thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
First, if you're a unix sysadmin or anyone running any web services that pass through a unix server, ow. Hope you've got overtime pay.

For anyone who cares to read more about the details of what the bug is and what it can do, etc, I refer you to Troy Hunt's post of yesterday.

If you're a normal person hearing about this, then there are a few things you can and should do:

1. Check that your home wifi router is not able to be accessed via the Internet (usually for administration purposes). If that is on, and your router runs Linux (and many of them do), it's potentially a problem. Check your instruction leaflet for whether this can be on or not and turn it off if it is. Then check how to download the latest "firmware" for your router; in a few weeks' time you'll want to do that. If you have any other devices that are accessible "via the Internet", you probably want to find out if they're Linux based and turn that feature off too.

2. If you're a Mac OS X user and your machine only ever joins networks with trusted machines on them, you're probably safe for now. But just in case, or if you ever join public networks, open System Preferences - Sharing. If Printer Sharing is on, you want to turn it off. If you're using an old version of Mac OS, you may have Web Sharing turned on; you also want to turn that off. New versions of Mac OS don't have Web Sharing, unless you're running OS X Server. If you have Remote Login active, just check that you do not Allow Access for All Users. Other than that, wait for Apple to issue an OS Software Update that fixes the problem.

3. If you're a Linux user, you probably want to run your Linux version's package updater right now. And again in a few days' time, as the bash maintainers have not actually released a patch that fully fixes the problem yet.

4. This is a similar situation to the Heartbleed bug (my PSA from last time) in that web servers may potentially be broken into (it's even worse technically). You will need to confirm with website owners that they were either not vulnerable, or were vulnerable and have fixed the bug, then change your password on that service. Again. Yes, I know. Tiresome. Sorry. :-( It's probably best to just prioritise the important sites (net banking, and anything with serious personal consequences), and do those in a few days' time.

5. If you use unique passwords for every site you log in to, that at least limits any potentially stolen passwords to sites that are vulnerable and lessens the urgency on changing every password you have. That's why, if you haven't already, now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good and free, otherwise I highly recommend 1Password. LastPass showed themselves to be reasonably good at security (and they support Linux). There are other options for secure password keepers; if people who use other good ones wish to mention them in comments, please feel free.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publicly announced on 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here:

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here:

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at and and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password. There are other options for secure password keepers; if people who use other good ones wish to mention them in comments, please feel free.

If you have too many sites to check them all, you might want to prioritise. Here's [personal profile] skud on why You don’t need to change all your passwords.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.'

ETA: A "big sites" hitlist of who you *should* change your passwords with:

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April:
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Amongst a swathe of other "[Win]" security alerts from AusCERT, this one stands out:

AusCERT Security Bulletin: ESB-2009.1267 - ALERT [Win] Windows TCP/IP: Multiple vulnerabilities

Product: Windows TCP/IP
Operating System: Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Original Bulletin:

Why does this particular instance stand out to me? Because TCP/IP is the fundamental core of Internet communications - if your device does Internet, it does TCP/IP. The code to do it has been around for a few decades now, and pretty much everyone knows how to do it securely. Except, apparently, Microsoft.

This sort of security vulnerability can theoretically exist on other OS platforms, yes. That said, the only competing OS family these days is Unix - there are no extant OS platforms in common use that are not some type of Unix. Even Mac OS X is a version of Unix with a very shiny graphics layer on top.

Unix is designed from the ground up with a highly layered security approach, and in the layers where security is critical (i.e., the "kernel" - the part of the OS that deals with the computer hardware, and therefore can do things like snoop passwords, steal data from anyone on the machine, etc), the programmers tend to be very very careful, and most of the code is not actually new, and has been inspected heavily by many many people over the long decades that the technology has existed for, and tested by lots and lots of people who are pretty crazy about security, and think about it a lot.

Microsoft, fairly clearly, don't organise their code and their programmers to work that way. Every time they release a new OS version, they say "now more secure!" Every time they say that, they're proven wrong. Again. With several different hacks that break into the kernel layer, not just surface compromises. A Linux blogger describes the experience best: Windows Users - The Charlie Browns of Computing. Go on, kick the football. We promise it's secure this time. Really.

Don't get me wrong: You absolutely need to take security measures on other computers too. If you've got a Mac, you should still be purchasing anti-virus software, and if you've got Linux, or FreeBSD, or Solaris, or any other UNIX, you still need to be securing your computer in a variety of ways.

But on Windows - none of that matters. You can run all the anti-virus software you like, but if the Windows TCP/IP stack is open to a remote hacker, the remote hack will disable your anti-virus software, and install a bunch of stuff that will keep your computer broken and hacked, permanently.

If that happens to you, you can expect your computer to use all your bandwidth sending out spam email, attempt to crash and hack other computers on the Internet, send all your banking details to people who might be interested in stealing your money, send anything resembling personal data to the same people, and so on. Not good, not fun.

So, if you care about having a secure computer, don't use Windows. Ever. Really.

If you really do have to use Windows, then don't connect it directly to the Internet. Ever. Put that computer behind a secure firewall of some kind. If you don't know how to do that, find out from a tech-savvy friend. For your own sake.
thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
Oh hi. I forgot to mention. Macs are awesome. Your next computer should be a Mac, assuming you just want a computer where you can do general average day to day stuff and Get Things Done.

If you want to do a specific weird thing (yes, hardcore computer game nerds, that mostly does mean you), then alright, you have special needs, and probably need more thought than just buying a Mac will necessarily get you. You already have the mad skillz needed to go do that. This message isn't for you.

However, for everyone else, if you just want to get connected to the internet, do email, browse the web, maybe do some word processing, download pictures off your digital camera, maybe upload some pictures to the interweb, even have automated hourly backups done for you... then absolutely just get a Mac already.

Oh, and if you're a unix tech-head, you really want a Mac too. Just think, a real Unix OS with a consumer grade UI on top.


He says it better than I do.
