
Friday, April 11, 2014

Heartbleed

In case you've been living in a hole for the last couple days, there's been a massive bug found in the open-source (free) server software that handles secure connections. For the lay-person, the software behind the padlock you see in your browser:
[screenshot: the padlock icon in the browser's address bar]

... had a bug that would happily offer up chunks of computer memory if someone sent it the right type of message over the network, with no record of having done it.
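To make that bug class concrete, here is an added illustration (not from the post, and not the real software): a tiny echo routine for a message that carries its own length field, with a constructed byte array standing in for the server's memory. The unchecked version hands back as many bytes as the header claims; the checked version refuses anything longer than what actually arrived.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for process memory: a 2-byte big-endian length
 * header, the 4 bytes that really arrived ("ping"), and then data that
 * belongs to someone else. The header is forged: it claims 20 bytes. */
static const unsigned char MEMORY[] =
    "\x00\x14" "ping" "SECRET-SESSION-COOKIE";
#define RECEIVED 6   /* header + payload actually read from the socket */

/* Bug pattern: trust the length inside the message, not the length received. */
static size_t echo_unchecked(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    (void)rec_len;                                 /* never consulted */
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;      /* guards only the output */
    memcpy(out, rec + 2, claimed);                 /* reads past the record */
    return claimed;
}

/* Fix: the claimed length must fit inside the bytes actually received. */
static long echo_checked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    if (rec_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2 || claimed > out_cap) return -1;
    memcpy(out, rec + 2, claimed);
    return (long)claimed;
}

/* Bytes beyond the 4 real payload bytes that the unchecked version hands back. */
size_t unchecked_overread(void) {
    unsigned char out[64];
    size_t n = echo_unchecked(MEMORY, RECEIVED, out, sizeof out);
    return n > 4 ? n - 4 : 0;
}

/* The checked version on the same forged record: -1 means rejected. */
long checked_forged(void) {
    unsigned char out[64];
    return echo_checked(MEMORY, RECEIVED, out, sizeof out);
}

/* The checked version on an honest record: echoes the 4 bytes that arrived. */
long checked_honest(void) {
    static const unsigned char honest[] = "\x00\x04" "ping";
    unsigned char out[64];
    return echo_checked(honest, 6, out, sizeof out);
}
```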

Here's XKCD's attempt at an explanation.

Some Q&A:

What does that mean to me?

We're not sure that anyone knew about this before it was found. Maybe NSA, maybe Chinese or Eastern Europeans, or internet crooks, or maybe nobody...

But if someone did know, in the best (most likely) case, they got very little if any of your info. In the worst case, they got your username and password and any other personal information from the websites (and other servers) you've logged into in the past 2 years.

How does this compare to past security bugs?

Catastrophic: 11 out of 10.

How will I know if they got my info?

This is the best question: nobody knows. Your best bet is to check your bank accounts to make sure there aren't any strange charges, check other accounts you log into to make sure there isn't any strange activity, then do the steps below.

Note: not all sites are affected, only the ones using the open-source version of the software (hurray for free and open source).

Is it fixed? What do I need to do?

Check the list of sites here, and reset passwords on any sites that are affected. My short list of sites using the affected software: Facebook-YES, Pinterest-YES, Apple-NO (yay), Amazon-NO (yay), Google-YES, Microsoft-NO, Yahoo-YES, Gmail-YES, Paypal/Target/Walmart-NO, Intuit/TurboTax-YES (doh!), most banks-NO, USAA-YES (doh!).

Then check your financial accounts to make sure there's nothing fishy going on. But you should be doing this regularly anyway (given that some e-commerce websites are zero-margin stores selling you cheap stuff just so they can get your credit card number to sell to crooks).

Oh, and be sure to use different passwords on different websites, and don't make them easily guessed. Apple's iCloud Keychain is a decent/free option for managing passwords for Mac users (though oddly it doesn't work with all websites, incl. Google). 1Password is a better option, but expensive (and I hate having to pay upgrade fees every year, feels like a subscription!).

So is the internet broken now? Should I stop trusting computers completely? Seems like we're always finding bugs like this...

No, the internet's not broken. But are people happy about this? Definitely not. We all hate changing passwords and not knowing who has what information about us.

What this means is that software isn't perfect, and memory bugs are pretty hard to recognize and track down. It may also mean that NSA is really sneaky about this kind of stuff, but the story sounds a little more innocent than that. On the plus side, anyone who knew about this is probably either chasing bank accounts much bigger than yours, or not interested in money...

But the same way armies learn where soldiers need more armor, the software-development communities learn how to better protect against not only this exploit, but this type of exploit, so I wouldn't expect us to have problems with these kinds of bugs for long. Coders are now looking for them, and stand to make a name for themselves finding them.

Hang in there, we'll get through this.

Tuesday, January 13, 2009

Password-less ssh logins

I'm not sure where else to post this, so I thought I might as well post it here.

We have a process for logging into a remote Mac or linux computer using ssh without a password. It looks something like this in the terminal:

Create a pair of rsa keys:
cd; mkdir -p .ssh; ssh-keygen -N '' -C '' -f .ssh/id_rsa
... then copy that .ssh folder to your home directory on the remote machine. Easy as pie.

But one of our users couldn't make it work. His .ssh folder contents and permissions were identical to the other users, but it still wouldn't work. We even tried copying another user's .ssh folder over and using that. Still no joy.

An obscure posting on some unix help website gave us the answer: his home directory was group-writable. Once we did a "chmod g-w ~" in his account, and rebuilt the .ssh folder (who knows why we had to do that), everything was back in business. SSH is notoriously particular about the permissions in the .ssh folder, but apparently it is just as particular about the user's home directory.
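The checks sshd applies (with its default StrictModes setting) to the home directory, the .ssh folder and authorized_keys are what tripped up the user above, so here is an added script, not from the post, that reports exactly those problems before you go hunting. It assumes a home directory path as its argument and a GNU or BSD/macOS stat.

```sh
#!/bin/sh
# Report the permission problems that make sshd (StrictModes yes) ignore a
# user's authorized_keys: a group/world-writable home directory or ~/.ssh,
# a group/world-writable authorized_keys, or a private key readable by others.

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# True if the group or other digit of the mode has the write bit (2,3,6,7).
writable_by_others() {
    m=$(mode_of "$1") || return 1
    tail=${m#"${m%??}"}             # last two octal digits: group, other
    case "$tail" in
        [2367]?|?[2367]) return 0 ;;
    esac
    return 1
}

# True if the group or other digit of the mode has the read bit (4,5,6,7).
readable_by_others() {
    m=$(mode_of "$1") || return 1
    tail=${m#"${m%??}"}
    case "$tail" in
        [4567]?|?[4567]) return 0 ;;
    esac
    return 1
}

# check_ssh_perms HOME_DIR: prints each offending path, returns 1 if any.
check_ssh_perms() {
    home=$1; rc=0
    if writable_by_others "$home"; then
        echo "home directory is group/world-writable (chmod g-w,o-w): $home"; rc=1
    fi
    if [ -d "$home/.ssh" ] && writable_by_others "$home/.ssh"; then
        echo ".ssh is group/world-writable (chmod 700): $home/.ssh"; rc=1
    fi
    if [ -f "$home/.ssh/authorized_keys" ] && writable_by_others "$home/.ssh/authorized_keys"; then
        echo "authorized_keys is group/world-writable (chmod 600): $home/.ssh/authorized_keys"; rc=1
    fi
    if [ -f "$home/.ssh/id_rsa" ] && readable_by_others "$home/.ssh/id_rsa"; then
        echo "private key is readable by others (chmod 600): $home/.ssh/id_rsa"; rc=1
    fi
    return $rc
}
```

Run it as `check_ssh_perms ~` on the remote account; a clean run prints nothing and exits 0.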

Somebody out there needs this, I hope they find it here.

Sunday, August 12, 2007

Ubuntu day 2

A while back I signed up for the "Employee Purchase Program" at work, which means you can buy a 3-year-old PC that they're getting rid of for $50. It's a lottery, so once you sign up, they throw your name in a hat, and if they pull it, you get one.

Well, last week my name was drawn.

I get headaches just looking at "Start" buttons, so immediately after plugging everything in I downloaded the supposedly most user-friendly linux build -- Ubuntu -- burned a CD and booted up. After a little trouble with ATA1 errors (I had to pull the jumper off the hard drive), it booted up just fine. Install was easy, updating software was easy, adding a bunch of games and cool apps was easy. Didn't come with tcsh or nedit, but nothing a "sudo apt-get" couldn't fix. Otherwise very smooth.

My assessment: eh.

Not because of Ubuntu, mind you. Ubuntu appears to be a fairly clean and easy-to-use version of linux -- if you have a PC lying around, I highly recommend giving Ubuntu a shot. My problem is with linux itself -- it seems almost like a new dog that with a little training will do a bunch of cool little tricks. But in the end, that's all you've got -- a dog that does tricks. Where are MS Office, Quicktime, AppleScript, iTunes, iPhoto, Photoshop? They're replaced by clunkier versions that yes, are free (very cool), but feel like they're duct-taped together (bad). What else do I use a computer for? Turns out, not much.

So in the end I have a computer that my girls can use to play on pbskids.org, and I don't have to worry about them getting a virus or messing up the OS.

I guess that's worth $50.
