A Couple Security-Related Issues

Posted on: April 11th, 2014 by Craig Rairdin 6 Comments

Just a couple brief comments on two unrelated security issues. You’ve probably heard about the Heartbleed vulnerability that affected many websites this week. For some reason, the media didn’t mention that the affected servers are running Linux. (There are issues with certain programs running on other servers, but the primary impact was for those sites running Linux-based servers.) They’re quick to jump on Microsoft when it comes to security flaws in Windows, but I guess Linux doesn’t get the same treatment. Weird.

Anyway, we run Windows servers here and don’t appear to be affected by Heartbleed. This blog is on a Linux box, but there’s nothing valuable here except for my ramblings on various topics, and those are only mildly worth stealing.

Coincidentally, we were working on another security-related issue when we heard about Heartbleed. A few of you have given us grief in the past for sending password reminders in email. While your Laridian password doesn’t expose any personal information of import, except perhaps your mailing address — which is widely available elsewhere — it was still disconcerting to see your password show up in clear text.

So we’ve made some changes now so that we don’t send out passwords but instead send a link to a page where you can reset your password. This should provide a little more security, especially if you’re in the habit of using the same password everywhere. 🙂
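The reset-link flow described above, written out as an added example (this is not Laridian's code, and the class and function names, the in-memory stores, and the 15-minute lifetime are assumptions for illustration). It shows the properties that make an emailed reset link safer than an emailed password: the token is high-entropy, only its hash is stored server-side, it expires, it is invalidated on first use, and the new password is stored as a salted scrypt hash rather than anything that could later be mailed back in clear text.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """Pending reset tokens, keyed by SHA-256 of the token (assumed in-memory store).

    Storing only the digest means a leaked copy of this table does not yield usable links.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Create a single-use token for username and return the raw token.

        The raw token exists only in the emailed link; the table keeps its hash.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self._clock() + RESET_TTL_SECONDS)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Return the username if token is valid and unexpired, else None.

        The entry is removed on first presentation, so a link can be used only once
        whether or not the reset then succeeds. The dict lookup is keyed on a hash of
        a high-entropy token, so its timing reveals nothing useful about the token.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            return None
        return username


class AccountStore:
    """Assumed account table: username -> (salt, scrypt hash of password)."""

    def __init__(self):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # scrypt is memory-hard; these cost parameters are a reasonable interactive-login setting
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def exists(self, username: str) -> bool:
        return username in self._users

    def verify(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(password, salt))


def request_reset(accounts: AccountStore, tokens: ResetTokenStore,
                  username: str, base_url: str) -> Optional[str]:
    """Build the reset link to email, or None for an unknown account.

    The HTTP response shown to the requester should be identical in both cases so the
    endpoint does not confirm which usernames exist; only the email differs.
    """
    if not accounts.exists(username):
        return None
    return f"{base_url}/reset?token={tokens.issue(username)}"


def complete_reset(accounts: AccountStore, tokens: ResetTokenStore,
                   token: str, new_password: str) -> bool:
    """Set a new password if the presented token is valid; the token is spent either way."""
    username = tokens.consume(token)
    if username is None:
        return False
    accounts.set_password(username, new_password)
    return True


if __name__ == "__main__":
    accounts, tokens = AccountStore(), ResetTokenStore()
    accounts.set_password("alice", "old password")          # constructed sample account
    link = request_reset(accounts, tokens, "alice", "https://example.invalid")
    raw_token = link.split("token=")[1]
    print(complete_reset(accounts, tokens, raw_token, "new password"))  # True
    print(complete_reset(accounts, tokens, raw_token, "again"))         # False: link already used
    print(accounts.verify("alice", "new password"))                     # True
```

A real deployment would persist both tables in a database, rate-limit the request endpoint, and deliver the link over HTTPS only; the token and password handling above is the part that does not change.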


6 Responses

  1. Mark Hambridge says:

    Hi Craig – I welcome the password procedure change. However, may I suggest you put a tool on the ‘my account’ page which allows me to voluntarily trigger a password change (the present log-in page works for ‘forgotten password’). I use LastPass to manage passwords and usually log in through their tool, so I bypass the usual log-in and type-your-password function; when a strong password is used, putting it in manually is a chore! This would be a useful addition to your change.

    • Craig Rairdin says:

      You can already change your password from My Account. Also keep in mind that changing your Laridian password is a bit of a chore anyway since you have to update your credentials in PocketBible on each of your devices. The point being that it isn’t something you want to do out of some false sense of maintaining security. Use an obscure password for your Laridian account and leave it alone. There’s no credit card info exposed with that password (unlike, say, your Apple ID which lets a person charge things to your account if they know your password).

  2. JT says:

    Thanks for the update, Craig, nice work.

  3. Jon Morgan says:

    As you are probably aware, the problem is not with Linux, but with a tool running on Linux (most commonly Apache with OpenSSL). While it is much more common on Linux, and IIS is much more common on Windows, people do still run Apache servers on Windows.
    The security problems in Windows are much more directly a Windows flaw with a number of factors involved. For a few factors: Windows historically had much of the UI code running at the kernel level (helps performance, but insecure by design), and Windows encouraged users to run with administrator-level privileges (also insecure). Also, Windows was more popular, making it a bigger target, and was largely a desktop system with less attention to hardening the system and protecting it than dedicated server environments (also easier to trick less sophisticated users into doing the wrong thing).

  4. Matthew says:

    So glad my password won’t get sent via email anymore! I know that you shouldn’t share passwords between sites, but many people do (in my case, this site’s password is unique), so sending it via email is a bad idea.

    Thanks again!

    • Craig Rairdin says:

      Actually, sharing passwords is the bad idea. The fact that some sites send them back in clear text is one reason it’s a bad idea. 🙂

©2018 Laridian