Stanley Tan

Heartbleed


This is an apocalypse. The world is on fire. The sky is falling. Everything you hold sacred has now turned to dust.

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.


Earlier today, a bunch of security researchers unleashed CVE-2014-0160 (codename: Heartbleed) into the world. It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). It powers about 66% of internet-connected devices. I can guarantee that everyone who uses the internet would use it at some point in their day-to-day activities.

What’s frightening is that this bug has been around for more than 2 years. It is extremely likely that it has been exploited by multiple intelligence agencies and blackhats. Exploitation of this bug also leaves no traces of anything abnormal happening in the logs.

Note that both servers and clients are affected. This means that a malicious server could dump the secrets in your client’s memory without you knowing.

In short, the vulnerability disclosed allows an attacker to read the memory of the affected system. Memory is where an attacker would find passwords and private keys as well as other decrypted and sensitive information.

Don’t understand the severity of this problem? Imagine walking up to any stranger and saying “Hey, how’s it going?”. Immediately, they will share with you whatever was on their mind at that point in time. It could well be a private thought, a secret they do not want anyone else to know about. You could keep asking as many times as you wanted and the stranger would tell you new things each time. On top of that, the stranger would not have a clue that it was occurring.
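As an added illustration (not code from this post, and not OpenSSL's own source), here is a simplified model of the TLS heartbeat handling behind the bug: the responder echoes back as many bytes as the request *claims* its payload is, without checking that claim against the number of bytes actually received, so the reply carries whatever sat in memory after the record. A `bytearray` stands in for process memory; the record layout, the secret string and the function names are assumptions made for this example. The corrected version shows the missing check: the claimed length must fit inside the record that really arrived, otherwise the message is dropped.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3  # 1 byte type + 2 byte payload length


def build_memory(request: bytes, neighbouring_data: bytes) -> bytearray:
    """Constructed model of process memory: the received heartbeat record sits
    at offset 0 and whatever else the process held in memory follows it."""
    return bytearray(request) + bytearray(neighbouring_data)


def encode_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat message: type (1 byte), payload length (2 bytes), payload.
    The length field is supplied by the caller so a mismatch can be modelled."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload


def respond_unchecked(memory: bytearray, record_length: int) -> bytes:
    """The flawed logic: trust the length field and copy that many bytes from
    the start of the payload, regardless of how long the record really is."""
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    # When `claimed` exceeds the real payload this runs past the record into
    # neighbouring data, which is exactly the disclosure.
    echoed = bytes(memory[HEADER_LEN:HEADER_LEN + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def respond_checked(memory: bytearray, record_length: int) -> Optional[bytes]:
    """The corrected logic: the claimed payload must fit inside the record that
    was actually received; otherwise the message is silently discarded."""
    if record_length < HEADER_LEN:
        return None
    msg_type, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + claimed > record_length:
        return None  # the bounds check that was missing
    echoed = bytes(memory[HEADER_LEN:HEADER_LEN + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def leaked_bytes(response: bytes, record_length: int) -> bytes:
    """Bytes of a response that came from beyond the record actually received."""
    payload = response[HEADER_LEN:]
    real_payload_len = record_length - HEADER_LEN
    return payload[real_payload_len:]


def demo() -> dict:
    """Run both handlers over a record that claims 40 payload bytes but carries 2."""
    secret = b"session-cookie=CONSTRUCTED_SECRET"  # constructed neighbouring data
    request = encode_heartbeat(b"hi", claimed_length=40)
    memory = build_memory(request, secret)
    record_length = len(request)  # what the transport actually delivered: 5 bytes
    return {
        "leaked": leaked_bytes(respond_unchecked(memory, record_length), record_length),
        "checked_response": respond_checked(memory, record_length),
    }


if __name__ == "__main__":
    result = demo()
    print("unchecked handler leaked:", result["leaked"])
    print("checked handler replied:", result["checked_response"])
```

Nothing in the unchecked path is an error from the program's point of view, which is why the post is right that exploitation leaves no trace in the logs: a malformed-length heartbeat looks like any other heartbeat to the code that handled it.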

As an end user, there’s not much you can do, except turn the internet off and go for a walk until the bug is patched. Do not use any web services that are vulnerable, as they may leak your username and password, or worse, credit card information. More importantly, do not visit sites that you do not trust.

Change your passwords and API keys only after web services fix the issues. Prematurely changing them could be riskier than leaving them unchanged, since the information used most recently is what gets leaked. For example, private keys are leaked on the first request after a restart.

If you own a server that runs OpenSSL, here’s a list of things you should do.

  1. Update OpenSSL. Your distribution most likely would have patched and tested the package.
  2. Recompile everything that is linked to the old version of OpenSSL. Packages such as Nginx and Ruby link against it, so you’ll have to recompile them.
  3. Reboot the server. Ensure everything is running on the patched version.
  4. Generate a new private key, Certificate Signing Request (CSR) and get a new certificate. Consider your old keys compromised and revoke them. Get a brand new set.
  5. Change any passwords you use on the servers. Passwords are kept in memory and could have been leaked.
  6. Generate and switch to a new secret if you’re using cookie based sessions in Sinatra or other web frameworks. Expire all active user sessions.
  7. Get your users to change their passwords. Passwords should be considered compromised as the server leaks memory and past traffic can be decrypted.
  8. Check your SSL configurations. Don’t support older protocols and broken SSL ciphers. Enable Perfect Forward Secrecy (PFS) and HTTP Strict Transport Security (HSTS). You can also choose to cache SSL sessions for improved performance.
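An added helper for steps 1 to 3 of the list above (it is not the post’s own code): a small Python script that classifies an `openssl version` banner against the affected upstream range published with the advisory (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the first fixed release) and scans `/proc/<pid>/maps` text for processes still holding a deleted libssl copy, which is the sign that a service was not restarted after the upgrade. The version rule, the function names and the sample maps lines are assumptions made for this example. Distribution packages that backport the fix keep the old upstream number, so a “affected” answer is a prompt to read the package changelog, not a verdict.

```python
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the affected list is 1.0.1 .. 1.0.1f and
# 1.0.2-beta1. The 0.9.8 and 1.0.0 branches never shipped the heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[str]]]:
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', None)."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, beta)


def is_affected_version(banner: str) -> Optional[bool]:
    """True if the banner names an affected upstream release, False if not,
    None if it could not be parsed. Backported distro fixes are invisible here."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # '' (plain 1.0.1) through 'f'
    if (major, minor, patch) == (1, 0, 2):
        return beta == "beta1"
    return False


def processes_holding_deleted_libssl(maps_by_pid: Dict[int, str]) -> List[int]:
    """Given {pid: contents of /proc/<pid>/maps}, return the pids that still map
    a libssl file marked '(deleted)': the package upgrade replaced the library
    on disk but the process is still running the old copy."""
    hits = []
    for pid, maps_text in maps_by_pid.items():
        for line in maps_text.splitlines():
            if "libssl" in line and line.rstrip().endswith("(deleted)"):
                hits.append(pid)
                break
    return sorted(hits)


def read_live_maps() -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every readable process (Linux only;
    run as root to see other users' processes)."""
    result: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                result[int(entry)] = fh.read()
        except OSError:
            continue
    return result


# Constructed sample: pid 1234 was restarted and maps the new library,
# pid 2345 still holds the pre-upgrade copy.
SAMPLE_MAPS = {
    1234: "7f3a1c000000-7f3a1c060000 r-xp 00000000 08:01 131090 "
          "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n",
    2345: "7f3b2d000000-7f3b2d060000 r-xp 00000000 08:01 131071 "
          "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n",
}


if __name__ == "__main__":
    banner = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    print("banner:", banner.strip(), "-> affected upstream release:", is_affected_version(banner))
    stale = processes_holding_deleted_libssl(read_live_maps())
    print("processes still using a deleted libssl:", stale or "none")
```

Anything the second check reports needs a restart (step 3) even if the first check is already happy; a patched library on disk does nothing for a daemon that loaded the old one before the upgrade.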

Some PoCs have since been released.

Getting Serious


I wish I had known this when I was much younger, and now I try to tell it to almost everyone I know who is younger than me. Even if I know they won’t get it and continue doing what they used to.

Young people, like you, especially these days, do not do much. They do their school work to get by in school and not much more. They spend their free time on social networks, partying, shopping, watching TV and playing computer games. Young people think that they should act or behave a certain way. They know that they aren’t adults. As such, they think that there is a dotted line that they can’t cross. However, the fact is that this dotted line doesn’t exist. Anyone can behave like an “adult” at any point in their lives. After a while, people do realise it. Unfortunately, most of the time, it is just a bit too late.

A manifestation of this behaviour is the keenness on life after graduation. People think that after they graduate, they are able to cross the non-existent line and finally start behaving like adults. Except, that doesn’t happen. It’s not difficult to observe that when people graduate, most of them have no idea what to do. They just limp along towards adulthood, getting jobs they don’t like with no concrete plans. Some even yearn to go back to school. The earlier you find out that you are not bound by any sort of constraints, the earlier you’ll be able to grow.

Since most young people don’t do anything, any sort of achievement will put you under the spotlight. Get serious and spend a couple of hours a day on creating something, anything. Start a business, learn to play the piano, write a book, build a web application, anything impressive. The thing you end up with is almost immaterial. What matters is the process. By trying to do something challenging and deciding to be serious about it, you will learn a lot about resilience and drive. I would argue that these are the two important skills any self-reliant person should exhibit, among others. And when you get good at it, you’ll be more confident and start realising that you can do anything.

If you are serious about something and start talking to others about it, no one will say “Oh but you are just a kid, you are not allowed to do this.”. Quite the contrary, you’ll impress them as no one that young is that serious about anything. And you can’t fake this stuff. They will know because if you are actually serious, they can see it in your eyes and hear it in your voice.

Getting good at something also negates the power of certification. You will realise that any sort of certification is not representative of how good a person is at a particular skill. Certificates in some cases represent knowledge. Yet most of the time, it only represents test taking ability.

I’m not saying that you should be serious about everything and not have fun. Going out with friends is also important as it lets you bond with them and create memories that you can look back on. Additionally, having fun when young is an entitlement. It stops you from feeling like you never had a childhood. Everyone else is having lots of fun and not being serious. Give yourself an advantage: spend a couple of hours a day being serious, and spend the rest of the day having fun.


The photograph is of a beautiful duck in Dunedin, New Zealand. I managed to get extremely close to it for the shot. It was at a pond near a public duck feeding area.

Asyndicate

We have something in common. We both have something we’d like to do and we think about it all the time. Instead of doing what needs to be done, we procrastinate by reading blogs, books and talking to people. Doing everything except what we are supposed to.

We also believe that our greatest breakthroughs and innovations resulted from conversations with other like-minded people. Imagine that you could have these conversations at anytime as well as get a peer advisory board, a brainstorming group, a personal accelerator and incubator all rolled into one.


Introducing Asyndicate (No, that’s not a typo, it is one word).

It is a community of people that do not want to get stuck working a job they don’t like. A place where it’s okay to do things differently, to take the road less travelled. In fact, we would encourage each other to do so, and set an example to inspire others. The fastest way to do things you think can’t be done is to surround yourself with people already doing them.

“You are the average of the five people you spend the most time with.”

― Jim Rohn

You can choose to be around the people that tell you that it can’t be done, and tell you that you’re stupid for trying. Or surround yourself with the people that inspire possibility.

Each week, you’ll be requested to submit and update the group on your progress. This will include, what you’ve achieved since the last week, what you intend on achieving the next and the things you need help on. It’s very likely that someone else has got through what you’re going through now. If not, wouldn’t it be great to talk about it and share your journey?

Outside of the weekly updates, we can talk about anything and everything under the sun. We share stories of things that worked, and things that didn’t. We also share resources that we believe the others will appreciate knowing about.

Every member brings a fresh perspective as well as their own unique experiences. By keeping each other accountable, we would be more likely to get things done; you sure as hell wouldn’t want to let the team down.

If you’re interested, head over to the landing page and sign up. Oh, and if you know someone who would love to be involved in something like this, please share it with them. If you don’t want to join Asyndicate, that’s totally fine by me, why not start your own?


If you’re curious about what other people say about a mastermind group, or wonder what else it can do for you, here are some links.

I started Asyndicate as I had trouble finding such a group that I could join. Never did I realise that there was a term for such an organisation, a mastermind group. And they say that it is almost impossible to chance upon the best mastermind group, so I decided to make my own.