Skip to main content

Heartbleed

This bug will probably be taught in Comp Sci classes in years to come and the poor student Robin Seggelmann from T-Systems International who wrote this buffer bounds beauty, earned instant infamy.

It is a terrible, terrible bug - you send a request to a supposedly secure server and it returns up to 64KB of data, which on a busy mail service like Yahoo, could contain multiple user names, passwords and keys in each and every request.

The bad thing is that the heartbeat feature was not necessary.

A thing should be as simple as possible, but no simpler.
-- A. Einstein

T-Systems violated that principle and we are all paying the price.

Keepass

Give the good IT folks a few days to fix things and then change ALL your passwords everywhere and to preserve your sanity, do install Keepass (Windows), KeepassX (Linux, Mac) or KeepassDroid (Android).

For those worried about Keepass, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

Broken windows

The problem is actually not as widespread as feared.  According to Netcraft, while a good 70% of all servers use OpenSSL, about a quarter use Heartbeat, meaning that the total percentage of servers affected by Heartbleed, is under 20%, but for the next few days, you cannot trust anything.

Nevertheless, the broken windows fallacy means that some IT businesses will profit handsomely, especially the certificate vendors, at the expense of everyone else.

My site statistics graph shows that there are still many broken Windows out there too...
;)

Now that many people are starting to look critically at OpenSSL, they are bound to find many other issues.  The OpenBSD contributors already started to scratch at it.  So expect to see a slew of updates over the next few weeks as large numbers of bugs get fixed.  Thanks to the heartbeat bug, OpenSSL should end up being much more secure than it ever was.

Update: OpenBSD announced LibreSSL, their lean and mean fork of OpenSSL.
http://www.libressl.org/

Who Knew?

The big question is who knew?

In these matters the only certainty is that there is nothing certain. 
 -- Pliny the Elder

Did the NSA, GCHQ, CSE and others know about this bug for the past two years and happily collected logins and keys and does this explain why they could perform Man In The Middle attacks with such apparent ease?



Labels:

Comments

Post a Comment

On topic comments are welcome. Junk will be deleted.

Popular posts from this blog

Unlock CRA PDF Forms

Unlock Canada Revenue Agency PDF Forms It appears that there is a relatively new PDF feature to prevent casual copying and saving of a file and that some programs save PDF files with these foolish features active by default.  Many forms from the Canada Revenue Agency are locked in this way, which makes it difficult to do one's taxes, since one can fill the form, but cannot save it.  One can only print the form.  It should be possible to print to a file or export it to a new PDF file, but it is far better to reset the annoying anti-taxpayer flags, since the 'printed' form cannot be edited easily any more and I always manage to make a mistake or three that need to be corrected after review. If there is a Linux (virtual) machine handy, install qpdf and use it to reset the silly flags: $ su - password # dnf update # dnf install qpdf # exit $ qpdf --decrypt lockedfile.pdf unlockedfile.pdf One doesn't need a password to unlock these flags, so the fix is instant. La voila! He...
Post a Comment
Read more

Parasitic Quadrifilar Helical Antenna

This article was reprinted in OSCAR News, March 2018:  http://www.amsat-uk.org If you want to receive Satellite Weather Pictures , then you need a decent antenna, otherwise you will receive more noise than picture. For polar orbit satellites, one needs an antenna with a mushroom shaped radiation pattern .  It needs to have strong gain towards the horizon where the satellites are distant, less gain upwards where they are close and as little as possible downwards, which would be wasted and a source of noise.  Most satellites are spin stabilized and therefore the antenna also needs circular polarization, otherwise the received signal will flutter as the antennas rotate through nulls. The helical antenna, first proposed by Kraus in 1948, is the natural solution to circular polarized satellite communications.  It is a simple twisted wire - there seems to be nothing to it.  Various papers have been published on helix antennas, so the operation is pretty well ...
2 comments
Read more

OpenEMS with Octave and SciLAB

I wanted to do some advanced RF antenna development work and needed an electromagnetic field solver that is a bit more up to date than NEC2 .  Commercial solvers from Matlab , Ansys and others are hideously expensive (in the order of $20,000 to $50,000) and do not fit in the wallet of a hobbyist or a small consulting company.  Recently, openEMS became available and it fills the niche with a capable free tool.  In general, openEMS is a solver - a Finite-Difference Time-Domain (FDTD) numerical engine.  You interact with it through Octave , which is almost identical to Matlab .  You can watch a good video by Thorsten Liebig here: https://www.youtube.com/watch?app=desktop&v=ThMLf0d5gaE   Getting it to work is a little painful, but it is free, so bear with it - then save a backup clone, or a zipped copy of the whole virtual machine directory and NEVER update it, to ensure that it keeps going and doesn't get broken by future updates, right when you are ...
Post a Comment
Read more