Possible band name.  Not.

We have Bruce Schneier weighing in on this.

Heartbleed is a catastrophic bug in OpenSSL:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

Half a million sites are vulnerable, including my own. Test your vulnerability here.

The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

This article is worth reading. Hacker News thread is filled with commentary. XKCD cartoon.

I’m sure that Bruce knows more about security than I do.

Here are the knowns, unknowns and my ruminations. This vulnerability has been around for two years.  The attacker can get 64K of information, a RANDOM 64K of information.  Nowadays, that isn’t a whole lot.  It’s certainly not the millions of cards in the Target hack.  It’s untraceable, so we really don’t know how many times an attempt has been successful.  We don’t even know if any of the attempts have been successful.  But I have questions about the data that is retrieved. OK, SSL keys, both private and user.  User IDs I guess as well.  Anything?  I’m not sure anything is a valid concern.  User IDs are easy, for at least you know that they are in ASCII or Unicode/UTF-8.  They’ll be easy to pick out of the mess that gets retrieved.  The SSL keys, on the other hand, I think are problematic.  Unless there is some ASCII string that declares “Private key->” followed by the key, I’m not sure that the key can actually be located.

Looking at some recovery files, I see the Microsoft User Account recovery file starts off with RSA2.  The other recovery file has “Microsoft Enhanced Cryptographic Provider v1.0” and something that looks like UID, only in hex.  So, maybe.

As to getting anything?  I’m not sure anything is a valid concern. Again, unless it’s in ASCII, I can’t see how a random 64K block is going to give anything away.  Possibly.  Password hashes?  How are you going to tell if something is a hash, let alone a password hash.  I would hope that any passwords given to a program are hashed, and the original values destroyed.  Still vulnerable, but then it’s a matter of timing and how lucky the attacker is.  Getting the correct 64K block at the time that the password is still visible in memory.

I am NOT going to change my passwords on all of my sites again.  Only when forced to (domaintools.com, I’m looking at you, there’s nothing anybody would want to do with my login there!).  My financial site does not have the flaw.  Google’s stuff does not have the flaw.  That’s good enough for me right now, unless I hear about real damage from this bug.

Second edit:  I really have no clue as to what happened to the first edit.  And I could have sworn it was published, and it wasn’t.  And that’s kind of pissing me off.

Also, I will probably update this as I think more about it.
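The memory leak Bruce describes is triggered by a TLS heartbeat record whose declared payload length exceeds the bytes actually sent in the record; an unpatched OpenSSL copies the declared length back, which is where the 64K comes from. The Python below is an added example (not from Schneier’s post or this blog) showing the length check a defender can run over captured TLS records; the record layout follows RFC 6520 and the sample records are constructed inline.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for the Heartbeat extension (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2


def parse_tls_records(data):
    """Split a byte string into TLS records as (content_type, version, body) tuples."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def heartbleed_findings(data):
    """Report heartbeat records whose declared payload_length exceeds the
    payload+padding bytes actually carried; a vulnerable OpenSSL would answer
    such a request with payload_length bytes of its own memory."""
    findings = []
    for ctype, _version, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            continue
        hb_type, payload_length = struct.unpack("!BH", body[:3])
        carried = len(body) - 3          # bytes present after type + length fields
        if payload_length > carried:
            findings.append({
                "type": "request" if hb_type == HEARTBEAT_REQUEST else "response",
                "declared": payload_length,
                "carried": carried,
            })
    return findings


def make_heartbeat(hb_type, declared_len, payload, padding=b"\x00" * 16):
    """Build one TLS 1.1 heartbeat record (constructed sample traffic, not a capture)."""
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a well-formed request, then one whose declared length
# (0xFFFF, roughly the 64K the post talks about) exceeds what was sent.
BENIGN = make_heartbeat(HEARTBEAT_REQUEST, 4, b"ping")
MALFORMED = make_heartbeat(HEARTBEAT_REQUEST, 0xFFFF, b"ping")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, heartbleed_findings(sample))
```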

OK, the facts, as they currently are.

Mozilla hires Brendan Eich as CEO.  Because of a $1,000 donation supporting California’s Proposition 8, certain individuals, homosexuals in this case, get upset with Mozilla, which I will point out, they are free to do, with some people outside of Mozilla, and some people inside Mozilla.  Mr. Eich makes a decision to resign the position, for whatever reason, and again, it must be noted that this was his decision, there was not a board vote to fire him, although there may well have been board pressure for him to do so.  Still, ultimately, it was his decision.

It can be argued that the amount donated, $1,000 isn’t really all that much.  It can be argued that people need to be a little more thick skinned.

But I’m not arguing those here.

Dave writes about it here, and comments are closed.

Dave is correct in that politics are by their very nature divisive.  Although I could argue that, in the US, once you go just under the skin, the differences are gone, and what is divisive is pretty fucking trivial, only minor details are different between Democrats and Republicans, but politics being politics, molehills can be made to appear as Mount Everest. And that really only has to do with Republicans and Democrats.  Libertarians, big or small l, and other parties certainly would not fit that, but, for whatever reason, the political reality is that >95% of the elected officials are going to be a D or an R.  But exactly where they become divisive, that is the issue.

I think Dave is wrong.

My argument is about differences of opinions that lead to inclusivity, and those that lead to exclusivity.  Those are differences that matter.

As an example of inclusivity, say a CEO is an atheist, but that CEO has no problems with others being theists, Catholics, Muslims, Pagans, and encourages them to practice their religion by making sure that the Catholics are able to worship on Sunday, giving time for Ash Wednesday, the Muslims praying on their time schedule, and the pagans doing whatever it is the pagans do.  Dance naked at the solstices for all I know or care.  Or the reverse can be true, a Catholic CEO can be tolerant of other different theists and atheists.

Exclusivity would be where an atheist CEO has people working on Sundays in a regular manner for Christians or Friday night and Saturday for the Jews, having award luncheons during Ramadan.  I think you see the picture at this point.

Those are two different approaches.  I would hope that people see the inclusivity as the better option.  And it certainly is an option.

Back to the Mozilla and Eich issue.  Proposition 8 is an exclusive type of choice that was forced upon the entire state of California.  Yes, it was passed by a sufficient number of voters in California to be made into a state amendment, but it has been found to be in violation of both California and US constitutions.  I guess it can be argued that by making it an amendment, it would supersede what is written in the state constitution, but considering what I’ve seen just here in Florida and the overturning of amendments for not following the Florida constitution, that is not a viable argument.  It also shows that just because a majority of people vote for something, doesn’t necessarily make it the correct thing to do, even in a democracy/republic/representative what-the-hell…

My question to Dave would be, if there was a company that had a considerable number of Jews as workers and had a board that decided to hire a CEO that wasn’t just a Holocaust denier, but had actively given money, amount not being a detail, to a Holocaust denier organization, what does Dave think the outrage would be, both internally and externally?  Does Dave think that the Jews should just shut up about the issue?  Yes, this is treading very close to Godwin’s Law.

Dave also talks about another political point, specifically Republican and Democrat, and starts his post with a Democrat switching parties to Republican.  The difference here is that neither the Republicans nor the Democrats can put language into a law or amendment to blatantly outlaw the other party from doing such things as raising money, spending money on advertising, voting for a particular party, or preventing the other party from actually registering to be put on the ballot.

The last two are problematic, because Republicans certainly are trying to affect Democrat votes with their Voter ID laws.  And sorry, it’s up to the Republicans to show that there is real voter fraud going on, preferably that fraud that isn’t being committed by those in the Republican Party to try and show that it is going on.  Also, since the two major parties control who does get on the ballot, third parties will never be a major force in US elections anyway.  Despite what the libertarians think.  And maybe that’s why people think that something like Proposition 8 was valid because it only affected such a minor number of people.  But the fact still remains that even those laws do not name the people that they are trying to harm/disenfranchise/whatever.  Proposition 8 did name names.

In the end, Mr. Eich bet wrong on putting his money on that proposition, despite thinking that it was a real win at first.  And when you consider that the states are falling down like dominoes in their efforts to keep such laws and amendments on the books, it makes his bet look even worse.

But then, if Mr. Eich had bet on inclusivity and lost, would anybody really care at that point?

Slashdot picks up the conversation.

Some of the comments are good reading as well.

Especially the one about race, and how today, if a CEO was racist and was all about treating blacks as second class citizens, would they even be in any kind of management position, regardless of how brilliant they might be otherwise?  Not in today’s supposedly post-racial society.


I see that the pope has decided to weigh in on economic issues:

“Some people continue to defend trickle-down theories which assume that economic growth, encouraged by a free market, will inevitably succeed in bringing about greater justice and inclusiveness in the world,” Francis wrote in the papal statement. “This opinion, which has never been confirmed by the facts, expresses a crude and naive trust in the goodness of those wielding economic power and in the sacralized workings of the prevailing economic system.”

A few reactions:

First, throughout history, free-market capitalism has been a great driver of economic growth, and as my colleague Ben Friedman has written, economic growth has been a great driver of a more moral society.

Second, “trickle-down” is not a theory but a pejorative used by those on the left to describe a viewpoint they oppose. It is equivalent to those on the right referring to the “soak-the-rich” theories of the left. It is sad to see the pope using a pejorative, rather than encouraging an open-minded discussion of opposing perspectives.

Third, as far as I know, the pope did not address the tax-exempt status of the church. I would be eager to hear his views on that issue. Maybe he thinks the tax benefits the church receives do some good when they trickle down.

From Mr. Mankiw’s blog.

Mr. Mankiw is horribly wrong.

First, Mr. Mankiw is wrong on his first assumption. There is no free-market capitalism, never has been. And going off on such a tangent doesn’t really get to the point that the Pope was trying to make. Equal economic growth, however, has been a great driver of a moral society. What he considers to be free-market capitalism, certainly what the hell is going on today if he thinks the US has it today, certainly is not equal economic growth.

Second, “trickle down” may be a pejorative for Mr. Mankiw, so call it by its original name as “supply side” economics, but the fact remains, whatever the label, it’s been shown not to work as advertised. As designed, it may very well be a different thing, especially if that design was to make the rich even richer. There is news for Mr. Mankiw. The rich are always going to pay more in taxes (or at least they should) because they have more money. Flatten the rate, reduce deductions to nothing, and the rich are still going to overwhelmingly pay more taxes. Especially if there is no way to manipulate the rate with deductions.

Third, the talk about tax-exempt is again, a point that Mr. Mankiw I think does not want to go where the big issues are. Should we address the tax exempt status of Crossroads GPS as well? The tax exempt status of Goodwill, Red Cross, the Salvation Army? All of the churches? Other foundations?


If Obama Wins

My wish if Obama wins tomorrow is that he start building a cross-party coalition with his new buds Chris Christie and Bill Clinton. Go to a Jets game maybe. Ask Christie which Repubs are fun to party with. Bring them along too. Start a new informal Cabinet of advisers, people the President hangs with to talk sports or drink a beer or (privately) smoke some reefer. Then they plot out new ways to get the whole country working, not just the tri-state area. We have something much bigger than Sandy to recover from, that is if Obama wins.

Ain’t going to happen.

Chris Christie still has endorsed Romney over Obama.

The TEA Party will make sure that it never happens.

Obama tried to be bipartisan early in his term.  I suggest the gloves come off and that he should be as partisan as possible.

http://www.theglobeandmail.com/news/national/a-radical-pessimists-guide-to-the-next-10-years/article1321040/?page=all


Dude! /Bill & Ted

I have modified my Links to Monitor in a way that is pleasing to my eye.

I have figured out how to center the heading over the maximum length of my stuff (hand calculated right now, but oh well) instead of centering over the whole window.

It took some JavaScript to do it, and it looks like this:

<script>
// Cap the heading block at 1070 pixels, or at the window width if that is narrower.
var wanted = 1070, winW;
if (window.innerWidth && window.innerHeight) {
winW = window.innerWidth;
}
if (winW < wanted) { wanted = winW; }
// Open the sizing <div>; the matching </div> is emitted further down the page.
document.writeln('<div style="width:' + wanted + 'px">');
</script>
<noscript><div></noscript>

Which basically makes the maximum width 1070 pixels for the header stuff.  And if there is no JavaScript, I just put up a dummy <div> to match up with the </div> that is buried elsewhere.

It’s probably absolutely ridiculous for most web slingers, but I like this.  I have really been thinking about how to get it to look like this for awhile, I’m glad I came up with a way that I was able to incorporate in less than 30 minutes.  And most of those 30 minutes were recovering from the crash that I was forcing Firefox to go through (for some unknown reason, I sent debug reports…) in search of a way to get what I wanted.

I may have to adjust the pixel amount every now and then, but at least, if anything, it’s at least close to what it should be!

Let me state this up front.  Windows 8 Consumer Preview has been one of the worst beta experiences from Microsoft that I have experienced.  This from somebody who has beta’ed Windows 95 and Windows 7.

I’m pretty much ignoring the Metro UI.  That still needs a lot of work, especially for keyboard and mouse.  What would work by touch isn’t even close to being replicated by the mouse, and I think that this is a problem.

Unfortunately, just working with the desktop can be infuriating.

Programs tend to stop working, and it’s certainly not the hardware, not when I can move the mouse and interact with other programs, at least for awhile.  I give up, and I hit the reset switch.

Installing programs tests the patience of Job.  I installed the latest Ultraedit 32.  It seems to do nothing, but on the second try, I just let it sit there.  Eventually, it DID install.  Now why did it take half an hour?  Same thing with the drivers for my printer.  Which didn’t even work after it was done.

I tried to make a Windows to Go on a USB hard drive.  The instructions for that fail for me.

In fact, after already installing one new video driver, MS decided to push another video driver on me. The same day!  The second time, it failed.  Bad download? At 150mb, I sure hope not!

I’m seriously thinking about just going back to Windows 7, and leaving it at that.  At least most of my PowerShell programs seem to be working under V3.  One wasn’t working, because I didn’t dispose of an object when I should have, which under V2 was fine, but now V3 has issues, which is fine, I shouldn’t have done what I did.  And it now works as it is supposed to.

I’ve seen my system reboot in the single digits of minutes.  I’ve seen it take half an hour.  I really do not believe that it’s my (new) hardware that is at fault.

Microsoft really needs to issue an update I think, if they want this to be a success.  There just are simply too many bugs.

Oh, the problem with the video driver not installing?  I’m given a link, which says it’s deprecated, and to go any further, I have to have a company account.  WTF Microsoft!

Also a problem, it should be a one click decision to put things like graphic, video and music files under Metro or under the usual suspects in the desktop world.

Update: It most certainly was hardware that was the trouble.  I had a hard drive that was failing.  Not that SMART disk could tell me much about any issues the hard drive was having, but yes, there was little doubt that the hard drive was falling over.  Of course, that was after I replaced the motherboard, since the previous motherboard wouldn’t even get to POST.  And what I found out later after going back to Windows 7 (which I’m currently running as I update this in April 2014) was that the support chip in my new motherboard was problematic with Windows 8 CP.  Release was fine, but they never released an update to CP to fix the problem with that support chip.  Also, you had to be running Windows 8 Enterprise to get Windows to Go.
