Speaker 1: Get in touch with technology with TechStuff from howstuffworks.com. Hey there, and welcome to TechStuff. I'm Jonathan Strickland. And I'm Lauren. And we're going to talk about a really bad day on the internet, the terrible, horrible, no good, very bad day. And actually it's a very bad day that lasted for a couple of years before we knew about it. Oops. Yeah, we're talking about Heartbleed, which, if any of you... I'm assuming a lot of our listeners keep up with tech news in general. And normally on TechStuff we don't cover things that are of the immediate past, because often we record ahead of time and it's over. We often, in fact, kind of almost avoid very breaking news so that we have a chance to discuss more in depth exactly what has happened.
Speaker 1: However, this is such a huge story, and it's one that is a little difficult for someone to understand if they don't really have a working knowledge of what actually is going on behind the scenes, that we thought it was important to address this and actually talk about what you guys can do in order to protect yourselves as best as possible. It's not all gonna be a happy story, folks. This is actually a pretty serious problem. In fact, pretty serious is an incredible understatement. So really, what it gets down to is this is a story all about encryption. So encryption, pretty simple. I mean, you've probably heard the term. It's not too simple. I mean, the concept is simple. Execution is somewhat more complicated. But the concept is that you are changing something so that the content is not easily readable by anyone else unless they have the key to decrypt that information. Right.
Speaker 1: And this is really important for many different web-related purposes because, you know, any time that you don't want everyone on the internet who chooses to to read your emails or get into your bank account, or et cetera, et cetera. Yeah, you want to make sure that stuff is encrypted. So you know, you probably have heard that when you log into sites that are going to have a lot of access to what should be secure information, like things like your bank account or just shopping history or your medical information, that's a great example, then you know that you want to look for that HTTPS, which tells you it's a secure, or it's supposed to be a secure, connection. Right, or that little padlock that will show up in your web browser. Right, exactly. And that tells you, hey, there's a handshake that's going on between your browser and that website that indicates the connection is secure and encrypted, and that anyone looking in from the outside should just see gibberish.
Speaker 1: And furthermore, that the website that you're on is what it says it is, that it's not an imposter for possibly nefarious purposes. Exactly, because there's an attack called the man-in-the-middle attack, which is where you have a hacker insert him or herself in the middle of communication between you and whatever service you actually want to use, and that way they are able to access all the information you're sending. You think you're sending it to the service, but you're really sending it to the hacker. This security is supposed to allow you to be sure that it's going exactly where it needs to go and that no one is snooping on you. So it turns out that the most popular online encryption software used on the web today had a fundamental flaw in its security in several recent builds of that software that have been in use for the past two years or so. Yeah, and that is Heartbleed. So, first of all, the software we're talking about is called OpenSSL. This is an open-source version of SSL. Yeah, it stands for Secure Sockets Layer.
Speaker 1: Now it's a protocol, so it's a set of rules that tell sites how to encrypt information. And there are lots of different ways you can implement this. SSL is just, that's kind of like the specific category, but then you can implement it in different ways. OpenSSL is one of those ways. Yeah, I would say proprietary, but since it's open source, that might be kind of the wrong word. So it's a specific version. Exactly, exactly. So you know, it's all about securing your transmissions across the Internet so that they remain opaque to anyone else. They're not gonna be able to see them. And in general, two communicating parties are given encryption keys which allow each party to encrypt and decrypt messages so that they can send it back and forth, and only, in theory, the other party can see what's going on, and only for the length of this particular communication session. Right, because once that session ends, then the session keys, that's what you're using to encrypt and decrypt, magically dissolve. So there's actually two different types of encryption keys we're talking about here.
Speaker 1: There's one that's called an asymmetrical key, and that's sort of a long-term key that's like the overall rules that guide any individual session. The session key is dependent upon lots of stuff. It's dependent upon the client. That would be you using your computer to access whatever it is you want to access. Let's, for the argument's sake, say it's your email. So your client, your computer, is the client. You send out a request to log into your email. The email exists on a server. That's the server on the client-server side. And so the session keys are going to depend upon that asymmetrical key. They're going to depend upon the fact that you're the client. It's going to depend upon whatever server hosts the email that you access. It's going to depend upon the session time, when you've actually started this.
Speaker 1: There are a lot of different factors that all come into play, and then that is what determines the individual session keys that then allow you to send information that's encrypted and receive information that's encrypted, then decrypted so that you can read it, because if you just received encrypted information, it would not be terribly useful for a human being. Interesting, maybe, but not useful. Yeah, exactly. You'd just be thinking that somebody let their cat walk around on their keyboard for like an hour or something, because there's nothing meaningful here. So this is the basic idea here. The session keys are symmetrical, and they're used in that encryption and decryption, and symmetrical keys in general are not, by themselves, incredibly secure, because you've got one, you know how it all works. But because it's based on the session, and once the session's over it's no longer a factor, it's considered pretty secure, because it's not like it's something that lasts forever. It's not that long-term asymmetrical key that's the really super important one.
Speaker 1: So yeah, this is used for pretty much anything that involves sending information across the Internet, which, I don't know if you know this, that's what the Internet's for. So everything, really, is what it boils down to. We're talking webmail, we're talking instant messages, web browsing, voice over Internet protocol. So if you happen to use a VoIP phone, it involves that as well. Even faxes, for those of us who still have to. Yeah, so, and on and on. Every website, I mean, you know, anything that you have to log into. So Netflix uses... Yeah, oh yeah, exactly. Yeah. So here's the thing, is that OpenSSL is one version of this implementation, like we said. Right, it's not that it's the only one, but it happens to be the most popular. And part of that name is pretty interesting. We've talked about SSL, now it's time to talk about open. Right. Like I said earlier, it's an open-source version of this. Right now, open source, of course, means that the source code is available for people to look at, to modify, to update, to tweak.
Speaker 1: And it's important because there are two very different philosophies when it comes to security, right? You have the one philosophy where the idea is let's lock it all down, let's have a secure room where we've got our own experts developing this stuff. They are the one and only group that can do it. And furthermore, that if, you know, we only have these five people who know how this works, then it's a very secure system because we trust those five people and everything's going to be cool. Assuming that none of those five people ever make a mistake, then we're awesome. The other approach is the open-source approach, where the idea is everyone who has the ability to look at this and to improve it has the chance to do so, and therefore you would, in theory, end up eventually with the strongest kind of security, because it wouldn't be limited to five people that you've identified as being really good at it. It's not limited at all. Anyone can start making tweaks to it. It doesn't mean that the code just runs rampant and gets out of control.
Speaker 1: You do have people in charge of making sure everything is still working, everything is on the up and up. Right. But you also have this entire network of checks and balances of people who are looking for any problems and trying to solve them and advancing them to that higher-up system. Right, exactly. So you know, again, two different approaches to the same goal, and depending upon what you're trying to accomplish, you might say one is better than the other. Now, the web at large has said the OpenSSL model was better. The reason I can say that is because it's so popular. We'll talk more about that a little later in the podcast. Right, but so versions of this are available for, I mean, for everything: for Unix-based systems, Linux-based systems, Mac, and also Windows. Yeah. And so you also have server software using it. Yeah, yeah, some of the major... the two biggest types, or brands, I guess, of server software, Apache and... how do you say that other one? Let's go with that, because here's the thing.
Speaker 1: A lot of these are names that you see written out all the time, but you don't ever have to say them if you are communicating; it's basically by text. Yes. So nginx, let's go with that one. But, right, but it's not totally universal. Like, for example, Microsoft has proprietary server software called Internet Information Services, which does not use OpenSSL. Right. And in fact, if you were to look at lists of sites that have been affected by this Heartbleed bug, you would see that Microsoft's are not involved because they're using a completely different security approach. Completely different in the sense that it's a different implementation of the same sort of security. It's, again, like I said, OpenSSL is a very specific one. So, Heartbleed. The bug was announced on Monday, April 7th, 2014, and the day we're recording this is April 10th. And of course this will be going live the following week, so you guys are hearing...
Speaker 1: Probably, I think this might be the most topical episode I have recorded in recent memory. So it was the OpenSSL team who said, all right, here's the news, guys. It's bad, and prepare yourselves. Right. The bug was actually discovered the previous week independently by a Google security employee named Neel Mehta and researchers from a Finnish security company called Codenomicon, which, best name ever. It's pretty good. As soon as I saw Codenomicon, I was like, I'm gonna have to flip a coin to find out which of us gets to say that first. I got to it... aw, it sucks. Lauren took that one. Well done. Thank you. But so the notifications spread through a few select organizations before the big announcement came out, so that those organizations could begin working on updates and fixes kind of quietly. This was because the disclosure would alert potential attackers to the security flaw as much as it would system administrators, so everyone was trying to be really careful.
Speaker 1: The announcement might have even been delayed further if the OpenSSL team thought that they could have gotten away with it. Basically, they were afraid of leaks, and so they figured that they might as well go forward. Yeah. I mean, if you're going to sit there and have to alert presumably some of the really big names on the Internet to this thing, then eventually you're going to say, well, someone on one of those teams is going to say something, because this is such a huge issue. Right. And you know, this really reminds me a lot about white-hat hackers, the people who make it there, and sometimes you can call them gray hats too, but these are people who will find security vulnerabilities, and generally speaking, their MO tends to be: alert whatever organization is responsible for fixing that vulnerability, give them a little time to do so, and if they haven't done it, say, listen, if you guys don't do it soon, I'm gonna make this public, because then you will have to do it.
Speaker 1: You'll be obligated to, because then everyone's gonna know about it, and if you don't do anything, someone's going to exploit it. And it's kind of this crazy sort of, almost like, I guess blackmail is the wrong word for it, but you're kind of holding a virtual gun to the head of the responsible organization. But you're doing so in order to keep security moving forward. Right, it's in the best interests of everyone involved, and there's a really delicate balance involved there. There is a wee bit of controversy over who was notified when. You know, some of the big companies like Yahoo and Amazon feel a little bit left out in the cold because they were. To be fair, Amazon the store was not affected, but Amazon as in the company that also... yeah, the services, that was affected. So it all depends on how... like, chances are most of our listeners don't have to worry about the Amazon side unless you happen to use the Amazon services to host major apps or other sites or things of that nature, in which case you need to look into it.
Speaker 1: Right. So, at any rate, I think that it's generally agreed upon right now that the involved parties were using responsible disclosure to mitigate damage to the best of their abilities. And the news then hit the public consciousness, I think, on Wednesday, April 9th. That's the first time that I heard stories about it. Of course, I'm not a sysadmin. So yeah, and that's the day before we record this. So that's how fast this stuff has really... this news has broken. Yeah. So the bug is present in only certain versions of OpenSSL. Like all great software, OpenSSL has generations of versions, right? So if you were to run OpenSSL 1.0.2-beta, or any version that involves 1.0.1 up to 1.0.1f, those are all affected. 1.0.1g and later, perfectly fine, because that's when the vulnerability was patched. Or if you're running something that's earlier than that, you're fine, because the bug had not been implemented into the code.
Speaker 1: So really we're looking at 1.0.1 through 1.0.1f and that 1.0.2-beta. Those are the ones that are problematic. So some companies that are using OpenSSL, they might not be affected at all just because they never updated the software, which, you know, a lot of people will say when it comes to security, you want to keep yourself as up to date as possible. This is not one of those times. Yeah, kudos, kudos to those lazy... Yeah, maybe they just felt something bad was coming. But what exactly is going on? So this bug, we've mentioned it a few times, this Heartbleed bug, is a severe memory handling bug in the implementation of the TLS heartbeat extension. That's why it's called Heartbleed, because it's involving this heartbeat. A heartbeat, here we go. A heartbeat. I'm gonna try and avoid making any 1980s power ballad references here, but they're all going through my mind, trust me.
Speaker 1: So a heartbeat in this case, in the technology sense, is a message sent from one machine to another while they are connected in one of these sessions. And the purpose of this message is really just to say, hey, are you still there? Right? Yeah, exactly. It's, you know, saying I'm still here, are you still there? And then the response is, yes, I'm still here, let's keep on trucking. So that's generally what it is. But the way that heartbeats work is a little problematic. So normally what happens is you have machine A send a little message over to machine B, and if they don't hear anything back after a few seconds, machine A says, okay, machine B has ended the session or is otherwise inoperable. We will cancel the session on this side, and everything is over, and then if we want to start up again, we have to initiate a new session. All right, where we're throwing away those session keys. Yeah, yeah. But now we know that we need to, you know, re-up security.
Speaker 1: But these heartbeat bugs are... the heartbeat could reveal up to sixty-four kilobytes of data, and a heartbeat does not need to be sixty-four kilobytes in size. And they found out that if you were to send a heartbeat message, and the actual file size is pretty small, let's say it's just a kilobyte, so you're just sending a one-kilobyte message saying, hey, I'm here, are you still there? Now, technically what's supposed to happen is machine B gets the message and sends an identical message back to machine A: yes, I'm still here. Or technically it's, hey, are you still there, because it's whatever the message was in the first case. But let's say that machine B gets the message and the actual file size is one kilobyte, but for some reason the stated file size is larger. Let's say it's sixty-four K, so it's the maximum that a heartbeat can be. Now, machine B has to reply back to machine A, and it's doing it based on that stated file size, right? So it's going to take that one kilobyte of the correct information and fill the rest of that up with junk. With junk.
Yeah, it's kind of like, 331 00:18:52,400 --> 00:18:54,840 Speaker 1: you know, if you've ever heard people say when you dream, 332 00:18:55,000 --> 00:18:57,159 Speaker 1: it's just your brain making up junk to try and 333 00:18:57,200 --> 00:18:59,160 Speaker 1: get rid of it, kind of the same thing. It's 334 00:18:59,200 --> 00:19:02,880 Speaker 1: really the machine B starts to panic and says, oh, uh, 335 00:19:02,960 --> 00:19:05,080 Speaker 1: this message needs to be way bigger than what I 336 00:19:05,119 --> 00:19:07,280 Speaker 1: thought it needed to be. Uh, let's just ship them 337 00:19:07,320 --> 00:19:09,840 Speaker 1: everything here. Uh. And And the thing is that when 338 00:19:09,840 --> 00:19:11,800 Speaker 1: you when you dream, that junk is made up of 339 00:19:11,880 --> 00:19:15,399 Speaker 1: I don't know, your your worries about passing chemistry in 340 00:19:15,480 --> 00:19:18,119 Speaker 1: high school. In this case, the junk is made up 341 00:19:18,160 --> 00:19:20,879 Speaker 1: of stuff from your computer's random access memory. Now, random 342 00:19:20,880 --> 00:19:23,920 Speaker 1: access memory tends to be pretty awesome stuff because it 343 00:19:23,960 --> 00:19:27,639 Speaker 1: allows you to uh to have quick access to data 344 00:19:27,720 --> 00:19:30,680 Speaker 1: that you use over and over again, and that means 345 00:19:30,680 --> 00:19:33,000 Speaker 1: that you don't have to have your computer access the 346 00:19:33,080 --> 00:19:35,879 Speaker 1: deep memory banks like the hard drive to try and 347 00:19:35,920 --> 00:19:38,560 Speaker 1: find this information. It stays there in the random access 348 00:19:38,560 --> 00:19:42,960 Speaker 1: memory makes things much faster. Without it, everything would slow down. Right, 349 00:19:43,560 --> 00:19:47,080 Speaker 1: So here's the issue. 
Uh, normally random access memory, if 350 00:19:47,080 --> 00:19:49,920 Speaker 1: you turn off a machine, it erases it's it overwrites 351 00:19:49,960 --> 00:19:53,720 Speaker 1: itself all the time, and so nothing that stays in 352 00:19:53,840 --> 00:19:57,919 Speaker 1: random access memory will stay there for very long comparatively speaking. 353 00:19:58,600 --> 00:20:02,480 Speaker 1: So because of that, in general, it's considered to be 354 00:20:02,520 --> 00:20:06,679 Speaker 1: pretty safe to have cryptographic keys stored in random access 355 00:20:06,720 --> 00:20:09,760 Speaker 1: memory because one, you're going to need them all the time, right, 356 00:20:09,760 --> 00:20:12,359 Speaker 1: You're gonna need it in order to make these communications. 357 00:20:12,400 --> 00:20:15,199 Speaker 1: And secondly, because if you turn off the power to 358 00:20:15,240 --> 00:20:17,600 Speaker 1: your computer, it goes away, so you don't have to 359 00:20:17,600 --> 00:20:19,640 Speaker 1: work right, right, and it could be overwritten at any 360 00:20:19,680 --> 00:20:24,200 Speaker 1: given moment exactly. So the issue here is that since 361 00:20:24,240 --> 00:20:27,480 Speaker 1: it can be in random access memory, if you were 362 00:20:27,560 --> 00:20:30,240 Speaker 1: to if you were a hacker and you wanted to 363 00:20:30,280 --> 00:20:33,800 Speaker 1: exploit the system, you can send a heartbeat that is 364 00:20:33,880 --> 00:20:36,240 Speaker 1: the minimum amount of information that you need to send, 365 00:20:36,480 --> 00:20:40,080 Speaker 1: but looks like the maximum amount of information. The server 366 00:20:40,280 --> 00:20:43,080 Speaker 1: that you target is going to send you that maximum 367 00:20:43,080 --> 00:20:46,560 Speaker 1: amount of information back, which may or may not include 368 00:20:46,600 --> 00:20:50,080 Speaker 1: within it one of these cryptographic keys. 
Yeah, yeah, whatever 369 00:20:50,200 --> 00:20:53,879 Speaker 1: junk happens to be in the RAM, including potentially Yeah, 370 00:20:54,040 --> 00:20:56,240 Speaker 1: so it's it's a grab bag. It doesn't mean that 371 00:20:56,280 --> 00:20:58,120 Speaker 1: you're every single time you hit it that you're going 372 00:20:58,160 --> 00:21:00,920 Speaker 1: to end up with the jackpot of Now I can 373 00:21:01,000 --> 00:21:04,640 Speaker 1: decrypt everything that goes across your network, right, but with 374 00:21:04,880 --> 00:21:08,280 Speaker 1: enough of these heartbeat attacks, you can you can absolutely 375 00:21:08,320 --> 00:21:13,280 Speaker 1: put together and piece together, uh a lot of scary information. Yeah. Yeah, 376 00:21:13,320 --> 00:21:16,320 Speaker 1: you can get completely decrypted information. Maybe you didn't get 377 00:21:16,359 --> 00:21:18,760 Speaker 1: the key, but you might get some information that was 378 00:21:18,760 --> 00:21:21,600 Speaker 1: going through the server that's really important. Or maybe you 379 00:21:21,640 --> 00:21:23,640 Speaker 1: get a session key so you can see everything that's 380 00:21:23,680 --> 00:21:26,000 Speaker 1: going on in that session, or maybe you get like 381 00:21:26,040 --> 00:21:28,960 Speaker 1: the private key that the that's the golden goose that 382 00:21:29,000 --> 00:21:32,440 Speaker 1: would allow you to not only be able to snoop 383 00:21:32,560 --> 00:21:35,280 Speaker 1: on everything that's going through that server that normally would 384 00:21:35,280 --> 00:21:38,879 Speaker 1: be encrypted, you could also potentially pose as that server 385 00:21:39,359 --> 00:21:43,000 Speaker 1: and suddenly people think they are having a secure connection 386 00:21:43,040 --> 00:21:47,200 Speaker 1: with the service that they trust because all indications show 387 00:21:47,320 --> 00:21:51,000 Speaker 1: that they are, but in reality, it's going to a hacker. 
Now, 388 00:21:51,040 --> 00:21:55,239 Speaker 1: this is a fundamental flaw in internet security. There is 389 00:21:55,280 --> 00:21:58,880 Speaker 1: no way to overstate how bad this is. Yeah, and 390 00:21:58,880 --> 00:22:03,720 Speaker 1: and it's existed since December one. Um, I mean 391 00:22:03,720 --> 00:22:08,200 Speaker 1: it's technically only been in distribution since March of so 392 00:22:08,200 --> 00:22:10,920 Speaker 1: so so that's much better. So here's here's the thing. 393 00:22:10,960 --> 00:22:13,320 Speaker 1: We know how long it's been since the good guys 394 00:22:13,600 --> 00:22:15,600 Speaker 1: found out about it. The problem is we don't know 395 00:22:16,000 --> 00:22:19,520 Speaker 1: if bad guys knew about it before then, because the 396 00:22:19,600 --> 00:22:23,119 Speaker 1: other issue here is that you can't tell when someone's 397 00:22:23,200 --> 00:22:26,760 Speaker 1: using this. They're completely untraceable. This is not like some 398 00:22:26,840 --> 00:22:30,400 Speaker 1: sort of vulnerability where you have to have someone install 399 00:22:31,160 --> 00:22:34,760 Speaker 1: a trojan backdoor program onto their computer. There's no need 400 00:22:34,840 --> 00:22:37,720 Speaker 1: for that because it's it's a vulnerability, it's a bug 401 00:22:37,760 --> 00:22:44,080 Speaker 1: within the security software itself. So yeah, this is bad, 402 00:22:44,119 --> 00:22:47,960 Speaker 1: bad news. And um we're going to talk about more 403 00:22:48,760 --> 00:22:51,880 Speaker 1: why it's bad bad news. But wait, it gets worse. Yeah, 404 00:22:51,920 --> 00:22:55,400 Speaker 1: So before we really dive into all that, let's take 405 00:22:55,440 --> 00:23:00,199 Speaker 1: a quick break to thank our sponsor. Okay, Lauren, 406 00:23:01,160 --> 00:23:03,760 Speaker 1: We've talked about that this is seriously bad news. 
I 407 00:23:03,760 --> 00:23:08,000 Speaker 1: think we we managed to communicate that the consequences are dire. 408 00:23:08,600 --> 00:23:13,840 Speaker 1: But do we have a rough percentage of how many 409 00:23:14,320 --> 00:23:17,680 Speaker 1: machines and services out there on the web actually use 410 00:23:17,800 --> 00:23:24,920 Speaker 1: OpenSSL? H Yeah about six? Okay, so you're telling 411 00:23:24,960 --> 00:23:31,160 Speaker 1: me that two out of every three sites, services, apps, etcetera. 412 00:23:31,320 --> 00:23:35,800 Speaker 1: Are working on a compromised security system. That that is 413 00:23:35,840 --> 00:23:38,679 Speaker 1: exactly what I'm saying. Wow, that I mean, you know 414 00:23:38,720 --> 00:23:40,600 Speaker 1: that's that's the estimate. That is that is what 415 00:23:40,720 --> 00:23:44,800 Speaker 1: OpenSSL themselves have have have guessed. Yeah, yeah, that is 416 00:23:47,560 --> 00:23:50,080 Speaker 1: m M. There are no words at this point. So 417 00:23:50,480 --> 00:23:53,879 Speaker 1: I ended up creating an analogy. And this is a 418 00:23:54,000 --> 00:23:59,080 Speaker 1: drastic oversimplification, as all my analogies are, but I was 419 00:23:59,119 --> 00:24:02,440 Speaker 1: an English lit major and I like them. So here 420 00:24:02,440 --> 00:24:05,720 Speaker 1: we go. All right, Now, imagine that you have just 421 00:24:05,800 --> 00:24:09,080 Speaker 1: purchased an old house. It's a gorgeous old house that 422 00:24:09,200 --> 00:24:12,240 Speaker 1: you you have managed to buy, but you have no 423 00:24:12,400 --> 00:24:15,760 Speaker 1: knowledge whatsoever of what the previous owners were like, or 424 00:24:15,960 --> 00:24:18,040 Speaker 1: the kind of people that they hung out with, who 425 00:24:18,080 --> 00:24:20,639 Speaker 1: they might have given keys to. 
So so you do 426 00:24:20,680 --> 00:24:23,080 Speaker 1: the logical thing when you move in and you you 427 00:24:23,119 --> 00:24:26,040 Speaker 1: have a locksmith come out and put new locks in 428 00:24:26,080 --> 00:24:28,560 Speaker 1: the house. Yeah, so you have the keys to the 429 00:24:28,560 --> 00:24:31,480 Speaker 1: new locks. You're feeling pretty confident. What you don't know 430 00:24:32,200 --> 00:24:35,760 Speaker 1: is that that locksmith, uh not necessarily through any kind 431 00:24:35,800 --> 00:24:40,080 Speaker 1: of malicious behavior, is just not the not the sharpest 432 00:24:40,160 --> 00:24:43,560 Speaker 1: knife in the drawer. And so the locksmith keeps copies 433 00:24:43,960 --> 00:24:47,240 Speaker 1: of all the keys that he or she makes in 434 00:24:47,680 --> 00:24:51,959 Speaker 1: uh in in like a box that's easily found by 435 00:24:52,000 --> 00:24:54,959 Speaker 1: anyone who happens to know where to look, completely accessible 436 00:24:55,040 --> 00:24:58,160 Speaker 1: to the to the public. Yeah, And so that means 437 00:24:58,200 --> 00:25:01,199 Speaker 1: that while you feel that your locks are completely secure 438 00:25:01,200 --> 00:25:04,840 Speaker 1: because you have changed them all, in reality people can 439 00:25:04,880 --> 00:25:07,879 Speaker 1: get access to copies of the same keys that you 440 00:25:08,040 --> 00:25:10,760 Speaker 1: use and just walk right on into your house. 441 00:25:11,680 --> 00:25:15,760 Speaker 1: That's not good. So now I think that two thirds 442 00:25:15,760 --> 00:25:21,359 Speaker 1: of the internet has that same problem. That's not great either. 
443 00:25:21,720 --> 00:25:25,960 Speaker 1: So including I'm talking like your email, your instant messaging, banking, 444 00:25:26,520 --> 00:25:29,360 Speaker 1: all your user names and passwords, which are kind 445 00:25:29,359 --> 00:25:32,800 Speaker 1: of the client side of this handshake we keep talking about, 446 00:25:33,520 --> 00:25:35,560 Speaker 1: all of this can be read in plain text by 447 00:25:35,600 --> 00:25:38,359 Speaker 1: someone who can exploit this bug. So and and it 448 00:25:38,440 --> 00:25:42,440 Speaker 1: really only takes like like basic programming skills and a 449 00:25:42,520 --> 00:25:45,199 Speaker 1: desire to do mischief or harm or to you know, 450 00:25:45,240 --> 00:25:49,159 Speaker 1: impress your bosses at the NSA. But Lauren, 451 00:25:49,520 --> 00:25:52,119 Speaker 1: come on, let's let's get some bright bright spots and 452 00:25:52,320 --> 00:25:56,560 Speaker 1: bright sunshine shining through the dark clouds. What can the 453 00:25:56,680 --> 00:25:59,840 Speaker 1: average person do to protect him or herself? More bad. 454 00:26:00,119 --> 00:26:04,480 Speaker 1: It's not much. Oh those dark clouds. Yeah. Basically, the 455 00:26:04,560 --> 00:26:10,000 Speaker 1: responsibility here lies not on you probably, but on the web. Yeah. 456 00:26:10,080 --> 00:26:15,080 Speaker 1: So the administrators of the various sites, services, apps, people 457 00:26:15,080 --> 00:26:19,280 Speaker 1: who develop operating systems, you know, everything that you encounter 458 00:26:19,320 --> 00:26:21,919 Speaker 1: on the web that requires this kind of security. That 459 00:26:22,000 --> 00:26:24,600 Speaker 1: stuff has to be rolled out in the background on 460 00:26:24,720 --> 00:26:27,359 Speaker 1: that back end, the stuff behind the scenes of the 461 00:26:27,359 --> 00:26:30,359 Speaker 1: websites and apps that you use. That's where this needs 462 00:26:30,400 --> 00:26:34,479 Speaker 1: to happen. 
So it's the The nice news is that 463 00:26:34,520 --> 00:26:39,080 Speaker 1: this vulnerability has been patched. There is a solution out there, right, 464 00:26:39,200 --> 00:26:41,280 Speaker 1: and it's right. It's it's just up to those system 465 00:26:41,320 --> 00:26:44,200 Speaker 1: admins to take that patch and implement it on their systems, right. 466 00:26:44,320 --> 00:26:46,360 Speaker 1: They have to be the ones to distribute it. And 467 00:26:46,840 --> 00:26:48,879 Speaker 1: as of the recording of this podcast, some of them 468 00:26:48,920 --> 00:26:51,320 Speaker 1: have done it. Some of them, of course, knew ahead 469 00:26:51,359 --> 00:26:54,800 Speaker 1: of time by however many days, and they implemented the change. 470 00:26:54,840 --> 00:26:59,480 Speaker 1: Then others are implementing it now. Others we hope will 471 00:26:59,520 --> 00:27:03,119 Speaker 1: implement it soon. Right. So, so the responsibility of the 472 00:27:03,240 --> 00:27:06,520 Speaker 1: of the user of you guys here is really to. Um. 473 00:27:07,240 --> 00:27:10,160 Speaker 1: Just just watch out for getting messages from any kind 474 00:27:10,200 --> 00:27:12,880 Speaker 1: of services that you use online about when to change 475 00:27:12,880 --> 00:27:15,200 Speaker 1: your password, right, because it doesn't do you any good 476 00:27:15,200 --> 00:27:17,919 Speaker 1: to change your password right now. Yes, don't just go 477 00:27:18,200 --> 00:27:20,359 Speaker 1: run out and change all of your passwords. Really niling 478 00:27:20,520 --> 00:27:23,280 Speaker 1: right if you know for a fact that one of 479 00:27:23,320 --> 00:27:26,160 Speaker 1: the services like Gmail, for example, Google is a great example. 480 00:27:26,240 --> 00:27:29,320 Speaker 1: Google has addressed this now. They've said that you don't 481 00:27:29,359 --> 00:27:31,600 Speaker 1: necessarily have to change your password. 
I'm telling you change 482 00:27:31,600 --> 00:27:35,320 Speaker 1: your password. This is coming from me, guys, change your password. Uh, 483 00:27:35,400 --> 00:27:37,399 Speaker 1: it's better to be safe than sorry. And Google has 484 00:27:37,440 --> 00:27:41,000 Speaker 1: already addressed the vulnerability so that it's safe for you 485 00:27:41,040 --> 00:27:43,080 Speaker 1: to change your password there, but in other places it 486 00:27:43,119 --> 00:27:45,960 Speaker 1: may not be. And to go back to my locksmith analogy, 487 00:27:46,440 --> 00:27:49,159 Speaker 1: Let's say that you have figured out that people have 488 00:27:49,280 --> 00:27:51,000 Speaker 1: copies of your keys, so you go back to that 489 00:27:51,080 --> 00:27:53,760 Speaker 1: same locksmith and have brand new locks put in and 490 00:27:53,800 --> 00:27:56,760 Speaker 1: the old ones, the ones you had, the replacement ones 491 00:27:56,800 --> 00:27:59,520 Speaker 1: you have thrown away new new locks are put in, 492 00:27:59,800 --> 00:28:02,680 Speaker 1: the locksmith is still following that same protocol of keeping 493 00:28:02,720 --> 00:28:05,600 Speaker 1: everything out in plain sight. Then you haven't really solved 494 00:28:05,600 --> 00:28:07,680 Speaker 1: the problem. All you've done is just changed your locks 495 00:28:07,720 --> 00:28:10,080 Speaker 1: one more time. So that's the same sort of thing. 496 00:28:10,080 --> 00:28:12,480 Speaker 1: If you were to change your password before one of 497 00:28:12,520 --> 00:28:16,920 Speaker 1: those sites, services, apps, etcetera. Was to implement this this 498 00:28:16,960 --> 00:28:20,439 Speaker 1: this patch, you're still vulnerable. So it doesn't matter how 499 00:28:20,520 --> 00:28:23,200 Speaker 1: many times you change your password, that password is still 500 00:28:23,280 --> 00:28:25,359 Speaker 1: vulnerable to one of these attacks. 
Yeah, and and it 501 00:28:25,400 --> 00:28:28,040 Speaker 1: could be it could be days or potentially even longer 502 00:28:28,160 --> 00:28:30,720 Speaker 1: for some sites that you use to to get with 503 00:28:30,720 --> 00:28:33,239 Speaker 1: the program. Yeah, So the best thing to do is 504 00:28:33,320 --> 00:28:37,040 Speaker 1: to use there are lots of different utilities online to 505 00:28:37,320 --> 00:28:42,200 Speaker 1: check and see what which sites have addressed this already. 506 00:28:42,480 --> 00:28:44,800 Speaker 1: In fact, I think the heartbleed dot org has 507 00:28:44,840 --> 00:28:47,480 Speaker 1: a link to a tool where all you do is 508 00:28:47,480 --> 00:28:49,760 Speaker 1: you put in the URL for the website 509 00:28:49,760 --> 00:28:52,720 Speaker 1: that you're concerned about, and it'll do a little ping 510 00:28:52,920 --> 00:28:56,280 Speaker 1: of that website and determine which version of OpenSSL, 511 00:28:56,400 --> 00:28:59,560 Speaker 1: if any, is running on that site, and then it 512 00:28:59,600 --> 00:29:01,880 Speaker 1: will give you a message saying whether or not it's 513 00:29:01,880 --> 00:29:03,560 Speaker 1: okay for you to change your password, or if you 514 00:29:03,600 --> 00:29:07,800 Speaker 1: need to or if you can't, then it may tell you, hey, 515 00:29:07,880 --> 00:29:10,600 Speaker 1: you might need to send an email and say hey, 516 00:29:10,600 --> 00:29:13,080 Speaker 1: could you could you guys get on this because it's 517 00:29:13,080 --> 00:29:17,520 Speaker 1: really important. So you can be a little proactive in 518 00:29:17,560 --> 00:29:21,760 Speaker 1: that sense, but honestly you are dependent upon those those 519 00:29:21,800 --> 00:29:25,360 Speaker 1: administrators doing their job to make sure that they're running 520 00:29:25,400 --> 00:29:30,240 Speaker 1: the latest of the OpenSSL protocols right there. 
There 521 00:29:30,280 --> 00:29:33,240 Speaker 1: are some sites that have said that they were never vulnerable, 522 00:29:33,240 --> 00:29:36,600 Speaker 1: and those include uh, Microsoft sites, as we stated earlier, 523 00:29:36,800 --> 00:29:40,360 Speaker 1: AOL and LinkedIn, So they're safe unless, of course, 524 00:29:40,480 --> 00:29:43,720 Speaker 1: you use the same password across multiple sites, which you 525 00:29:43,760 --> 00:29:46,720 Speaker 1: should not be doing. No, don't do that. Um really, 526 00:29:47,480 --> 00:29:52,719 Speaker 1: and I've recommended these before. Get yourself a password vault program, 527 00:29:52,880 --> 00:29:55,960 Speaker 1: something like LastPass or Dashlane is what I use. 528 00:29:56,640 --> 00:30:00,200 Speaker 1: UM Dashlane, uh does use OpenSSL, 529 00:30:00,280 --> 00:30:03,520 Speaker 1: but it doesn't at all involve the passwords in your 530 00:30:03,600 --> 00:30:07,400 Speaker 1: vault or your even your master passwords. So according to 531 00:30:07,480 --> 00:30:10,120 Speaker 1: Dashlane, it's still safe, which was a big relief 532 00:30:10,160 --> 00:30:12,560 Speaker 1: to me. Yeah. Yeah, LastPass has come out and 533 00:30:12,560 --> 00:30:15,320 Speaker 1: said the same thing. And LastPass also has the 534 00:30:15,320 --> 00:30:19,200 Speaker 1: benefit of it's telling users when to go in and 535 00:30:19,280 --> 00:30:23,720 Speaker 1: change passwords. As we get updates about this security implementation 536 00:30:24,080 --> 00:30:26,520 Speaker 1: right as as of the recording of this podcast, which 537 00:30:26,600 --> 00:30:30,120 Speaker 1: which again is Thursday, April tenth. 
Sites that were vulnerable 538 00:30:30,200 --> 00:30:32,680 Speaker 1: at some point but are currently safe to change your 539 00:30:32,680 --> 00:30:37,480 Speaker 1: passwords for now include Google, Facebook, Tumblr, Dropbox, and Yahoo, 540 00:30:37,600 --> 00:30:40,080 Speaker 1: among the really big ones that are probably going to 541 00:30:40,080 --> 00:30:43,000 Speaker 1: affect lots of people um and and Again as of 542 00:30:43,120 --> 00:30:46,000 Speaker 1: right now, other sites are still working on fixes. Um 543 00:30:46,160 --> 00:30:48,880 Speaker 1: and And probably will send you a message when it's 544 00:30:48,880 --> 00:30:51,800 Speaker 1: safe to get back in the digital water. But um, 545 00:30:51,840 --> 00:30:53,600 Speaker 1: you know, yeah, if you if you want to check 546 00:30:53,600 --> 00:30:56,320 Speaker 1: the status Jonathan talked about that, yeah, using LastPass 547 00:30:56,440 --> 00:30:58,400 Speaker 1: or using They're also blog posts out there that are 548 00:30:58,480 --> 00:31:01,920 Speaker 1: kind of keeping a running tally of which sites have 549 00:31:02,400 --> 00:31:05,480 Speaker 1: addressed it, because in some cases, you know, I would 550 00:31:05,480 --> 00:31:08,040 Speaker 1: hope that any service that at least at least has your 551 00:31:08,080 --> 00:31:10,360 Speaker 1: email address is going to send you a message saying, hey, 552 00:31:10,560 --> 00:31:14,120 Speaker 1: change your password. But in in other cases you may 553 00:31:14,200 --> 00:31:17,480 Speaker 1: have companies that do this through a blog post, which 554 00:31:17,920 --> 00:31:20,200 Speaker 1: you know, maybe you see it, maybe you don't. I 555 00:31:20,280 --> 00:31:23,720 Speaker 1: don't visit the blogs of most of the services I use. 556 00:31:24,040 --> 00:31:25,920 Speaker 1: I know that a lot of them have blogs, but 557 00:31:26,000 --> 00:31:28,120 Speaker 1: you know, I've only got so many hours in a day. 
558 00:31:28,200 --> 00:31:31,240 Speaker 1: So there are blog posts run by other people who 559 00:31:31,280 --> 00:31:34,160 Speaker 1: are just kind of keeping a list as these different 560 00:31:34,240 --> 00:31:37,560 Speaker 1: companies are upgrading and announcing it, so that you can 561 00:31:37,640 --> 00:31:39,720 Speaker 1: just go to a master list and take a look 562 00:31:39,720 --> 00:31:42,080 Speaker 1: at all of them. Uh, it is important for you 563 00:31:42,080 --> 00:31:44,200 Speaker 1: to actually change your passwords at that point when it 564 00:31:44,200 --> 00:31:47,280 Speaker 1: tells you it's time to do so. Other bad news. 565 00:31:48,320 --> 00:31:52,320 Speaker 1: I hate to do this, but anything that was done 566 00:31:52,440 --> 00:31:56,120 Speaker 1: on those old open SSL channels that still out there 567 00:31:56,160 --> 00:32:00,000 Speaker 1: is still going to be vulnerable. So for two years 568 00:32:00,200 --> 00:32:03,320 Speaker 1: this was going on, so anyone who can access any 569 00:32:03,360 --> 00:32:07,160 Speaker 1: of that older information will be able to do so. 570 00:32:08,400 --> 00:32:12,960 Speaker 1: From this point forward, things will be fine. But yeah, 571 00:32:13,120 --> 00:32:16,400 Speaker 1: I mean, this is this is why when when security 572 00:32:16,400 --> 00:32:22,640 Speaker 1: experts who were not prone to being um, hyperbolic, say 573 00:32:22,680 --> 00:32:24,479 Speaker 1: to go to the hyper Bowl every year like we 574 00:32:24,560 --> 00:32:29,080 Speaker 1: like to, they said, when you make this, uh you know, 575 00:32:29,120 --> 00:32:30,680 Speaker 1: if you were to say, is this on the scale 576 00:32:30,720 --> 00:32:34,000 Speaker 1: one of ten, how bad is secure? Yeah, this was 577 00:32:34,120 --> 00:32:37,760 Speaker 1: all spinal tap on our butts here people. This was 578 00:32:37,880 --> 00:32:41,800 Speaker 1: not a good thing. 
So one other thing I recommend 579 00:32:41,840 --> 00:32:48,000 Speaker 1: doing is if the service you use offers two-factor authentication, 580 00:32:49,280 --> 00:32:52,720 Speaker 1: do it. You know, usually it's a an option you 581 00:32:52,760 --> 00:32:55,880 Speaker 1: don't have to use two-factor authentication, and a lot 582 00:32:55,920 --> 00:32:57,719 Speaker 1: of these services, some of them require it, but not 583 00:32:57,760 --> 00:33:02,560 Speaker 1: all of them. Google has this, Facebook has it as well. Uh. 584 00:33:02,600 --> 00:33:05,320 Speaker 1: And by the way, both Google and Facebook have addressed 585 00:33:05,320 --> 00:33:07,480 Speaker 1: this issue. And you could go in and change your passwords, 586 00:33:07,480 --> 00:33:10,680 Speaker 1: which I did just before I came in here. Um, 587 00:33:10,720 --> 00:33:13,840 Speaker 1: but yeah, you can. You can activate two-factor authentication, 588 00:33:13,840 --> 00:33:19,800 Speaker 1: which requires a secondary uh piece of log in information 589 00:33:19,840 --> 00:33:23,000 Speaker 1: beyond just your user name and password that's generated specifically 590 00:33:23,040 --> 00:33:25,480 Speaker 1: when you try to log in. So usually you get 591 00:33:25,480 --> 00:33:27,560 Speaker 1: like a text message or an email that has a 592 00:33:27,680 --> 00:33:30,120 Speaker 1: numeric code that you have to also enter in order 593 00:33:30,200 --> 00:33:33,280 Speaker 1: to log in. Once you've cleared a machine, usually it 594 00:33:33,520 --> 00:33:38,000 Speaker 1: stays clear. Sometimes it will expire, which means that eventually 595 00:33:38,000 --> 00:33:40,800 Speaker 1: you'll have to do it again. But as irritating as 596 00:33:40,840 --> 00:33:43,520 Speaker 1: you may find that, it's so much better than knowing 597 00:33:43,560 --> 00:33:46,000 Speaker 1: that your stuff could be open for anyone to see 598 00:33:46,000 --> 00:33:50,160 Speaker 1: at any time. 
So yeah, this, UM, this was definitely 599 00:33:50,200 --> 00:33:53,760 Speaker 1: a topic that we felt we had to address um 600 00:33:53,880 --> 00:33:58,040 Speaker 1: right away, because it's it's such a fundamental part of 601 00:33:58,080 --> 00:34:00,400 Speaker 1: how the Internet works. I mean, really, the only thing 602 00:34:00,440 --> 00:34:03,080 Speaker 1: that I can think of that would be more monumental 603 00:34:03,280 --> 00:34:06,160 Speaker 1: is if, for some reason uh the TCP/IP 604 00:34:06,240 --> 00:34:09,040 Speaker 1: protocol stopped working, in which case we wouldn't have 605 00:34:09,040 --> 00:34:11,080 Speaker 1: a job. I just I just had like a like 606 00:34:11,120 --> 00:34:16,600 Speaker 1: a shiver. Um. Yeah, and I mean it's affecting everyone. Yeah, 607 00:34:16,680 --> 00:34:20,880 Speaker 1: I mean everyone. This is across the globe. Um and 608 00:34:20,880 --> 00:34:23,279 Speaker 1: and and it's complicated enough that yeah, yeah, we you know, 609 00:34:23,320 --> 00:34:26,359 Speaker 1: we we really wanted to talk about what SSL does 610 00:34:26,360 --> 00:34:30,440 Speaker 1: and what OpenSSL particularly does and yeah, so so 611 00:34:30,520 --> 00:34:33,200 Speaker 1: we we We hope that you are at least um 612 00:34:33,640 --> 00:34:37,160 Speaker 1: more comfortable in your knowledge of the doom. It's definitely 613 00:34:37,200 --> 00:34:39,400 Speaker 1: better to know than not know. I mean, it is 614 00:34:39,960 --> 00:34:42,680 Speaker 1: not a happy story by any means. We have top 615 00:34:42,719 --> 00:34:45,200 Speaker 1: men working on it, and women as well, of course, 616 00:34:46,040 --> 00:34:48,920 Speaker 1: But you know, in Indiana Jones's day, they only they 617 00:34:48,920 --> 00:34:52,799 Speaker 1: only acknowledged the men. Well that's yep. Hey, at least 618 00:34:52,840 --> 00:34:55,640 Speaker 1: we don't live in Indiana Jones's time. That's that's true. 
619 00:34:55,920 --> 00:34:58,680 Speaker 1: I have not had to outrun any boulders in days, 620 00:34:59,360 --> 00:35:01,960 Speaker 1: so that's good. But yeah, this is a This was 621 00:35:02,000 --> 00:35:05,440 Speaker 1: a topic. We thought it was interesting enough and important 622 00:35:05,520 --> 00:35:07,080 Speaker 1: enough that we had to cover it right away. But 623 00:35:07,160 --> 00:35:09,640 Speaker 1: if you guys have suggestions for topics that we should 624 00:35:09,640 --> 00:35:12,720 Speaker 1: cover next, whether it's something that's happened in the news recently, 625 00:35:12,800 --> 00:35:15,680 Speaker 1: or maybe there's that one piece of technology dating back 626 00:35:15,719 --> 00:35:18,640 Speaker 1: to twelve fifty AD that you've always wanted to 627 00:35:18,680 --> 00:35:21,799 Speaker 1: know more about and were afraid to ask. I'd say 628 00:35:21,800 --> 00:35:25,240 Speaker 1: to you, do not be afraid, ask us your silly question, 629 00:35:25,480 --> 00:35:28,120 Speaker 1: because we will give you a silly answer, probably in 630 00:35:28,200 --> 00:35:30,800 Speaker 1: podcast form. But in order to ask that question, you 631 00:35:30,840 --> 00:35:33,960 Speaker 1: need to send us email. The address is tech stuff 632 00:35:34,239 --> 00:35:37,719 Speaker 1: at Discovery dot com. You can also get in touch 633 00:35:37,719 --> 00:35:41,840 Speaker 1: with us via various social media networks. Those are Twitter, Tumblr, 634 00:35:41,920 --> 00:35:45,120 Speaker 1: and Facebook. In all three places, our handle is tech 635 00:35:45,160 --> 00:35:49,160 Speaker 1: Stuff HSW and we will talk to you again. True 636 00:35:49,280 --> 00:35:55,719 Speaker 1: encryption really soon. For more on this and thousands of 637 00:35:55,760 --> 00:36:00,919 Speaker 1: other topics, visit how stuff works dot com.