I’m much too easily distracted, need to get back to work on the home automation project that I keep picking up and putting down.
Oooh, the scary Heartbleed Bug. Actually, if you’ve been keeping up with the news, you may have heard of this and should know that it’s a pretty serious security issue impacting sites using OpenSSL. Right now, Google is returning almost two million search results for the term – so it’s being talked about. A lot.
So above I mentioned OpenSSL, what’s that? Simply put, it’s a cryptographic library that many websites and businesses leverage to secure communications between you and them, preventing outsiders from seeing the exchange. Think of it as being in a whispering gallery … where you don’t expect others would be able to overhear your conversation, but they can, should they choose to.
Enter Heartbleed, a nasty bug that’s been running undiscovered in the wild for over two years. So wait, what the heck is Heartbleed? Glad you asked, this is the technical description from http://heartbleed.com:
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
So in English please?
Basically, this bug has existed for the last two years, completely undetected. During that time, websites using a vulnerable version of OpenSSL could have exposed user data without even knowing it.
- Worst case scenario: sensitive information such as credit cards, bank statements, email passwords, etc. could have been stolen.
- Best case scenario: this bug wasn’t discovered or exploited. Don’t count on this.
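For the curious, here is the missing check in miniature, as an added example that is not part of the original post and not OpenSSL's code. The bug sits in the TLS heartbeat extension (RFC 6520), where one side sends a payload plus a length field and the other echoes the payload back; the function names and sample bytes below are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Bytes an unchecked echo would read past the received message (0 if none). */
size_t hb_overread(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    size_t end = HB_HEADER + claimed;
    return end > msg_len ? end - msg_len : 0;
}

/* Build the response for one received heartbeat message.
 * Returns the response length, or 0 when the message is discarded. */
size_t hb_respond(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_PADDING || msg[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    size_t need = HB_HEADER + claimed + HB_PADDING;
    /* The bounds check: the sender's length field must fit inside what was
     * actually received, otherwise the copy below would leak adjacent memory. */
    if (need > msg_len || need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real stacks use random padding */
    return need;
}

int main(void)
{
    /* Constructed samples: an honest 5-byte payload, and a length field of
     * 0x4000 on a message that carries no payload at all. */
    uint8_t ok[24]  = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t bad[19] = {HB_REQUEST, 0x40, 0x00};
    uint8_t out[64];
    printf("honest:    response=%zu overread=%zu\n",
           hb_respond(ok, sizeof ok, out, sizeof out), hb_overread(ok, sizeof ok));
    printf("oversized: response=%zu overread=%zu\n",
           hb_respond(bad, sizeof bad, out, sizeof out), hb_overread(bad, sizeof bad));
    return 0;
}
```

A nonzero `hb_overread` on an incoming message is also a usable detection signal: a well-behaved peer never sends a length field larger than the data it actually sent.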
How can I tell if a site I use has been exploited?
No way to know at this time. If you have concerns, you should contact the site in question.
What sites should I worry about?
Mashable has been compiling a list of popular sites, noting whether they were vulnerable, what fixes have been applied and whether you need to take action:
It should be noted that this is not a completely comprehensive list; smaller sites may or may not have been impacted. You should contact those sites directly if you have concerns.
What about self-hosted sites, how can I check?
You can test any site for CVE-2014-0160 (Heartbleed) here:
Are you some sort of expert on this, can I contact you?
Nope, I’m not an expert on this particular security issue. Just a concerned netizen who felt compelled to post about it. There’s a vast wealth of information on the Heartbleed site: http://heartbleed.com/, I encourage you to review it. And of course if you have questions about a specific entity, you can always contact them directly.
A few years old, but still a great watch. If you’ve never seen it before, take a few minutes out of your day and see what happens when this hacker’s computer is stolen from his apartment.
A local retailer had this old scotch cask on display. I happened to mention it would make an interesting addition to my office, perhaps as an end table. Much to my surprise, they told me that since the promotion was over I could have it as long as I could move it myself. Challenge Accepted. Admittedly it did have a little weight to it, and the shape and size posed a bit of a challenge while trying to get it in the house without destroying the hardwood floors.
It needs a little cleanup and is missing the two lower hoops, but overall it’s in decent shape. Not sure exactly what I’m going to do with it, perhaps with my Roost it might make a good standing desk.
This afternoon I decided to start fiddling with one of my Raspberry Pis. I’ve been collecting bits of hardware here and there for a small scale home automation project using some X10 gear. Small problem though: the thing won’t boot now. The SD card seems to be corrupt and won’t take a new image. Not just one card but two out of three.
The cards are a year or so old; I purchased them all at the same time from a reseller on Amazon. Turns out, this may not have been a wise idea. After spending some time searching online for similar issues, I’ve found that counterfeit SD cards are a pretty big thing. Not sure if that’s the case here, they all have different serial numbers, but I’ll be reaching out to the Kingston folks later on to see if the cards can be verified.
Using a smaller capacity card seems to work fine, so no issues with the reader on my laptop or the Pi. SD card corruption has happened to me in the past when the Pi abruptly lost power without shutting down first, but imaging it again was never a problem.
I think from here forward that purchasing direct from the manufacturer or a trusted reseller is the best way to go. Google ‘fake sd card’ and check the results for yourself. In the meantime, card number three has an image and I’m going to try and start working on randomly blinking lights on and off in the house. Eventually I may try to hack my coffee maker.
Oh, and fun fact: raspberrypi.org is powered by WordPress. :)