Friday, April 11, 2014

Heartbleed

In case you've been living in a hole for the last couple days, there's been a massive bug found in the open-source (free) server software that handles secure connections. For the lay-person, the software behind the padlock you see in your browser:
[screenshot ss.png: the padlock icon in the browser's address bar]

... had a bug that would happily offer up chunks of computer memory if someone sent it the right type of message over the network, with no record of having done it.

Here's XKCD's attempt at an explanation.
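For readers who want to see the shape of the bug in code rather than in a comic, here is an added, simplified simulation (not OpenSSL's code, and not the real TLS message format): a handler that echoes a message back, trusting the length the sender wrote in the message header. The arena, the reply size, the two-byte header and the "secret" string are all constructed for the demo; the point is the one missing comparison, shown beside the hardened handler that makes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation of a Heartbleed-style length bug. Nothing here is
 * OpenSSL code: the message layout, the arena and the secret are hypothetical,
 * chosen only to make the missing check visible. */

#define ARENA_SIZE 512   /* pretend process memory: the request plus whatever follows it */
#define REPLY_CAP  256   /* capacity of the reply buffer */

/* A request is a 2-byte big-endian length followed by the payload. */
static size_t claimed_length(const uint8_t *req) {
    return ((size_t)req[0] << 8) | req[1];
}

/* Vulnerable echo: trusts the sender's length field. The only bound applied is
 * the reply buffer's own capacity, so the copy reads past the end of the bytes
 * that actually arrived (req_len) into whatever happens to sit after them.
 * Returns the number of bytes echoed. */
static size_t vulnerable_echo(const uint8_t *req, size_t req_len,
                              uint8_t *reply, size_t reply_cap) {
    (void)req_len;                       /* never consulted: that is the bug */
    size_t n = claimed_length(req);
    if (n > reply_cap) n = reply_cap;
    memcpy(reply, req + 2, n);           /* in this demo the read stays inside the arena */
    return n;
}

/* Hardened echo: the claimed length must fit inside the bytes received.
 * Returns the number of bytes echoed, or 0 with nothing copied on a malformed
 * request. */
static size_t hardened_echo(const uint8_t *req, size_t req_len,
                            uint8_t *reply, size_t reply_cap) {
    if (req_len < 2) return 0;
    size_t n = claimed_length(req);
    if (n > req_len - 2 || n > reply_cap) return 0;   /* the missing bounds check */
    memcpy(reply, req + 2, n);
    return n;
}

/* Stand-in for keys, passwords or session cookies that live nearby in memory. */
static const char SECRET[] = "CONSTRUCTED-SECRET-TOKEN";

/* Lay out a request of 2 real payload bytes whose header claims 40, followed
 * (as in a real process) by unrelated sensitive data. Returns the number of
 * bytes the server actually received. */
static size_t build_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 0x00; arena[1] = 40;             /* header claims 40 bytes */
    arena[2] = 'h';  arena[3] = 'i';            /* only 2 bytes were sent */
    memcpy(arena + 16, SECRET, sizeof SECRET);  /* adjacent memory */
    return 4;
}

/* Plain substring search so the demo needs no non-standard helpers. */
static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply carries the secret out, else 0. */
int vulnerable_leaks_secret(void) {
    uint8_t arena[ARENA_SIZE], reply[REPLY_CAP];
    size_t req_len = build_arena(arena);
    size_t n = vulnerable_echo(arena, req_len, reply, sizeof reply);
    return n == 40 && contains(reply, n, SECRET);
}

/* 1 if the hardened handler refuses the same request and copies nothing. */
int hardened_echo_rejects(void) {
    uint8_t arena[ARENA_SIZE], reply[REPLY_CAP];
    memset(reply, 0, sizeof reply);
    size_t req_len = build_arena(arena);
    size_t n = hardened_echo(arena, req_len, reply, sizeof reply);
    return n == 0 && !contains(reply, sizeof reply, SECRET);
}

/* A well-formed request is still echoed by the fixed code: returns 2. */
size_t hardened_echo_ok(void) {
    uint8_t req[4] = {0x00, 0x02, 'h', 'i'};
    uint8_t reply[REPLY_CAP];
    return hardened_echo(req, sizeof req, reply, sizeof reply);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("hardened handler rejects:        %d\n", hardened_echo_rejects());
    printf("hardened handler echoes valid:   %zu bytes\n", hardened_echo_ok());
    return 0;
}
```

The vulnerable handler never touches `req_len`, the one number it could have checked the header against; that single comparison is the whole difference between the two versions, which is also why the post can say that memory bugs of this kind are hard to spot by reading code.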

Some Q&A:

What does that mean to me?

We're not sure that anyone knew about this before it was found. Maybe NSA, maybe Chinese or Eastern Europeans, or internet crooks, or maybe nobody...

But if someone did know, in the best (most likely) case, they got very little if any of your info. In the worst case, they got your username and password and any other personal information from the websites (and other servers) you've logged into in the past 2 years.

How does this compare to past security bugs?

Catastrophic: 11 out of 10.

How will I know if they got my info?

This is the best question, and nobody knows. Your best bet is to check your bank accounts to make sure there aren't any strange charges, check other accounts you log into to make sure there isn't any strange activity, then do the steps below.

Note that not all sites are affected, only the ones using the open-source version of the software (hurray for free and open source).

Is it fixed? What do I need to do?

Check the list of sites here, and reset passwords on any sites that are affected. My short list of sites using the affected software: Facebook-YES, Pinterest-YES, Apple-NO (yay), Amazon-NO (yay), Google-YES, Microsoft-NO, Yahoo-YES, Gmail-YES, Paypal/Target/Walmart-NO, Intuit/TurboTax-YES (doh!), most banks-NO, USAA-YES (doh!).

Then check your financial accounts to make sure there's nothing fishy going on. But you should be doing this regularly anyway (given that some e-commerce websites are zero-margin stores selling you cheap stuff just so they can get your credit card number to sell to crooks).

Oh, and be sure to use different passwords on different websites, and don't make them easily guessed. Apple's iCloud Keychain is a decent/free option for managing passwords for Mac users (though oddly it doesn't work with all websites, incl. Google). 1Password is a better option, but expensive (and I hate having to pay upgrade fees every year, feels like a subscription!).

So is the internet broken now? Should I stop trusting computers completely? Seems like we're always finding bugs like this...

No, the internet's not broken. But are people happy about this? Definitely not. We all hate changing passwords and not knowing who has what information about us.

What this means is that software isn't perfect, and memory bugs are pretty hard to recognize and track down. It may also mean that NSA is really sneaky about this kind of stuff, but the story sounds a little more innocent than that. On the plus side, anyone who knew about this is probably either chasing bank accounts much bigger than yours, or not interested in money...

But the same way armies learn where soldiers need more armor, the software-development communities learn how to better protect against not only this exploit, but this type of exploit, so I wouldn't expect us to have problems with these kinds of bugs for long. Coders are now looking for them, and stand to make a name for themselves finding them.

Hang in there, we'll get through this.
