View 819 Tuesday, April 08, 2014
Additional April 9
If a foreign government had imposed this system of education on the United States, we would rightfully consider it an act of war.
Glenn T. Seaborg, National Commission on Education, 1983
OpenSSL vulnerability ("Heartbleed")
Dr. Pournelle:
This one, by all accounts, appears to be a serious vulnerability whose fix should be implemented immediately. It is all a bit geeky, but the takeaway is that, if using OpenSSL to provide SSL security for a web site, there is a way to get the credentials of anyone visiting the site.
For impact, think of hackers grabbing credential information from a bank site.
The geeky part can be seen starting here (among other places): http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
The Internet Storm Center has technical advice: https://isc.sans.edu/forums/diary/+Patch+Now+OpenSSL+Heartbleed+Vulnerability/17921
There is a way to test a web site for the problem; this one appears to be thorough and safe: https://www.ssllabs.com/ssltest/analyze.html
The problem appears to be well-publicized, so most site admins already know about it, and hopefully they are into mitigation mode. End-users should be aware of it.
As for web site owners that have hosting companies for their sites; you can use the test link to check your site for the vulnerability (it only affects your site if you use SSL — the https: part of the link to pages on your site). Proactiveness would indicate the need to do a quick check via the above testing link, then contact your hosting company if the results indicate a vulnerability.
Note that Dr. Pournelle’s site (www.jerrypournelle.com) is safe.
Regards,
Rick Hellewell
Security Dweeb
I received this later and am publishing it Wednesday evening:
Dr. Pournelle:
Further thoughts on the HeartBleed vulnerability, I think, in no particular order
– this vuln has been around for two years, I believe. And there is no logging available that would tell you that you got attacked.
– the Internet Storm Center guys did raise their alert level to yellow, and strongly encouraged all to check and fix
– media reports that tell you you must change all your passwords immediately are overblown. *If* a site was vulnerable, and *if* you logged into that system, and *if* an evildoer did the attack after you logged in, then you *might* have your credentials stolen. And *if* you changed your password on a vulnerable site during an attack, your credentials *might* be compromised. But that is a lot of *if’s* to worry about.
– ‘watchful waiting’ is probably the best action for individual users to take now. People should watch their financial accounts, perhaps change their passwords in a few days (which will let sites remediate as needed). And make sure that you don’t share credentials (user/pass) between sites.
– it is probably good that site owners make sure their sites are not vulnerable, and patch accordingly.
But there is some excitability going on, and perhaps the risk to the user is not as great as the media would make it seem. Still a risk, and ‘watchful waiting’ is a good idea, but "Don’t Panic".
Rick Hellewell, Security Dweeb
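Both letters above describe the effect of the bug (a remote reader of server memory, no trace in the logs) without showing its shape. The following is an added example, not code from either letter and not OpenSSL's own code: a toy heartbeat handler modelled on the pattern of the OpenSSL defect, where the record carries a two-byte payload length that the peer controls, and the handler copies that many bytes back without checking that the record actually contained them. The layout (a constructed "secret" placed right after the record in the same buffer) and the omission of the padding bytes are simplifications made here to keep the example self-contained; the fixed handler does what the real fix does in spirit, which is to compare the claimed length against the bytes received and discard the record when it does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed process memory: the heartbeat record is written at the front,
 * and a secret that has nothing to do with heartbeats sits right after it,
 * standing in for whatever happened to be adjacent on the heap. */
static unsigned char g_memory[64];
static const char g_secret[] = "session=0123456789abcdef";

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Build a heartbeat request: 1 byte type, 2-byte big-endian length, payload.
 * `claimed_len` is what the length field says; `actual_len` is how many
 * payload bytes are really present. Returns the record size received. */
static size_t build_request(unsigned char *buf, const char *payload,
                            size_t actual_len, uint16_t claimed_len) {
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    return 3 + actual_len;
}

/* Vulnerable handler: trusts the length field. Only the response buffer is
 * bounds-checked, so memcpy reads past the end of the received record. */
static size_t hb_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (out_cap < (size_t)3 + payload_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-read: copies adjacent memory */
    return 3 + payload_len;
}

/* Fixed handler: the claimed payload must fit inside the bytes received;
 * otherwise the record is silently discarded, as the upstream fix does. */
static size_t hb_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len > rec_len) return 0;   /* the missing check */
    if (out_cap < (size_t)3 + payload_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Returns 1 if the secret appears anywhere in the n-byte response. */
static int response_leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = strlen(g_secret);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, g_secret, slen) == 0) return 1;
    return 0;
}

/* Send a request with 2 real payload bytes but a length field of
 * `claimed_len` to `handler`. Returns 1 if the response leaked the secret,
 * 0 if it did not, -1 if the handler rejected the record. */
static int probe(hb_handler handler, uint16_t claimed_len) {
    unsigned char out[64];
    memset(g_memory, 0, sizeof g_memory);
    size_t rec_len = build_request(g_memory, "hi", 2, claimed_len);
    memcpy(g_memory + rec_len, g_secret, sizeof g_secret);   /* adjacent data */
    size_t n = handler(g_memory, rec_len, out, sizeof out);
    if (n == 0) return -1;
    return response_leaks_secret(out, n);
}

int main(void) {
    printf("vulnerable, honest length : %d\n", probe(hb_vulnerable, 2));
    printf("vulnerable, claimed 40    : %d\n", probe(hb_vulnerable, 40));
    printf("fixed, honest length      : %d\n", probe(hb_fixed, 2));
    printf("fixed, claimed 40         : %d\n", probe(hb_fixed, 40));
    return 0;
}
```

Note that neither handler logs anything: an over-long request that succeeds is indistinguishable, from the server's point of view, from a well-formed one, which is why the second letter's point about the absence of logging holds for this class of bug.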
And there is this to think about.
Armed Fed Agents and Snipers? Nevada Rancher Is Taking on the Gov’t in a Battle That’s Reaching a Breaking Point
new alternate fuel – http://navylive.dodlive.mil/2014/04/07/energy-independence-and-the-warfighter/
I do think the US Navy may come up with some of the best alternative fuels. A dollar increase in a barrel of oil costs billions of dollars. More importantly it costs lives. Maybe there will be one "silver bullet" that fixes the problem or there will be many smaller solutions that may add up to a new way of life. There is even talk of an SPS.
http://www.wired.com/2014/03/space-solar/
I don’t care why, just that there are many possibilities being explored. There is an ocean buoy test off the coasts of Hawaii and Oregon, solar panels are sprouting up all over naval facilities, and one of my personal favorites is the algae-generated diesel fuel. There are many hopeful projects out there.
I hope you are in ever increasing health.
V/r,
Rose
And I am still in the middle of getting my taxes done. There is some hearing return in my left ear: I can at least hear some sounds there. Friday morning I get my hearing aids reprogrammed. We’ll see.
As I post this the US Navy now thinks it has heard some pings that might be the missing 777. We’ll see.
Stay well
Freedom is not free. Free men are not equal. Equal men are not free.