The Heartbleed bug is one of the more serious computer security vulnerabilities I have seen. It was discovered yesterday and is just starting to hit mainstream media now, so I will summarise my understanding of it.
It affects some web sites that use HTTPS secure connections. The purpose of HTTPS is, among other things, to encrypt data sent between your computer and the web server, so that anyone who sees the data in transit across the internet cannot read it. So it is used whenever you log in to a web site or enter personal information. You know you are using it when your web browser displays a little padlock icon somewhere.
The bug is in a software library that implements HTTPS, called OpenSSL. Not all web sites use this library, but many do. The bug affects certain versions of the library. Importantly, though, the bug has been in the library since December 2011, and has only recently been detected and fixed.
During this time, an attacker who knew about the bug could send a request to a web server, and get back some random information from the server’s memory that should not be public. This information could be almost anything known by the web server software. It is a lucky dip: the attacker can not choose what information he will get. Importantly, though, it can include server certificates, and user names and passwords of the web site’s users.
Having obtained a certificate, an attacker could spy on data transferred from the user to the web site, including passwords and any information entered. This is not trivial, but can be quite easy in certain circumstances. For example, anyone can sit in a coffee shop and intercept WiFi traffic of other customers using WiFi in the shop, but they will only get information about the other coffee shop customers. On the other hand, the NSA can presumably spy on all data sent to any web site. There will be attackers with levels of sophistication between these extremes. Normally a web browser will shout warnings at you if a HTTPS connection has been intercepted. Having a web site’s certificate enables an attacker to silence such warnings.
User names and passwords can also be obtained directly using the Heartbleed bug. This only happens on certain web sites, and the details retrieved are random. It is not possible to quickly obtain all details of all users. Rather, every time the attack is made, one or two users’ details might be revealed. That said, the attack can be repeated, and in two years it can be repeated a lot. So a determined attacker could gather details of many people in this time. This is real. Users on Reddit were claiming to have seen Yahoo Mail passwords as recently as a few hours ago. Right now, Yahoo Mail is fixed.
So what can you do? Realise that you are affected, but don’t panic. There is a very good chance none of your details have leaked. You can not be certain, but you already were not certain. There are likely many more security holes that are not yet common knowledge. However, on services that you have particularly sensitive information, it would be wise to first check that the bug has been fixed, and then change your password.
You can check if the bug currently affects a given service with an online tool. If the service is at all high profile, it is a fairly safe bet that it is already fixed. But you can not tell if your details or a service’s certificate have been leaked in the past. Unless a service takes action, credentials and certificates obtained in the last two years can still be used by attackers to log in or spy on communications. Hopefully web administrators will communicate whether they have been affected and whether they have changed their certificates, so watch for announcements.
When you change your passwords, now is a good time to stop using the same password for every service you use. Start using a password manager such as LastPass, 1Password or Password Safe. All of these are acceptably safe in my opinion, but there is some interesting discussion on this topic. The great thing is that a password manager will generate a different, random, impossible to guess password for each site you use, meaning that if someone does find out your password to one service, the damage is limited to that service.
If a service offers two factor authentication, where you use a smartphone app which generates an ever-changing code, use that, because it means knowing your password alone is useless to an attacker.
If you run a web server that uses HTTPS and handles users’ information, educate yourself, upgrade, and inform your users.
More generally, if you can possibly arrange to live your life under the assumption that everything you have ever done on the internet could become public knowledge tomorrow, you could save yourself a lot of trouble. Keeping secrets is hard.
The government lost the crypto-wars. Crypto is now freely available, but in a sense they won because there are so many ways at people’s data that bypass the cryptography. What we’re learning from the Snowden documents is not that the NSA and GCHQ can break cryptography but that they can very often render it irrelevant… They exploit bad implementations, bugs in hardware and software, default keys, weak keys, or they go in and break systems and steal data.
- Bruce Schneier
There is an interesting article in the Guardian titled US and UK spy agencies defeat privacy and security on the internet:
- NSA and GCHQ unlock encryption used to protect emails, banking and medical records
- $250m-a-year US program works covertly with tech companies to insert weaknesses into products
- Security experts say programs ‘undermine the fabric of the internet’
The second point is to me the most interesting as it suggest that open source is really the only way to fight back against this and as a result, I fully expect Open Source to eventually become illegal in the more panoptic parts of the world.
The first point however will be the driver of effective and widespread counter measures. The internet is simply too important to too many economic interests to allow the US and UK governments to have the ability to embed what will be catastrophic weaknesses in its underpinning architecture
The spooks are not stupid. There are two ways they can respond to this in a manner consistent with their current objectives. They can try to shut down the press — a distinct possibility within the UK, but still incredibly dangerous — or they can shut down the open internet, in order to stop the information leakage over that channel and, more ambitiously, to stop the public reading undesirable news.
I think they’re going for the latter option, although I doubt they can make it stick. Let me walk you through the early stages of what I think is going to happen.
In the UK it’s fairly obvious what the mechanism will be. Prime Minister David Cameron has thrown his weight behind mandatory opt-out porn filtering at an ISP level, to protect our children from a torrent of filth on the internet. (He’s turned to Chinese corporation Huawei for the tool in question.) All new domestic ISP customer accounts in the UK will be filtered by default, unless the owner opts out. There’s also the already-extant UK-wide child pornography filter operated by the Internet Watch Foundation, although its remit is limited to items that are probably illegal to possess (“probably” because that’s a determination for a court of law to make). And an existing mechanism — the Official Secrets Act — makes it an offense to possess, distribute, or publish state secrets. Traditionally newspapers were warned off certain state secrets by a process known as a Defense Advisory Notice, warning that publication would result in prosecution. It doesn’t take a huge leap of the imagination to foresee the creation of a law allowing for items subject to a DA-Notice to be filtered out of the internet via a national-level porn filter to protect the precious eyeballs of the citizenry from secrets that might trouble their little heads.
On the other hand, the UK may not have a First Amendment but it does have a strong tradition of press freedom, and there are signs that the government has already overreached itself. We’ll know things are really going to hell in a handbasket when The Guardian moves its editorial offices to Brazil …
- Charlie Stross
A comment piece over at the Guardian has compelled me to write my first post on this fair blog. I have been mulling over the idea about writing something about rent seeking and fixed lined broadband rollout in the UK for some time, but BT’s great broadband scam has pushed me over the edge finally.
The Guardian writer blames the market, competition and Margaret Thatcher for the fact that BT has won all of the government contracts to build fixed line broadband in the UK.Though most Guardian writers blame this triumvirate for most things, this writer makes a tenuous link between BT and competition ultimately calling for the renationalisation of broadband in this country. (He sounds much like Susan Crawford over in the US, but that is a post for another time) But what he gets so very wrong about blaming competition for the inability for the government to rollout broadband is that it is BT’s rent seeking behaviour coupled with a centrally planned project that has contributed to the so far unsuccessful UK broadband rollout project called BDUK.
There are so many reasons that BDUK has not succeeded that it hard to know where to begin. But for the purpose of this post it is important to understand that the broadband targets and rules for entering into procurement as a provider changed over the course of the last three years. Initially, the project was to provide next generation access (NGA) to 100% of the UK by 2015 and now it may only succeed in delivering 90% by 2017. Fibre to the home (FTTH) was the initial target and eventually fibre to the cabinet (FTTC) became the final and less optimal solution. The regional areas that divide up the entire BDUK project into smaller, sub-project areas were far too small to achieve economies of scale. The list goes on, but changeable rules against which companies and consortia were to pitch to be on the ‘approved’ list meant only risk and uncertainty for those businesses. In the end only BT survived and thus BT became the monopolist provider.
But if I ran BT I would make sure that I was the only procurer on that list through whatever means possible, including rent seeking. And that is precisely what they did. OFCOM, the telecoms regulator, DCMS, the department responsible for BDUK and BT have a cosy relationship with advisors and consultants making the rounds in contracts and positions among all three. But BT has a massive incentive to ensure that their fixed line broadband network became the only networked used to rollout new broadband services. If other vendors were chosen for BDUK then this old network, made up of traditional copper lines and some fibre, would be completely bypassed thereby rendering the network useless. Quite high stakes if you are that behemoth BT. Even an outsider’s attempt to petition DCMS to include wireless in its definition of ‘next generation access’ failed because it would mean using a new and probably non-BT network. Not allowing wireless as one of many ways to achieve rural broadband access is essentially absurd in this day in age. But the BDUK project stipulated only fixed line Internet access at delivery.
So while we do indeed have competition in urban areas and many rural areas for broadband access services (as most services like TalkTalk rent BT lines at wholesale prices) we have very little competition in broadband infrastructure and that is an important difference. BT has played their cards well in a centrally planned system created by civil servants who have made policy in order to achieve the delivery of fixed line broadband Internet access. No one person is to blame, but through bad policy making, EU regulations, rent seeking by BT, and no comprehensive oversight, we have a project that will be delivered well over time and budget and paid for by the taxpayer. True competition in services, diversified Internet access types, and infrastructure would have delivered far richer choices. Currently BDUK remains Hayek’s worst nightmare.
A new story from The Guardian, barely twelve hours after the last set of revelations: “NSA loophole allows warrantless search for US citizens’ emails and phone calls”.
Yes, this one is indeed far worse than the previous ones, unbelievable as that might seem.
Explaining why to those not following in detail is almost not worth it any longer, however.
A friend of mine long ago coined the term “Outrage Fatigue”, the condition in which so many awful actions by a set of State actors have been revealed that one can no longer hope to track the entire list of their offenses and crimes in one’s head.
I have long since passed that point for the Obama administration in general. Imprisonment without charge, war crimes, coverups, the silencing of whistleblowers and dozens of other acts have become so numerous that I cannot hope to remember them all.
However, I have now passed the point where, even as a putative subject matter expert, I could hope to remember even everything that has been revealed about just this one scandal.
It is painfully clear that the contempt of the Obama Administration and its minions for the rule of law is near total, that their contempt for the truth is near total, and that one’s confidence in anything they say in public whatsoever should be precisely zero.
NSA Nabs Cabbie!
Yes, folks, you heard it here first! The NSA, in the midst of a full-court press to capture our hearts and minds, has revealed the secret of one of its most important cases. It managed to catch a cab driver who was sending $8,500 to Somalia. Countless lives must have been saved in the process!
With impressive results like these, it is obvious why we need a Stasi-like total surveillance state, at a cost of [redacted] billon dollars per year.
Lavabit was, until a few hours ago, a secure email hosting company with something over 400,000 customers. One of their users was (apparently) Edward Snowden.
They have shut down, apparently because they refused to assist in spying on their own clients, as similar companies such as Hushmail are reputed to do.
Unfortunately, US law now makes it a crime to discuss requests from our masters for “assistance” of this sort, so we can only assume that this is what has happened. Presuming the guess to be true, I commend them for their sense of honor. Many would not ruin themselves when faced with a choice between keeping their promises and obeying the authority of a police state.
Quoting their “goodbye” page:
“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”
My last Friday of the month meetings are now under way again, and they are accomplishing everything I here hoped they would. Worthwhile thoughts are being thought. I am making new friends. I am also reconnecting with friends from way back, which is a bonus I should have seen coming but did not. The most recent meeting was especially fine. About it I will surely be saying more, by and by.
Meanwhile, however, I continue making my small living room into the best place that it can be for these evenings. What I need next is one of these:
I came across that in a Pret a Manger (it seems they allow you to forget about accents) near Waterloo Station. The Wi-Fi there proved unsatisfactory for my purposes, but the above item of seating is exactly the sort of thing I now want.
It seats three in comfort, as do many sofas on sale these days. But it also has two other features which seem to be harder to come by.
First, unlike most the sofas I am now looking at, this one is not too deep from front to back. This comes partly from this sofa not also being a sofa-bed. I already have a sofa-bed. The last thing I need is another sofa-bed. A sofa(-bed) that sticks out too far into my small living room is no good to me. But many sofas that are not sofa-beds also stick out into the room far too much for my purposes. A sofa like the one above is what I need.
Second, the above sofa does not have wide and rather squishy arm rests. Instead it has narrow wooden ones. So just as it economises on depth space, it also makes the most of sideways space, space that I need every inch of for more seating.
Such wooden arm rests, in between meetings, can be easily used to rest a big plank on, which is helpful for when I am battling with paperwork, which I am, now and always. Also, during meetings, the wooden arms would be good for resting drinks on, in the way that big squishy arm rests are not.
Nevertheless, I would definitely consider something which is the same shape as the sofa in the picture, but without any arm rests at all. The important thing about this sofa is how well it uses space, compared the usual lumbering monster sofas that are to be seen in every furniture shop or furniture website in such abundance. Pret a Manger presumably have a problem not unlike mine, that made them want what I want. I want one sofa that helps me get as many people into my small living room as I can. They want as many sofas as possible, to get as many people as they can get into a larger space.
The sofa I seek doesn’t have to be any particular colour, or in as good condition as the one above. Rather battered would probably be rather good, because cheaper. It just needs to be that particular sort of shape, or as near to it as I can find.
So, can any of my London friends, or for that matter anyone reading this and living in London, or, really, just anyone, help? All relevant information would be gratefully received. (Comment, or email me by going here and clicking where it says Contact, top left. (That needs to be a slightly complicated process, to deter spammers.))
In order to rescue this posting from being an unadulterated personal advert, let me adulterate it with a broader observation about modern life. Notice how much harder it would have been for me to get across what kind of sofa I am seeking, had I not been able, at zero additional cost to me, to include a photo in this posting of what I am looking for.
→ Continue reading: On the sort of sofa I am looking for – and on the impact of digital photography on trade
From a security point of view, the trouble with cloud-based applications and closed source software in general is that you can never tell whether there are flaws that will leak your information or even back doors put there deliberately to allow third parties to get at it.
Open source software gives you many advantages.
You can understand exactly what the software will do when run. Strictly speaking you can understand what any software does, but source code written in a high level language serves the purpose of both telling the computer what to do and telling humans what the program is intended to do. This is because classes, functions and variables in the program are given English names. Programmers may even write comments in the source code to annotate it. The names and comments may be misleading but this becomes apparent when you look at what code does as a whole. If you can not personally understand the program, you can be reasonably sure others do. One thing that gives me confidence is that previous flaws have been found and fixed.
You can be sure you are running the same software you have gone to the trouble of understanding because you can compile it yourself. You can compile the user applications, libraries, operating system kernel, drivers and even the compiler yourself if you want. More usually you will entrust most of this work to others such as Linux distributions. Programs downloaded from such sources are cryptographically signed. Becuase the source code is available anyone can check that the source code produces the same program that is provided pre-compiled.
So there is little likelihood of a back door in open source software. Linus’s Law states that many eyes make bugs shallow. This means that bugs in open source software, especially the most important and most widely used open source software, get fixed quickly. In The Cathedral and the Bazaar, Eric Raymond described how the Linux style of development leads to superior code quality. All this means there is less likelihood of accidental leakage of your secret information.
Should they decide they do not like us encrypting our files or obscuring our online activity, it would be very hard for authorites to take open source software away. The nearest they have got is the Consumer Broadband and Digital Television Promotion Act which was intended to protect music companies who wanted to put DRM into music by making trusted computing compulsory. The idea was that computers would be required to have a special chip that would only let them run programs that would be cryptographically signed by some authority. You would not be able to run your own programs.
The bill got nowhere and such laws are unlikely to because open source software is so ubiquitous. It runs the Internet. Samizdata runs on a computer running the Linux kernel using GNU libraries and uses an open source web server, database and blogging software written in languages compiled by open source compilers and interpreted by open source interpreters. So do everyone else’s web sites. Most of the electronic gadgets in the world that have any software at all have open source software in them, including phones and TVs. None of this is going away.
As much as Google and Microsoft have brands to protect, if the government makes laws big companies have to follow them. Governments have no such hold over open source programmers who are geographically, organisationally and ideologically dispersed.
The people who write GNU Privacy Guard or OpenSSL are not going to put a back door in their software. If they did it would be spotted and someone could simply fork the project.
It is possible that certain algorithms have mathematical back doors and that the NSA has hired all the people clever enough to find them. It is possible that the NSA tried this with a cryptographic random number generator and were caught out. We can be somewhat confident that the NSA can not break AES encryption. There are other encryption algorithms available.
Nothing is certain, but open source software gives us some control over our computers and some defense against governments that closed corporate software never can.
The dismal David Cameron wants to block people from accessing ‘porn’ from WiFi in public places and ‘semi-public’ places. Which presumably means all WiFi as almost every WiFi in the world is capable of being picked up in a ‘public’ place, such as the side walk in front of your house.
And the usual coercion addicted statists will smile and nod that ‘the children’ are being protected. And once the slope has been created, these are the people who will be working to make it as slippery as possible.
So of course once the notion that protecting ‘the children’ from stumbling across porn is accepted, next will be protecting them from seeing ‘hate speech’… and then from anything that is held not to be in ‘the public interest’. Held by who? Why by people like them, of course.
It is not about porn, it is about control. It always is.