thewayne: (Cyranose)
The Wayne ([personal profile] thewayne) wrote2014-04-11 10:35 am
  • Add Memory
  • Share This Entry
Entry tags:

You've probably heard about the Heartbleed hack by now.

Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem, I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.

Flat | Top-Level Comments Only

[identity profile] neefsck.livejournal.com 2014-04-12 12:14 am (UTC)(link)

The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information


Thank for your explaining this - Up until now, I *seriously* could not understand how the fuck it worked, or really the point of that godamned comic.
I am perhaps a little too slow to understand XKCD.

[identity profile] thewayne.livejournal.com 2014-04-12 01:18 am (UTC)(link)
My education background was mainly in programming (mainframes), whereas my professional background is sysadmin and DBA/reporting. One of the classics in programming is stepping beyond the end of an array and not knowing what the memory contents would be. It wouldn't be usable for an actual program, but could contain information valuable to criminals because they're getting in to an undefined/uninitialized area of memory, as demonstrated by Heartbleed.

Honestly, sometimes XKCD is too arcane for me. They occasionally get in to stuff that I know a smidgeon enough to catch the gist, even if I can't appreciate the specifics. Especially the physics stuff: I can appreciate it at the 'smile and nod at appropriate intervals' level because I don't have a clue what they're talking about.

[identity profile] thewayne.livejournal.com 2014-04-12 01:26 am (UTC)(link)
The basic problem is that the internet was designed by people who didn't think like criminals, and now the criminals have lots of little holes like this to play with. There's the old open source saw: many eyes make all bugs shallow, in this case those many eyes totally missed this one.
Flat | Top-Level Comments Only