April 2014

Possible band name.  Not.

We have Bruce Schneier weighing in on this.

Heartbleed is a catastrophic bug in OpenSSL:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

Half a million sites are vulnerable, including my own. Test your vulnerability here.

The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.

This article is worth reading. Hacker News thread is filled with commentary. XKCD cartoon.

I’m sure that Bruce knows more about security than I do.

Here are the knowns, unknowns and my ruminations. This vulnerability has been around for two years.  The attacker can get 64K of information, a RANDOM 64K of information.  Nowadays, that isn’t a whole lot.  It’s certainly not the millions of cards in the Target hack.  It’s untraceable, so we really don’t how many times an attempt has been successful.  We don’t even know if any of the attempts have been successful.  But I have questions about the data that is retrieved. OK, SSL keys, both private and user.  User IDs I guess as well.  Anything?  I’m not sure anything is a valid concern.  User IDs are easy, for at least you know that they are in ASCII or Unicode/UTF-8.  They’ll be easy to pick out of the mess that gets retrieved.  The SSL keys, on the other hand, I think are problematic.  Unless there is some ASCII string that declares “Private key->” followed by the key, I’m not sure that the key can actually be located.

Looking at some recovery files, I see the Microsoft User Account recovery file starts off with RSA2.  The other recovery file has “Microsoft Enhanced Cryptographic Provider v1.0 and something that looks like UID, only in hex.  So, maybe.

As to getting anything?  I’m not sure anything is a valid concern. Again, unless it’s in ASCII, I can’t see how a random 64K block is going to give anything away.  Possibly.  Password hashes?  How are you going to tell if something is a hash, let alone a password hash.  I would hope that any passwords given to a program are hashed, and the original values destroyed.  Still vulnerable, but then it’s a matter of timing and how lucky the attacker is.  Getting the correct 64K block at the time that the password is still visible in memory.

I am NOT going to change my passwords on all of my sites again.  Only when forced to (domaintools.com, I’m looking at you, there’s nothing anybody would want to do with my login there!).  My financial site does not have the flaw.  Google’s stuff does not have the flaw.  That’s good enough for me right now, unless I hear about real damage from this bug.


Second edit:  I really have no clue as to what happened to the first edit.  And I could have sworn it was published, and it wasn’t.  And that’s kind of pissing me off.

Also, I will probably update this as I think more about it.

OK, the facts, as they currently are.

Mozilla hires Brendan Eich as CEO.  Because of a $1,000 donation supporting California’s Proposition 8, certain individuals, homosexuals in this case, get upset with Mozilla, which I will point out, they are free to do, with.some people outside of Mozilla, and some people inside Mozilla.  Mr. Eich makes a decision to resign the position, for whatever reason, and again, it must be noted that this was his decision, there was not a board vote to fire him, although there may well have been board pressure for him to do so.  Still, ultimately, it was his decision.

It can be argued that the amount donated, $1,000 isn’t really all that much.  It can be argued that people need to be a little more thick skinned.

But I’m not arguing those here.

Dave writes about it here, and comments are closed.

Dave is correct in that politics are by their very nature divisive.  Although I could argue that, in the US, once you go just under the skin, the differences are gone, and what is divisive is pretty fucking trivial, only minor details are different between Democrats and Republicans, but politics being politics, molehills can be made to appear as Mount Everest. And that really only has to do with Republicans and Democrats.  Libertarians, big or small l, and other parties certainly would not fit that, but, for whatever reason, the political reality is that >95% of the elected officials are going to be a D or an R.  But exactly where they become divisive, that is the issue.

I think Dave is wrong.

My argument is about differences of opinions that lead to inclusivity, and those that lead to exclusivity.  Those are differences that matter.

As an example of inclusivity, say a CEO is an atheist, but that CEO has no problems with others being theists, Catholics, Muslims, Pagans, and encourages them to practice their religion by make sure that the Catholics are able to worship on Sunday, giving time for Ash Wednesday, the Muslims praying on their time schedule, and the pagans doing whatever it is the pagans do.  Dance naked at the solstices for all I know or care.  Or the reverse can be true, a Catholic CEO can be tolerant of other different theists and atheists.

Exclusivity would be where an atheist CEO has people working on Sundays in a regular matter for Christians or Friday night and Saturday for the Jews, having award luncheons during Ramadan.  I think you see the picture at this point.

Those are two different approaches.  I would hope that people see the inclusivity as the better option.  And it certainly is an option.

Back to the Mozilla and Eich issue.  Proposition 8 is an exclusive type of choice that was forced upon the entire state of California.  Yes, it was passed by a sufficient number of voters in California to be made into a state amendment, but it has been found to be in violation of both California and US constitutions.  I guess it can be argued that by making it an amendment, it would supercede what is written in the state constitution, but considering what I’ve seen just here in Florida and the overturning of amendments for not following the Florida constitution, that is not a viable argument.  It also shows that just because a majority of people vote for something, doesn’t necessarily make it the correct thing to do, even in a democracy/republic/representative what-the-hell…

My question to Dave would be, if there was a company that had a considerable number of Jews as workers had a board that decided to hire a CEO that wasn’t just a Holocaust denier, but had actively given money, amount not being a detail, to a Holocaust denier organization, what does Dave think the outrage would be, both internally and externally?  Does Dave think that the Jews should just shut up about the issue?  Yes, this is treading very close to Goodwin’s Law.

Dave also talks about another political point, specifically Republican and Democrat, and starts his post with a Democrat switching parties to Republican.  The difference here is that neither the Republicans or the Democrats can put language into a law or amendment to blatantly outlaw the other party from doing such things as raising money, spending money on advertising, vote for a particular party, or preventing the other party from actually registering to be put on the ballot.

The last two are problematic, because Republicans certainly are trying to affect Democrat votes with their Voter ID laws.  And sorry, it’s up to the Republicans to show that there is real voter fraud going on, preferably that fraud that isn’t being committed by those in the Republican Party to try and show that it is going on.  Also, since the two major parties control who does get on the ballot, third parties will never be a major force in US elections anyway.  Despite what the libertarians think.  And maybe that’s why people think that something like Proposition 8 was valid because it only affected such a minor number of people.  But the fact still remains that even those laws do not name the people that they are trying to harm/disenfranchise/whatever.  Proposition 8 did name names.

In the end, Mr. Eich bet wrong on putting his money on that proposition, despite thinking that it was a real win at first.  And when you consider that the states are falling down like dominoes in their efforts to keep such laws and amendments on the books, it makes his bet look even worse.

But then, if Mr. Eich had bet on inclusivity and lost, would anybody really care at that point?

Slashdot picks up the conversation.

Some of the comments are good reading as well.

Especially the one about race, and how today, if a CEO was racist and was all about treating blacks as second class citizens, would they even be in any kind of management position, regardless of how brilliant they might be otherwise?  Not in today’s supposedly post-racial society.