Sonic Sounds

The musings of Audio Engineer, Victor Frost.

Security flatlines with Heartbleed

Whether we like it or not, we put a lot of trust and faith into the systems that carry our personal information. Our phones, our computers, and the ever-evolving “cloud” are our repositories for the information we don’t want to memorize (phone numbers, calendar events, street directions, etc.).

And they have become a place to look up information we wouldn’t normally need (the atomic mass of ytterbium), and information we didn’t even know existed (like news).

Some of this information is private or, even if it isn’t, is guarded by security measures that restrict access to our personal spaces in these services. So, in today’s highly integrated society, knowing that access to those spaces is secure is a comfort we mostly take for granted.

We trust that the level of control we’re given will be enforced and maintained because we believe in an authentication model that has been in place for centuries. Passwords, which have been used as far back as ancient Rome, are based on the simple idea of restricting access to a resource so that only people who are allowed are able to use it. It was, literally, a word that let you pass through a barrier to entry. When the information age came around, we simply created a version of it in the digital world.

But, every now and again, we are reminded of the weakness built into the very foundation of that model. A password is nothing more than a piece of information, and anyone with that token of knowledge has all of the privilege that goes with it.

With the recent outbreak of Heartbleed, we need to change our system of authentication. Currently, passwords are the most common form of authentication. While the idea is clever in itself, the technology built on top of it has advanced well past what a single memorized word can protect.

Last week, companies and users around the world got a wake-up call when a vulnerability was discovered in one of the most popular implementations of the technology that lets all of us use services like online banking, email, and online shopping with little fear for our privacy.

OpenSSL, an open-source implementation of SSL/TLS, the encryption standard your computer uses to create secure connections with services like Gmail and Amazon.com, was found to have a bug in one of its simplest features: the “heartbeat” that keeps a connection alive. For a better understanding of how this bug works, let’s walk through it step by step.

1. You tell your browser, “I’d like to connect to Gmail, please.” It says “okay” and hurries along to do your bidding, oh master.

2. It gets to Gmail’s servers, where it is told, “Listen, let’s communicate securely.” Your browser happily agrees and begins an encrypted connection using SSL. On Google’s end, OpenSSL handles the connection, holding any data you ask for in the server’s memory before sending it to you. This could be emails, images of cats, etc.

3. While you’re looking at the emailed images of cats, your browser and Gmail want to keep the connection open rather than set up a new one for every request. Things are just faster this way. To do that, they periodically poke each other with messages like “Hey, Gmail. Are you still there? If so, say this four letter word: cats.”

4. Knowing that your browser is trying to keep the connection open, Gmail reads the message, counts out the four letters, and sends back “cats”.

This exchange is called the “heartbeat” because, just as your heartbeat tells doctors you’re alive, it tells each side that the other is still there. If you are nefarious, though, a little technical trickery gets you more information than you ought to have. Let’s jump back to step three.

3. Instead of sending a heartbeat message that makes sense, you send this: “Hey, Gmail. Are you still there? If so, say this 500 letter word: cats.”

4. Gmail reads the message, counts the four letters in “cats”… and then keeps counting. It reads whatever happens to sit next to “cats” in its memory until it hits the 500th character, and sends you all of it. So, instead of receiving “cats”, you might receive “cats. Bob logged in with the password ‘truffles’. Bob wants to send this email: ‘Dear mom, thanks for all the cookies. Unfortunately, all of my roommates ate them…’” and so on. The server never checks that the length you claimed matches the four letters you actually sent; that one missing check is the whole bug.
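Here is the walk-through above as code. This is an added example, not OpenSSL’s source: the message layout (a one-byte type, a two-byte length, the payload, and at least 16 bytes of padding) follows the TLS heartbeat extension, the missing check mirrors the one OpenSSL 1.0.1g added, and the “server memory” is a constructed array with a made-up secret placed right behind the incoming message. Because the length field is two bytes, a real request can claim up to 65,535 bytes, not just 500, and it can be sent over and over.

```c
/* Added example: stand-alone simulation of the Heartbleed over-read.
 * Not OpenSSL's code; the record layout and the missing check are modelled
 * on it, and server_mem / NEIGHBOUR are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* heartbeat messages carry at least 16 padding bytes */
#define MEM_SIZE     1024

/* Constructed stand-in for the server's memory. The incoming heartbeat is
 * parsed in place at the front; an unrelated allocation (a login secret)
 * happens to sit right behind it, as it might on a real heap. */
static unsigned char server_mem[MEM_SIZE];
static const char NEIGHBOUR[] = "Bob logged in with the password 'truffles'.";

/* Stage a heartbeat request in server_mem. The bytes of `payload` are what
 * really arrives; `claimed_len` goes into the length field and may lie.
 * Returns the record length the TLS layer would report for what arrived. */
size_t stage_request(const char *payload, uint16_t claimed_len) {
    size_t real_len = strlen(payload);
    unsigned char *p = server_mem;
    memset(server_mem, 0, MEM_SIZE);
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);      /* big-endian length */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, real_len);
    p += real_len;
    p += HB_PADDING;                               /* zero padding */
    size_t rec_len = (size_t)(p - server_mem);
    memcpy(server_mem + rec_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return rec_len;
}

/* Shared reply path: echo `payload` bytes starting at `src` back to the
 * peer. It copies whatever follows src, trusted or not. */
static int send_response(const unsigned char *src, uint16_t payload,
                         unsigned char *out, size_t out_cap) {
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable handler: believes the length field and never compares it with
 * rec_len, the size of what actually arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return send_response(rec + 3, payload, out, out_cap);
}

/* Fixed handler, modelled on the 1.0.1g patch: silently discard any message
 * whose claimed payload plus header and padding does not fit in the record. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;
    return send_response(rec + 3, payload, out, out_cap);
}

/* True if `needle` appears anywhere in the first `len` bytes of `buf`. */
int response_contains(const unsigned char *buf, int len, const char *needle) {
    size_t n = strlen(needle);
    if (len < 0 || (size_t)len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    /* honest heartbeat: "say this four letter word: cats" */
    size_t rl = stage_request("cats", 4);
    int n = heartbeat_vulnerable(server_mem, rl, out, sizeof out);
    printf("honest request: %d bytes back, secret leaked? %s\n", n,
           response_contains(out, n, "truffles") ? "yes" : "no");
    /* lying heartbeat: "say this 500 letter word: cats" */
    rl = stage_request("cats", 500);
    n = heartbeat_vulnerable(server_mem, rl, out, sizeof out);
    printf("lying request, vulnerable: %d bytes back, secret leaked? %s\n", n,
           response_contains(out, n, "truffles") ? "yes" : "no");
    n = heartbeat_fixed(server_mem, rl, out, sizeof out);
    printf("lying request, fixed: returned %d (message discarded)\n", n);
    return 0;
}
```

With the honest request both handlers return the 23-byte record containing “cats”. With the lying request the vulnerable handler returns 519 bytes, and the copy runs straight through the padding into the neighbouring “secret”; the fixed handler returns -1 and sends nothing, which is exactly what the patch does.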

This is a big problem. Someone having the ability to read the memory of another computer remotely has tremendous security implications for everyone involved. And this isn’t a problem that was introduced by a recent update.

This bug, dubbed Heartbleed, had been sitting in OpenSSL since early 2012, and because exploiting it leaves no trace in a server’s logs, there is no way to know whether it was ever used. Now, before you decry technology and run off to live the Amish life, safe in the knowledge that nothing like this could ever affect you again, there is a measure of good news.

First, due to the importance of OpenSSL, just about every major online service using it has patched its servers to prevent the bug from working in the future. Second, most major financial institutions and online retailers either did not use OpenSSL or were otherwise not vulnerable. And third, for users of services that were found to be vulnerable (but are no longer so), protecting yourself is as easy as logging in and changing your password, once the service has confirmed it is patched; changing it before then just hands the new password to the same bug. This was not the result of a malicious attack, nor of some devious ne’er-do-well slipping a secret backdoor into OpenSSL’s code. It was just a programming error, a missing bounds check: no more malicious than a waiter forgetting your drink, just wider in scope.

But there is a deeper concern at play. Very few people would have cared if it had just leaked the contents of random emails. That information is private, sure, but the effects aren’t long-lasting. It’s no more earth-shattering than someone getting hold of a random page from someone’s diary. But the fact that authentication information may have been part of it is what gives it the skin-crawling factor it has.

Which brings us right back around to passwords. Heartbleed would be far less of an issue if everyone used a different password for every service, but the simple fact is that most of us don’t. It’s hard keeping so many passwords in our heads, and we’ve been told over and over not to write them down. So we use the same password, or the same small batch of passwords, and when one of those is leaked it’s disquieting because it’s a fundamental breach in our sense of security.

What we need, then, is something better than passwords. We could use biometrics, but fingerprint readers are hardly foolproof and, for now, require a separate bit of hardware. Companies like Google have been pouring money into this problem, but it’s understandably difficult to think outside of a paradigm that’s been around for, literally, millennia. There are ways to beef up the power of passwords, like two-factor authentication, but that’s just a stopgap. It’s going to take some truly revolutionary thinking to come up with something to replace passwords, but I hope it comes soon.

I tested a propeller I printed and here is the video of it. Also, news about why I’ve not been doing TotD videos. Long story short, it’s on hiatus until I graduate.

REMINDER: The people from Rooster Teeth are real human beings.

starexorcist:

simplycrazyhunter:

starexorcist:

thelindsaytuggey:

Except for Gavin. We built him from spare parts we found at a junkyard. His brain is actually just a bunch of coffee grounds shoved into an old transistor radio. We kind of fucked up.

I’m actually an Amazonian demigod. AH found me on Themyscira.

LINDSAY PLEASE. I THOUGHT THAT WAS A SECRET.

It’s a well known fact that I’m actually a half-cyborg so…

*WHINES* YOU GUUUUUUUYS. They’re called SECRET identities!!!!

Rooster Teeth is the Justice League? That explains… very little come to think of it.

I made this with an app on my phone while thinking about other videos. The only reason it’s up here is to see how it looks on YouTube.

Q
Hey, dude: What precautions can a musical ensemble take to make the work of engineers easier when performing live? By engineers, I mean the audio professionals in them clubs or bars... Lately I've been adjusting my instruments (synths, guitar effects processors, etc.) to output similar volume levels. Is this helpful? How can I ensure a smooth setup of our gear when I go anywhere for giggin'?
from:Anonymous
A

That’s probably among the best things you can do! The best thing, however, is to have them play through their set and tweak your setup from there. This is as much an art as it is a science, so make sure the levels make the band sound “right”. If the band plays music with a wide dynamic range, you may just need to sit there and ride the faders when necessary. 

If you are recording the session, try to record each instrument on its own track so you can master it in post.

Q
Hi! I'd like to ask you for a favor. I'm looking for a voice actor to read the text that goes into intro of my new indie horror game. I've found your "Untilted poem" recording and I love your voice. Would you be willing to help? Paulina (paulina@pabis pl)
A

I emailed you regarding this many months ago. You have yet to reply.

Q
your URL is amazing! would you sell it?
from:exprxss
A

Give me a million dollars and I’ll happily release this URL. It is, of course, up to you to secure the URL afterwards.

Q
IM GOING TO CRY I REALLY WANT THIS URL
from:pumpcin
A

Give me a million dollars and I’ll happily release this URL. It is, of course, up to you to secure the URL afterwards.

Q
hey man i noticed that you don't really get on a lot would there be anyway you would consider giving me your url to use or trading urls or anything like that?
from:xxxkit
A

Give me a million dollars and I’ll happily release this URL. It is, of course, up to you to secure the URL afterwards.

Q
(please reply privately, if you do) um!! i am sorry for asking since you might (actually probably do) get asked this a lot, but if you ever stop posting here, or decide not to, could i maybe have your username??? eheheh i really really like sonic the hedgehog, it's one of my favourite franchises ;w; i'm sorry for bugging you omg
A

Give me a million dollars and I’ll happily release this URL. It is, of course, up to you to secure the URL afterwards.