Ship of Fools

Thread: Heartbleed
luvanddaisies

the'fun'in'fundie'™
# 5761

Heartbleed
Do we all need to change all our online passwords (or at least soonish, once security patches have been sewn on)?

Is it something that was inevitable, maybe caused by the big websites relying on a little group of part-time programmers rather than spending money on it?

How much do we need to worry? What's caused it?
Are there interesting technical things about it?

I know virtually nothing about the Heartbleed security flaw. I'm interested to know more, and I'm pretty sure there'll be people here who do, and who have opinions on how to protect oneself (and how websites could have protected themselves) against it, and what could have been done to prevent it.

Is it the end of the world, or a minor blip?
Was it inevitable or could nobody have predicted it?
Should everyone be changing their passwords now, in a week or so, or not bother?

--------------------
"Twenty years from now you will be more disappointed by the things you didn't do than by the ones you did do. So throw off the bowlines, sail away from the safe harbour. Catch the trade winds in your sails. Explore. Dream. Discover." (Mark Twain)

Posts: 3711 | From: all at sea. | Registered: Apr 2004  |  IP: Logged
Taliesin
Shipmate
# 14017

Chris Evans said change your password, so I did.

Guess I'll change them again next week...
So tempted to just give up on internet.

Posts: 2138 | From: South, UK | Registered: Aug 2008  |  IP: Logged
Higgs Bosun
Shipmate
# 16582

Bruce Schneier, who knows a thing or two about computers and security, says that
quote:
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Attacks on affected systems are undetectable. While the attacker cannot deliberately target information - the attack gives access to some random chunk of computer memory - those who have tried it on their systems have found passwords and encryption keys being returned. The flaw has been around for a couple of years, and we just don't know if malicious folk have known about it for any time before it was reported at the start of this week.

Of course, after Snowden, there are those who will say this is an NSA plant.

Change your passwords? Probably a good idea (when the service has been fixed - test it here).

I write as someone who works for a software company which has OpenSSL in its products, and has been working hard for the last few days to get updated versions of our software out to customers.

One advantage of open source software like OpenSSL is that such bugs do get out in the open. If something like this was found by a proprietary vendor, they would have tried to keep it quiet. As a result we would have been vulnerable and not known it.

Posts: 313 | From: Near the Tidal Thames | Registered: Aug 2011  |  IP: Logged
Jay-Emm
Shipmate
# 11411

quote:
Originally posted by luvanddaisies:
Are there interesting technical things about it?

A pretty picture (in the style of your sewing patches) of what actually goes on*

Imagine we're pen pals, but rather disconnected. To check we're still alive we've agreed for me to send letters to you (the heartbeat), you put them to one side and when you're ready you send them back.
"Hello, L&D, I've sent you 3 pages of letters"
"[page 1] what I did in my hols"
"[page 2] about children's 13452 A** GCSEs"
"[page 3] etc.. "
(I'm not fully sure what the benefit of the extra pages is, it might be so that the other messages don't stand out)

The problem arises if my message doesn't add up, and you aren't careful where you put my pages.
"Hello, L&D, I've sent you 5 pages of letters"
"[page 1]"
"Your bank statement" (whoops, you shouldn't have sent that)


Not sure about the implications on our level. If it was a total accident (which as your article points out is quite likely) it depends if bad guys have managed to find this first and how long they've had (the reports suggest it hasn't taken long to get valuable data from e.g. Yahoo, so really any time is bad news). Now definitely companies need to get fixing last week... but I don't think we'll ever know if it really was an 11.

If it was deliberate (which needn't be the intention of the person who actually committed it, he had supervisors) then someone's had the full two years, plus other bad guys may have done the first.

I suspect after waiting, once having changed the passwords and being vigilant. The problem isn't really ours. But don't really know.

*assuming the accounts I've read elsewhere are accurate.

Posts: 1643 | Registered: May 2006  |  IP: Logged
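The pen-pal exchange above written out as C, as an added example that is not part of the original post and not OpenSSL's code: a stand-in heartbeat record handler that trusts the sender's page count, beside the version that checks it against the letter that actually arrived. The record layout follows RFC 6520 (type byte, two-byte length, payload, at least 16 bytes of padding); the memory arena, the buffer names and the "bank statement" placed just after the record are constructed for the demonstration.

```c
/* Simulated TLS heartbeat handling: the missing length check beside the fix.
 * Constructed stand-in, not the real OpenSSL code; arena layout is assumed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define HB_REQUEST  1
#define HB_PADDING  16              /* RFC 6520: at least 16 bytes of padding */

/* A tiny "process memory" arena: the incoming record is laid out at the
 * start, and data that must never leave the process sits right after it
 * (constructed sample data, standing in for whatever the heap held). */
#define ARENA_SIZE 128
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET: session password hunter2";

/* Lay out a heartbeat request in the arena. Wire format:
 *   type(1) | payload_length(2, big-endian) | payload | padding(16)
 * claimed_len is what the sender *says* the payload is; the payload may
 * actually be shorter. Returns the true record length. */
static size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    memset(arena + 3 + actual, 0xAA, HB_PADDING);
    size_t record_len = 3 + actual + HB_PADDING;
    /* The "bank statement": adjacent memory the sender never wrote. */
    memcpy(arena + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable handler: copies as many bytes as the peer claimed, never
 * consulting how long the record really is. The clamp to the arena is
 * only so the demo itself stays defined; the bug is that the copy runs
 * past the end of the request into neighbouring memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)record_len;                          /* never checked: the bug */
    size_t n = (size_t)((rec[1] << 8) | rec[2]);
    if (n > out_cap) n = out_cap;
    size_t avail = (size_t)(arena + ARENA_SIZE - (rec + 3));  /* demo clamp */
    if (n > avail) n = avail;
    memcpy(out, rec + 3, n);
    return n;
}

/* Hardened handler: the claimed payload plus header and padding must fit
 * inside the record that actually arrived. Malformed requests are dropped
 * silently (return 0), which is how the fix behaves. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;          /* no room for any payload */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + claimed + HB_PADDING > record_len) return 0; /* lies about its length */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Detection check for the demo: did the echoed response contain bytes
 * that were never part of the request? */
static int response_leaks_secret(const unsigned char *out, size_t n)
{
    size_t m = sizeof secret - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, secret, m) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rl = build_record(60, "hi");   /* "I've sent you 60 pages" but sent 2 */
    size_t n = heartbeat_vulnerable(arena, rl, out, sizeof out);
    printf("vulnerable: echoed %zu bytes, secret leaked: %s\n", n,
           response_leaks_secret(out, n) ? "yes" : "no");
    n = heartbeat_fixed(arena, rl, out, sizeof out);
    printf("fixed: echoed %zu bytes (request dropped)\n", n);
    rl = build_record(2, "hi");           /* honest request */
    n = heartbeat_fixed(arena, rl, out, sizeof out);
    printf("fixed, honest request: echoed %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The whole fix is the single comparison in `heartbeat_fixed`: the advertised payload length is only trusted once it has been checked against the number of bytes that were really received.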
*Leon*
Shipmate
# 3377

Jay-Emm: Brilliant description of the issue
(But here's an explanation with pictures for people who like pictures.)

This is a good time to suggest that people use things like lastpass. It lets you keep track of very strong and completely unmemorable passwords. I strongly recommend it.

luvanddaisies:
A lot of the people working on OpenSSL are in fact working for big companies and being paid to work on OpenSSL. Basically a lot of companies need a real OpenSSL expert, and the best way of getting someone who really knows their stuff is to pay someone to work on it. They can also look for bugs themselves instead of relying on the people who write it; in this case the bug was found by a Google employee who doesn't work on OpenSSL (but there are Google employees who do work on OpenSSL). This model seems to work, in that it creates a better product than you can get by directly buying software.

It's inevitable that things like this will happen because humans make mistakes. This is a bad one, but I'd still say that OpenSSL is usually the best security package for most applications. The advice 'Use OpenSSL and trust it' will still solve far more problems than it creates.

And the good thing about using something like OpenSSL is that when there's a problem, you find out the details. Here we are on a religious discussion forum, and several people really understand what happened. With proprietary software, what we'd know about the problem would be a short statement cleared by marketing and PR.

Posts: 831 | From: london | Registered: Oct 2002  |  IP: Logged
Drifting Star

Drifting against the wind
# 12799

Adding to the questions rather than the answers here I'm afraid.

As soon as I read the news item about Heartbleed I changed all my passwords that were protecting important stuff, on the basis that it's rarely a bad thing to do. I then checked the relevant sites using the filippo test link. Most of the results were inconclusive, but one found a definite problem, and reported back with a sample of the info they had obtained (so clearly I will be changing that password again soon).

However, when I logged onto that site this morning there was a message saying that they take security very seriously, and there was never a threat to any of their customers.

Can this be true?

--------------------
The soul is dyed the color of its thoughts. Heraclitus

Posts: 3126 | From: A thin place. | Registered: Jul 2007  |  IP: Logged
*Leon*
Shipmate
# 3377

Drifting star:
Based on what you've said, it's possible that what they say is true. For instance, the front-end server may have been vulnerable, but it's possible that they have good reasons to know that no interesting information was on that server and no interesting servers were vulnerable. For instance, LastPass responded saying that they had been 'vulnerable' but it made no difference in practice.

It's also possible that what they say is not true (either because they've made a mistake, they're being more optimistic than they should be, or because they're lying). But I'd need more information to say with certainty.

I find the statement 'we take security very seriously' less than completely reassuring; it's the sort of thing that a PR person would say, not the sort of thing a cryptographer would say. But it's not cause to panic on its own.

Posts: 831 | From: london | Registered: Oct 2002  |  IP: Logged
Drifting Star

Drifting against the wind
# 12799

Thanks *Leon*. They're an organisation I'm inclined to trust, and if they were lying it could be truly catastrophic for them.

--------------------
The soul is dyed the color of its thoughts. Heraclitus

Posts: 3126 | From: A thin place. | Registered: Jul 2007  |  IP: Logged
Jay-Emm
Shipmate
# 11411

quote:
Originally posted by *Leon*:
Jay-Emm: Brilliant description of the issue
(But here's an explanation with pictures for people who like pictures.)

Oh thanks (in all honesty, the technical details I posted had been cribbed from the xkcd forum post discussing the cartoon before, or links from it).
My homely spin is original I think (although it's pretty much reusing the Alice & Bob metaphor).

Posts: 1643 | Registered: May 2006  |  IP: Logged
no prophet's flag is set so...

Proceed to see sea
# 15560

I tested every web service I use. Only one failed and it was not a site dealing with financial info.

--------------------
Out of this nettle, danger, we pluck this flower, safety.
\_(ツ)_/

Posts: 11498 | From: Treaty 6 territory in the nonexistent Province of Buffalo, Canada ↄ⃝' | Registered: Mar 2010  |  IP: Logged
no prophet's flag is set so...

Proceed to see sea
# 15560

The Programmer Behind Heartbleed Speaks Out: It Was an Accident

quote:
Programmer Robin Seggelmann says he wrote the code for the part of OpenSSL that led to Heartbleed. But it was an accident. He submitted the code to the OpenSSL project and other members reviewed it. Seggelmann later added another piece of code for a new feature, which the members then added. It was this added feature that introduced the bug.
The bug went up in Dec 2011. You can test websites here: heartbleed test

--------------------
Out of this nettle, danger, we pluck this flower, safety.
\_(ツ)_/

Posts: 11498 | From: Treaty 6 territory in the nonexistent Province of Buffalo, Canada ↄ⃝' | Registered: Mar 2010  |  IP: Logged
Crœsos
Shipmate
# 238

quote:
Originally posted by Higgs Bosun:
Of course, after Snowden, there are those who will say this is an NSA plant.

That is not a totally unrealistic concern. For example:

quote:
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

<snip>

The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter, and it became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.

The NSA has faced nine months of withering criticism for the breadth of its spying, documented in a rolling series of leaks from Snowden, who was a former agency contractor.

The revelations have created a clearer picture of the two roles, sometimes contradictory, played by the U.S.’s largest spy agency. The NSA protects the computers of the government and critical industry from cyberattacks, while gathering troves of intelligence attacking the computers of others, including terrorist organizations, nuclear smugglers and other governments.

At least part of the NSA's mission is supposed to be protecting American internet users from cyber-attack. At some point you'd think this would occur to them after discovering a massive security vulnerability.

--------------------
Humani nil a me alienum puto

Posts: 10706 | From: Sardis, Lydia | Registered: May 2001  |  IP: Logged
mousethief

Ship's Thieving Rodent
# 953

quote:
Originally posted by Crœsos:
The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter

Warning! Warning! Anonymous source alert. From Bloomberg, who can't possibly have any reason to attack Obama through the NSA, but still.

--------------------
This is the last sig I'll ever write for you...

Posts: 63536 | From: Washington | Registered: Jul 2001  |  IP: Logged
An die Freude
Shipmate
# 14794

quote:
Originally posted by mousethief:
quote:
Originally posted by Crœsos:
The agency found the Heartbleed glitch shortly after its introduction, according to one of the people familiar with the matter

Warning! Warning! Anonymous source alert. From Bloomberg, who can't possibly have any reason to attack Obama through the NSA, but still.
I'm pretty sure that given how non-anonymous sources (Snowden, Manning) have been treated in Obama's America, the days of Ellsbergs and other public sources are over for now.

--------------------
"I too am not a bit tamed, I too am untranslatable."
Walt Whitman
Formerly JFH

Posts: 851 | From: Proud Socialist Monarchy of Sweden | Registered: May 2009  |  IP: Logged
bib
Shipmate
# 13074

I was having problems with emails in that for about one week I received no emails even though I was expecting them. Took my computer to the computer hospital and they found some low life had hacked into my email set up with an instruction to only deliver emails to my inbox if they included the word 'f...'. Any emails sent to me in this period are now lost forever. The technician felt that this was part of the heartbleed attack. I have now made everything much more secure with a very strong password.

--------------------
"My Lord, my Life, my Way, my End, accept the praise I bring"

Posts: 1307 | From: Australia | Registered: Oct 2007  |  IP: Logged
Mad Geo

Ship's navel gazer
# 2939

"Do we all need to change all our online passwords?"

Yes. IT security experts are saying this was an 11 on a 10 scale.

But more importantly, one should do it anyway, fairly regularly, and use a hard password. One that involves letters, numbers, caps, and special characters. Longer is better.

--------------------
Diax's Rake - "Never believe a thing simply because you want it to be true"

Posts: 11730 | From: People's Republic of SoCal | Registered: Jun 2002  |  IP: Logged
Sioni Sais
Shipmate
# 5713

quote:
Originally posted by Mad Geo:
"Do we all need to change all our online passwords?"

Yes. IT security experts are saying this was an 11 on a 10 scale.

But more importantly, one should do it anyway, fairly regularly, and use a hard password. One that involves letters, numbers, caps, and special characters. Longer is better.

In short, the harder it is to remember, the better it is. [Biased]

--------------------
"He isn't Doctor Who, he's The Doctor"

(Paul Sinha, BBC)

Posts: 24276 | From: Newport, Wales | Registered: Apr 2004  |  IP: Logged
Cartmel Veteran
Shipmate
# 7049

If you can remember a password - it's not good enough.

There are plenty of good password programs to help you manage and use passwords. Lastpass is very popular. I use KeePass on my PC and Android devices.

I have hundreds of passwords, all very complex, all different. I couldn't tell you a single one of them. I just have one master password I use to access the KeePass encrypted database.

For those who think this kind of thing is too complex for them - it's easier than having to remember two passwords. If you have to remember at least two passwords now, then make the change to a password program.

Posts: 1041 | From: Dorset | Registered: May 2004  |  IP: Logged
M.
Ship's Spare Part
# 3291

I'm completely un-techie, but one thing I've never understood about password keepers is, how are they more secure than other websites/programs?

M.

[ 17. April 2014, 16:20: Message edited by: M. ]

Posts: 2303 | From: Lurking in Surrey | Registered: Sep 2002  |  IP: Logged
Cartmel Veteran
Shipmate
# 7049

quote:
Originally posted by M.:
I'm completely un-techie, but one thing I've never understood about password keepers is, how are they more secure than other websites/programs?

M.

There are several reasons.

1. They use very strong encryption. Lots of sites claim to have good security but then store passwords as plain text or very simply encoded forms. A proper password service really locks your passwords up tight.
2. Password programs allow you to use very complicated passwords with punctuation and other features - stuff hard to remember. You'd struggle to remember even one password like this, let alone a different one for every site.
3. They make it easier to use the sites than not using such a program, so you're happy to keep things secure because it is not a burden to you when you sign up to a new site.
4. Some password programs exist offline. I use Keepass; the database is stored on my computer, not on a website. Even if someone got the database the encryption is too strong to crack. I do back the database up in Dropbox so it is easily synced to my mobile devices. But I have Dropbox set up with two-factor authentication so it's not possible to break into with just a password - someone would need my phone or email (also having two factor) to get in.

I'm not suggesting there's no way through any of this. But once you've used something simple like Keepass - that stores usernames, passwords, URLs, any notes you want to add - it'd be hard to go back. I just need my master password (not used anywhere else) to open Keepass, I then see lists of sites such as

Amazon
BT
Gmail

all I have to do is right-click and choose copy username. Then paste that into a site I want to login to. Then right click for password. Keepass will clear my clipboard after a short period so even if someone tried to use my computer to paste a password it wouldn't be there. It's so simple to use.

The built-in password generator ensures a new, very strong password is created every time I add a new site to the system. It's so easy.

Posts: 1041 | From: Dorset | Registered: May 2004  |  IP: Logged
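An added example in C (not KeePass or LastPass code) of two of the points made above: the generator picks each character uniformly from a system random source, the entropy figure shows what "longer is better" buys in bits, and the wipe routine does for a buffer what the manager does for the clipboard. The character set, the 20-character length and the function names are assumptions made for the demonstration.

```c
/* Constructed illustration of what a password manager's generator does.
 * Not code from any real password manager; names and charset are assumed. */
#include <stdio.h>
#include <string.h>

/* "Letters, numbers, caps, and special characters": 87 symbols in total */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_=+[]{};:,.<>?";

/* Binary logarithm by repeated squaring, so the example needs no libm.
 * Valid for x >= 1; accurate to well beyond two decimal places. */
static double log2_approx(double x)
{
    double result = 0.0, frac = 0.5;
    while (x >= 2.0) { x /= 2.0; result += 1.0; }    /* integer part */
    for (int i = 0; i < 40; i++) {                    /* fractional bits */
        x *= x;
        if (x >= 2.0) { x /= 2.0; result += frac; }
        frac /= 2.0;
    }
    return result;
}

/* Entropy in bits of a uniformly random password of `len` symbols drawn
 * from an alphabet of `alphabet_size`: each extra symbol adds log2(size). */
double password_entropy_bits(size_t alphabet_size, size_t len)
{
    return (double)len * log2_approx((double)alphabet_size);
}

/* One uniformly random index in [0, n) from /dev/urandom. Bytes that would
 * make `byte % n` non-uniform are rejected rather than folded in. */
static int uniform_index(FILE *rng, size_t n, size_t *out)
{
    unsigned char b;
    size_t limit = 256 - (256 % n);      /* largest multiple of n below 256 */
    do {
        if (fread(&b, 1, 1, rng) != 1) return 0;
    } while (b >= limit);
    *out = b % n;
    return 1;
}

/* Fill buf (len + 1 bytes) with a NUL-terminated random password. 1 = ok. */
int generate_password(char *buf, size_t len)
{
    FILE *rng = fopen("/dev/urandom", "rb");
    if (!rng) return 0;
    size_t n = sizeof CHARSET - 1;
    for (size_t i = 0; i < len; i++) {
        size_t idx;
        if (!uniform_index(rng, n, &idx)) { fclose(rng); return 0; }
        buf[i] = CHARSET[idx];
    }
    buf[len] = '\0';
    fclose(rng);
    return 1;
}

/* True when every character of pw came from CHARSET (sanity check on output). */
int password_uses_charset(const char *pw)
{
    return pw[0] != '\0' && strspn(pw, CHARSET) == strlen(pw);
}

/* Overwrite a secret once it is no longer needed. The volatile pointer keeps
 * the compiler from dropping the writes as "dead stores". */
void wipe_secret(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--) *p++ = 0;
}

int main(void)
{
    char pw[21];
    if (!generate_password(pw, 20)) return 1;
    printf("generated: %s  (%.1f bits)\n", pw,
           password_entropy_bits(sizeof CHARSET - 1, 20));
    printf("8 lowercase letters: %.1f bits\n", password_entropy_bits(26, 8));
    wipe_secret(pw, sizeof pw);
    return 0;
}
```

The entropy figures are what make the "longer is better" advice concrete: eight lowercase letters are under 38 bits, while twenty symbols from the full set are around 129 bits, and no memorable scheme gets near that.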
Cartmel Veteran
Shipmate
# 7049

Just wanted to add that Keepass is completely free. You can download it here.
Posts: 1041 | From: Dorset | Registered: May 2004  |  IP: Logged
Martin60
Shipmate
# 368

I was an Aldingham Animal! Furness.

And yeah, Keepass is very good.

[ 17. April 2014, 21:33: Message edited by: Martin PC not & Ship's Biohazard ]

--------------------
Love wins

Posts: 17586 | From: Never Dobunni after all. Corieltauvi after all. Just moved to the capital. | Registered: Jun 2001  |  IP: Logged
Mama Thomas
Shipmate
# 10170

I hate changing passwords. Sort of like saying "I hate diarrhea." Nobody likes it. Mostly all variants of variants which I can't remember anyway, so have to change the whole thing on some sites every time I log in. Some with a capital, some with a number or two or three or a symbol or all the above. I STILL know people who keep them printed and pinned to the wall or in a Word or Pages document.

How on earth do they expect us to keep track of all our passwords and change them all the time?

They are almost as fun as CAPTCHAs.

--------------------
All hearts are open, all desires known

Posts: 3742 | From: Somewhere far away | Registered: Aug 2005  |  IP: Logged
Mertseger

Faerie Bard
# 4534

quote:
Originally posted by Mama Thomas:

They are almost as fun as CAPTCHAs.

And nearly as useful.

--------------------
Go and be who you are:
The Body of Christ,
The Goddess of Body,
The Manifest Song of Faerie.

Posts: 1765 | From: Oakland, CA, USA | Registered: May 2003  |  IP: Logged
M.
Ship's Spare Part
# 3291

Cartmel Veteran, thank you. I even understood some of it!

M.

Posts: 2303 | From: Lurking in Surrey | Registered: Sep 2002  |  IP: Logged
Martin60
Shipmate
# 368

I have a simple mnemonic system for a unique password for EVERY environment. Because I have so many. Necessity will do that for you!

--------------------
Love wins

Posts: 17586 | From: Never Dobunni after all. Corieltauvi after all. Just moved to the capital. | Registered: Jun 2001  |  IP: Logged
Martin60
Shipmate
# 368

I use Keepass corporately. Passpack too.

Keepass for us techies, Passpack for the rest.

[ 18. April 2014, 09:00: Message edited by: Martin PC not & Ship's Biohazard ]

--------------------
Love wins

Posts: 17586 | From: Never Dobunni after all. Corieltauvi after all. Just moved to the capital. | Registered: Jun 2001  |  IP: Logged
© Ship of Fools 2016