The Human Side of Heartbleed


The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere.

It was a software insecurity, but the problem was entirely human.

Software has vulnerabilities because it’s written by people, and people make mistakes — thousands of mistakes. This particular mistake was made in 2011 by a German graduate student who was one of the unpaid volunteers working on a piece of software called OpenSSL. The update was approved by a British consultant.

In retrospect, the mistake should have been obvious, and it’s amazing that no one caught it. But even though thousands of large companies around the world used this critical piece of software for free, no one took the time to review the code after its release.

The mistake was discovered around March 21, 2014, and was reported on April 1 by Neel Mehta of Google’s security team, who quickly realized how potentially devastating it was. Two days later, in an odd coincidence, researchers at a security company called Codenomicon independently discovered it.

When a researcher discovers a major vulnerability in a widely used piece of software, he generally discloses it responsibly. Why? As soon as a vulnerability becomes public, criminals will start using it to hack systems, steal identities, and generally create mayhem, so we have to work together to fix the vulnerability quickly after it’s announced.

The researchers alerted some of the larger companies quietly so that they could fix their systems before the public announcement. (Who to tell early is another very human problem: If you tell too few, you’re not really helping, but if you tell too many, the secret could get out.) Then Codenomicon announced the vulnerability.

One of the biggest problems we face in the security community is how to communicate these sorts of vulnerabilities. The story is technical, and people often don’t know how to react to the risk. In this case, the Codenomicon researchers did well. They created a public website explaining (in simple terms) the vulnerability and how to fix it, and they created a logo — a red bleeding heart — that every news outlet used for coverage of the story.

The first week of coverage varied widely, as some people panicked and others downplayed the threat. This wasn’t surprising: There was a lot of uncertainty about the risk, and it wasn’t immediately obvious how disastrous the vulnerability actually was.

The major Internet companies were quick to patch vulnerable systems. Individuals were less likely to update their passwords, but by and large, that was OK.

True to form, hackers started exploiting the vulnerability within minutes of the announcement. We assume that governments also exploited the vulnerability while they could. I’m sure the U.S. National Security Agency had advance warning.

By now, it’s largely over. There are still lots of unpatched systems out there. (Many of them are embedded hardware systems that can’t be patched.) The risk of attack is still there, but minimal. In the end, the actual damage was also minimal, although the expense of restoring security was great.

The question that remains is this: What should we expect in the future — are there more Heartbleeds out there?

Yes. Yes there are. The software we use contains thousands of mistakes — many of them security vulnerabilities. Lots of people are looking for these vulnerabilities: Researchers are looking for them. Criminals and hackers are looking for them. National intelligence agencies in the United States, the United Kingdom, China, Russia, and elsewhere are looking for them. The software vendors themselves are looking for them.

What happens when a vulnerability is found depends on who finds it. If the vendor finds it, it quietly fixes it. If a researcher finds it, he or she alerts the vendor and then reports it to the public. If a national intelligence agency finds the vulnerability, it either quietly uses it to spy on others or — if we’re lucky — alerts the vendor. If criminals and hackers find it, they use it until a security company notices and alerts the vendor, and then it gets fixed — usually within a month.

Heartbleed was unique because there was no single fix. The software had to be updated, and then websites had to regenerate their encryption keys and get new public-key certificates. After that, people had to update their passwords. This multi-stage process had to take place publicly, which is why the announcement happened the way it did.

Yes, it’ll happen again. But most of the time, it’ll be easier to deal with than this.

This essay previously appeared on The Mark News.

“Where did this idea come from— that if you raise the minimum wage, there’ll be an economic disaster?…”

“Where did this idea come from— that if you raise the minimum wage, there’ll be an economic disaster? That if you give poor people money they’ll just hoard it, that the money just disappears into a black hole and everybody stops hiring and unemployment soars because it’s too expensive to hire people…?
You know what happens when you give poor people a bigger cash flow?
Suddenly we’re not living paycheck to paycheck. We don’t have to choose between paying the electric bill and the groceries, we can actually cover both. Suddenly we’re not nervously eyeballing the first of the month, because covering rent is no big deal.
We get that funny noise in the car engine fixed even if it’s several hundred dollars, instead of just putting up with the knocking and driving to work with our teeth gritted and fingers crossed every day waiting for the car to just up and die (and then end up spending several thousand on a new used car— being poor can actually be very expensive). We get the house’s leaky windows patched up and hey, the heating bill just went down, look at that. We’re less tempted to rack up debt on credit cards buying— not luxuries, but essential things like food or medicine.
We’ll pay for nannies and babysitters for our kids so we can show up to work that job flipping your burgers. We’ll pay for after-school programs and extracurricular activities so our kids are happy, socialized, and well-rounded.
We’ll funnel that money into more books, movie tickets, weekend getaways, art supplies, a hobby vegetable garden, community involvement, whatever— things that enrich our lives and take away the stress of the working day, because we’re no longer sinking all our time and energy into two or three jobs just to scrape up enough to make the most meager of ends meet. We’ll buy gifts for our loved ones on holidays. We’ll go out to eat more, shop for clothes more— patronizing the businesses that hire minimum wage workers. (How ‘bout that.)
We might put some money in a savings account, yes, but eventually spend it— on major purchases like college or a house, or spend it when retirement rolls around. But by and large all that extra money gets fed right back into the local economy— by workers who are more likely to be happy, less likely to be stressed and exhausted.
I’m not saying having more income will magically fix all problems min-wage workers have. But it will take care of the biggest ones, and enable us to take care of many more.
And you can be damn sure if you give us more income the one thing we won’t be doing with it is hiding it in a mattress and never spending it.
Rich people do that.”

Wear Many Hats: Minimum wage, maximum use (via miranoire)


Starlings


I was watching this video and was wondering: How many birds there would need to be for gravity to take over and force them into a gargantuan ball of birds?

—Justin Basinger

The video shows starlings, birds which …
  • gather in giant flocks of sometimes more than a million animals
  • can talk
  • sound like R2-D2, though not as much as bobolinks do
The gravitational force between adjacent starlings is small. If two birds were flying half a meter apart and tried to go perfectly straight, they would fly for over a thousand kilometers before the gravitational force between them finally steered them into colliding.

Side note: The following is the first sentence from a journal article on starling metabolism:

We trained two starlings (Sturnus vulgaris) to fly in a wind tunnel whilst wearing respirometry masks.

I really think the paper should have stopped there; no matter what their results were, they can’t possibly improve on the achievement they opened with. Anyway, back to gravity.

To calculate the gravitational force from a whole flock of starlings, we need to know the flock’s density. Conveniently, a 2008 paper in Animal Behaviour gathered some detailed statistics on starling flocks. The highest density they saw was about half a starling per cubic meter.[1] If the birds weigh about 85 grams each, that means the air in a starling flock weighs 25 times more than the starlings themselves.[2] This makes a certain intuitive sense. If they were that much heavier than the air between them, it’s hard to imagine how they’d be able to stay airborne by pushing off of it with their wings. This means that the air’s gravity is 25 times stronger than the starling cloud’s gravity, and it’s the air’s gravity that will dominate the collapse.

The collapse of giant clouds of gas or birds is governed by the equation for the Jeans instability. It suggests that a cloud of uniform room-temperature air full of starlings would have to be much larger than the Earth in order to collapse. The gas cloud’s gravity would be very weak, so the starlings would probably have a hard time flying until they got used to it. (Birds can fly in zero g—or, at least, they flap around in confusion. But, to be fair, that’s how I’d react if I were abruptly and without warning yanked from my bed and tossed into the air in a zero g airplane cabin.)

Such a cloud wouldn’t form in the first place without some outside compression. To collapse naturally under its own gravity, the starling cloud would need to be so large that it would engulf the Solar System. When it did collapse, it would heat up, and the starlings …

… would become a star.

[1] 0.54 starlings/m³

FCC Website Hobbled By Comment Trolls Incited By Comedian John Oliver

An anonymous reader writes “In a recent segment of his new HBO show, Last Week Tonight, comedian John Oliver delivered a commentary (video) on the current net neutrality debate. He ended the segment by calling on all internet comment trolls to take advantage of the FCC’s open comments section on the topic. ‘We need you to get out there and for once in your lives focus your indiscriminate rage in a useful direction,’ he said. ‘Seize your moment, my lovely trolls, turn on caps lock, and fly my pretties! Fly! Fly! Fly!’ While the true impact of John Oliver’s editorial cannot be confirmed, the FCC nevertheless tweeted shortly after it aired that its website was experiencing technical difficulties due to heavy traffic. They accept comments via email as well at openinternet@fcc.gov.”

Read more of this story at Slashdot.


Gallery: Froome, Cavendish ride Tour de France cobble stage


Photo gallery (captions; photos by Tim De Waele):

  • Cycling: Training Tour de France stage 5 / Team Sky: The Tour de France will hit nine pavé sectors in stage 5, running from Ypres to Arenberg Porte du Hainaut. GC contenders like Chris Froome (Sky) are unlikely to win the Tour that day, but they could certainly lose it. Both Sky and Omega Pharma-Quickstep hit the stones on Monday for a bit of recon.
  • Cycling: Training Tour de France stage 5 / Team OPQS: Mark Cavendish (Omega Pharma-Quickstep) on the cobbles.
  • Cycling: Training Tour de France stage 5 / Team Sky: Richie Porte (Sky) will be a key lieutenant for Chris Froome in July.
  • Cycling: Training Tour de France stage 5 / Team Sky: Geraint Thomas proved his worth on the pavé of northern France this spring, finishing in 7th at Paris-Roubaix.
  • Cycling: Training Tour de France stage 5 / Team OPQS: Michal Kwiatkowski (Omega Pharma-Quickstep) in the Arenberg forest.
  • Cycling: Training Tour de France stage 5 / Team OPQS: Kwiatkowski and Cavendish on the stones.
  • Cycling: Training Tour de France stage 5 / Team OPQS: And the crowd goes wild.
  • Cycling: Training Tour de France stage 5 / Team OPQS: Michal Kwiatkowski will have some serious muscle to keep him safe on the cobbles, including this year's Paris-Roubaix winner Niki Terpstra and strongman Gert Steegmans.
  • Cycling: Training Tour de France stage 5 / Team Sky: Porte isn't exactly built for the cobbles, but he'll have to stay up front to help team leader Chris Froome.
  • Cycling: Training Tour de France stage 5 / Team OPQS: Mark Cavendish will look to hang on through the cobbles and sprint to victory. But with the final sector, Wallers, coming just 6km from the finish line, that could be a tough ask.
  • Cycling: Training Tour de France stage 5 / Team OPQS: The Arenberg forest is a bit greener in June than it is in April.
  • Cycling: Training Tour de France stage 5 / Team Sky: Enough cobbles for Froome and Steegmans; the path is much nicer.
  • Cycling: Training Tour de France stage 5 / Team OPQS: The Hell of the North just wouldn't have the same cachet if it was run in June with flowers all over the place.

The post Gallery: Froome, Cavendish ride Tour de France cobble stage appeared first on VeloNews.com.