thewayne: (Cyranose)
[personal profile] thewayne
Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem; I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password', as that should be a solid sign that they've taken steps to remediate their servers.
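To make the "unchecked parameter" concrete, here is an added illustration (not code from the post, OpenSSL, or the comic): a toy heartbeat echo over a small simulated memory arena, once without the length check and once with it. The arena, the payload "hat", and the "PRIVATE-KEY-MATERIAL" bytes placed after it are all constructed for the example; the over-read is clamped to the arena so the demonstration itself stays well-defined.

```c
#include <stdio.h>
#include <string.h>

/* A simulated process memory arena (constructed for this example).
 * The incoming heartbeat payload is stored at the front; the bytes
 * after it stand in for whatever else the server happened to hold. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Arrange the arena: payload first, then "unrelated" sensitive bytes. */
static void setup_arena(const char *payload) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, payload, strlen(payload));
    memcpy(arena + 32, "PRIVATE-KEY-MATERIAL", 20);
}

/* Vulnerable handler: copies claimed_len bytes starting at the payload
 * without checking that the payload is really that long. The copy is
 * clamped to the arena so the demonstration itself stays well-defined. */
size_t heartbeat_unchecked(size_t actual_len, size_t claimed_len,
                           unsigned char *out, size_t out_size) {
    (void)actual_len;                 /* never consulted: that is the bug */
    size_t n = claimed_len;
    if (n > ARENA_SIZE) n = ARENA_SIZE;
    if (n > out_size) n = out_size;
    memcpy(out, arena, n);
    return n;
}

/* Hardened handler: rejects any request whose claimed length exceeds
 * the bytes actually received, so only the real payload is echoed. */
size_t heartbeat_checked(size_t actual_len, size_t claimed_len,
                         unsigned char *out, size_t out_size) {
    if (claimed_len > actual_len || claimed_len > out_size)
        return 0;                     /* discard the request, copy nothing */
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    setup_arena("hat");
    size_t n = heartbeat_unchecked(3, 60, out, sizeof out);
    printf("unchecked: %zu bytes, tail = %.20s\n", n, (const char *)out + 32);
    n = heartbeat_checked(3, 60, out, sizeof out);
    printf("checked: %zu bytes\n", n);
    return 0;
}
```

The unchecked version hands back 60 bytes for a 3-byte payload, including the key material planted after it; the checked version refuses the request outright, which is the shape of the fix the server operators had to deploy before a password change does any good.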

Date: 2014-04-11 04:37 pm (UTC)
From: [identity profile] droewyn.livejournal.com
I'm telling my parents to change their passwords now, because I know for a fact they use a single login everywhere and need to correct that ASAP.

Date: 2014-04-11 04:48 pm (UTC)
From: [identity profile] thewayne.livejournal.com
That's definitely not a good thing. I have three types of passwords: low security, medium security, high security. Low security is the same password on a number of sites that don't involve personal information or credit cards, medium is a stronger password but still no credit cards, high is a strong two-part password that is unique for every site. But a lot of people can't handle that even though I don't think it's in the least bit complex.

Date: 2014-04-12 12:14 am (UTC)
From: [identity profile] neefsck.livejournal.com
The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information

Thanks for explaining this. Up until now, I *seriously* could not understand how the fuck it worked, or really the point of that goddamned comic.
I am perhaps a little too slow to understand XKCD.

Date: 2014-04-12 01:18 am (UTC)
From: [identity profile] thewayne.livejournal.com
My education background was mainly in programming (mainframes), whereas my professional background is sysadmin and DBA/reporting. One of the classics in programming is stepping beyond the end of an array and not knowing what the memory contents would be. It wouldn't be usable for an actual program, but could contain information valuable to criminals because they're getting into an undefined/uninitialized area of memory, as demonstrated by Heartbleed.

Honestly, sometimes XKCD is too arcane for me. They occasionally get into stuff that I know a smidgen enough to catch the gist, even if I can't appreciate the specifics. Especially the physics stuff: I can appreciate it at the 'smile and nod at appropriate intervals' level because I don't have a clue what they're talking about.

Date: 2014-04-12 01:26 am (UTC)
From: [identity profile] thewayne.livejournal.com
The basic problem is that the internet was designed by people who didn't think like criminals, and now the criminals have lots of little holes like this to play with. There's the old open source saw: many eyes make all bugs shallow; in this case those many eyes totally missed this one.

Date: 2014-04-12 05:08 am (UTC)
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)
From: [personal profile] silveradept
Go figure. It takes advantage of the idea that Internet requests are actually properly formed at all times.
