FacebookTwitterGoogle+RedditEmail

The Internet is Alive and Well!

by

Some are calling it a “worst nightmare”. There have been dire predictions that it represents the end of the Internet or that there is, in fact, no real Internet security or that Free and Open Source Software is dangerous to use.

One thing is sure. The week-old saga of the Heart Bleed flaw (or bug) [1] and its potential exploits has shown more light on the Internet and its security issues than anything else in recent memory.

Like so much coverage of these security issues, however, this outcry is misdirected. In reality, the flaw gives us an excellent example of how the Internet works when it’s at its best. How Free and Open Source software is developed, how prominent and important it is, how well its development system works and why security is, in fact, simple and possible.

It also shows how our government doesn’t care about our security: ignoring major threats to the Internet and then apparently exploiting them to spy on us — for as much as two years.

These are valuable lessons demanding that we understand what really happened.

The Heart Bleed flaw affects servers — the machines that operate your Internet services: store websites, serve email and do whatever you need the Internet to do. It won’t directly expose the storage or memory of your personal or home computer.

It is a flaw in the code of a library of programs called “openssl”, the most popular programs for Internet encryption and security. Openssl works on most on-line credit card transactions, encrypted email, encrypted chat — anything you do on-line securely. That ubiquity affects us all because we all, at one time or another, communicate with a server using openssl and many of us do that very often.

The flaw affects the RAM (random access memory) [2] of a server. RAM is not disk storage. It doesn’t hold all your data or all the data on a server. It’s a part of a computer (most often on a circuit chip) that keeps a short-term record of what you just did so you can read what you just wrote or benefit from your interaction with a program you just interacted with. This isn’t easy to understand because we’re all used to viewing our computers as high-tech typewriters. But when you type a stroke into the computer, it doesn’t automatically appear on your screen. It goes through the computer’s processor and then into RAM so that the computer can then copy it from the RAM onto your screen.

RAM is lightning fast — much faster than storage devices — so it responds immediately. To be that fast, it must be relatively small and so information on it disappears quickly. If you’re doing a lot on a computer, it often over-writes itself. In any case, it doesn’t store anything permanently.

If you type something into an on-line environment (like a website form) that is supposed to be secure, openssl encrypts it and then sends it to RAM. For instance, when the server is checking your username and password to let you into a particular section of a site, it holds what you type in RAM while making its check.

That’s where Heart Bleed comes in.

When your web browser (or any computer program for that matter) contacts a server, it exchanges an initial “are you there?” signal called a “heartbeat” (that’s where the exploit’s name comes from). The flaw in the openssl code allowed a savvy user to send a request to the RAM of a server using openssl and fool the server into not only acknowledging the request but handing over a portion of its RAM. Now the exploiter has data that could include username/password combos that were just typed in or credit card information that was in the process of being verified as well as all kinds of other information.

This affects the operations of most of the world’s websites since security is so generalized on the Internet. What’s more, it directly affects sensitive information (like encrypted messages and credit card information) because that’s the kind of information we use openssl to protect.

It is a frightening and humbling development. If it had been discovered by hackers world-wide and then used heavily, this would have been a disaster.

But at this point there is no evidence that Heart Bleed was that kind of disaster. There is no significant evidence that it was universally exploited or even discovered by many hackers. Certainly, there are steps we must all take to secure our information but, at this point, it seems a major disaster has been avoided.

How did it happen? The analysis is ongoing but it’s clear that one of the hundreds of developers who work on openssl made a mistake and it was the kind of mistake that wasn’t easy to catch. While that seems like an exposed weakness, the entire episode ironically demonstrates how strong the Internet is, how important FOSS remains and how it differs from commercial or proprietary software.

The extensive nature of the program shows openssl’s strengths. The library is used on millions of servers around the world, certainly most Internet web and email servers. It is used on many programs — both FOSS and proprietary (since the library can be used by any software developer who wants it). It has such a large base of users because it’s free, because its code can be audited, because it works well and because its large community of developers (almost all volunteer) respond to these problems so quickly and effectively. If they didn’t, the program would never be as popular as it is.

The people who work on openssl have a public log (a viewable record) of exactly who submitted the faulty software, who approved the submission and when it was released. When the analysis is complete, we will know how it happened and can evaluate the response.

But it’s already clear that the response was remarkable. When the flaw was discovered, the developers issued a public warning, announced patches (that fix the bug) and a new version of openssl (that doesn’t have it) and then gave the world instructions about what to do (including changing passwords). They did this in countless languages world-wide within two days.

In comparison, the proprietary Apple software recently had a major security flaw, known as the “GOTO Fail” bug which was around for as long as Heart Bleed (according to Apple). But we know very little about it. We have no history, do not know who made the mistake and whether it was intentional and we have no idea what the company has done to fix it. We don’t really know if we’re now safe from that security flaw. We simply have to trust Apple to be honest about all that because it will never let us see its logs.

In another case, companies sometimes introduce flaws as part of a government assignment. There is evidence that the security firm RSA was paid millions of dollars by the NSA [3] to actually introduce a vulnerability in their security software. That was in place for 10 years. And that issue — government involvement — is one most media have steered clear of in the Heart Bleed controversy…until Bloomberg spilled the beans.

According to the Bloomberg News Service [4], the NSA knew about the exploit and was using it for at least two years. It was one of their methods of gathering data from citizens: spying on the people they are supposed to be serving.

While it’s not clear how the NSA discovered the flaw, finding flaws is a routine part of the Agency’s work. “The NSA and other elite intelligence agencies devote millions of dollars to hunt for common software flaws that are critical to stealing data from secure computers,” the Bloomberg article explains. “Open-source protocols like OpenSSL, where the flaw was found, are primary targets.”

The NSA has denied the reports but its disproven denials have been so frequent that they appear to be part of the agency’s playbook.

The pundits commenting on this story all seem to ask the same question: is it really that wrong for a spy agency like NSA to use faulty and dangerous code to get information? The assumption is that this is some kind of spy trade-craft. The mistake was made by programmers, after all, so why not take advantage of it?

But the controversy raises a critical question: Just who is the NSA protecting?

The Internet is the most popular form of human communication world-wide. It was built and developed so that people could communicate. It wasn’t built so the government could steal our personal data. Governments are supposed to take care of us. In fact, ours charges us huge amounts of money through taxes to pay for a system dedicated to protecting what they call “national security”.

So the question: Is security served when the NSA learns of a security bug that could be a disaster for most Americans and then not only keeps it secret from us but uses it to spy on us? In fact, the criminals who most aggressively exploited Heart Bleed seem to be the ones in the government and that is yet another reason to close off the exploit and protect yourself.

To wit…

Contact your provider (where you have your email or your website) and ask them whether they have upgraded openssl to the latest version. That closes off the vulnerability; Heart Bleed doesn’t work on the latest openssl version. So the only acceptable answer is “yes”. If they haven’t, you are still vulnerable and you should find another provider immediately. If they refuse to tell you, they are hiding something and you should leave.

While there’s no evidence this has been exploited heavily in the past, there is absolute certainty it will be exploited now because everyone knows about it. So identify theft hackers, who are among the most opportunistic of criminals, are going to rush to find servers that still have the vulnerability. Since that list is shrinking rapidly, if your server is on it, hackers will hit it. Do not stay with a tardy provider and force them to answer that question.

After you’re sure they have upgraded, change your password. You’re protected from the flaw from now on but if someone got your password in the past, they can use it until you’ve changed the password. Obviously, this is useless until they upgrade but it’s necessary once they have.

For the next two or three months, be especially vigilant for bad card or bank charges and other evidence of identify theft. You probably won’t see any but, if you’ve been compromised, it will show up in the next quarter of a year or so.

Most of all, continue to support and use Free and Open Source Software including openssl. Stories of Internet security’s death are exaggerated.

Finally, as a country and a people, let’s move to shut down the NSA’s illegal Internet spying programs. The NSA is a criminal enterprise. It does nothing for us and everything against us.

Note: Jamie McClelland of May First/People Link [5] contributed substantially to the analysis in this article.

Alfredo Lopez writes about technology issues for This Can’t Be Happening!

Alfredo Lopez writes about technology issues for This Can’t Be Happening!

More articles by:

CounterPunch Magazine

minimag-edit

bernie-the-sandernistas-cover-344x550

zen economics

February 27, 2017
Anthony DiMaggio
Media Ban! Making Sense of the War Between Trump and the Press
Dave Lindorff
Resume Inflation at the NSC: Lt. General McMaster’s Silver Star Was Essentially Earned for Target Practice
Conn Hallinan
Is Trump Moderating US Foreign Policy? Hardly
Norman Pollack
Political Castration of State: Militarization of Government
Kenneth Surin
Inside Dharavi, a Mumbai Slum
Lawrence Davidson
Truth vs. Trump
Binoy Kampmark
The Extradition Saga of Kim Dotcom
Robert Fisk
Why a Victory Over ISIS in Mosul Might Spell Defeat in Deir Ezzor
David Swanson
Open Guantanamo!
Ted Rall
The Republicans May Impeach Trump
Lawrence Wittner
Why Should Trump―or Anyone―Be Able to Launch a Nuclear War?
Andrew Stewart
Down with Obamacare, Up with Single Payer!
Colin Todhunter
Message to John Beddington and the Oxford Martin Commission
David Macaray
UFOs: The Myth That Won’t Die?
Weekend Edition
February 24, 2017
Friday - Sunday
Jeffrey St. Clair
Roaming Charges: Exxon’s End Game Theory
Pierre M. Sprey - Franklin “Chuck” Spinney
Sleepwalking Into a Nuclear Arms Race with Russia
Paul Street
Liberal Hypocrisy, “Late-Shaming,” and Russia-Blaming in the Age of Trump
Ajamu Baraka
Malcolm X and Human Rights in the Time of Trumpism: Transcending the Master’s Tools
John Laforge
Did Obama Pave the Way for More Torture?
Mike Whitney
McMaster Takes Charge: Trump Relinquishes Control of Foreign Policy 
Patrick Cockburn
The Coming Decline of US and UK Power
Louisa Willcox
The Endangered Species Act: a Critical Safety Net Now Threatened by Congress and Trump
Vijay Prashad
A Foreign Policy of Cruel Populism
John Chuckman
Israel’s Terrible Problem: Two States or One?
Matthew Stevenson
The Parallax View of Donald Trump
Norman Pollack
Drumbeat of Fascism: Find, Arrest, Deport
Stan Cox
Can the Climate Survive Electoral Democracy? Maybe. Can It Survive Capitalism? No.
Ramzy Baroud
The Trump-Netanyahu Circus: Now, No One Can Save Israel from Itself
Edward Hunt
The United States of Permanent War
David Morgan
Trump and the Left: a Case of Mass Hysteria?
Pete Dolack
The Bait and Switch of Public-Private Partnerships
Mike Miller
What Kind of Movement Moment Are We In? 
Elliot Sperber
Why Resistance is Insufficient
Brian Cloughley
What are You Going to Do About Afghanistan, President Trump?
Binoy Kampmark
Warring in the Oncology Ward
Yves Engler
Remembering the Coup in Ghana
Jeremy Brecher
“Climate Kids” v. Trump: Trial of the Century Pits Trump Climate Denialism Against Right to a Climate System Capable of Sustaining Human Life”
Jonathan Taylor
Hate Trump? You Should Have Voted for Ron Paul
Franklin Lamb
Another Small Step for Syrian Refugee Children in Beirut’s “Aleppo Park”
Ron Jacobs
The Realist: Irreverence Was Their Only Sacred Cow
Andre Vltchek
Lock up England in Jail or an Insane Asylum!
Rev. William Alberts
Grandiose Marketing of Spirituality
Paul DeRienzo
Three Years Since the Kitty Litter Disaster at Waste Isolation Pilot Plant
Eric Sommer
Organize Workers Immigrant Defense Committees!
Steve Cooper
A Progressive Agenda
FacebookTwitterGoogle+RedditEmail