
QRZ and the Heartbleed Bug

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 12, 2014.

Thread Status:
Not open for further replies.
  1. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    If you watch the news you've probably heard a bunch of talk recently about the so-called Heartbleed bug. The Heartbleed bug was a programming mistake that made its way into mainstream security encryption programs about two years ago. Contrary to what some people are saying, it's not a virus, not a trojan, not malware, none of the above. Instead, it's a previously unknown vulnerability in system software that until now has gone undetected.

    Here's an analogy of how a software vulnerability works: Suppose there was a coke machine at work that everybody used on a daily basis without any problems whatsoever. It took your money and delivered drinks as it should. Then, one day, someone discovers that if you press the Coke button three times, the Dr Pepper button once, and the Sprite button five times, the machine would then give you anything you wanted, for free. Before yesterday, nobody knew that a special sequence of buttons would do this, not even the original programmer of the machine because it wasn't intentional, it was a bug, a programming mistake.

    That describes how the Heartbleed bug came to be. QRZ was notified of the bug yesterday and we immediately applied all of the latest patches on the system. These security patches included new software, and new SSL Encryption Certificates. Everything went smoothly, and so our system now no longer contains the bug.

    The heartbleed bug was on nearly every system on the internet. Yahoo, Google, you name them, they all had the bug. QRZ was lucky because we only had to patch 4 machines. Some of the bigger firms have thousands of machines to patch and some of them aren't finished yet.

    There is no evidence that anyone actually used the Heartbleed vulnerability to gain unauthorized access to QRZ or to our user accounts. None. Frankly, internet criminals who might have used this trap door would probably go after much more popular and rewarding targets than QRZ.

    To be on the safe side, however, everybody should change their passwords NOW. Heartbleed made it possible for criminals to get passwords and we don't know if they got any of ours. Your password could have been compromised on some other site too. It's always a good time to change passwords and you should do it today.

    The following cartoon talks about what makes a password really hard for a computer to guess. It's probably not what you think. The cartoon speaks of entropy. Entropy is "randomness" and the more entropy a password has, the more difficult it is for a computer to guess. Ideally, you want a password that would take even a fast computer several, if not hundreds of years to guess at random.

    Here's the cartoon:

    password_strength.jpg

    73, -fred
     
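    The entropy arithmetic behind the cartoon, as an added example (this code is not part of the original post and not from xkcd). It models the two password styles the cartoon compares, a dictionary word with predictable tweaks versus several random words, plus a random character string, and turns each entropy figure into an expected guessing time. The 1000-guesses-per-second rate, the 65536-word dictionary and the per-tweak alternative counts are constructed assumptions, labelled in the code.

```python
import math

# Constructed assumption: an online guessing rate of 1000 guesses per second,
# the figure the xkcd "Password Strength" cartoon uses for its estimates.
ONLINE_GUESSES_PER_SECOND = 1_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def uniform_entropy_bits(symbol_count, choices_per_symbol):
    """Entropy of a secret made of `symbol_count` symbols, each chosen
    uniformly and independently from `choices_per_symbol` candidates.
    Covers both random character strings (symbol = character) and
    passphrases (symbol = word drawn at random from a wordlist)."""
    return symbol_count * math.log2(choices_per_symbol)


def tweaked_word_entropy_bits(dictionary_size, tweak_choices):
    """Entropy of a dictionary word decorated with predictable tweaks
    (capitalisation, letter-for-digit substitutions, an appended symbol
    and digit, their order). A guesser only has to try each tweak's
    alternatives, so each tweak adds just log2(number of alternatives)."""
    bits = math.log2(dictionary_size)
    for choices in tweak_choices:
        bits += math.log2(choices)
    return bits


def expected_guess_years(entropy_bits, guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    """Expected time to hit a uniformly random secret of `entropy_bits` bits:
    on average half of the 2**entropy_bits possibilities must be tried."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes(guesses_per_second=ONLINE_GUESSES_PER_SECOND):
    """Entropy and expected guessing time for three password schemes."""
    schemes = {
        # "Tr0ub4dor&3" style: a 65536-word dictionary (16 bits) plus tweaks.
        # Tweak alternative counts are constructed estimates: capitalise the
        # first letter or not (2), which common substitutions (8), which
        # symbol and where (16), which digit (8), symbol-before-digit or
        # digit-before-symbol (2).
        "dictionary word with tweaks": tweaked_word_entropy_bits(65536, [2, 8, 16, 8, 2]),
        # Four words chosen at random from a 2048-word list.
        "four random common words": uniform_entropy_bits(4, 2048),
        # Eight characters chosen at random from the 95 printable ASCII characters.
        "eight random printable characters": uniform_entropy_bits(8, 95),
    }
    return {
        name: {
            "bits": bits,
            "expected_years": expected_guess_years(bits, guesses_per_second),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, result in compare_schemes().items():
        print(f"{name:36s} {result['bits']:5.1f} bits  "
              f"~{result['expected_years'] * 365.25:12.1f} days to guess")
```

    Passing a larger `guesses_per_second` to `compare_schemes` (an offline cracking rig tries many orders of magnitude more) shifts every row by the same factor, which is the point of the cartoon: the ranking between schemes is set by the entropy, and the only lever a user controls is how many bits their password carries.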
  2. AG2AA

    AG2AA Ham Member QRZ Page

    xkcd.com is the best cartoon series. EVER.
     
  3. K1JNT

    K1JNT Ham Member QRZ Page

  4. W0AEW

    W0AEW Ham Member QRZ Page

    So, bottom line: no free sodas?
     
  5. SQ3TQM

    SQ3TQM Ham Member QRZ Page

    Good guidance is to change your password once you know the bug is fixed.
    73!
     
  6. NN5AA

    NN5AA Ham Member QRZ Page
    In software parlance, that is what is known as an "exploit". Here's a good link to an article on it:

    http://www.eweek.com/security/slide...=EWKNLEDP04112014A&dni=117348479&rni=24577201

    73, Vince -- NN5AA
     
    Last edited: Apr 13, 2014
  7. AF6LJ

    AF6LJ Ham Member QRZ Page

    Actually the Heartbleed bug was known about two years ago; I read a piece discussing the bug just short of eighteen months ago. Why it took so long to patch is another matter altogether.
    This IS a problem with open source: there is little to no quality control built into the system, and it can sometimes take years for bugs to get fixed.

    People who own and operate websites cannot be held accountable for stuff like this; it is hard enough to stay ahead of security issues, let alone to be put in the position of taking on faith that a piece of software is secure enough.
     
  8. KT1F

    KT1F Ham Member QRZ Page

    I've read a few articles about it, including threads on Reddit, Slashdot etc., and I have not seen anyone else suggest that.

    It was accidentally created about two years ago, but it was only discovered this month.

    I know there are all sorts of conspiracy theories but I think it's quite believable that it was an innocent bug. Buffer overflow is a classic problem in unmanaged code such as C.
     
  9. K5TRI

    K5TRI XML Subscriber QRZ Page

    Just like with comments in forums on the web.
     
  10. KF7PCL

    KF7PCL Ham Member QRZ Page

    There is plenty of commercial software with known bugs that take years to fix. No need to point the finger at open source software.
    You could always fix it if you are an experienced programmer...
     
  11. AF6LJ

    AF6LJ Ham Member QRZ Page

  12. LA3OUA

    LA3OUA Ham Member QRZ Page

    Here's the comic that explains how the exploit works (simplified, obviously).
     

  13. KA9JLM

    KA9JLM Ham Member QRZ Page

    It is kind of funny how an April Fools' joke has so many people jumping thru hoops.

    Check out the Red Moon, without using the Internet.
     
  14. AF6LJ

    AF6LJ Ham Member QRZ Page

    Actually I will be photographing the Blood Moon this evening, just like I did back in 2009, weather permitting....
    I've known about the Blood Moon since I was in elementary school.
    As for April Fools jokes, show me a link.
    The only Fools are those who don't believe how long this crap software has been on the net and how long hackers and governments have been taking advantage of the shoddy quality control of Open Source Software.
     
  15. AF6LJ

    AF6LJ Ham Member QRZ Page

    Simplified to the point of making for more confusion.
     
