I have accounts on Google, Amazon, Apple, various financial institutions, work, and a lot of other lower-sensitivity sites, and I have had not a single email from any of them about Heartbleed, including those listed in various places as vulnerable. In fact, I would have written it off as a hoax but for seeing people like Bruce Schneier and Randall Munroe taking it seriously. Has this been other people’s experience also?
I have had not a single email from any of them about Heartbleed
This delayed my finding out about it. I discovered later that most of them had posted their notice someplace a little out of the way—on some blog that’s not even under their main domain name (Google did this and I think Microsoft may have done it), or in a little “news” box that you only see after signing in to the website. I don’t know what immunized me against the instinct to write it off as a hoax. Perhaps it was all of the security literature I’ve read and my daily experiences that have informed me that security is difficult and that flawed code can easily be written by accident.
This delayed my finding out about it. I discovered later that most of them had posted their notice someplace a little out of the way
This seems like a good strategy (for them). Answer the questions of those who have security concerns without drawing negative attention to yourself among naive customers.
Think about their incentives while remembering that Heartbleed attacks are, generally speaking, invisible and leave no traces.
If it weren’t for Munroe, I might not even know about it. I haven’t seen any non-internet news stories on it, and the only online news articles I’ve seen are ones from me specifically looking for information on it.
I did get a mail from my hoster one day after, but at that time I had already updated Ubuntu (after determining the OpenSSL version and checking for rootkits). I didn’t hear from Google or other big sites but I reason that they rely on the news.