Fed2 Star - the newsletter for the space trading game Federation 2

The weekly newsletter for Fed2
by ibgames

EARTHDATE: April 13, 2014


WINDING DOWN

An idiosyncratic look at, and comment on, the week’s net, technology and science news

by Alan Lenton

Given the high profile and high level of panic in the air over the ‘Heartbleed’ bug, I decided to change the format this week to explain what’s going on. Unless you know what’s involved you can’t make a decision about what to do. Writing it took rather longer than I intended, and turned out to be almost a full issue’s worth of words all by itself. So this week is just the one piece. It’s not highly technical, even though it’s about a hi-tech thing.

Next weekend is Easter. Someone asked me the other day why Easter moves around so much. So, for those of you who don’t know:

Easter falls on the first Sunday...
...after the first full moon...
...following the vernal equinox.

Nothing to do with pagan rites, of course. Regardless, I won’t be producing an issue next weekend, since I’ll be trying to catch up on my sleep after the time change a couple of weeks ago.

And now for...

Heartbleed:

So everyone is in a tizzy from the ‘Heartbleed’ bug this week. (I guess I’d better add it to my spelling check dictionary. This one will run and run...)

OK. First of all for Federation 2 players the good news. The Federation server has been, and is, using a version of SSL/TLS that isn’t vulnerable to the Heartbleed bug. That means that none of your information has been compromised through the Federation server, and neither have the server’s encryption keys.

However, it is entirely possible, given how widespread the problem is, that the servers you use for other purposes have been compromised. So what should you do? Well, you should change your passwords regularly anyway, and I bet most of you reading this haven’t changed your passwords for a very long time! So, my advice? Change your password in the near future, as a matter of course.

Not immediately, do I hear you say? Well, you need to make a judgment call on this one. Because, if you do change your password, and then log onto a site looked after by someone who hasn’t updated their compromised software, you could end up with your new password compromised as well! This could well be a lose/lose situation.

The best advice I can give you is this: All the major commercial sites should be updated by now. The smaller sites, that maybe don’t have full time sysadmins, will probably be updated over the weekend. Anything that’s not updated by Monday is probably not going to be updated, because either the owners are too lazy, or, more likely, they don’t know enough to realize they should update.

Thus, I would start updating my passwords on Monday, the important (involving money or vital personal info) ones first, and the lesser ones as and when you next log on to them - which should be reasonably soon.

So, what is Heartbleed, and how did it happen? The best explanation of what happens that I can point you to is this cartoon from the excellent xkcd site: http://xkcd.com/1354/.

Basically, when you log on to a secure site, newer versions of the secure connection software send a request at intervals to make sure the link to the server is still working. This is called a heartbeat request (hence the ‘Heartbleed’ name of the bug).

If you tell the computer that the reply you want back is larger than the text you actually sent, then the computer will grab a chunk of memory of the size you specify, fill the first bit with what you wanted to hear, and send you the contents of the whole chunk. It’s easier to understand with an example. Let’s say the word you wanted back was ‘here’, but you told the computer ‘here’ was 1024 characters long. In that case the computer would grab a new chunk of memory 1024 characters long, fill the first four spaces with the word ‘here’ and then send you the whole 1024 characters.

Still with me? If you are, you may be wondering why sending the whole 1024 matters. And that, my friends, is a matter of how operating systems allocate memory. In the old days (walking barefoot through the snow, punched tape, punched cards, programming with switches on the front of the computer, etc.) programs had to have all the memory they were going to need, all the time they were running. You could still do it that way, but it’s pretty wasteful, since it’s likely that most of the time they won’t be using all of that memory. So, modern systems allow programs to ask for more memory when they need it, and let them give it back when they’ve finished with it, so the system can give it to another program.

However - there always is a ‘however’, isn’t there - one important thing to realize is that to save time and processing the operating system doesn’t clear out memory that’s returned. Whatever it was used for last time is still there when it hands out the memory again. So let’s imagine a scenario where Alice (Remember Alice? She owns the restaurant!) wants to change her password, so she logs on and tells the server what she wants to do. The server asks the operating system for 1024 bytes (characters) of memory, and as the new password comes in it puts some identifiers in the first half dozen characters, and then places Alice’s password in the next part of the memory.

The server then checks the password for length etc., and stores a hash of the password in the password file (you don’t need to know what a hash is). Then it hands the memory back to the operating system.

Shortly afterwards, Eve, who is an eavesdropper, logs in and sends a heartbeat request with the word ‘here’ and a length of 1024. The server asks the system for 1024 bytes and gets back the block it used for Alice’s password, which, you will recall, still has Alice’s password in it.

Now, what the programmer should have done, but forgot to do (and as a result no one will ever trust his code again) was to clear out the memory by setting everything in it to zero. But he didn’t. So when the server sends back the 1024 characters asked for, there in the middle is Alice’s new password!

Not good. Definitely not good.
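The Alice-and-Eve scenario above, boiled down to a few lines of C as an added illustration (this is not code from the newsletter or from OpenSSL): a block of memory that is handed out again without being wiped, a heartbeat handler that trusts the claimed length, and the fixed handler that drops requests whose claimed length does not match what arrived and zeroes the block before reuse. The pool, the ‘PWCHG:’ identifier bytes and the password values are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define POOL_SIZE 1024

/* Constructed model, not real OpenSSL: one 1024-byte block that the "operating
 * system" hands out again without clearing, exactly as the article describes. */
static unsigned char pool[POOL_SIZE];

/* Alice's password change: identifier bytes first, then her password. The
 * block is handed back afterwards without being wiped. */
void handle_password_change(const char *password) {
    memset(pool, 0, POOL_SIZE);                 /* pretend it is a fresh block */
    memcpy(pool, "PWCHG:", 6);                  /* "some identifiers" (constructed) */
    strncpy((char *)pool + 6, password, POOL_SIZE - 7);
}

/* Vulnerable heartbeat: trusts the claimed length. Returns bytes placed in out. */
size_t heartbeat_vulnerable(const unsigned char *payload, size_t actual_len,
                            size_t claimed_len, unsigned char *out, size_t out_cap) {
    if (claimed_len > out_cap || actual_len > POOL_SIZE) return 0;
    memcpy(pool, payload, actual_len);          /* "here" goes in the first bytes */
    memcpy(out, pool, claimed_len);             /* echoes claimed_len bytes: stale data leaks */
    return claimed_len;
}

/* Fixed heartbeat: the claimed length must match what actually arrived, and the
 * block is zeroed before reuse. Mismatched requests are dropped (returns 0). */
size_t heartbeat_fixed(const unsigned char *payload, size_t actual_len,
                       size_t claimed_len, unsigned char *out, size_t out_cap) {
    if (claimed_len != actual_len || claimed_len > out_cap || claimed_len > POOL_SIZE)
        return 0;
    memset(pool, 0, POOL_SIZE);                 /* what the programmer "forgot to do" */
    memcpy(pool, payload, actual_len);
    memcpy(out, pool, claimed_len);
    return claimed_len;
}

/* Defender's check: does a heartbeat response contain a given secret? */
int response_contains(const unsigned char *out, size_t n, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}
```

With the vulnerable handler, a 4-byte ‘here’ with a claimed length of 1024 returns the whole block, password included; the fixed handler returns nothing for that request and only ‘here’ when the lengths agree.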

Of course this is a simplified version of what happens, and things are not quite as easy as they sound. To do this and get away with it, you would need a large network that is difficult to trace. That is possible, but really only for states and large criminal organizations. Not to say that someone won’t eventually figure out a way around that.

I think that’s enough about Heartbleed. If you want to know more, here is the official notice of the problem, and also a short further piece on the implications.
https://www.us-cert.gov/ncas/alerts/TA14-098A
http://www.darkreading.com/informationweek-home/more-than-a-half-million-servers-exposed-to-heartbleed-flaw/d/d-id/1204318

Acknowledgements

Thanks to readers Barb and Fi for drawing my attention to material for Winding Down.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Thunderbird spam filter...

Alan Lenton
alan@ibgames.com
13 April 2014

Alan Lenton is an on-line games designer, programmer and sociologist, the order of which depends on what he is currently working on! His web site is at http://www.ibgames.net/alan/index.html.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html.
