Heartbleed and why you should change your password

Important for account security

Not too long ago a major Internet security risk was made public, known as "Heartbleed".

Rather than have me explain it to you this video can do that: https://vimeo.com/91425662

Even if you don't think GalCiv was directly affected, you should at least change your password if you use the same or similar login info on other sites, as Heartbleed affected about 2/3 of the entire internet and your information could have been picked up anywhere! Don't let your investment in GalCiv be ruined because of this.

This can potentially also mean personal information like SSN#, credit card #, address, etc. could have been compromised; keep an eye out for problems with those too.

13,574 views 15 replies
Reply #1

This is true, however if you change your password before Heartbleed has been patched on these or any other servers that are vulnerable, then it and other information can just be stolen again.

Is there some official confirmation on whether Stardock's servers are affected?

Reply #2

The problem is it's hard to detect if there is a problem with it on Stardock's servers, exactly because of the nature of the attack being near undetectable, but it's better to be safe than sorry in my opinion. It's more of a general PSA to people who share my concerns for security.

But you are right; find out if/when a server is/will be patched when wanting to update your security.

Reply #3

Not entirely true. Stardock can easily tell us if they have been running vulnerable web servers, just not if the vulnerability has been exploited. Heartbleed, after all, did not affect all web servers.

They need to tell us if they are vulnerable and, if so, when the vulnerability has been patched. Then I agree that at that point we need to change our passwords.

Reply #4

Thing is, even if you're not using HTTPS with OpenSSL on Stardock, any account that uses similar login information anywhere is at risk, because a lot of people do use the same password in many places, against standard password advice. These are the people who should change their passwords. Not just on this site, but every site.

Someone logs into a compromised service, then the attacker gets their email, logs into that and then can hijack any service that person signed up for that sends email re-verification for password/account information. It doesn't have to directly affect Stardock; I'm saying anyone who thinks they might be at risk, and there are a lot of them, should be going through the process of updating their personal e-identity security everywhere.

Start with securing your email accounts, then from there secure everything else starting with any service that uses your payment information.

Reply #5

If you use a Symantec product, such as Norton Internet Security, Norton 360, or others, Symantec has a tool that can tell you whether or not a network address you use is safe. I used this tool and checked the Galciv3 and StarDock web sites and received a confirmation that they were safe.

Reply #6

That wouldn't have helped if you used a compromised service before the announcement of the SSL defect; Norton would have just said, "OpenSSL? You're good, buddy, go on in and enjoy this site, it's 'Safe'!"

Because SSL is the encryption that makes the website "Safe", the problem is the security had a flaw, so Norton is about as useful as a brick in knowing if your information was leaked from any site that you visited and logged into in the past few weeks. They may be safe now, but you wouldn't know where or when your information was taken. What part of this is a MASSIVE GLOBAL problem that affects 2/3 of the entire internet? It's not just GalCiv or Stardock, it's potentially ANY WEBSITE YOU'VE BEEN LOGGED INTO FOR THE PAST MONTH OR SO!

Do you not grasp how easy it would be for anyone who has a single piece of information such as an email login to take all your stuff, all your accounts, your Steam, your WoW account, possibly even direct access to your bank accounts? Like if your email provider was a victim of the bug, it would be a cakewalk, when they get done with the person before you on their list of stolen accounts, to hop on yours and start resetting all your passwords for you. Hope you liked spending $1000 on all your Steam games just so someone else could transfer them to their computer.

It's not hard to just go change every password you have EVERYWHERE and then you know you will be safe, 'cause Norton won't let you know that all your accounts have been hijacked when you don't.

Reply #7

This sounds more like fear-mongering than anything else, but I appreciate the warning. Someone might take my Planetside 2 account! :O

Reply #8

You should know if you reuse the same password across multiple sites; if so, then yes, you should change them all. Personally I've only used my current password on this site.

However, changing them all before half the sites you visit have patched is a bad idea, especially if you're going to reuse the same password again. I thought that when that news article came out, and I still think it.

Don't get me wrong, this is a really bad security flaw, but resetting all your passwords at this point may actually not reduce your exposure and may even increase it, by making you visit all the sites you normally use a password on, thus creating just the sort of encrypted traffic that this bug allows people to intercept.

P.S. Does anyone else think this is obviously one of the backdoors the NSA built into internet security protocols then got nervous about when Snowden started to expose them and decided to have some security researchers "discover it"... :ninja:

Reply #9

Quoting ParagonRenegade, reply 7
It's not hard to just go change every password you have EVERYWHERE and then you know you will be safe, 'cause Norton won't let you know that all your accounts have been hijacked when you don't.

It is not safe to change your password on a site that does not have the fix for Heartbleed, or to use that site. The Norton tool I referenced is to check that the site has the fix installed, and you have to use it manually.

The recommendation given by Symantec is to check each site you use first, change your password on sites that have the fix, and to not use the sites without the fix (or at least, do not change your password on those sites). I think it would be a good idea to notify the failing site's administrator if possible that they need to install the fix.

Quoting econundrum1, reply 8
P.S. Does anyone else think this is obviously one of the backdoors the NSA built into internet security protocols then got nervous about when Snowden started to expose them and decided to have some security researchers "discover it"...

Obvious? Until they come out with factual statements to this effect it is useless to speculate, and certainly spreading rumors like this is more harmful than useful, but it is worthwhile to pressure the federal administration to check it out.

Reply #10

As far as the involvement of the NSA is concerned, there is no way it's in the interest of the US government to admit to it if it was. But this does look like exactly the type of backdoor weakening of vital internet security Snowden talked about.

The truth is we will never know for sure. The NSA have already officially denied it, for what that is really worth.

Reply #11

Quoting econundrum1, reply 10
The truth is we will never know for sure. The NSA have already officially denied it, for what that is really worth.

The truth is that we MAY never know for sure. Pressure on Senators or Congressmen by their constituents is the only way of forcing accountability.

Reply #12

Another duplicate post. Please ignore.

Reply #13

True, however it's not in the interest of anyone in the American government for it to be confirmed as true; indeed, that would be very damaging to the nation's credibility. Pressure on Senators or Congressmen would just lead to a closed-door investigation followed by another public denial.

Ultimately it doesn't really matter, but it does fit the profile of the sort of security flaw Snowden's leak suggested they had been intentionally building into key internet security protocols.

I'm a cynic, so for me this is a bit too much coincidence, but if the NSA is watching it's not like I plan to do anything about it :X .

Reply #14

And I thought I was cynical.

Anyway, cynic or not, no pressure produces no results. If one feels strongly enough about it, apply the pressure regardless of what results you think it may get. At least you will be able to say "at least I tried."

Reply #15

Heartbleed is NOT the kind of backdoor or compromise someone like the NSA would try to inject into an Open Source project like OpenSSL. The possibility of other spy agencies discovering it would be far too great, leading to not only the NSA being able to monitor things, but agencies the NSA doesn't like also being able to monitor stuff.

An NSA-style attack would be one of two things: 

(1) discover a vulnerability that existed in the current codebase - whether due to a code flaw or some new advanced crypto technique developed in-house at the NSA - and NOT report that, under the presumption that they are far better positioned to discover that kind of vulnerability than anybody else, and thus would have exclusive access, or

(2) Inject a piece of code into the project that looks otherwise completely harmless, but, given certain NSA crypto advancements, turns out to be a severe weakening of the crypto, but doesn't change things for people who don't know the secret NSA technique. 

Heartbleed was neither - it was a coding mistake that, once someone finally got around to analyzing the particular putback, is an obvious error. The issue is lack of sufficient code review.

There's suspicion (but ONLY suspicion, no real factual basis) that the NSA might have known about this particular weakness a while ago. But that's entirely different than the NSA deliberately breaking OpenSSL with a code exploit. And there's serious debate about how much responsibility the NSA should have to notify the general public when they find security leaks. It's not cut-and-dried.
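The "obvious error" the reply above refers to, shown as an added, simplified illustration that is not OpenSSL's code and not part of the thread: a heartbeat echo that trusts the peer's claimed payload length, beside the one-line bounds check that fixes it, run against a constructed memory buffer. The buffer layout, the function names and the "secret" bytes are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed "process memory" (an assumption, not a real layout): the
 * 4-byte heartbeat record sits at the front, and unrelated data that
 * stands in for a session key or password follows it. */
static const uint8_t memory[] = {
    0x00, 0x10,                       /* claimed payload length: 16 */
    'h', 'i',                         /* the 2 payload bytes that arrived */
    'S','E','C','R','E','T','-','K','E','Y','-','1','2','3','4','5'
};
#define RECORD_LEN 4                  /* bytes the peer actually sent */

/* Echo a heartbeat payload into `out`. Returns bytes copied, or -1 if the
 * record is rejected. checked == 0 reproduces the missing bounds check;
 * checked == 1 is the fix: never trust a length the peer merely claims. */
int heartbeat_echo(const uint8_t *rec, size_t rec_len,
                   uint8_t *out, size_t out_cap, int checked)
{
    if (rec_len < 2) return -1;                   /* no length field */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (checked && claimed > rec_len - 2)
        return -1;                  /* fix: claim exceeds what was received */
    if (claimed > out_cap) return -1;             /* never overflow `out` */
    memcpy(out, rec + 2, claimed);  /* unchecked: reads past the record */
    return (int)claimed;
}

/* Returns 1 if the echo response contains bytes from beyond the record,
 * i.e. the neighbouring "secret" leaked; 0 if it was rejected or clean. */
int leaks_neighbouring_memory(int checked)
{
    uint8_t out[64];
    int n = heartbeat_echo(memory, RECORD_LEN, out, sizeof out, checked);
    if (n <= 2) return 0;
    return memcmp(out + 2, "SECRET", 6) == 0;
}
```

The unchecked path is the review miss: nothing on the page it came from looked wrong in isolation, because the error is the absence of a comparison, which is exactly what a second reviewer is there to notice.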