Heartbleed. Oh my. by SIGNYM

REAL WORLD EVENT DISCUSSIONS

Heartbleed. Oh my.

POSTED BY: SIGNYM
UPDATED: Saturday, April 12, 2014 08:54
SHORT URL:
VIEWED: 1064
PAGE 1 of 1

Friday, April 11, 2014 10:29 AM

I believe in solving problems, not sharing them.

You may have heard of Heartbleed, the security flaw that has exposed EVERYONE to hacking by making any server at all which uses encryption (eg your bank, your doctor's office, your online retailer) open to exploit.

The best explanation I could find was here, at the New Yorker

Quote:
Heartbleed is a bug in OpenSSL’s implementation of a small part of the T.L.S. protocol, called the heartbeat extension. A “heartbeat,” in this context, is like the “beep… beep…” of a hospital heart monitor: a quick way to check that the other end of a secure connection is still there. One side sends the other side a small piece of data, up to sixty-five kilobytes long, along with a number indicating the size of the data that has been sent. The other side is supposed to send back the exact same piece of data to confirm that the connection is still active. Unfortunately, in OpenSSL the replying side looks at the stated size of the data rather than at the actual size, and it always sends back the amount of data that the request asked for, no matter how much was sent. This means that if the stated amount of data is more than the amount actually provided, the response contains the data that was sent plus however much additional data, drawn from the contents of the computer’s system memory, is required to match the amount requested.

Here is why this is so bad: the heartbeat response can contain up to sixty-four kilobytes of whatever data happens to be in the server’s random access memory at the moment the request arrives. There is no way to predict what that memory will contain, but system memory routinely contains login names, passwords, secure certificates, and access tokens of all kinds. System memory is temporary: it is erased when a computer is shut down, and the data it holds is written and overwritten all the time. It is generally regarded as safe to load things like cryptographic keys or unencrypted passwords into system memory—indeed, there is little a computer can usefully do without temporarily storing pieces of sensitive data in its system memory. The Heartbleed bug allows an attacker to “bleed” out random drops of this memory simply by asking for it. Heartbeat requests aren’t usually logged or monitored in any way, so an attack leaves no trace. It’s not even possible to distinguish malicious heartbeat requests from authentic requests without close analysis. So an attacker can request new pieces of system memory over and over again; it’s almost impossible for the victim to know they’ve been targeted, let alone to know what data might have been stolen.

http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-t
elltale-heartbleed.html

The article goes on to describe OpenSSL: it's a volunteer project. The code on which the ENTIRE NETWORK depends is maintained by four people, on a volunteer basis. It's not sexy: it's not a videogame or retail or investment software, so there's no money in it. It's our internet infrastructure, and just like our sewage pipes and watermains and roadways and bridges, it gets no resources at all. (Yep, capitalism works so well!)

Even worse, it appears the NSA knew about since November. https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-age
ncies-using-heartbleed-november-2013 But, of course, didn't actually warn anybody or do anything about it, except exploit it for their own purposes. Hubby, who is a computer expert, had this to say

Quote:
Here is a situation that is really disturbing. A major security issue that concerns everyone and exposes everyone to financial and social jeopardy is known to the security agencies of the government as early as November 2013.
Do they inform the banks and others that hold millions of peoples personal and financial information?
Do they send a warning for people to take defensive measures?
Do they try and fix the problem as quickly as possible?
If you answered no to all of the above you would be correct.

Instead they make use of the exploit themselves and leave everyone out there to be exploited by others from around the world.

Are not these agencies there to defend us from those who would do us harm?

I guess not. They are too busy watching personal communications to worry about such simple problems as national security or your personal safety. At what point will the public realize that they are not considered in the least bit important to these agencies and stop constantly quipping that they are not worried since they have nothing to hide. Well for one example maybe your bank accounts and related passwords might not be something you wish to share with the rest of the world. Do you really think that it was only the NSA that was using this exploit?

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:35 AM

WHOZIT

"Heartblled"? And you people are always bitching about my spelling.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:36 AM

WHOZIT

Oh good you fixed it, I thought it would be awhile until you noticed.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:42 AM

CHRISISALL

I guess I should empty my bank account so no one steals my $75 right now, eh?

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:54 AM

SIGNYM

I believe in solving problems, not sharing them.

Yes, right now!

A new secure version is being distributed even as we "speak". But banks, being banks.. I dunno. Our bank (Chase) switched over from OS/2 - a wildly secure OS, to Microsoft - a wildly insecure one. Banks apparently don't do stuff that makes sense (just look at the meltdown) so I have no idea how long they're going to take to implement the patch.

I hate to keep referring to hubby, but he IS the expert after all. Basically, he refuses to use smart phones or do almost anything online. And the electronic record process that Obamacare is mandating is a security nightmare, since they TOO are using Microsoft [which - the joke goes- describes Bill Gates' penis as well as software security.]

Anyway, when I read stuff like this, the saying "Cluster is only half a word" pops into mind.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:56 AM

NEWOLDBROWNCOAT

OK, the explanation makes sense, Sig.
But you (or maybe they) lost me when they wrote of " a small bit of data" being 65K. I remember when 64 K was ALL the RAM you had to work with and when a small amount of data to check communication reliability was a single parity bit, present only about 50 % of the time, to make the total number of bits either odd or even.

'Course, in those days, nothing was secure, and successful communication of any sort, of anything, was a miracle in itself.

Ahh yes, I remember those good old days, me and Flintstone communicating by banging rocks together, and walking 20 miles to school every day, in the snow, uphill both ways. Yepper...

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 10:59 AM

NEWOLDBROWNCOAT

Quote:
Originally posted by SIGNYM:
since they TOO are using Microsoft [which - the joke goes- describes Bill Gates' penis as well as software security.]

I hadn't heard that one, but I always did wonder what his personal problem was. But that answer may be TMI, too much information.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 11:09 AM

CHRISISALL

We are so humped.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 5:32 PM

SIGNYM

I believe in solving problems, not sharing them.

NSA SAYS "FUCK YOU!" LOUD AND CLEAR TO ALL OF USA

NSA Said to Exploit Heartbleed Bug for Intelligence for Years
Quote:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests...

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbl
eed-bug-exposing-consumers.html

WTF??? WTF??? WTF???

Hang the NSA. Strip them of their funding and disband them.

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

Friday, April 11, 2014 5:47 PM

AURAPTOR

America loves a winner!

Quote:
Originally posted by chrisisall:
I guess I should empty my bank account so no one steals my $75 right now, eh?

Put all your money into Little Damn Hero Maquettes, like I did.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, April 12, 2014 1:06 AM

1KIKI

Goodbye, kind world (George Monbiot) - In common with all those generations which have contemplated catastrophe, we appear to be incapable of understanding what confronts us.

from the link

Quote:
Originally posted by SIGNYM:
NSA SAYS "FUCK YOU!" LOUD AND CLEAR TO ALL OF USA
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbl
eed-bug-exposing-consumers.html

The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers. Open-source protocols like OpenSSL, where the flaw was found, are primary targets.

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

In contrast, the NSA has more than 1,000 experts devoted to ferreting out such flaws using sophisticated analysis techniques, many of them classified. The agency found Heartbleed shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

To argue with a man who has renounced the use of reason is like administering medicine to the dead. - Thomas Paine The American Crisis

OONJERAH - We are too dumb to live and smart enough to wipe ourselves out.

"You, who live in any kind of comfort or convenience, do not know how these people can survive these things, do you? They will endure because there is no immediate escape from endurance. Some will die, the rest must live."

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, April 12, 2014 1:41 AM

1KIKI

Goodbye, kind world (George Monbiot) - In common with all those generations which have contemplated catastrophe, we appear to be incapable of understanding what confronts us.

So, aside from the analysis about the NSA's roll in all this, I have a serious quibble with their analysis about open source.

Who do they THINK is going to do better? Obviously not business - it's too busy trying to squeeze as much profit as possible from everything around it to make the investment. There's a reason they use the FREE (as in beer) SSL code. Besides, if business wrote the stuff, it would be behinds walls, and walls, AND walls of patents, copyrights, and IP. No one would be able to even look at it, let alone study it for flaws. So, is this something business would do better? I'd laugh, but the idea hurts too much.

Then, there's the government. The only problem with that is, besides keeping it all behind the shroud of government security, is that if the government has all the power ... well then, it has all the power.

The last is the academic world. The problem with that is the education system has totally bought into one of two paradigms: publish or perish (making it unsuited to the unsexy job of maintenance and review), and IP/ patents/ and SELL! SELL!! SELL!!! those technology licenses!!!!

The fact that the code was out there for anyone to study is the shining strength of FREE (as in freedom) software.

To argue with a man who has renounced the use of reason is like administering medicine to the dead. - Thomas Paine The American Crisis

OONJERAH - We are too dumb to live and smart enough to wipe ourselves out.

NOTIFY: N | REPLY | REPLY WITH QUOTE | TOP | HOME

Saturday, April 12, 2014 8:54 AM

SIGNYM

I believe in solving problems, not sharing them.

Well, I both agree and disagree with the analysis.

The problem in Open SSL isn't a problem with "free" software development, it's a problem with software development in general: it's tough to do right. Knowing a commercial software developer, I know that the emphasis is on speed. and (in the commercial world) profit.

Looking at the screens in my doctors' offices, and banks, I know that commercially-written software is worse. I know that the software that they're running (Microsoft) is not only a coding nightmare (code not written as modules but one giant accretion of patches and features since DOS 3.1) but has also been DELIBERATELY flawed by the request of the NSA, and protected from prosecution by the so-called DoJ. (This may sound like a paranoid rant, but it's not. I could go back and explain the history of the encryption flaws, the NSA_KEY, and the prosecutions and pathetic settlements by the DOJ against MS for monopolistic activity- which even Republican Federal judges disagreed with- but it would just bore everyone to tears. Suffice to say, it was a quid-pro-quo conspiracy: MS got to continue its monopolistic practices, as long as it gave the NSA easy access to its encryption keys. MS made billion$, and the NSA got to snoop everywhere. What's not to like?? )

OTOH, anything that is free (either "free, as in freedom", or "free, as in beer") suffers in this nightmare of an economy, where EVERYTHING is from the birth of your child to the zits on your face is "monetized" and turned into units of profit.

That profit-driven, monetizing model doesn't work well. It turns our attention and effort away from the important and to the activities which benefit economic piracy. So we've become an economy of "financialism", not an economy which benefits people. What a dystopia!

NOTIFY: Y | REPLY | REPLY WITH QUOTE | TOP | HOME

YOUR OPTIONS

SHARE THREAD

NEW POSTS TODAY

USER	POST DATE

USER

POST DATE