Categories
Aside Links

Four weeks on, huge swaths of the Internet remain vulnerable to Heartbleed

Four weeks on, huge swaths of the Internet remain vulnerable to Heartbleed:

With the media off (most) companies’ backs there’s just no way/reason that these remaining companies are going to patch the heartbleed vulnerability. One can only hope that civil suits are launched against these remaining companies to show via the market that patching is a requirement for contemporary digitally-enabled businesses.
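To make "still vulnerable" concrete, here is an added Python model (not code from the original post and not OpenSSL's own source) of the heartbeat bug that a scanner probes for: the request format is from RFC 6520, the discard check mirrors the one added in OpenSSL 1.0.1g, and the process memory, the "secret" sitting next to the record and the 5-byte probe payload are all constructed for the example.

```python
"""Heartbleed probe and a model of the OpenSSL bug (added example, constructed data)."""
import struct
from typing import Optional

TLS_HEARTBEAT = 24          # TLS record content type for heartbeat (RFC 6520)
TLS_VERSION = b"\x03\x02"   # TLS 1.1; the bug does not depend on the version
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16            # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """TLS record carrying a HeartbeatRequest. The probe lies: claimed_len goes
    into the payload_length field but only len(payload) bytes actually follow."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def handle_heartbeat(memory: bytes, rrec_offset: int, patched: bool) -> Optional[bytes]:
    """Model of OpenSSL's tls1_process_heartbeat. `memory` is a constructed image
    of process memory with the received record at rrec_offset; the server answers
    from it the way the C code answers from its heap buffer."""
    _ctype, _version, rrec_len = struct.unpack_from("!B2sH", memory, rrec_offset)
    p = rrec_offset + 5                         # first byte of the heartbeat message
    if patched and 1 + 2 + PADDING_LEN > rrec_len:
        return None                             # 1.0.1g: silently discard
    hbtype = memory[p]
    (payload_len,) = struct.unpack_from("!H", memory, p + 1)
    if patched and 1 + 2 + payload_len + PADDING_LEN > rrec_len:
        return None                             # 1.0.1g: claimed payload must fit the record
    if hbtype != HB_REQUEST:
        return None
    # The bug: payload_len bytes are copied out of the request buffer whether or
    # not the peer sent that many, so the reply carries whatever follows the
    # record in memory.
    echoed = memory[p + 3 : p + 3 + payload_len]
    body = struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN
    return struct.pack("!B2sH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def leaked_bytes(response: Optional[bytes], sent_payload: bytes) -> bytes:
    """Scanner verdict: everything the server echoed beyond what we sent.
    An empty result means the host did not over-read (or did not answer)."""
    if response is None or len(response) < 8:
        return b""
    ctype, _version, _rlen = struct.unpack_from("!B2sH", response, 0)
    hbtype, payload_len = struct.unpack_from("!BH", response, 5)
    if ctype != TLS_HEARTBEAT or hbtype != HB_RESPONSE:
        return b""
    echoed = response[8 : 8 + payload_len]
    if not echoed.startswith(sent_payload):
        return b""
    return echoed[len(sent_payload):]


# Constructed heap image: our probe, a little slack, then data that merely
# happens to sit next to it (a stand-in for a key or a session cookie).
SECRET = b"-----BEGIN RSA PRIVATE KEY-----"
PROBE = build_heartbeat_request(b"hello", claimed_len=0x0100)
MEMORY = PROBE + b"\x00" * 32 + SECRET + b"\x00" * 512


def scan(patched: bool) -> bytes:
    """Run the probe against the modelled server and return what leaked."""
    return leaked_bytes(handle_heartbeat(MEMORY, 0, patched), b"hello")


if __name__ == "__main__":
    print("unpatched server leaks the secret:", SECRET in scan(patched=False))
    print("patched server leaks anything:", scan(patched=True) != b"")
```

The same patched server still answers an honest heartbeat whose claimed length matches the bytes sent, which is why the fix could ship without breaking the extension; the only change is that the claimed length must fit inside the record that actually arrived.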


Surveillance Debate Tickets

Stage tickets for tomorrow’s surveillance debate!


2014.4.28

Students who acquire large debts putting themselves through school are unlikely to think about changing society. When you trap people in a system of debt, they can’t afford the time to think.

Noam Chomsky (via zeitgeistrama)

Post-secondary education is neither necessary nor sufficient to change society. Those of us with degrees need to stop acting like university uniquely equips us to improve or transform the institutions in which we operate. On average, we’re less indebted and more able to pay off that debt as a share of our income than those without degrees, so I’d suggest their debt loads are more of an urgent problem.

(via jakke)

I think that the problem is less “time to think” than “time to act.” If you believe that highly educated people can bring useful skills to bear on pressing problems, but that there are often minimal financial resources to pay educated workers to bring those skills to bear, then debt loads may preclude spending time focusing on those particular problems. In effect, if you can’t pay people to do the work then the socially-pressing work may not be done by those best suited to do it.

To contextualize: when I finished my degree there was a minimum amount of income I had to make to service my debt loads while simultaneously surviving in whatever city I ended up living in. That minimum income immediately meant that a series of jobs that would have been politically and intellectually engaging had to be set aside on the basis of insufficient monetary remuneration. It’s this kind of issue that Chomsky is getting at.


Ethical hackers say government regulations put information at risk

Ethical hackers say government regulations put information at risk:

The chilling effect on vulnerability disclosure stems from the potential legal liability of reporting vulnerabilities to software vendors. While it’s often (though not always) the case that technical staff understand the problems and may work to mitigate them, things can go to hell pretty quickly once non-technical staff such as legal or public relations get involved.

In effect, the incentive model for White Hats to come forward to help the commons of software users breaks down incredibly quickly in the face of harsh penalties for individuals ‘breaking digital locks’ or found to violate terms of service, penalties that corporate vendors can (and do) leverage in order to maintain their public reputations.


Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA

Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA:

It’s certainly interesting (and newsworthy) that Canada is buying cryptographically-secure systems from the NSA, though not necessarily surprising: the NSA is recognized as a leader in this technical space and has economies of scale that could reduce the cost of the equipment. There isn’t, however, any indication whether CSEC examines or tests the devices for backdoors. Presuming that the math hasn’t been compromised, and that the phones and faxes aren’t being compromised by our close ally, then there are presumably (relatively) few worries with the Canadian procurement strategy and lots of benefits.


Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL

Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL:

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.

That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.

To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.

This is really excellent news: the large companies and organizations that rely on open-source critical infrastructure projects need to (ideally) contribute back through either code contributions or financial support. Hopefully we’ll see not just money but efforts to improve and develop the code of these projects, projects that are often the hidden veins enabling contemporary Internet experiences.


How Heartbleed transformed HTTPS security into the stuff of absurdist theater

I think the link between absurdist theatre and SSL certificate revocation checking is (a bit) tenuous, but nevertheless Dan Goodin’s article over at Ars Technica does a good job of describing (in less technical language than Adam Langley’s post) why having your browser check for revoked SSL certificates really isn’t all that effective.


Google is researching ways to make encryption easier to use in Gmail

Google is researching ways to make encryption easier to use in Gmail:

If Google is actually going to throw engineers and designers (most important: lots, and lots, and lots of UI and UX designers!) at improving the basic usability of PGP, that would be incredible. However, given people’s suspicion of the company after the NSA disclosures, I have to wonder whether any public offering from Google will be regarded as some kind of a trojan horse by some civil liberties groups and the cynical public alike.


Outrageous cost estimates for open records requests

Some real gems in that post. Highly recommended if you want to understand why researchers/journalists complain vociferously about the hell of FOIA/ATIP laws.


Heartbleed Internet Security Flaw Used in Attack

It’s a statement from Mandiant and so some mindfulness should be taken when reading their comments. (The same is true when parsing statements from other for-profit security companies.) Still, that Heartbleed is not only weaponized (that happened almost immediately after it was integrated into Metasploit) but is showing up in the wild prominently enough to warrant a response from Mandiant demonstrates why Heartbleed is going to be a problem for years going forward. For a good, if technical, discussion of why the hurt is just going to continue (like all things that involve breaking SSL…) see Adam Langley’s recent post titled “No, Don’t Enable Revocation Checking.”

Also: even if you don’t read Adam’s post you can follow the lesson he provides in its title. If, in the aftermath of the Heartbleed vulnerability, you enabled revocation checking in Chrome, then disable it, ASAP.

Source: Heartbleed Internet Security Flaw Used in Attack
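Why the title is the lesson: the argument in Langley’s post (and in Goodin’s article linked above) is that a browser’s default “soft-fail” check accepts the certificate whenever the OCSP query goes unanswered, and an attacker who holds a key stolen via Heartbleed and sits in the path can simply drop that query. The Python model below is an added example, not code from the original posts or from any browser; the serial number, the hour-based clock, the seven-day response validity and the scenarios are all constructed, and it deliberately goes one step further than the text by showing that even “hard-fail” and stapling leave a window as long as a cached “good” response is still within its validity period.

```python
"""Model of browser revocation checking against a stolen-key man-in-the-middle.
Added example with constructed data; not real OCSP, not real browser code."""
from dataclasses import dataclass
from typing import Optional

OCSP_VALIDITY_HOURS = 7 * 24  # assumption: responses stay valid for days, as is common
SERIAL = 0x1234               # constructed serial number of the leaked certificate


@dataclass(frozen=True)
class OcspResponse:
    serial: int
    status: str       # "good" or "revoked"
    this_update: int  # hours on a constructed clock
    next_update: int


@dataclass
class Scenario:
    revoked_at: Optional[int] = None          # hour the CA revoked SERIAL (None = never)
    ocsp_blocked: bool = False                # attacker (or an outage) drops the client's OCSP query
    replayed: Optional[OcspResponse] = None   # attacker answers the query with a cached response


def ca_sign(serial: int, now: int, sc: Scenario) -> OcspResponse:
    """What the CA's responder would sign at hour `now`."""
    revoked = sc.revoked_at is not None and now >= sc.revoked_at
    return OcspResponse(serial, "revoked" if revoked else "good", now, now + OCSP_VALIDITY_HOURS)


def is_fresh(r: Optional[OcspResponse], serial: int, now: int) -> bool:
    """A response counts only if it is for this cert and inside its validity window."""
    return r is not None and r.serial == serial and r.this_update <= now < r.next_update


def client_accepts(policy: str, sc: Scenario, now: int,
                   stapled: Optional[OcspResponse] = None) -> bool:
    """policy is 'soft-fail' (the browser default), 'hard-fail' or 'must-staple'.
    Returns whether the client goes ahead with the connection."""
    if policy == "must-staple":
        # The certificate demands a stapled response; nothing else is consulted.
        return is_fresh(stapled, SERIAL, now) and stapled.status == "good"
    resp = stapled if is_fresh(stapled, SERIAL, now) else None
    if resp is None:
        # Ask the CA. A man-in-the-middle can drop the query or answer it himself.
        if sc.replayed is not None:
            resp = sc.replayed
        elif not sc.ocsp_blocked:
            resp = ca_sign(SERIAL, now, sc)
    if not is_fresh(resp, SERIAL, now):
        return policy == "soft-fail"   # no usable answer: soft-fail carries on regardless
    return resp.status == "good"


# Constructed scenarios. The key leaked, the CA revoked the cert at hour 24,
# and the attacker impersonates the site at hour 48 while blocking OCSP.
STOLEN_KEY = Scenario(revoked_at=24, ocsp_blocked=True)
# A legitimate site whose CA responder is merely unreachable.
OUTAGE = Scenario(ocsp_blocked=True)
# The attacker kept a "good" response the CA signed at hour 0, before revocation.
CACHED_GOOD = ca_sign(SERIAL, 0, Scenario(revoked_at=24))
REPLAY = Scenario(revoked_at=24, ocsp_blocked=True, replayed=CACHED_GOOD)


if __name__ == "__main__":
    print("soft-fail, stolen key, OCSP blocked:", client_accepts("soft-fail", STOLEN_KEY, 48))
    print("hard-fail, stolen key, OCSP blocked:", client_accepts("hard-fail", STOLEN_KEY, 48))
    print("hard-fail, honest site, OCSP outage:", client_accepts("hard-fail", OUTAGE, 48))
    print("hard-fail, replayed good response, hour 48:", client_accepts("hard-fail", REPLAY, 48))
    print("hard-fail, replayed good response, hour 200:", client_accepts("hard-fail", REPLAY, 200))
    print("must-staple, stapled old response, hour 48:",
          client_accepts("must-staple", REPLAY, 48, stapled=CACHED_GOOD))
```

Soft-fail accepts the impersonated site outright, which is the point of the post. Hard-fail rejects it, but also rejects the honest site during a responder outage, and it still accepts the attacker for as long as the pre-revocation “good” response remains valid; shortening that validity window (or, in Chrome’s case, pushing known revocations to clients out of band) is what narrows the gap, not turning the online check on.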