The Internet's Bleeding Heart

Comments

1
I just read of this via Jacob Appelbaum and Reddit. Thanks for disclosing the severity and omnipresence of the exploit, and reminding us to change passwords.
2
Changing your password is not going to help if the vulnerability is in the OpenSSL security layer of the server your using... which more than likely your various server providers will take their sweet time fixing. It will only help AFTER the server is fixed.

Though having different passwords is obviously a good idea.
3
Panic in the executive lounge.

It's been a fun, fun week(end) for everyone in IT.

"Thanks" to all the mid-level and wanna-be execs for calling, texting, emailing, etc. to let us know that you read something online. If you find that all of your accounts and devices have been locked or suspended, it's purely a coincidence. We'll get right on that ASAP just like you told us.

So, how many security certificates did you have to revoke? You know it's a competition, right?
4
eh. please steal whatever you want from me. I'm pretty sure you will be disappointed. I do feel for people that actually have things to care about.
5
Google is good.

Yahoo should be good by end of day.

Online banking is largely unaffected because they lag behind the rest and/or use proprietary software.

Online shopping sites that use OpenSSL may be a hit or miss at the moment. Give them a week (or two) to upgrade and to replace certificates.

And, like Anthony said change your passwords, use strong passwords (no words in the dictionary, use good mix if letters, numbers and symbols). Don't use the same password across all your logins; using the same password across multiple logins defeats the purpose of having one. And, if it's available, use 2-step authentication for additional login security.

What is 2-step authentication?
After providing your user name & password to log in, a security server sends a 5 or 6 digit number as a text message or automated voice call to the phone you chose during setup. You enter the code like a second password to complete the login process. Both Google and Yahoo offer this added layer of security, please use it.
6
@2 - True. For critical stuff - banking, email, etc., - you should check with the provider that they've fixed the problem before changing your passwords, and if they haven't, log out and don't go back until they do. If anything, it's MORE likely for your info to be compromised now, since everybody in the world now knows how.

Here's a tool to check if a particular server is vulnerable: http://filippo.io/Heartbleed/
7
Layman's explanation of the vulnerability: you can ask a ssl server to let you know that it's alive ("heartbeat") by sending it a message and asking it to repeat it back to you. You say: here's my message - it's X bytes long. The server stores your message in memory, and then responds with (starting location of your message + X) bytes of data.

The problem is that the server BELIEVES you when you tell it how long your message is. If you send it a 1-byte message, but tell it that your message is 65000 bytes long, it returns your byte plus the next 64999 bytes of WHATEVER was nearby in RAM.

The fix was, unsurprisingly, to CHECK the length of incoming heartbeat messages against their advertised length.
8
The two people who work on openssl don't get minimum wage, and you all use it, so you support slave wages, and are oppressor assholes.

I think.
9
Bah. Fuck it. Privacy is dead. If it's in electronic form somewhere (even on your home computer), it's accessible by someone. It doesn't mean put your social security or bank account numbers on facebook to make it any easier, but let's get real. If someone competent wants your personal info, it's theirs for the taking. (Fortunately most of us lead mundane, inconsequential lives not worth meddling with.)
10
horray for running software too old to be vulnerable :sheepish grin:

11
VPNs used by businesses everywhere are one of the most affected applications that use OpenSSL to establish secure network connections. It may take a few days before most have been corrected.

So, assume any/all remote access and connections over VPN are not secure until you've verified with your IT dept. and/or network service providers that the network has been fully upgraded and that new security certificates have been installed.

If you access a remote corporate server from your local business or from home, this problem probably affects you.
12
@7 - Great explanation. Here's a nice video too: http://info.elastica.net/2014/04/openssl…
13
@9: "Privacy is dead," says someone leaving a comment pseudonymously.

Strong cryptography works. Use it or don't, but please don't force your willingness to give up your rights on those of us who value the option for everyone to keep communications, locations, associations, and thoughts private more than you value those options.
14
What it means is that we should finally learn our lesson that the vast majority of stuff, and a basic encryption library is a prime example, should be written in a memory-managed language like Java or C#, not in C. Such languages do automatic bounds checking. The bounds check is optimized away when the compiler can prove that it is unnecessary, and the tools have long been available to compile these languages down to the metal, so no there is no JIT hit. So a quit your poser whining about performance with which you try to signal how l33t you are.
15
@14 It isn't as simple as that. Even in higher level languages things like encryption are generally handled by system libraries. Which isn't necessarily a bad thing since it means that encryption is handled by one team rather than being coded again and again by the C# team, the VisualBasic team, the IIS team, etc.

Unfortunately the tradeoff is that many points of failure in something as difficult to get right as encryption is traded for a single point of failure which makes an actual exploit that much more painful.

Big companies like Google, Yahoo, Chase, etc. which are raking in billions using open source software should step up to the plate and ensure that the packages they rely on are secure. This is doubly important right now since we know that in addition to inadvertent bugs we also have to ferret out intentional NSA backdoors. It's past time for this code to be hardened.

As for changing your passwords. It's a good idea for everyone to rotate their passwords every so often so now is a good time to do it.
16
Well, so much for the idea that open-source is so much more secure because there are a bazillion propeller-heads examining the code.
17
@15: There is no law that system libraries must be written in C. It all gets compiled down to CPU instructions. To call across languages all you need are binary layout conventions, and we have those.
18
The problem with security today is programmers just assume no one is evil and won't *try* to break their code. That's the longest running con in the history of the world... assuming people are all honest and pure.
19
@16

Microsoft abandoned millions of Windows XP users to fend for themselves yesterday.

Microsoft did so with the full intent of forcing people to either buy Windows 8.1 and Office 2013 or to buy a new computer with Windows 8.1 and Office 2013.

Not having to support the flawed product that they sold to their customers saves Microsoft lots of money, and since the product falls under intellectual property laws, they're liability for screwing over their customers is largely undefined or nonexistent.

Microsoft is not even required by law to offer the replacement product (Windows 8.1 and Office 2013) at a some discount for the affected parties.

Microsoft could have offered a $20 per year license for ongoing maintenance of Windows XP for its millions of users.

Microsoft could have created a foundation or helped create one to maintain Windows XP (NT) as an open source operating system. It didn't.

It's a greedy company that wants to see if it can get away with forcing millions of Windows XP users to pay for Microsoft's new software and/or to buy a new computer with their software already installed, regardless of whether the Windows XP users can afford it, need it, want it or not.

My last upgrade on my Mac was free, and the one prior to that was $20. To my knowledge, Apple hasn't abandoned anyone since introducing OS X; the updates are still being issued.

Ubuntu will be releasing yet another full version upgrade of its open-source Linux operating system next week...for free like every version since 1.0. Unlike Windows 8.1, Ubuntu will actually run on older Windows XP machines. And, Libre Office that comes with bundled with Ubuntu (again, it's open source and free) actually supports documents created with Microsoft Office 2003 through 2013, while Microsoft has abandoned Office 2003 completely.

If GM and Toyota have to pay for recalls of their products when they fail, why shouldn't Microsoft and their hardware partners like HP and Dell have to continue support their products, offer a replacement that works or release the abandoned operating system to the open source community?

For most of the last two decades, Microsoft's customers didn't get a choice in what software was installed on their PC. Even today, the choice is limited. In most cases, you have to pay for Windows on your PC, regardless of whether you want it.

When 27% of Windows users are still using Windows XP and when that percentage represents millions and millions of users, Microsoft should not have the freedom to just abandon them, especially to extort even more money out of their victims...I mean, customers.
20
@19: "To my knowledge, Apple hasn't abandoned anyone since introducing OS X".

Your knowledge is wrong. If you google "which os x versions are still supported?" the very first hit will tell you that AAPL supports approximately the last three versions released. I say approximately because, unlike MSFT, they make no explicit promises about what will be supported for exactly how long. Those sorts of clear policies are one reason that corporate IT likes MSFT.
21
@20

Thanks for the clarity.

Mavericks, the newest OS X, works on Macs back to 2007, which works for me.

So, your point of view is that Microsoft Windows and Apple Mac OS X are both guilty of abandoning their customers in a system of planned obsolescence.

Interesting.

We've got a variety of aging computers. The older Mac runs Mavericks without any problem; a simple RAM upgrade sufficed to keep it performing well. The older PCs have all been slowly converted to one Linux distro or another as Microsoft has moved on without them. We've even built a Raspberry Pi that runs Raspian.

Based on the performance of Ubuntu 14.04beta, I'm looking forward to having some fun with the final release. Linux machines all have their own interesting personalities, and have proven to be great operating systems for these computers.

At the moment I've grown really tired of Microsoft, though. And, with the millions and millions of Windows XP users that are out there, largely due to the huge failure of Vista, Microsoft should have either offered a annual license for continued support or donated XP's code to an open source foundation to be maintained. Windows 8.1 and Office 2013 simply aren't going to work on most of the machines still running Windows XP. And, many of these people simply cannot afford the upgrade path.

Windows 8.1 is confused about itself - a bit schizophrenic. Is it a tablet OS or a desktop OS? It doesn't seem to know for sure. And, Windows is as always just so incomplete; it always needs something else just to remain functional. Everything it needs just to work can really add to the costs and headaches of ownership.

It makes us want to support Ubuntu, Linux Mint, fedora, Arch, OpenSUSE and other Linux distros even more.

What do you think of elementary OS?
22
AFAIK, this only affects non Microsoft Web servers that use "open Source" software.
IIS on Win 2012 R2 SP1 is immune
23
Don't change your passwords just yet. Definitely wait until the fix has been applied. Just take a break from SSL for a while. Unplug a bit.
24
Which Password Managers are affected?
Sticky Password - http://blogen.stickypassword.com/sticky-…
LastPass - http://blog.lastpass.com/2014/04/lastpas…
RoboForm - https://www.facebook.com/RoboForm/posts/…
1Password - http://discussions.agilebits.com/discuss…
26
This is a bit OT, but I have just reinstalled Leopard 10.5 in my very old G4 Cube (2000 PPC machine) and a few days later the automatic updater popped up with security and software updates. It seems APPL is still supporting an OS that is really getting long in the tooth.