
(XKCD) The best explanation of Heartbleed yet (xkcd.com)

7800 clicks; posted to Geek on 11 Apr 2014 at 11:52 AM



109 Comments
 
2014-04-11 10:31:00 AM
Of course XKCD would get this one right.

I've been reading on this for three days, and it's all either long complex attempts to explain wtf SSL is, written by journalists who barely know how to turn on a computer, or it's all quotes from security experts along the lines of 'It's bad. Reaaaaaal bad. Like, you know this picture:

img3.wikia.nocookie.net

it's like that, only with a few nuclear bombs in the basement, and the asteroid from Armageddon hurtling down as well. This is The Worst Bad Thing In The History Of The Internet.'

Neither is especially useful. But this is. Thank goodness. Now I can explain it to panicking parents/friends without watching their eyes glaze over.
 
2014-04-11 10:44:02 AM
Yeah. That's bad. That's. Wow. That's. That's really bad. And you know for a fact that several governments have known about this bug for about 2 years now.
 
2014-04-11 11:19:18 AM

bdub77: Yeah. That's bad. That's. Wow. That's. That's really bad. And you know for a fact that several governments have known about this bug for about 2 years now.


Me? No, I don't know that.
 
2014-04-11 11:23:13 AM
to be fair, it did take XKCD two tries to get it right. This was the first:
imgs.xkcd.com

Love me the Blade Runner ref.
 
2014-04-11 12:00:20 PM
It had me at "potato".
 
2014-04-11 12:00:58 PM
Tom Scott also gave a pretty good explanation of the bug.
 
2014-04-11 12:03:25 PM
How the hell does buffer overflow still happen, especially in software made for security?
 
2014-04-11 12:05:54 PM

impaler: How the hell does buffer overflow still happen, especially in software made for security?


It was an oopsie.
 
2014-04-11 12:07:17 PM

impaler: How the hell does buffer overflow still happen, especially in software made for security?


Malice or stupidity

[whynotboth.png]
 
2014-04-11 12:08:19 PM

impaler: How the hell does buffer overflow still happen, especially in software made for security?


Because some script-kiddy threw together the logic without defining bounds, and the quality assurance guys were asleep.
 
2014-04-11 12:08:38 PM

impaler: How the hell does buffer overflow still happen, especially in software made for security?


Well...

"...But around that time OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc. You can find the comment in their sources ...

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just

OH, because SOME platforms have slow performance, it means even if you build protective technology into malloc() and free(), it will be ineffective. On ALL PLATFORMS, because that option is the default, and Ted's tests show you can't turn it off because they haven't tested without it in ages."
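To show what the quoted comment is getting at, here is an added example in C (not OpenSSL's code, and not from anyone in this thread) of a per-size freelist cache of the kind described: a block released by one connection is handed straight back to the next request of the same size without ever passing through free(), so a hardened system allocator never gets a chance to poison, unmap or guard it, and the old contents survive unless the cache itself wipes them on release. The block size, the Node layout, the wipe_on_release toggle and the "PRIVATE-KEY-FRAGMENT" string are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not OpenSSL's allocator: a freelist that recycles released
 * blocks of one size. Recycled blocks never return to the system malloc, so its
 * protections (junk filling, guard pages, unmapping) never apply to them. */
#define BLOCK_SIZE 64

typedef struct Node { struct Node *next; } Node;
static Node *freelist = NULL;
static int wipe_on_release = 0;        /* the mitigation toggle (constructed) */

void *cache_alloc(void)
{
    if (freelist != NULL) {            /* hot path: reuse a cached block, contents intact */
        Node *n = freelist;
        freelist = n->next;
        return n;
    }
    return malloc(BLOCK_SIZE);         /* the system allocator is consulted only when the cache is empty */
}

void cache_release(void *p)
{
    Node *n = p;
    if (wipe_on_release)
        memset(p, 0, BLOCK_SIZE);      /* the fix: scrub before parking the block */
    n->next = freelist;                /* clobbers only the first sizeof(Node *) bytes */
    freelist = n;
}

/* One "connection" writes a secret into a block and releases it; a later, unrelated
 * request gets a block of the same size. Returns 1 if the secret is still readable,
 * 0 if it was wiped, -1 if the system allocator failed. */
int recycled_block_leaks(int wipe)
{
    const char *secret = "PRIVATE-KEY-FRAGMENT (constructed sample)";
    size_t skip = sizeof(Node *);      /* bytes overwritten by the freelist link */
    unsigned char *a, *b;
    int leaked;

    wipe_on_release = wipe;
    freelist = NULL;
    a = cache_alloc();
    if (a == NULL) return -1;
    memset(a, 0, BLOCK_SIZE);
    strcpy((char *)a, secret);
    cache_release(a);

    b = cache_alloc();                 /* the very same block comes straight back */
    leaked = memcmp(b + skip, secret + skip, strlen(secret) - skip) == 0;
    free(b);                           /* cache is empty again, so b can go back to the system */
    return leaked;
}

int main(void)
{
    printf("no wipe on release: secret still readable from recycled block = %d\n", recycled_block_leaks(0));
    printf("wipe on release:    secret still readable from recycled block = %d\n", recycled_block_leaks(1));
    return 0;
}
```

The wipe alone does not address the bounds check that Heartbleed actually exploited; it only limits how much stale data a recycled block can carry, which is the narrower point the quoted comment makes about a caching wrapper sidelining a protective malloc.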
 
2014-04-11 12:12:15 PM

impaler: How the hell does buffer overflow still happen, especially in software made for security?


Did you miss the part where it was written in C?
 
2014-04-11 12:17:25 PM
On the plus side, Last Pass has been doing a great job for its users, letting them know which sites need password updates and when.
 
2014-04-11 12:18:32 PM
It's only 64K of memory, so the possibility of massive data thefts is unlikely.
 
2014-04-11 12:23:37 PM
That's some dumb farking coding.
 
2014-04-11 12:23:51 PM
I don't get it.
 
2014-04-11 12:25:24 PM

PIP_the_TROLL: On the plus side, Last Pass has been doing a great job for its users, letting them know which sites need password updates and when.


The site that mistakenly classified Fark and other sites as vulnerable, days after Fark patched everything here?  Because they keyed on a date field for no good reason?

Or perhaps that's the joke...
 
2014-04-11 12:32:24 PM

phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.


It's 64K per heartbeat; that can amount to a fair amount of data quite quickly.
 
2014-04-11 12:33:06 PM
Waiting for all the "hurr durr XKCD sucks" from people who don't understand explanation, common sense, or the magic required to make the first seem like the second.
 
2014-04-11 12:33:15 PM
That was a horribly typed phrase. Good job, me
 
2014-04-11 12:34:14 PM

phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.


Except that there's nothing stopping an attacker from doing it as many times as they like, getting a different random chunk of 64K of heap space every time. Eventually, they're likely to get something important, like the server's private key.
 
2014-04-11 12:34:43 PM
I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.

/desperately need biometric security rolled out internet-wide
//we have the technology
 
2014-04-11 12:40:09 PM

JPSimonetti: I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.



it's time to stop posting...
 
2014-04-11 12:41:32 PM

acronym: JPSimonetti: I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.


it's time to stop posting...


I drunk better when I post.
 
2014-04-11 12:48:51 PM

JPSimonetti: I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.

/desperately need biometric security rolled out internet-wide
//we have the technology


When a database gets breached and my password gets stolen I can change my password.

When a database gets stolen and my fingerprint gets stolen I can... change fingers? I mean I guess you have 10 chances... 20 if we count toes...
 
2014-04-11 12:50:12 PM

BalugaJoe: I don't get it.

 
2014-04-11 12:54:48 PM

JPSimonetti: I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.

/desperately need biometric security rolled out internet-wide
//we have the technology


My work computer also reminds me that I have to change my password every two months and it starts reminding me 11 days ahead of time that my password is about to expire. And I can't use any of my five previous passwords. The end result is that I have a really shiatty work password.
 
2014-04-11 12:59:21 PM

error 303: JPSimonetti: I keep telling [...]

When a database gets breached and my password gets stolen I can change my password.

When a database gets stolen and my fingerprint gets stolen I can... change fingers? I mean I guess you have 10 chances... 20 if we count toes...


That's a really good point. I'd like to say, though, that typing 10 characters and attempting to emulate a biometric device's input are on completely different levels. It can be done, absolutely. But the number of people who CAN steal and spoof a biometric data cluster (from gathering the data to emulating it) is about 0.0001% of the number of people that can simply jack an alphanumeric password. It's not perfect, though I think it's a better balance between security and convenience.

No one is going to steal your biometric data to put lemonparty as your desktop background at the office, whereas just taking a typed password is indescribably easier, with hundreds of ways to do it.
 
2014-04-11 01:02:00 PM
That does not answer my questions.  ARE MY CAT PICTURES SAFE?!
 
2014-04-11 01:06:17 PM

Saiga410: That does not answer my questions.  ARE MY CAT PICTURES SAFE?!


Easy - did your cat change her password after Picasa fixed its front-end?
 
2014-04-11 01:08:21 PM
Correct Horse Battery Staple
 
2014-04-11 01:13:09 PM

jfarkinB: Waiting for all the "hurr durr XKCD sucks" from people who don't understand explanation, common sense, or the magic required to make the first seem like the second.


While you're waiting, did you see that biatch over there eating crackers like she owns the place?
 
2014-04-11 01:16:36 PM

That Guy What Stole the Bacon: Correct Horse Battery Staple


I'll never forgive him for telling everyone my password like that.  I had just gotten it changed from hunter2.
 
2014-04-11 01:18:17 PM

MrEricSir: impaler: How the hell does buffer overflow still happen, especially in software made for security?

Did you miss the part where it was written in C?


Poor excuse though. Apparently they were doing their own memory management and had wrappers around free() and malloc().

The following code fixes what happened. Yes there is a performance hit, tough shiat. Buy a faster computer or improve the algorithms.

#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Aligned size header so the free wrapper knows how much to wipe; stands in for the GetSize() helper. */
typedef union { size_t size; max_align_t align; } BlockHeader;

void *OpenSSLMalloc(size_t numBytes)
{
    BlockHeader *hdr = malloc(sizeof *hdr + numBytes);
    if (hdr == NULL) return NULL;
    hdr->size = numBytes;
    memset(hdr + 1, 0, numBytes);   /* hand out zeroed memory */
    return hdr + 1;
}

void OpenSSLFree(void *ptr)
{
    BlockHeader *hdr;
    if (ptr == NULL) return;
    hdr = (BlockHeader *)ptr - 1;
    memset(ptr, 0, hdr->size);      /* scrub before release; a plain memset here can be optimised away, so prefer explicit_bzero where available */
    free(hdr);
}
 
2014-04-11 01:21:48 PM
Grumble grumble submitted this hours ago better headline grumble grumble....


But that aside, this is a pretty simple and accurate explanation for the Heartbleed issue - if you got someone complaining to you about changing passwords and whatnot, just use this comic to explain how all their stuff is pretty much out in the open.
 
2014-04-11 01:28:49 PM
It's always QA's fault.
 
2014-04-11 01:30:36 PM

phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.


Untrue.  64K of text is a lot of text.  64K per heartbeat can lead to a lot of sensitive data.
 
2014-04-11 01:37:01 PM

question_dj: phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.

Untrue.  64K of text is a lot of text.  64K per heartbeat can lead to a lot of sensitive data.


Especially as no one's logging heartbeats, and you can send them as frequently as you wish. Potentially, you get millions of heartbeats hitting, each looking for a nice chunk o' data. That's the scary part - there's no way to tell who's been harmed by this bug, or to what extent the harm has occurred, prior to the revelation & exploit testing. A nice distributed exploit, to minimize point spikes, and you're raping a server with ease.
 
2014-04-11 01:47:38 PM

That Guy What Stole the Bacon: Correct Horse Battery Staple


I tried to post that comic here in reply to other posts about bullshiat password requirements.  I probably forgot to confirm the post.

END COMMUNICATION
 
2014-04-11 01:57:51 PM

FormlessOne: question_dj: phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.

Untrue.  64K of text is a lot of text.  64K per heartbeat can lead to a lot of sensitive data.

Especially as no one's logging heartbeats, and you can send them as frequently as you wish. Potentially, you get millions of heartbeats hitting, each looking for a nice chunk o' data. That's the scary part - there's no way to tell who's been harmed by this bug, or to what extent the harm has occurred, prior to the revelation & exploit testing. A nice distributed exploit, to minimize point spikes, and you're raping a server with ease.


It's definitely a nasty-ass bug and probably the worst to be uncovered yet.  Lucky for me, all my applications are running OpenSSL 0.9.8.e =P
 
2014-04-11 02:19:03 PM
Wait, is this the real reason we all have TotalFark today? Somebody stole Drew's password?
 
2014-04-11 02:21:58 PM

JPSimonetti: /desperately need biometric security rolled out internet-wide
//we have the technology


Biometrics are hard, and still vulnerable to replay. Asymmetric cryptography is a solved problem and not vulnerable to replay.

/Certificates and SAML for everyone
//down with X.509 though
 
2014-04-11 02:23:00 PM

Lando Lincoln: JPSimonetti: I keep telling people it doesn't matter how super-unguessable your password is. No one is going to bother trying to guess it. They'll get it off a sticky note slapped on your monitor, pull it out of your Password Database app you forgot to close, ... or, the most likely, the people who own the website will screw up and leak millions of login/passwords.

But, no, be sure to force users to make different, unmemorable passwords with at least 1 number, 1 letter, 1 space, 1 underscore, 1 punctuation mark, 1 capital letter, and 2 smiley faces. For every single website. So they'll have to write them down for someone else to find. Top notch security.

/desperately need biometric security rolled out internet-wide
//we have the technology

My work computer also reminds me that I have to change my password every two months and it starts reminding me 11 days ahead of time that my password is about to expire. And I can't use any of my five previous passwords. The end result is that I have a really shiatty work password.


I came up with a way to generate my password algorithmically based on the month and year that I changed it (which solves the no-repeated-password rule).

Strictly speaking, this is less secure than a truly random password, since an attacker could potentially get ahold of or guess my algorithm, but it's better than being forced to use sticky notes to keep track of the damned things.
 
2014-04-11 02:36:58 PM

Some 'Splainin' To Do: I came up with a way to generate my password algorithmically based on the month and year that I changed it


mmyypassword
 
2014-04-11 02:41:54 PM

JPSimonetti: desperately need biometric security rolled out internet-wide


. . . so the next time there's a security breach, we'll have to change our fingerprints and eyeballs instead of just our passwords?
 
2014-04-11 02:42:03 PM

the_sidewinder: phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.

It's 64K per heartbeat; that can amount to a fair amount of data quite quickly.


Not to mention, whatever helpful information is gleaned from that 64k can then be used in other ways to gain other information or compromise something else.
 
2014-04-11 02:43:57 PM

Arkanaut: Wait, is this the real reason we all have TotalFark today? Somebody stole Drew's password?


He either had too much booze or not nearly enough, and changed his luggage locks instead of his password.
 
2014-04-11 02:47:50 PM
As a software developer - I hate how people keep talking about this on a technical level.  Regular people don't really care.  At its core, this is an incredibly common type of bug.  Buffer overflow/missing bound check.  Meh.  It's covered in any decent Freshman/Sophomore level C class - even if it's not covered in depth, it's mentioned.

But it doesn't matter to end users.

What it really means is that your secure information is/was not secure.  It also illustrates how, no matter how much technobabble some nerd (like myself) throws at you assuring you that your connection/data is secure, you cannot ever believe it.   It also illustrates that open source doesn't guarantee security.
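For anyone who wants the "missing bound check" in front of them rather than in a comic, here is an added example in C (not code from this thread, from XKCD, or from OpenSSL): a heartbeat record whose claimed payload length is larger than the record it arrived in, answered once by a handler that trusts the claimed length and once by one that checks it against the record length the TLS layer actually delivered. The arena that stands in for process memory, the 4-byte "ping" payload, the cap that keeps the vulnerable copy inside that arena, and the "SESSION-TOKEN" string are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the missing bounds check behind Heartbleed; not OpenSSL's
 * code. A heartbeat request is: 1 byte type, 2-byte big-endian payload length
 * (peer-controlled), the payload, then at least 16 bytes of padding. The record
 * length comes from the TLS record layer and is the only size that can be trusted. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  512
#define OUT_CAP     (ARENA_SIZE + 3 + HB_PADDING)

/* Constructed stand-in for process memory: the record sits at the start and a
 * secret belonging to some other connection lies right after it. */
static unsigned char arena[ARENA_SIZE];
static const char *SECRET = "SESSION-TOKEN=deadbeef-constructed-sample";

/* Lays out a 4-byte "ping" heartbeat claiming claimed_len bytes, then the secret.
 * Returns the true record length (23). The claim is capped so the vulnerable copy
 * below stays inside the arena and the demo itself is well-defined. */
size_t build_arena(unsigned short claimed_len)
{
    size_t n = 0;
    if (claimed_len > ARENA_SIZE - 3) claimed_len = ARENA_SIZE - 3;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (unsigned char)(claimed_len >> 8);
    arena[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + n, "ping", 4); n += 4;
    n += HB_PADDING;                                  /* padding bytes stay zero */
    memcpy(arena + n, SECRET, strlen(SECRET));        /* adjacent memory, not part of the record */
    return n;
}

static unsigned short read_len16(const unsigned char *p) { return (unsigned short)((p[0] << 8) | p[1]); }

/* Vulnerable form: copies as many bytes as the peer claimed, never consulting the
 * real record length, so the reply carries whatever follows the record in memory. */
size_t hb_respond_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    unsigned short claimed = read_len16(rec + 1);
    (void)rec_len;                                    /* ignored: this is the bug */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Fixed form: a record too short for header plus padding, or whose claimed payload
 * does not fit inside the record, is silently discarded (returns 0). */
size_t hb_respond_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    unsigned short claimed;
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    claimed = read_len16(rec + 1);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0, HB_PADDING);
    return 3 + claimed + HB_PADDING;
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle), i;
    for (i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Scenario helpers: build the arena with a claimed length and answer it with the
 * vulnerable (use_fix == 0) or fixed (use_fix == 1) handler. */
static size_t run(int use_fix, unsigned short claimed, unsigned char *out)
{
    size_t rec_len = build_arena(claimed);
    return use_fix ? hb_respond_fixed(arena, rec_len, out) : hb_respond_vulnerable(arena, rec_len, out);
}
size_t reply_len(int use_fix, unsigned short claimed) { unsigned char out[OUT_CAP]; return run(use_fix, claimed, out); }
int reply_leaks(int use_fix, unsigned short claimed)  { unsigned char out[OUT_CAP]; size_t n = run(use_fix, claimed, out); return contains(out, n, SECRET); }

int main(void)
{
    printf("claimed 200, real 4 -> vulnerable reply %zu bytes, secret leaked: %d\n", reply_len(0, 200), reply_leaks(0, 200));
    printf("claimed 200, real 4 -> fixed reply %zu bytes (0 = discarded)\n", reply_len(1, 200));
    printf("claimed 4,   real 4 -> fixed reply %zu bytes, secret leaked: %d\n", reply_len(1, 4), reply_leaks(1, 4));
    return 0;
}
```

The fixed handler makes both checks the real patch made: the record must be long enough to hold the 3-byte header plus the minimum padding, and the claimed payload plus padding must fit inside the record; anything else is dropped without a reply, which is also the behaviour to look for when reviewing any length-prefixed parser.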
 
2014-04-11 02:53:15 PM

question_dj: phimuskapsi: It's only 64K of memory, so the possibility of massive data thefts is unlikely.

Untrue.  64K of text is a lot of text.  64K per heartbeat can lead to a lot of sensitive data.


I get that; however, unlike in the XKCD comic, SSL data is encrypted. Encrypted data takes up a LOT more space (bit-wise), and thus you would only get fragments and then try to put them back together.

Also, a server can typically have anywhere from hundreds, thousands or millions of operations a second, so grabbing 64K of memory from such a server would largely be gobbledygook. The chance of putting together a coherent set is ... slight. Most servers have upwards of 64GB of memory, so you are talking about a billionth of a percent of possible memory being used.  Not only that, most servers also host many, many, many sites.

Is it a bad problem? Yes, because it allows the SSL system to be bypassed. Is it a critical problem that requires people to go and change everything? No.
 
2014-04-11 02:59:50 PM

phimuskapsi: Also, a server can typically have anywhere from hundreds, thousands or millions of operations a second, so grabbing 64K of memory from such a server would largely be gobbledygook. The chance of putting together a coherent set is ... slight. Most servers have upwards of 64GB of memory, so you are talking about a billionth of a percent of possible memory being used.  Not only that, most servers also host many, many, many sites.


If I'm reading things right, OpenSSL did their own memory management, and it sounds like they allocated their own memory and worked within it. So all the data you get is OpenSSL data.
 
Displayed 50 of 109 comments

This thread is closed to new comments.