Heartbleed


The Heartbleed vulnerability has been all over the news this past week. As usual, the media sometimes twists the facts, sometimes intentionally, other times inadvertently. For example, I’ve heard Heartbleed being called a virus, or being framed as something that was deliberately created to be malicious.  Also, from reading people’s comments on the online news articles and blog posts, it seems that many people don’t really understand what Heartbleed is or does.  From my point of view as a software developer, I would like to provide some information and resources that I believe are true and report the facts (but as I’m not an expert in the field of encryption/security, you may also want to take these with a grain of salt).

Heartbleed explained

Heartbleed is simply a software bug. Sure, there are bugs in nearly all, if not all, software out there (obviously we developers try not to introduce bugs, but we humans are unfortunately imperfect :( ), but what makes this particular bug newsworthy?

  1. This particular bug is a vulnerability: it lets an attacker read memory they should not have access to (up to 64 KB of the process’s memory per heartbeat request, and the request can be repeated as often as the attacker likes).
  2. The bug is in a library (OpenSSL) that is used by a large number of programs, which in turn run on a large number of computers worldwide.
  3. The vulnerable code shipped in OpenSSL 1.0.1 in March 2012, so the bug had been out in the wild for about two years before it was disclosed.
  4. Exploiting it leaves nothing in the application’s logs: a malformed heartbeat is handled inside the TLS layer, below anything a web server normally records.

I came across this XKCD comic last night. I think it’s a pretty simple way to understand what the Heartbleed vulnerability allows a malicious attacker to do.

Heartbleed Explanation - XKCD comic


The comic illustrates the case where the victim is the “server” and the attacker is the “client.”  This is the case most people are concerned with, since servers running the vulnerable software are easier to find and are likely to hold more “interesting” data in memory.  That data could be usernames and passwords, session cookies, credit card numbers, or the server’s private key, but it could equally be harmless data that happened to be in memory.  What the attacker gets depends entirely on what is lying in the memory next to the buffer holding the heartbeat request at that moment; each request returns a different slice, so an attacker simply keeps asking.

However, the vulnerability works in both directions if the software on the “client” side uses a vulnerable version of OpenSSL.  You could own a device or run a program on your computer that lets a maliciously programmed “server” read memory off your device using the same trick.  For example, Android 4.1.1 devices are susceptible to Heartbleed.

Although web servers are the targets most often mentioned, anything that speaks TLS through a vulnerable OpenSSL can be affected, including FTP servers (FTPS), mail servers (SMTP, IMAP and POP over TLS), and VPNs such as OpenVPN.

If you are interested in the nitty gritty details behind how the exploit works, CloudFlare has an article on the low-level details (just disregard the part where they say private keys are unlikely to be accessible: their own Heartbleed challenge was solved within hours, proving that a server’s private key can be extracted).  For higher level information on Heartbleed, the heartbleed.com site has very clear information and a nice FAQ.  Troy Hunt also has an informative FAQ about Heartbleed.
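To make the mechanism the comic illustrates concrete, here is an added example in C; it is not code from this post or from OpenSSL itself.  A heartbeat message is a type byte, a two-byte payload length and the payload, and the peer must echo the payload back.  The handler below is modelled on the shape of OpenSSL’s tls1_process_heartbeat(), but the flat 64-byte “process memory”, the SECRET string placed right after the record, and the helper names are all constructed for illustration.  With patched set to 0 the handler trusts the length the attacker wrote into the message, so memcpy copies 32 bytes even though only 8 arrived and the rest comes from whatever sits next to the record; with patched set to 1 it applies the bounds checks that OpenSSL 1.0.1g added and silently discards the message, while a well-formed heartbeat still gets its normal reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: a heartbeat message ends with >= 16 bytes of padding */
#define MEM_SIZE         64   /* size of the constructed "process memory" below */

/* Constructed secret that happens to sit in memory right after the record. */
static const char SECRET[] = "user=alice&pw=hunter2";

/* Attacker's message: 8 bytes really on the wire, payload_length field says 32.
 * Well-formed message: 2-byte payload plus 16 bytes of padding = 21 bytes. */
#define ATTACK_CLAIMED 32
#define ATTACK_RECLEN   8
#define HONEST_CLAIMED  2
#define HONEST_RECLEN  21

/* Lay out a heartbeat record at the start of `mem` and SECRET right after it.
 * `claimed` is the payload_length written into the message; `rec_len` is how
 * many bytes the TLS record layer really received. Payload/padding are 'x'. */
static void build_memory(uint8_t *mem, uint16_t claimed, size_t rec_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memset(mem + 3, 'x', rec_len - 3);
    memcpy(mem + rec_len, SECRET, strlen(SECRET));
}

/* Modelled on OpenSSL's tls1_process_heartbeat(): patched == 0 trusts the
 * payload_length from the wire (1.0.1 to 1.0.1f); patched == 1 adds the bounds
 * checks from 1.0.1g. Returns the response length, or -1 if discarded. */
static int process_heartbeat(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap, int patched) {
    const uint8_t *p = rec, *pl;
    uint8_t hbtype, *bp = out;
    uint16_t payload;
    size_t resp_len;

    if (patched && rec_len < 1 + 2 + HB_PADDING) return -1;  /* too short even for an empty payload */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]); /* n2s(): attacker-controlled length */
    p += 2;
    pl = p;                                   /* start of the payload to echo back */
    if (patched && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                            /* the missing check: claim exceeds the record */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;        /* protects only the *response* buffer */
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);          /* s2n(): echo the claimed length */
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);                  /* unpatched: reads `payload` bytes, past the record */
    memset(bp + payload, 0, HB_PADDING);      /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

static int respond(uint16_t claimed, size_t rec_len, int patched,
                   uint8_t *out, size_t out_cap) {
    uint8_t mem[MEM_SIZE];
    build_memory(mem, claimed, rec_len);
    return process_heartbeat(mem, rec_len, out, out_cap, patched);
}

/* Response length for the malicious record (-1 means discarded). */
int attack_response_len(int patched) {
    uint8_t out[128];
    return respond(ATTACK_CLAIMED, ATTACK_RECLEN, patched, out, sizeof out);
}

/* Response length for the well-formed record: the fix must not break it. */
int honest_response_len(int patched) {
    uint8_t out[128];
    return respond(HONEST_CLAIMED, HONEST_RECLEN, patched, out, sizeof out);
}

/* How many leading bytes of SECRET the unpatched handler echoes back. The echo
 * starts at out[3]; its first ATTACK_RECLEN - 3 bytes are the record's own 'x's,
 * everything after that was read from beyond the record's end. */
int leaked_secret_bytes(void) {
    uint8_t out[128];
    const uint8_t *spill = out + 3 + (ATTACK_RECLEN - 3);
    size_t i, n = strlen(SECRET);
    if (respond(ATTACK_CLAIMED, ATTACK_RECLEN, 0, out, sizeof out) < 0) return 0;
    for (i = 0; i < n && spill[i] == (uint8_t)SECRET[i]; i++)
        ;
    return (int)i;
}

int main(void) {
    uint8_t out[128];
    int n = respond(ATTACK_CLAIMED, ATTACK_RECLEN, 0, out, sizeof out);
    printf("unpatched: %d-byte response, echoed: %.*s\n", n, ATTACK_CLAIMED, (const char *)out + 3);
    printf("patched: attack -> %d, honest -> %d\n", attack_response_len(1), honest_response_len(1));
    return 0;
}
```

Unpatched, the 8-byte attack record produces a 51-byte reply (1 + 2 + 32 + 16) whose echoed payload is five ‘x’ characters followed by the whole SECRET string, which is exactly the “read past the end of the buffer” the comic shows.  Patched, the same record is dropped (-1) while the 21-byte honest record still gets its 21-byte reply, so the fix costs legitimate clients nothing.  Note that the size check on the response buffer in the unpatched path is no protection at all: it bounds where the bytes are written, not where they are read from.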

What to do about it

For end users

Since an attacker exploiting Heartbleed leaves no trace, and the bug had been exploitable for over two years, it is not possible to determine exactly what data has been compromised.  In addition, if a server’s private key was obtained through Heartbleed, even more data is at risk: an attacker who recorded past traffic can now decrypt it, unless those connections used forward secrecy (an ephemeral Diffie-Hellman key exchange), in which case the private key alone does not unlock old sessions.

So for end users, the precautionary recommendation is to change your passwords after the services that were affected have been patched (changing them before the patch just hands an attacker the new password).  Mashable has a running list of the status of popular web services that you can use to determine whether to change your password.  In case you use a service that isn’t listed there, you can check it yourself on Filippo Valsorda’s test site.  However, keep in mind that not only web services are affected.  There are recommendations not to log in to services that are still known to be vulnerable, because when you log in there is a chance that your credentials will be placed in memory, where they can be read.  In addition, ensure that all the software and operating systems you run are up to date.

For system administrators, developers and service providers

Obviously, ensuring that OpenSSL is up to date or patched is top priority.  The affected versions are OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 beta); the fix is in 1.0.1g, and the older 0.9.8 and 1.0.0 branches never had the bug.  Distributions often backport the fix without changing the version number, so check your vendor’s advisory rather than trusting the output of the openssl version command alone; if you cannot upgrade, rebuilding with -DOPENSSL_NO_HEARTBEATS removes the vulnerable code entirely.  Patching the library is not enough by itself: restart every process that still has the old library loaded, then assume the private key may have leaked and reissue your certificates and revoke the old ones, invalidate existing session cookies, and have users reset their passwords.  Troy Hunt provides some additional advice in his blog post.

Heartbleed and the goto fail and GnuTLS bugs

Heartbleed isn’t related to the Apple goto fail or the GnuTLS bug we’ve seen in the past couple of months.  Those two were flaws in certificate and signature verification, which made the affected clients susceptible to man-in-the-middle attacks: a malicious intruder could pretend to be the trusted service you’re communicating with and intercept messages between you and the service.  Heartbleed, on the other hand, is a memory-safety bug (a missing bounds check) that allows attackers to read parts of the computer’s memory that they should not have access to.

OpenSSL and open source projects

OpenSSL is an open-source project with eleven volunteer developers, maintaining one of, if not the, most widely used SSL/TLS libraries, probably on their own time.  I think they should be respected for taking on the heavy responsibilities of this project.

Open-source projects allow external developers to read the source code and even submit improvements and contributions.  Depending on the project, there are different procedures to getting contributions accepted, usually including a code review process where the core maintainers ensure that the contributions work as intended and meet the standards of the project (kind of like how a newspaper editor goes over the articles of his writers before they get published).  Since humans aren’t 100% perfect, bugs and mistakes unfortunately happen, as much as we try not to allow them.

While it is possible to commission security audits of software, for open-source projects that usually don’t generate any profit, it is difficult to come up with the money.  I remember when we got a security audit for MyBB, it was in the order of thousands of dollars.

Conclusion

There is a lot of information about the Heartbleed vulnerability on the news and media, and from reading the comments on many of the blog posts and news articles I have read, many people don’t really understand what Heartbleed is and its implications.  I hope that this article sheds a little bit of light on that, and provides more resources for those who want to dig a little deeper in understanding it.

The hello world hackathon project

This past week, the co-op students at A Thinking Ape participated in an internal hackathon where they had two days to develop something to show the rest of the company.

Among the games and tools that resulted, one project stood out to me: a hello world app.  Yes, a hello world app. (For those not in the software development field, “hello world” is usually the first output that developers code when trying out a new platform or language.)

It had a white background, black text that said “Hello World,” and a green button that was labeled, “I am a button.”  It was built using Microsoft’s latest platform that supports writing universal Windows apps that can be run on Windows phones, tablets, and desktop computers.

What stood out to me was the way he presented this simple app.  He described the app not as any other hello world app, but one with a button and that it was green!  As he went on, he told us that the green button was also “self aware,” because it was labeled describing itself as a button.

Then he went on to click the button.  The text that appeared below said, “You clicked the button,” or something to that effect.  He described this as being like predicting the future, but in reverse!

He finally proceeded to show us how it looked on a phone simulator.

By the end of it, many of us were quite entertained by the way this seemingly simple and ordinary project was described.  This presentation reminded me of the “reality distortion field” Steve Jobs had when he presented his keynotes (here’s one when Steve Jobs revealed Safari for Windows in 2007).

This example is to show that no matter what kind of product you have, the way you present it to people and the way you market it has a great effect on what the audience will feel and remember about the product.

Happy April Fool’s Day

Today I pranked people who surf my T-Comm site every day looking for “special sightings” of buses that are assigned to routes which they normally aren’t assigned.  I swapped buses around such as putting articulated (long) buses on regular routes, changing the types of buses on particular routes, etc.  It turns out that what caught more attention was the fact that my ‘backup’ buses in the D40LF and LFS range were being randomly assigned as cover for buses that were already swapped, rather than the actual swaps that I had intended.

Here are some screenshots of some of the swapped buses:

Some technical detail went into planning this since it was critical to also keep a copy of the actual bus assignments so that it could be put back after April Fools.  I came up with a short list of routes and buses to swap that wouldn’t completely break the rest of the system or make it completely obvious that the data was faked.  Then I created a separate copy of T-Comm on Sunday night and took a couple of hours to code the swapping modification.  Monday was the test day, which turned out to be very useful because there were a couple of glaring bugs.  Then overnight I swapped the two T-Comms and went to sleep.  By the time I woke up, I already had messages of confusion in my inbox :)  Was it worth the effort?  Yeah, I think so.  Lesson behind this?  There’s nothing like transit-fanning the traditional way of sighting buses in person.

Platform Signage at Granville SkyTrain Station

Comments on the new signage at SkyTrain stations

I was going through some of my photos and came across a set where I was comparing old and new signage on the SkyTrain.  Below is one example from Granville Station.  You can see the new sign in the foreground, with the existing sign further back.  What struck me is how complex the information is on the new sign.


Directional signage at Granville SkyTrain Station

The primary emphasis (judging from the size of the text) of the new platform signs is placed on the platform numbers, as opposed to the direction of travel as is in the old sign.  In fact, the direction of travel isn’t even on the new sign at all.

I remembered reading the following guideline some months ago from an old New York City Transit Authority Graphics Standards Manual circa 1970.

The subway rider should be given only information at the point of decision.  Never before.  Never after.

The decision to be made at the faregates is whether I want to cross the faregates or not.  The information about the direction of the platforms is presented too early to the rider.  The information that I’d expect to see above the faregates to help me with that decision would be something along the lines of “To Trains – Expo & Millennium Lines – Westbound to Downtown; Eastbound to Burnaby, New Westminster, Surrey“.  This indicates that there are trains behind the gates, which lines they run on, and where I could possibly go from here.  The information about the specific platforms doesn’t need to be shown at the point of the faregates.

After that, at the intersection where the old sign is, the rider can be shown information on the different platforms and destinations.  However, it would make more sense to me to emphasize the direction of travel and the destination instead of the platform number, especially since most stations only have two platforms.  Platform numbers are only useful for people following a trip plan, or if there are two or more lines at a station; they aren’t really useful in any other circumstance.

The effect of giving people information too early can also be seen on the signage at Burrard Station, depicted below.


New directional signage and fare gates at Burrard SkyTrain Station.  Notice the arrows pointing in a variety of directions.

There should actually be two decision points: one at the faregates, whether to enter or not, and a second one at the intersection of the corridors, to decide which train to take.  Since platform directions are given at the decision point of the faregates, the arrows pointing to the platforms go in all different directions.  The existing signs above the corridors to each of the platforms are at the correct decision point (whether to enter the corridor or not) to give platform information.

The guideline in the old NYCTA Graphic Standards manual makes a lot of sense to me now.  Putting relevant information only at the decision point makes signs less cluttered with information.

DennisTT.Net 10 years old

It’s hard to believe I’ve had this domain name for 10 years!

DennisTT.Net Domain Whois

Although I only got the domain in 2004, my first websites date back to 1999-2000 using services like Netscape Websites and Angelfire, when <blink>, <marquee> and animated GIFs were the craze.

I created this blog back in my high school days, before the time of Twitter (now most of my day-to-day spam is there instead… :P).  That was when I was in IB, started transit-fanning, and developed MyBB.  Over the decade, some things have changed, some things haven’t.  I’ve since graduated from university, become a more active Catholic, and am still a transit fan and code monkey.

Here are some posts from the past 10 years that I’ve found interesting after looking back:
