This And That
They have picked up more signals off the coast of Perth, Australia consistent with the data recorders on the missing aircraft, but they seem to be fading. The batteries are at the end of their useful life. The new captures are reducing the size of the search area.
——–
‘Heartbleed’ is causing heartburn at a lot of major sites. You have to fix the server software first, and then get a new Certificate. Until that happens having users change their passwords accomplishes nothing effective. This problem has existed since the first release of OpenSSL, so it has been around for a while.
——–
Also Downunder, the northeast coast is about to get smacked by Cyclone Ita, which is at category 4 and expected to be that strong at landfall. It is due to arrive Friday evening with the high tide, which will increase the storm surge. Been there, done that – I wish them well.
4 comments
Yeah, they are all bracing for Ita. thankfully, I am nowhere near it. We have had 3 days of steady non-stop rain which has caused some problems here. On the plus side, all the waterways and dam’s are at capacity, so farmers are somewhat happier, somewhat. 🙂
This is the latest report on Malaysia Airlines flight MH370:
Malaysia Airlines flight MH370: Aircraft detects another possible signal in search for missing plane
As stated in the article I linked to in another thread (More Fun), the OpenSSL flaw has actually existed since March 2012.
In November 2013, Peter Eckersley from EFF, tracked down at least one potentially scary example that could have been someone exploiting Heartbleed.
Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?
Despite the forecast winds, water is always the worst part of a cyclone/hurricane. Northern Queensland is in for a drenching. I wish them well, because it has never been a pleasant experience for me, and I have the advantage of sand that drains away the water quickly.
Using the P-3 and sonobouys is a quick way of locating a transmitter, but you need a much reduced target area than they originally had. They are going to run out of battery power pretty soon, but they are in the range that makes the submersible a rational choice. I think they’ll find it.
We know that NSA has subverted the SSL system, we just don’t know if they bullied CAs or broke in. With Alexander the Geek in charge, it was probably bullying.
Heartbleed actually stems from the UDP heartbeat functionality that was added into OpenSSL in version 1.0.1. See XKCD explanation. The exploit is limited to viewing 64K of stack memory, but since this 64K of stack memory often has local variables for critical routines including the one that holds the private key, it’s rather annoying.
The most interesting thing about Heartbleed is that it can only work as a man-in-the-middle attack to obtain the content of communications with compromised sites. It can also be used to impersonate compromised sites. While it is possible to use DNS poisoning or ISP-level routing table corruption to do a MiM or impersonation, access to physical infrastructure makes it even easier. Which makes one wonder about what did the NSA know, and when, since the NSA has access to most of the physical infrastructure of the Internet backbone. According to Bloomberg, their sources say that the NSA knew about the bug for at least two years and exploited it themselves. I would not be surprised. It’d be in keeping with Alexander the Geek’s mentality that he’d put gathering more data ahead of keeping America’s computing infrastructure secure.
NSA’s actions in this are bad, no matter what they knew. The Agency has a dual mission, and that seems to be forgotten. It was their job to discover things like this and get them fixed. They have been acting more like ‘black hats’ than the crackers and hackers.
They have engineered so many backdoors in the system, that they don’t really need Heartbleed. If they didn’t know about it, I hope that’s included in the stuff that Snowden copied.
Total Information Awareness by any other name is just as big a waste of resources.