Episode 2208 – The Bleedin’ Internet’s Broken

Michael Wolf is on the show helping Tom deal with the post-Heartbleed vulnerability trauma we are all feeling today. Plus he’s got some good news for folks in the wearables industry. As a bonus, Steve Gibson helps us understand what we should do about Heartbleed.




Headlines

 * The entire Internet has been reporting on the Heartbleed vulnerability in SSL/TLS today. Heartbleed is a bug in the OpenSSL cryptographic library version 1.0.1 that has been in the wild since 14 March 2012. The bug would allow an attacker to recover up to 64 kilobytes of memory from the server or client computer, repeatedly. OpenSSL has issued a patch, which is OpenSSL 1.0.1g. The nasty part of the bug is it could not only allow an attacker to get things like passwords in memory if they’re lucky, but also recover primary and secondary SSL keys, which means the bad guys could impersonate the good guys and you’d never be able to tell. Many sites do not use OpenSSL and are unaffected. Apple, Google and Microsoft appear to be unaffected, along with the major e-banking services. Before you log into a sensitive service, check filippo.io/Heartbleed/ to see if the site has updated to OpenSSL 1.0.1g, although beware some false negatives have been reported. But if it says it’s updated, it is. Then you should also check to make sure any previously vulnerable site has updated its SSL certificate, which you can do at https://sslcheck.globalsign.com/, or do several of these tests at https://www.ssllabs.com/


 * The Verge reports Twitter profile pages are showing up with a fundamental redesign. The Twitter blog announced the change Tuesday morning saying the changes will be rolled out to select users first then globally over the next few weeks. Main changes include user and friend photos in a tile layout on the lower left, size adjustment to posts based on how popular they are and the ability to pin a tweet to the top of the page.


 * If you plunked down for a 4K TV, you finally have something to watch. CNET reports Netflix confirmed it has begun streaming 4K versions of its original series House of Cards as well as a few nature documentaries. Not working on your 4K TV? That’s because it has to be a TV with the built-in H.265/HEVC codec, which is pretty much on TVs shipping now. Sorry. Oh unless you have the Samsung UNF9000 which is upgradable.


 * XP says goodbye, and 8.1 update says hello. OK XP users, this is it. The final four security updates for Windows XP and Office 2003 for Windows XP were released today. Download. Install. Enjoy. You’re on your own now. Godspeed. On the other end of the scale, Windows 8.1 Update aka 8.1 (1) or the new 8.1 or whatever arrived today.


 * Recode reports Comcast made their 180-page case for why the government should allow them to merge with Time Warner Cable and grab 30% of the US cable market. There’s a lot in those pages about video competition, citing Apple, Microsoft, even Facebook as big competitors to little ol’ Comcast. They don’t point out so clearly that those services all have to run over pipes which would become dominated by Comcast. They also didn’t mention they beat Monsanto in the Consumerist’s Worst Company in America poll. This is only the beginning of the review. Tomorrow, a Senate panel will examine the deal. Justice Department officials are starting to evaluate any competitive threats and the FCC plans to focus on whether it’s in the public interest.


 * Like Microsoft Office on your iPad? Thank Steve Ballmer. During a Reddit Ask Me Anything session, the Office for iPad and Mac team revealed “the decision to ship Office for iPad was made before Satya Nadella became CEO.”


 * I bet Stephen Elop is relieved. China’s regulators have approved the acquisition of Nokia’s handset division by Microsoft, taking away the last significant hurdle to the deal being completed. With US and EU approval already complete, Nokia feels confident the deal can still close in April.

News From You

 * Draconos posted the story from Gizmodo about scientists at the University of Louisville’s Kentucky Spinal Cord Injury Research Center fitting four wheelchair-bound men with an array of electrodes in the lumbosacral region of the spinal cord. The implant restores what in healthy people would be the resting potential of the spinal cord, the baseline electrical activity that keeps the cord alert. All four patients can move their legs and toes, and some can even lift up to 100 kilograms with their legs. The research is published in Brain.


 * metalfreak pointed out the PC World story that the European Court of Justice ruled Tuesday that laws requiring communications providers to retain metadata are invalid because they seriously interfere with fundamental privacy rights. The current EU Data Retention Directive requires telecommunications and Internet providers to retain traffic and location data as well as related data necessary to identify the subscriber or user. The court acknowledged the value of the data in fighting crime but identified several ways in which the law exceeded the limits of proportionality. In other words, it went farther than it needed to. The CJEU’s ruling is binding for national courts, who have to dispose of cases in accordance with the Court’s decision.


 * And tsukiri posted the NBC News story about the US Navy planning sea trials for an electromagnetic railgun that can fire a low-cost, 10-kg projectile at seven times the speed of sound. Yeah rail guns. Like in your video game, except real. In related news the Navy says it’s making final adjustments on a new prototype of a Laser Weapons System — dubbed LaWS — that will be deployed into the real world in late summer. So yeah. Electromagnetic railguns and lasers. At sea.

Heartbleed Heartburn

 * http://heartbleed.com/
 * http://www.kb.cert.org/vuls/id/720951
 * https://www.grc.com/sn/sn-450-notes.pdf
 * http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
 * http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
 * http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/
 * https://www.openssl.org/news/secadv_20140407.txt
 * http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet
 * http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
 * http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
 * http://ssllabs.com/
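
The two checks from the Heartbleed headline (is the server off the affected 1.0.1 releases, and has a previously vulnerable site replaced its certificate) can be scripted for an inventory of your own hosts. This is an added example, not code from the show or from OpenSSL; the function names, record fields and sample hosts are assumptions made up for illustration.

```python
import re
import ssl
from datetime import datetime, timezone

# OpenSSL's advisory for the bug is dated 7 April 2014 (secadv_20140407).
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc).timestamp()

def openssl_affected(banner):
    """True if an `openssl version` banner names 1.0.1 through 1.0.1f."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    # Only the 1.0.1 line is covered here; 1.0.1g is the patched release.
    # Distro packages may backport the fix without changing the letter,
    # so treat True as "check the vendor advisory", not as proof.
    return m.group(1) == "1.0.1" and m.group(2) < "g"

def cert_reissued(not_before):
    """True if the certificate's notBefore falls after the disclosure date.
    Heuristic only: a reissued certificate can carry an older notBefore."""
    return ssl.cert_time_to_seconds(not_before) > DISCLOSED

def triage(site):
    """Apply the two checks in order: patched first, then new certificate."""
    if openssl_affected(site["banner"]):
        return "unpatched: do not log in yet"
    if site["was_vulnerable"] and not cert_reissued(site["not_before"]):
        return "patched, old certificate: key may still be compromised"
    return "ok to log in"

# Constructed sample inventory (hostnames, banners and dates are made up).
SITES = [
    {"host": "a.example", "banner": "OpenSSL 1.0.1e 11 Feb 2013",
     "was_vulnerable": True, "not_before": "Jan 15 00:00:00 2013 GMT"},
    {"host": "b.example", "banner": "OpenSSL 1.0.1g 7 Apr 2014",
     "was_vulnerable": True, "not_before": "Jan 15 00:00:00 2013 GMT"},
    {"host": "c.example", "banner": "OpenSSL 1.0.1g 7 Apr 2014",
     "was_vulnerable": True, "not_before": "Apr  9 00:00:00 2014 GMT"},
    {"host": "d.example", "banner": "OpenSSL 0.9.8y 5 Feb 2013",
     "was_vulnerable": False, "not_before": "Jan 15 00:00:00 2013 GMT"},
]

if __name__ == "__main__":
    for site in SITES:
        print(site["host"], "->", triage(site))
```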

Wearables

 * http://www.forbes.com/sites/michaelwolf/2014/04/03/heres-whats-wrong-with-the-guardian-article-on-wearables/
 * http://www.theguardian.com/technology/2014/apr/01/wearables-consumers-abandoning-devices-galaxy-gear

Pick of the Day

 * Lastpass.com - because of this blog post.