To all you folks out there who think being tortured and nailed to a cross to die and have your carcass being picked apart by scavengers constitutes a “good” day, Happy Good Friday to you. To everybody else (who doesn’t work weekends, anyway), hey, every Friday is good, right? This past week, I didn’t take Monday off. That turned out to be a dreadful mistake, so I have next Monday off. That makes today an even better than “good” Friday.
So, I mentioned a password manager the other day, and I’ve come across another one that may actually be better (and freer). It’s called LastPass and while I haven’t tried it, it looks like it has some good features (including, for instance, auditing your passwords for ones you’re re-using, and which sites may be affected by, for instance, Heartbleed). So it might be worth checking out. There’s a “premium” version you can upgrade to for $12 a month if you want to support them. As I said, I haven’t used it, but I may just give it a try.
Speaking of Heartbleed, I’ve had a chance to look into it and it doesn’t appear to be quite as horrible as it was originally made out to be. Bloomberg reported that two NSA “insiders” claimed that the agency knew about this bug in OpenSSL for two years and had been exploiting it.
This could be true (wouldn’t put it past them), but it seems like bullshit. For one thing, it’s kind of a crappy exploit. As I mentioned before, you can only get a random 64 Kb of server memory every time you “ping” a vulnerable server. This could, in theory, be a username and password if a user just happened to be logging in at that time, but it’s also just as likely to be a nugget of a web page or something.
This means that in order to get useful info, you’d either have to get lucky in a hurry or be constantly pinging the server and collecting the info. From what I’ve read, it is possible to use this exploit to obtain a server’s private key (that’s the thingie that can decrypt anything sent to it that’s been encrypted using the server’s public key – which is how this stuff works), but from what I’ve read it’s not a trivial thing to do.
Also, the guy who put this bit of code into the project (a Kraut, ironically enough, given that the Germans are some of the most pissed off folks at the US spying) has been identified and come forward and he says that he just failed to verify that a particular variable had a “realistic length” and the error slipped through and that the NSA had nothing to do with it.
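To make the “realistic length” point concrete, here is an added illustration (my own constructed C, not OpenSSL’s code and not anything from the post). A heartbeat-style record carries a two-byte claimed payload length followed by the payload. The unchecked handler trusts that claimed length and copies from whatever memory follows the record; the checked handler refuses any claimed length that does not fit inside the bytes that actually arrived. The record layout, the `ARENA` sample memory, and all function names are assumptions for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample of "server memory": a small heartbeat-style record
 * followed by unrelated data that should never leave the process. */
static const uint8_t ARENA[] =
    "\x00\x04" "ping"          /* record: claimed length 4, payload "ping" */
    "session=abc123;"          /* neighbouring memory (constructed) */
    "password=hunter2";        /* neighbouring memory (constructed) */
#define RECORD_LEN 6           /* 2 length bytes + 4 payload bytes actually received */

/* Unchecked handler: copies `claimed` bytes starting at the payload, running
 * past the record into whatever follows it. The arena_len clamp exists only
 * so this demo cannot itself read outside ARENA; a real server has no such guard. */
int reply_unchecked(const uint8_t *arena, size_t arena_len, uint8_t *out, size_t out_cap)
{
    size_t claimed = ((size_t)arena[0] << 8) | arena[1];
    if (claimed > out_cap) return -1;
    if (2 + claimed > arena_len) claimed = arena_len - 2;   /* demo guard only */
    memcpy(out, arena + 2, claimed);
    return (int)claimed;
}

/* Checked handler: the claimed length must fit within the bytes actually
 * received (record_len), which is the "realistic length" check. */
int reply_checked(const uint8_t *record, size_t record_len, uint8_t *out, size_t out_cap)
{
    if (record_len < 2) return -1;
    size_t claimed = ((size_t)record[0] << 8) | record[1];
    if (claimed > record_len - 2) return -1;   /* claimed more than arrived: drop it */
    if (claimed > out_cap) return -1;
    memcpy(out, record + 2, claimed);
    return (int)claimed;
}

/* Copies ARENA into scratch memory, overwrites the length field with `claimed`,
 * and runs the unchecked handler. Returns the number of bytes copied. */
int demo_unchecked(uint16_t claimed, uint8_t *out, size_t out_cap)
{
    uint8_t mem[sizeof ARENA];
    memcpy(mem, ARENA, sizeof ARENA);
    mem[0] = (uint8_t)(claimed >> 8);
    mem[1] = (uint8_t)claimed;
    return reply_unchecked(mem, sizeof ARENA, out, out_cap);
}

/* Same setup, but the checked handler is told only RECORD_LEN bytes arrived. */
int demo_checked(uint16_t claimed, uint8_t *out, size_t out_cap)
{
    uint8_t mem[sizeof ARENA];
    memcpy(mem, ARENA, sizeof ARENA);
    mem[0] = (uint8_t)(claimed >> 8);
    mem[1] = (uint8_t)claimed;
    return reply_checked(mem, RECORD_LEN, out, out_cap);
}

/* 1 if the unchecked reply to a record claiming `claimed` bytes carries the
 * neighbouring "password=" data, 0 otherwise. */
int unchecked_reply_contains_password(uint16_t claimed)
{
    uint8_t out[256] = {0};
    int n = demo_unchecked(claimed, out, sizeof out - 1);
    if (n < 0) return 0;
    out[n] = 0;
    return strstr((const char *)out, "password=") != NULL;
}

/* Bytes the checked handler returns for a record claiming `claimed` bytes, or -1. */
int checked_reply_len(uint16_t claimed)
{
    uint8_t out[256];
    return demo_checked(claimed, out, sizeof out);
}

int main(void)
{
    printf("unchecked, claimed 4:  leaks password? %d\n", unchecked_reply_contains_password(4));
    printf("unchecked, claimed 30: leaks password? %d\n", unchecked_reply_contains_password(30));
    printf("checked,   claimed 30: returned %d\n", checked_reply_len(30));
    printf("checked,   claimed 4:  returned %d\n", checked_reply_len(4));
    return 0;
}
```

The one-line difference between the two handlers is the comparison of the claimed length against `record_len`. With an honest record (claimed 4, four payload bytes present) both handlers behave identically; with an oversized claim the unchecked one copies neighbouring memory into the reply, while the checked one returns -1 and sends nothing.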
Having fucked up my share of code, I find that to be pretty believable. And given that this is all open source stuff done by volunteers, I really think the for-profit companies that make use of these freely available software libraries ought to spend some time and money on reviewing the code. Maybe they’ll do that now.
The other reassuring thing is that there’s been no evidence of anybody scanning the Internet over the past two years looking for vulnerable servers (one guy I was listening to the other day was saying that if you had a decent setup, you could scan the entire Internet in about 20 minutes). Of course, once this flaw was announced, the scanning commenced almost immediately.
So, anyhow, it seems as though most of us won’t get bit by this one, though it’s not a bad idea to go and change all your passwords (it’s not a bad idea to do that periodically anyway). And if you can enable two-factor authentication at a website (especially something like your bank or PayPal or whatever), you should do that even if it is kind of a pain in the ass.
Oh well, I guess it’s time to see about getting some work done. Have a good Friday.