Forum URL: http://www.eyrie-productions.com/Forum/dcboard.cgi
Forum Name: The Forum Itself
Topic ID: 82
#0, Heartbleeed?
Posted by JeanneHedge on Apr-11-14 at 08:44 PM
While I realize this forum is most probably low priority for any hackers, are there any concerns related to the Heartbleed bug here?


Jeanne



Jeanne Hedge
http://www.jhedge.com
"Never give up, never surrender!"


#1, RE: Heartbleeed?
Posted by Gryphon on Apr-11-14 at 08:52 PM
In response to message #0
>While I realize this forum is most probably low priority for any
>hackers, are there any concerns related to the Heartbleed bug here?

Ironically, I don't think the Forum is even secure enough that a fault in a security protocol is an issue. I know Dave reset the server's host key for SSH/SFTP purposes, though.

--G.
-><-
Benjamin D. Hutchins, Co-Founder, Editor-in-Chief, & Forum Mod
Eyrie Productions, Unlimited http://www.eyrie-productions.com/
zgryphon at that email service Google has
Ceterum censeo Carthaginem esse delendam.


#2, RE: Heartbleeed?
Posted by MuninsFire on Apr-11-14 at 11:28 PM
In response to message #1
Infosec guy here.

Basically, no problem here.

This site:

http://possible.lv/tools/hb/?domain=www.eyrie-productions.com

provides a test for the heartbleed issue, and has proven reliable enough over the past week for me to recommend it.

There's a pretty good explanation for heartbleed and what it means for you here: http://r000t.com/what-heartbleed-means-to-you/

Basically, the advice I've been giving my clients and other people whom I'm responsible for is to be careful, make sure your browser checks for certificate revocation, and change all your passwords--because you should be changing them on a regular basis anyway.

Do NOT click on any email links to reset passwords; log into the site manually and change it there. There will be hundreds of phishing emails from this event.

If you have any questions, feel free to ask me; you can email me at my username at the gmails if you wish.


#3, RE: Heartbleeed?
Posted by TheOtherSean on Apr-11-14 at 11:37 PM
In response to message #2
Heartbleed: This is probably the only thing that's ever made me glad my web applications at work are hosted by IIS on a Windows server. :)

#4, RE: Heartbleeed?
Posted by MuninsFire on Apr-12-14 at 00:10 AM
In response to message #3
Yeah, was talking with someone the other day who hosts via Tomcat, and we were amused that this is perhaps the only time ever that Java has been the MORE secure option.

#5, RE: Heartbleeed?
Posted by Terminus Est on Apr-12-14 at 01:10 PM
In response to message #2
This describes the bug in layman-friendly stick figure art and terms.

#6, RE: Heartbleeed?
Posted by SpottedKitty on Apr-12-14 at 01:36 PM
In response to message #5
The bug actually works like that? It's not too much of a lies-to-children oversimplification? <headdesk>

--
Unable to save the day: File is read-only.


#7, RE: Heartbleeed?
Posted by MuninsFire on Apr-12-14 at 02:08 PM
In response to message #6
Pretty much, after you strip away some protocol bits, yeah. It's usually not a word like "potato" or "hat" or what have you, but some random numbers your computer generates.

This particular type of problem is nothing new; it's been an issue in programming for decades, but the people (staff of four, total, of which one is full-time) who develop OpenSSL are -extremely- underfunded and don't get a whole lot of time to audit for that kind of bug.

There's a LOT of software that's in extremely widespread use that has the potential to contain bugs this severe due to very similar circumstances.

For instance, for a number of years, THE database of time zone info was maintained almost entirely by one guy.

Things like browsers and word processors--the stuff people use--is sexy. Things like crypto libraries and the other stuff "under the hood" that people don't directly use? Not a lot of attention there.
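To put the "potato"/"hat" picture beside the actual length handling, here is an added example that is not code from this thread or from OpenSSL: a minimal model of the heartbeat path behind Heartbleed (CVE-2014-0160). The message layout follows RFC 6520 (type, 2-byte claimed length, payload, padding); the buffer layout, the fake secret placed next to the record, and all function names are constructed for illustration. The vulnerable handler trusts the claimed length, the fixed one compares it against the record actually received, which is what the 1.0.1g patch added.

```c
/* Added example (not from the thread or OpenSSL): a model of the TLS
 * heartbeat length handling behind Heartbleed. Layout per RFC 6520; the
 * memory scene and names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Portable substitute for memmem(): 1 if needle occurs in hay[0..n). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i <= n - m; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Build a request: type | 2-byte big-endian claimed length | payload | padding.
 * The claimed length is a separate argument on purpose: the peer controls it
 * and nothing forces it to match the payload really sent. Returns record size. */
size_t build_heartbeat(uint8_t *out, size_t cap, uint16_t claimed_len,
                       const uint8_t *payload, size_t payload_len)
{
    if (cap < 3 + payload_len + HB_PADDING) return 0;
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL before 1.0.1g: the claimed length
 * is never checked against the record size, so memcpy() reads past the
 * record into whatever lies after it and echoes that back. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                  /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = 3 + (size_t)claimed + HB_PADDING;
    if (need > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);             /* out-of-bounds read */
    memset(resp + 3 + claimed, 0, HB_PADDING);
    return need;
}

/* Fixed handler, modelled on the 1.0.1g patch: header + claimed length +
 * padding must fit in the record actually received, else drop the message. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 + HB_PADDING) return 0;         /* too short to carry a length */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)claimed + HB_PADDING > rec_len) return 0;   /* the missing check */
    size_t need = 3 + (size_t)claimed + HB_PADDING;
    if (need > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);
    memset(resp + 3 + claimed, 0, HB_PADDING);
    return need;
}

/* Constructed scene: a 3-byte payload ("hat") with the given claimed length,
 * and a fake secret sitting right after the record, as it could when an
 * allocator hands out neighbouring chunks. Returns the record length. */
#define SECRET "SESSION-COOKIE=hunter2"
static size_t stage(uint8_t *mem, size_t cap, uint16_t claimed_len)
{
    memset(mem, 0, cap);
    size_t rec_len = build_heartbeat(mem, cap, claimed_len, (const uint8_t *)"hat", 3);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if the vulnerable handler's reply carries the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t mem[1024], resp[512];
    size_t rec_len = stage(mem, sizeof mem, 200);     /* claims 200, sends 3 */
    size_t n = heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    return n > 0 && contains(resp, n, "hunter2");
}

/* 1 if the fixed handler refuses that same over-long request outright. */
int fixed_rejects_oversized(void)
{
    uint8_t mem[1024], resp[512];
    size_t rec_len = stage(mem, sizeof mem, 200);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp) == 0;
}

/* 1 if the fixed handler still echoes an honest request (claimed == actual). */
int fixed_answers_valid(void)
{
    uint8_t mem[1024], resp[512];
    size_t rec_len = stage(mem, sizeof mem, 3);
    size_t n = heartbeat_fixed(mem, rec_len, resp, sizeof resp);
    return n == 3 + 3 + HB_PADDING && resp[0] == HB_RESPONSE
        && memcmp(resp + 3, "hat", 3) == 0 && !contains(resp, n, "hunter2");
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler drops oversized request: %s\n", fixed_rejects_oversized() ? "yes" : "no");
    printf("fixed handler echoes valid request: %s\n", fixed_answers_valid() ? "yes" : "no");
    return 0;
}
```

The real attack works the same way at scale: a claimed length of up to 64 KiB per request, sent repeatedly, returns whatever happens to sit after the record buffer in the process heap, which is why the "random numbers your computer generates" (session keys, cookies, even private key material) were at risk, and why the fix is a single comparison of the claimed length against the received record.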


#8, RE: Heartbleeed?
Posted by Terminus Est on Apr-13-14 at 12:42 PM
In response to message #7
I must admit, I'm no programmer - about the best I can lay claim to is some mucking about with object-oriented stuff in a MU* a couple times. So I kind of thought it probably *was* an oversimplification, but hey, it works for me as a general layperson. :)

#9, RE: Heartbleeed?
Posted by Senji on Apr-13-14 at 10:01 PM
In response to message #7
>There's a LOT of software that's in extremely widespread use that has
>the potential to contain bugs this severe due to very similar
>circumstances.

It's not just open/free software either; you see a lot of similar bugs in commercial software, where you don't realise there aren't many devs working on stuff.

>Things like browsers and word processors--the stuff people use--is
>sexy. Things like crypto libraries and the other stuff "under the
>hood" that people don't directly use? Not a lot of attention there.

Sadly being sexy doesn't really help them, because most of the sexy-attention goes into new features and bling, and tends to leave the important core code looking like a pile of spaghetti left by ADHD monkeys as people poke it to put their new thing in.

In general software maintenance and checking is not interesting to most people.

S.

(who loves breaking software)


#10, RE: Heartbleeed?
Posted by laudre on Apr-14-14 at 07:48 AM
In response to message #9
>In general software maintenance and checking is not interesting to
>most people.

Well, to be fair, there's a reason for that.


"Mathematics brought rigor to economics. Unfortunately, it also brought mortis."
- Kenneth Boulding


#11, RE: Heartbleeed?
Posted by MuninsFire on Apr-14-14 at 09:14 AM
In response to message #9
Yes, you're entirely correct--nonfree, nonopen software will have just as many bugs, but users will be at the mercy of a single entity to get it fixed, which entity may or may not prioritize security-related bugfixes (and, in some cases, will send the cops after people who report those kind of bugs) and who may demand you upgrade to the 'new version' after paying 'em.

And you are correct also about the nature of the non-fun-parts code, though that's less a concern in non-security-critical infrastructure and may occasionally benefit from professional-quality rewrites and audits.

And this would be why I have, up until very recently, stayed as far from dev work as possible: ops for life! ;-P