The Heartbleed FAQ – Everything You Should Know About It

The interwebs are awash with reports and speculation about Heartbleed. Post-Y2K, it’s difficult to recall any occasion when a security vulnerability managed to gain such widespread attention. But what exactly is Heartbleed? Here’s a quick summary of everything you need to know about it.

What is Heartbleed?

Heartbleed is a critical vulnerability in the OpenSSL library. The official designation of this bug is CVE-2014-0160. SSL stands for Secure Sockets Layer and is a standard security technology for establishing an encrypted link between a web server and a browser. This bit of technology essentially ensures that no one can peek into the data sent between you and the web server. Every website with a URL that begins with https:// (often indicated by a padlock in your browser’s address bar) uses SSL to keep data, including the authentication information that you key in, private. OpenSSL is an extremely popular open source implementation of this protocol.

Heartbleed is a bug in the OpenSSL code which can theoretically be leveraged by an attacker to gain access to data transmitted between you and the web server. This means that, theoretically, the attacker can see all of the data that you enter into an affected website, including your username and password. There has also been speculation that the bug can enable the attacker to gain access to a server’s private key. This would essentially allow the attacker to impersonate any web service and conduct MITM (man-in-the-middle) attacks, and it would force every affected website to revoke and reissue its certificates. However, there’s still debate about whether this worst-case scenario is possible. CloudFlare has declared that after extensive testing it has been unable to grab private SSL keys by exploiting Heartbleed.

Update: The CloudFlare challenge has been cracked, so it is possible to obtain a server’s private key with this exploit.

How did this happen?

Contrary to the conspiracy theories buzzing around the social media websites and discussion boards, there is a very simple explanation behind how the Heartbleed vulnerability was introduced. It was a simple coder oversight.

The bug was introduced by Dr Seggelmann, a German contributor to the OpenSSL project. He was working on patching existing bugs and adding new features. Unfortunately, in one of the new features, he forgot to validate a variable containing a length. The same mistake was also overlooked by the code reviewer Dr Stephen Henson, and thus the bug made its way into the production code of OpenSSL.

How does this exploit work?

As mentioned earlier, the Heartbleed vulnerability is due to missing validation of a length field. One of the reasons the bug has been named Heartbleed is that it occurs in the heartbeat stage of the protocol. A heartbeat is essentially a technique that enables a computer at one end of the SSL connection to double-check that the recipient is still alive. The following XKCD comic does a pretty good job of explaining the issue in simple terms. Essentially, the heartbeat mechanism sends a key and requests a response from the recipient to confirm that the recipient is still active. However, the length of the request isn’t validated. So you can send a key that is just 3 characters long, but request an acknowledgement that is up to 65536 characters long. Since the server isn’t checking the requested length against what was actually sent, it sends back all of the requested characters, which include whatever happens to be stored in memory after your key. With some luck and persistence, this oversight can be used to gain access to confidential information.

[Image: XKCD comic explaining the Heartbleed bug]
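To make the missing check concrete, here is an added illustration in C that is not code from the article or from OpenSSL: it models a heartbeat handler that trusts the peer’s payload_length next to one that applies the same kind of bounds test the fix added. The function names, the 40-byte claim and the “neighbour” bytes placed after the record are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message inside one TLS record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The bug: payload_length, chosen by the peer, was never compared with the
 * length of the record that actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_OUT  (3 + 65535 + HB_PADDING)
#define REC_LEN     (1 + 2 + 3 + HB_PADDING)  /* a request carrying 3 payload bytes */

/* Shared response builder: echoes payload_len bytes starting at payload. */
static void hb_build_response(const uint8_t *payload, uint16_t payload_len,
                              uint8_t *out, size_t *out_len)
{
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);        /* the over-read happens here */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* OpenSSL uses random padding */
    *out_len = 3 + (size_t)payload_len + HB_PADDING;
}

/* Pre-fix logic: trusts payload_length and never consults rec_len. */
int heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t *out_len)
{
    (void)rec_len;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    hb_build_response(rec + 3, payload_len, out, out_len);
    return 0;
}

/* Post-fix logic: header, claimed payload and minimum padding must all fit
 * inside the record that arrived; otherwise the message is silently dropped. */
int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t *out_len)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;
    hb_build_response(rec + 3, payload_len, out, out_len);
    return 0;
}

/* Constructed "process memory": data that sits right after the record and was
 * never meant to leave the host. */
static const char NEIGHBOUR[] = "constructed-session-cookie=XYZ";

/* How many echoed payload bytes came from past the end of the record the peer
 * actually sent; 0 when the handler refused the request. */
int bytes_read_past_record(int (*handler)(const uint8_t *, size_t,
                                          uint8_t *, size_t *))
{
    uint8_t mem[256] = { HB_REQUEST, 0, 40, 'a', 'b', 'c' }; /* claims 40, carries 3 */
    uint8_t out[HB_MAX_OUT]; size_t out_len = 0;
    memcpy(mem + REC_LEN, NEIGHBOUR, sizeof NEIGHBOUR);      /* bytes after the record */
    if (handler(mem, REC_LEN, out, &out_len) != 0) return 0;
    size_t echoed = out_len - 3 - HB_PADDING, avail = REC_LEN - 3;
    return (int)(echoed > avail ? echoed - avail : 0);
}

/* A well-formed request (claims exactly the 3 bytes it carries) must still be
 * answered by the checked handler; returns 1 when the echo is correct. */
int honest_request_echoed(void)
{
    uint8_t rec[REC_LEN] = { HB_REQUEST, 0, 3, 'a', 'b', 'c' };
    uint8_t out[HB_MAX_OUT]; size_t out_len = 0;
    if (heartbeat_checked(rec, sizeof rec, out, &out_len) != 0) return 0;
    return out[0] == HB_RESPONSE && out_len == REC_LEN &&
           memcmp(out + 3, "abc", 3) == 0;
}

int main(void)
{
    printf("unchecked handler: %d, checked handler: %d bytes echoed from beyond the record\n",
           bytes_read_past_record(heartbeat_unchecked), bytes_read_past_record(heartbeat_checked));
    return 0;
}
```

The unchecked handler echoes 21 bytes it never received, including the constructed neighbour data; the checked handler refuses the same request while still answering an honest one.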

Who discovered it?

The Heartbleed bug was introduced two years ago; however, in a strange coincidence, it was discovered and reported by two parties on the same day. One of those parties was Google’s Neel Mehta, who quietly reported the bug to OpenSSL. The other party was a Finnish security research firm called Codenomicon. Realizing that the discovered bug was extraordinary in its impact and severity, Codenomicon decided to create a campaign to make sure everyone took notice of the issue. They registered the domain heartbleed.com, came up with the compelling name, designed a logo, and created the initial narrative. Both parties collaborated with OpenSSL to ensure that the vulnerability wasn’t disclosed before an official patch was released.

What can you do?

To be honest, there isn’t much you can do. A fix for the vulnerability has already been issued by OpenSSL. Most major websites, including banks and other financial service providers, have already updated their OpenSSL installations. Given the massive publicity this bug has received, it’s likely that most websites will implement the patch in the coming days. Mashable has published a massive list of popular websites affected by this vulnerability. It’s wise to change your password at any website that was affected by the bug, but you should do so only after that website has patched the vulnerability; otherwise, you risk exposing yourself further. As always, people who use unique passwords for each site are considerably safer.

LastPass, one of the most popular password managers, has updated its Security Challenge tool to include Heartbleed-related information. It automatically scans the websites in your vault and lists all of those that have been affected. It also lets you know which websites have been patched, so that you can go ahead and change your password.

VLC Takes to Kickstarter to Fund Windows 8 App Development

2012 is probably going to go down as the year crowdfunding grew up. Kickstarter projects reached unprecedented levels of success as the crowdfunding service gained steam. Elevation Dock for iPhone became the first project to cross the million dollar mark in February 2012. Soon after, the Pebble watch shattered all records and went on to raise more than $10 million, over a hundred times its initial goal. Since then, we have seen numerous projects like Ouya and Project Eternity surge past the million dollar milestone with ease. While initially most Kickstarter projects belonged to the art and media segment, this year saw hardware and software projects take the lead. Now, even established projects like VLC are taking to Kickstarter to meet their goals.


The VideoLAN team has started a funding drive on Kickstarter to back the development of a Windows 8 User Experience (Metro) app for VLC. The team has already built a working prototype with minimal features and is looking to raise at least £40,000. VLC is aiming to release a Windows Store compliant Metro app that will run on both Intel and ARM chipsets. The new app will be completely rewritten with the WinRT APIs and feature a touch-optimized user interface, while retaining most of the best features of VLC, including the full-fledged equalizer, video filters and superior support for subtitles. Unlike the built-in media player, out-of-the-box support for CDs, DVDs and unencrypted Blu-rays is also planned. VLC is hoping that the fundraiser will allow it to hire professional designers to build a beautiful and clean user interface, in addition to allowing many of its experienced developers to work full-time on the project.

VLC’s fundraising drive will continue for a month, and you have a chance to get your name in the application by pledging as little as £3. If the fundraising goal is met, the VLC app for Windows 8 is expected to be released in the first quarter of 2013.

Debian Offers Help in a Messy World of Software Patents

We have already seen how Microsoft is ramming its 18,000 patents into all Android device manufacturers and making them pay for technologies that Microsoft does not deal with even remotely. Microsoft is nowhere in the Android game, and this is a questionable action from Microsoft. Owning a lobby of patents to raise hue and cry over every other Android-related technology is not really an ethical business practice. If you want to know exactly how Microsoft is earning more from Android than from its own Windows Phone 7 platform, read this coverage by Joel Fernandes.


The world of software patents is getting ugly and the competition is extremely high. In such a world, it is extremely important to have a fair understanding of the technologies you are dealing with and the patent infringement they can cause. Generally, open source projects are not sued for patent infringement, mostly because they are community efforts and because they do not have the funding to pay hefty sums. However, prevention is always better than cure.

The Debian project has created an FAQ with some heavy legal aid that can give people an idea of the patent liabilities pertaining to community distribution of Free and Open Source Software. It starts with the very basics of patents and explains the difference between patents and copyrights. Then it goes on to explain infringement, the risk patents pose to FOSS community projects, and the geographical limits of patents. If you are a developer working on a community project, you should absolutely know the risks and liabilities involved, and this FAQ can offer good help to get started.

FOSS Friday: Ubuntu Coming To Asus Eee PC, OpenOffice.org Goes To Apache Foundation and More

This week, the main talking point in the world of Free and Open Source Software (FOSS) is Oracle giving OpenOffice.org to the Apache Foundation. There have been interesting developments for Ubuntu as well. Let us take a look at some of the most important FOSS news of the week.

Oracle Gives OpenOffice.org To Apache; The Document Foundation Not Happy About It

After alienating all the contributors in the OpenOffice.org community, Oracle has finally decided to call it a day and has ceded control of the OpenOffice.org codebase to the Apache Software Foundation. OpenOffice.org will now be developed as an Apache Incubator project. You can read more about this story here.

Meanwhile, The Document Foundation is not happy with Oracle’s decision to ignore them and give control of OpenOffice.org to the Apache Foundation. Since the beginning, TDF has been asking Oracle to join them and donate OpenOffice.org to them. Read more about it here.

Ubuntu 11.10 Alpha 1 Released

The first alpha of Ubuntu 11.10 was released a few days back. Being the first development release, not much has changed from Ubuntu 11.04, which was released around a month back. The GNOME stack has been updated to GNOME 3, though. Find out more about it here.

Asus To Release Eee PC Netbooks with Ubuntu Pre-installed

Asus has announced that they are planning to release three Eee PC netbook models with Ubuntu installed. They also said that they plan to make more models available with Ubuntu by the end of the year. The Asus Eee PC will come with Ubuntu 10.10 and with Flash and other media codecs installed. More here.

Linus Torvalds Released Linux 3.0 RC

Ending the speculation as to whether the version number would be 2.8 or 3.0, Linus Torvalds has released the first release candidate of Linux 3.0. Despite the major bump in the version number, there are no big changes in Linux 3.0. Linus said that he does not want to break anything and that development will go ahead in the same manner as it has for Linux 2.6.x. Read more here.

Debian Wheezy, which is currently in development, has already decided to switch to Linux 3.0.

OpenPetra: Administer Your Organization With Open Source Advantage

Often non-profit organizations or small-scale businesses have to buy costly administrative software packages to run their organization. It is a heavy cost burden for such organizations with low budgets. Selected as the “Project of the Month” for May by SourceForge, OpenPetra is the outcome of an effort aimed at such organizations.

OM International, a Christian mission agency, wrote a software package called PETRA. Developed during the nineties, the package was used in 80 offices of the organization located worldwide. To take advantage of the open source community and to make the tool available to others who needed it, OM decided to move it to an open source development process, which motivated the existing developers and also increased the potential of the software. OpenPetra is the outcome of the newly adopted development process.


The OpenPetra project offers a free and easy to use administrative software package for non-profit organizations. It has multi-user, multi-site, multi-currency, multi-language support and much more. It has six modules integrated into it. The following is a brief description of the modules:

1. Partner Module: The main functions of this module are to manage subscriptions, contacts and bulk mailing.

2. Finance Module: This module maintains the general ledger, accounts payable, double-entry bookkeeping, budgeting and donation processing. It has support for almost all currencies.

3. Personnel Module: This module manages personnel information for both short-term and long-term employees and processes new job applications.

4. Conference Management: This module manages group assignments, accommodation allocation, arrangement of arrivals and departures, and attendance tracking.

5. Financial Development: This module manages project funding.

6. System Manager: This module is used by system administrator(s) to manage user accounts.

From 2004 to 2009, the code was developed on the .NET platform. In June 2009 OpenPetra was published under the GPLv3. Now OpenPetra has standard tools and open source databases for better development and implementation. OpenPetraSetup requires Windows XP (or later) or Linux, and uses about 24 MB of disk space. The backend must be a relational database management system; currently supported are PostgreSQL, MySQL and SQLite.

An important fact is that the software is modeled after an application that has been in use for an extended period of time in a sizable, global non-profit organization.

Though this promising project has areas of improvement, it has great potential for easing the administration of various kinds of organizations.

[via SourceForge Blog]

FOSS Friday – Fedora 15 Released, Linux Mint 11 Released And More

This week, we saw a lot of releases ranging from the release of Fedora 15 “Lovelock” to Puppy Linux Wary 5.1.2. Here are the main events that took place this week in the world of Free and Open Source Software.

Fedora 15 “Lovelock”

Six months after the release of Fedora 14, Fedora 15 “Lovelock” was released earlier this week. This is a very significant release not only for Fedora but for GNOME as well, because it is the first major Linux distribution with GNOME Shell as the default desktop. Although GNOME Shell is the most obvious change in Fedora 15, there are also a number of improvements under the hood, such as the adoption of systemd and a consistent network naming scheme. Read our coverage of the release for more details.

MeeGo to get Wayland this year

This is big news for both MeeGo and Wayland. The chief developer and creator of Wayland has announced that MeeGo might switch over to Wayland by October this year. Wayland is a replacement for the X display server which is more efficient and does not carry the baggage of X’s legacy support. Refer to this article for more details.

KDE SC 4.7 Beta was released for testing

KDE continues to develop the KDE platform at a very rapid pace. This week, they have released the first beta of KDE SC 4.7. The release has three important new features – improved offline search in Marble, GRUB2 integration in KDM and OpenGL-ES 2.0 support for KWin. The final release of KDE SC 4.7 is expected in June this year. Read this article for more details.

Linux 2.6.x series to end

Linus Torvalds has expressed his desire to end the current Linux 2.6.x series. The Linux 2.6.x series has been in development for more than seven years and has seen 39 releases to date. Torvalds said that the number has become too big and he is considering changing it to either 2.8 or 3.0. The suggestion to bump the version number to 3.x has been gaining good support, as it can also mark the third decade of Linux development. More here.

Linux Mint 11 “Katya” Released – No Unity or GNOME 3

Linux Mint 11, codenamed “Katya”, was released earlier this week. One of the main talking points of the release was not a new feature, but rather the lack of one: although Linux Mint is based on Ubuntu, Linux Mint 11 has been released with the classic GNOME desktop. Linux Mint 11 also comes with many improvements, such as a better software manager and update manager. Read more here.

Puppy Linux Wary 5.1.2 Released

Puppy Linux Wary is yet another Linux distribution that was released this week. Although it is not nearly as popular as Fedora or Linux Mint, Puppy Linux has its own dedicated followers. The release is based on Puppy Linux 5 and has better hardware detection and a new experimental non-root account. Read more here.

Real time strategy game, 0 A.D., reaches 5th Alpha

0 A.D. is a cross-platform real-time strategy game which has been in development for some time. A fifth alpha of the game has been released, with better lighting, a new map, a new faction and more. You can read more about it here. You can also read our previous article on 0 A.D. here.

Run Linux In Your Browser

Linux is often considered a geeky OS when compared to Windows and Mac OS X; however, over the past few years it has become much easier to use and now offers a desktop environment similar to Windows and Mac.

There are several popular Linux distros like Ubuntu, Fedora, JoliCloud, Linux Mint and more which are now widely used. If you want to try out Linux you can also dual-boot on your Windows machine (see Install Ubuntu in Windows). However, if you are someone who is afraid of installing additional software on your computer, you can now test out Linux from your web browser, albeit only the command prompt.

The Linux browser emulator was created thanks to a port of an emulator called QEMU to JavaScript.

QEMU is a generic and open source machine emulator and virtualizer.

When used as a machine emulator, QEMU can run OSes and programs made for one machine (e.g. an ARM board) on a different machine (e.g. your own PC). By using dynamic translation, it achieves very good performance.

When used as a virtualizer, QEMU achieves near native performances by executing the guest code directly on the host CPU. QEMU supports virtualization when executing under the Xen hypervisor or using the KVM kernel module in Linux. When using KVM, QEMU can virtualize x86, server and embedded PowerPC, and S390 guests.

The emulator has been written by Fabrice Bellard, a famous open source developer who has also developed several other popular projects in the past. The Linux PC emulator is written completely in JavaScript and runs a 2.6.20 Linux kernel. The emulated hardware consists of the following:

  • a 32-bit x86 compatible CPU
  • an 8259 Programmable Interrupt Controller
  • an 8254 Programmable Interval Timer
  • a 16450 UART.


Most modern browsers sport faster and smarter JavaScript engines. The Linux emulator for browsers goes to show how powerful JavaScript has become and what it can be used to do.

The developer has tested Linux in the browser in and 11. The beta version of Google Chrome is not yet supported. You can test out Linux in the browser by visiting http://bellard.org/jslinux/. Also visit this technical notes page for more information on the Linux emulator for the browser.

Google and 16 Other Companies Come Together to Form the WebM Community Cross-License Initiative

I have always advocated the use of royalty-free codecs (first Ogg Theora and then WebM) for the HTML5 <video> tag. The WebM movement has been slowly but surely gaining momentum since its inception. We have already seen almost all the major desktop browser vendors (Google, Opera Software, Mozilla and Microsoft*) adopt Google’s open source and royalty-free media format. Desktop media players like Winamp are beginning to embrace WebM. And, perhaps most crucially, chip makers like Intel are working to add WebM support at the hardware level.

One of the biggest challenges for WebM is the intellectual property issue. It’s no secret that the patent system is seriously messed up. Some of the patents granted to the members of MPEG LA, the consortium that owns the patent pool for H.264, are so broad and ambiguous that it’s almost impossible to develop a media codec without violating them. Nevertheless, Google has maintained that WebM doesn’t infringe any existing patents, and is a clean and reliable royalty-free alternative to H.264. A couple of months back, MPEG LA, the entity that stands to lose the most from the success of WebM, called upon its members to submit patents essential to the VP8 video codec specification, presumably in preparation for a patent infringement lawsuit.

With the threat of legal action looming, the companies involved in and interested in the growth of WebM have formed a cross-license initiative. It’s essentially a consortium that will share all patents related to WebM on a royalty-free basis. Google was already working closely with Xiph (maintainers of the Ogg audio format) and Matroska (maintainers of the Matroska video container). Additionally, the CCL includes the likes of AMD, LG, Mozilla, Opera Software, Samsung, and Texas Instruments. The hope is that with the backing of these corporations, WebM will be able to tackle any legal challenge that it might have to face in the future.

*Internet Explorer 9 can play WebM videos provided that the required codecs have already been installed.

Firefox 4 Officially Released, Crosses One Million Downloads Within Hours

After a dozen betas and two release candidates, Mozilla has finally released the public build of Firefox 4. It took nearly a year to arrive, but now that it’s here, expect it to break all records. With well over five thousand downloads per minute at the moment, Firefox seems well poised to go past the ten million mark. You can track Firefox 4 downloads in real time at glow.mozilla.org.

Although several planned features were dropped from Firefox 4 as it struggled to stay on schedule, Firefox 4 is a meaty update which boasts some pretty significant enhancements.

The user interface has been refined to give the website higher priority. Tabs are now on top (as they should be), and the menu bar has been replaced with a single “Firefox” button.

Firefox 4 is significantly faster than its predecessors, courtesy of the new JägerMonkey JavaScript engine, and should be able to hold its own against the likes of Opera 11, Chrome 10 and Internet Explorer 9. Also new to this build are hardware (GPU) acceleration and WebGL support. Unfortunately, hardware acceleration is currently not supported on Linux. WebGL compatibility means that Firefox is ready to meet the demands of the new generation of graphics-intensive web applications and games.

Other new features in Firefox 4 include a built-in synchronization option, “Panorama” tab organization, app tabs, multi-touch support, DNT (Do Not Track) header support, WebM video playback, crash protection for popular plug-ins (Flash, QuickTime, Silverlight etc.), an HTML5 parser, and OpenType font support. The full changelog for Firefox 4 is available here.


Firefox 4 for Windows, Mac and Linux is available in more than seventy languages from firefox.com.

Google Gets Aggressive About WebM, Decides to Drop H.264 Support from Chrome

Google has announced that it will be dropping support for H.264 in future versions of Chrome and will instead focus on high quality open codecs. Although Google’s announcement is surprising, it’s not completely unexpected. Last year, Google spent a fair amount of cash to acquire On2, the startup behind VP8. Later, Google unveiled its own open source codec called WebM, based on On2’s VP8. Now that WebM has begun to see increasing hardware support, as well as improvements in performance, Google obviously feels that the time is right to put its foot down.

The core issue with H.264 has been that it is proprietary. Last year, MPEG LA made H.264 royalty-free forever for free web broadcasts, in an attempt to counter WebM. However, even that move was deemed insufficient, since it didn’t cover applications that encode and decode video, or commercial broadcasts. It also didn’t alleviate the threat that some other patent-holding body might come calling.

Chrome will now join Opera and Firefox as browsers supporting only open video codecs, i.e. Theora and WebM. Microsoft had earlier announced that it will be supporting both H.264 and WebM in Internet Explorer 9, provided that the codec for the latter is installed on the system. Apple, which has been pushing for HTML5 <video> as an alternative to Flash, has been a steadfast supporter of H.264. It will probably continue to do so for the foreseeable future as hardware decoding support (which is crucial for portable devices like the iPod and the iPhone) for WebM is still fairly limited.

Although Google’s decision to drop H.264 support from Chrome represents a major setback for H.264, don’t expect it to disappear immediately. Apple’s dominance of the mobile device segment, and the lack of WebM support in tablets and phones, is something Google will have to contend with.