.

If you use that same password for several sites (not advisable) then you would be even more vulnerable.

There may well be additional techy reasons why it's not a good idea, but the reason I've just stated is just basic logic (I think?)

Kucinta (16 Apr 2014 12:18)

Oops, was typing whilst you posted, Errol.

eRRolSheep (16 Apr 2014 12:24)

No worries - and you are absolutely bang on.

RolloTheRed (16 Apr 2014 12:56)

Errol is 100% correct.

It has been known for yonks that there are vulnerabilities in the SSL component of Linux, even though it was not widely known by the average system admin, webmaster or user. It is not especially easy to exploit a 64 K sliding window which only exists for a brief moment of time.

So why has it not been fixed before now ?

The primary reason is that once fixed on the server the fix is no darn good unless the site certificate itself is updated, and that usually costs good money. Now of course putting it off to a later date has had the usual result and thousands of sites need to be updated all at once. They can't be without bringing the net to a crawl. The process will take weeks. Updating your password in the meantime significantly increases the chance that it will be compromised through the https / pks traffic. Brer fox he lay low, he ain't sayin' nuffin.

Second reason is that the update will "break" many applications relying on https. The head honcho of Linux, Mr Linus Torvalds, still controls the OS and he is very conservative about system updates. Besides which Linux is entrenched in another security battle with Microsoft/Intel over UEFI. Apple and Microsoft code does not have the bug.

Third reason is that the public key/private key encryption is in any case not as secure as it once was 'cos of errors (?) in the random number generator. Some say that the errors were inserted by NSA/GCHQ. In any case those needing really watertight security, eg SWIFT, have moved on to other methods. Thus there has been no real commercial pressure to get the problem fixed.

So forget about bleeding heart and worry a lot more about just how much of your life is on your mobile and what would happen if it is lost/stolen. A much more significant risk.

One of my ancestors owned the Red <3 Heart Inn. He was alleged to be a highwayman. The Inn is still there but owned by the Chinese, as are most things these days. Such as Huawei, the Chinese telecoms maker which is equipping BT's internet backbone in the UK.
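The "64 K sliding window" RolloTheRed refers to is the bounds check that OpenSSL's heartbeat handler was missing: it trusted the 16-bit payload_length field in the request and echoed back that many bytes, up to 64 KiB, regardless of how short the actual record was. As an added example (not part of this thread, and nothing to do with what Genes Reunited runs), here is that check written as a defender's record filter over constructed sample records; the record layouts are RFC 6520's, the sample bytes are made up for the test.

```python
# Heartbeat record bounds check (added example; sample records are constructed, not captured).
import struct

HEARTBEAT_CONTENT_TYPE = 0x18          # TLS record type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                       # RFC 6520: at least 16 bytes of padding per message


def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record as 'not-heartbeat', 'truncated', 'malformed' or 'ok'.

    'malformed' is the Heartbleed shape: the payload_length field claims more bytes
    than the record carries. A server that trusts that field copies up to 64 KiB of
    whatever sits next to the request buffer into its reply; the fix rejects such
    records before touching the payload, which is exactly the test below.
    """
    if len(record) < 5:
        return "truncated"
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    body = record[5:]
    if len(body) < record_len:
        return "truncated"                 # record header promises more than we have
    if record_len < 3:
        return "malformed"                 # no room for type + payload_length
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed"
    # The bounds check the patch added: type(1) + length(2) + payload + padding must fit.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return "malformed"
    return "ok"


def scan(records: dict) -> dict:
    """Run the check over a batch of named records, returning name -> verdict."""
    return {name: check_heartbeat_record(rec) for name, rec in records.items()}


# Constructed samples. Layout: content type(1) version(2) record length(2) body.
SAMPLE_RECORDS = {
    # well-formed request: 5-byte payload "hello" plus 16 bytes of padding, body = 24 bytes
    "benign": b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05hello" + b"\x00" * 16,
    # payload_length says 0x4000 bytes but the body is only 3 bytes long
    "oversized": b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00",
    # an ordinary application-data record, not a heartbeat at all
    "app_data": b"\x17\x03\x02\x00\x02" + b"\x00\x00",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {verdict}")
```

The same test is what an IDS signature for the bug encodes: flag any heartbeat whose declared payload length exceeds the record that carries it.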

SueCar (16 Apr 2014 19:21)

"So forget about bleeding heart and worry a lot more about just how much of your life is on your mobile and what would happen if it is lost/stolen. A much more significant risk".

Now that's good advice, RtR: glad now that I followed my instincts on acquiring an Android mobile phone. I've steered clear of mobile banking and only use one of my email addresses on it, not the one I use for serious stuff like writing to the Council etc.