On 04/10/14 21:41, Cristian Rodríguez wrote:
> Also banks are not known for staying on top of technology; in fact quite the opposite, they are in a state of fossilization. I doubt many run reasonably updated OpenSSL versions that contain the vulnerability.
That banks don't run distributions with not-yet-settled technology is one thing. With customer-facing IT, they shall not be on top of technology. They shall be conservative and use proven technology that has settled. To call that fossilization is ridiculous. (Internally, that's a completely different thing. I know quite a few banks that have their own patched kernels, especially when HFT is involved.)

That banks don't patch their systems and don't update critical security infrastructure is far from the truth. Responsible persons in IT wouldn't survive the next internal audit. Patch processes and documentation are regular and mandatory items on audit checklists. BEAST and other vulnerabilities have triggered updates of OpenSSL-based products and have introduced the respective versions that are now vulnerable to Heartbleed. If one is lucky, F5s were used as load balancers; they are not vulnerable.

As somebody who spent the last few days helping several banks to mitigate that problem, I can assure you: banks are not in a state of fossilization, they run reasonably updated OpenSSL versions, (sadly) most of them were vulnerable, and checking/patching the problem was a high-priority C-level-attention thing for all of them.

Joachim

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod, Roedermark, Germany
Email: jschrod@acm.org
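Added here as a worked example, not code from Joachim's mail or from the openSUSE list: a small check that classifies `openssl version` banners against the Heartbleed-affected range, to illustrate the point above that the post-BEAST upgrades onto the 1.0.1 branch are exactly the builds that turned out vulnerable. The host names and inventory below are constructed; the version ranges come from the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, fixed in 1.0.1g and 1.0.2-beta2; the 0.9.8 and 1.0.0 branches never implemented the TLS heartbeat extension).

```python
"""Classify OpenSSL version banners relative to Heartbleed (CVE-2014-0160).

Added example for this thread, not part of the original mail. The inventory
below is constructed sample data.
"""
import re

# Matches the leading part of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, fix, patch_letter) from a banner, or None if it is not OpenSSL."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def heartbleed_status(banner):
    """Return 'not-affected', 'vulnerable', 'fixed' or 'unknown' for one banner.

    Caveat: distributions (openSUSE, Debian, RHEL, ...) backport fixes without
    bumping the upstream version letter, so a 'vulnerable' verdict from the banner
    alone must be confirmed against the package changelog or an actual heartbeat
    probe before anyone is paged.
    """
    v = parse_version(banner)
    if v is None:
        return "unknown"          # F5 TMOS, Java, NSS, ... are not classified here
    major, minor, fix, letter = v
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not-affected"     # 0.9.8x and 1.0.0x have no TLS heartbeat code at all
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if branch == (1, 0, 2) and "beta1" in banner:
        return "vulnerable"       # 1.0.2-beta1 shipped the bug; beta2 fixed it
    return "fixed"                # 1.0.2-beta2 and everything later


def audit(inventory):
    """Map host -> Heartbleed status for a list of (host, banner) pairs."""
    return {host: heartbleed_status(banner) for host, banner in inventory}


# Constructed sample inventory: the BEAST-era upgrade path from 1.0.0 to 1.0.1e
# is what moved a host into the vulnerable range.
SAMPLE_INVENTORY = [
    ("lb-old", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("web-01", "OpenSSL 1.0.0k 5 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-03", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("dev-01", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("f5-vip", "TMOS 11.5.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8s} {status}")
```

Feed it the output of `openssl version` collected from each host (or the version string embedded in a product's own build info) and treat "vulnerable" as a candidate list, not a verdict: a distribution package at 1.0.1e with the fix backported reports the same banner as an unpatched one, so the changelog or a live heartbeat probe is the authoritative check.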