WEBVTT - Our Heart Breaks From Heartbleed 0:00:04.240 --> 0:00:07.240 Get in touch with technology with tech Stuff from how 0:00:07.280 --> 0:00:14.640 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:14.680 --> 0:00:17.680 I'm Jonathan Strickland and I'm Lauren and we're going to 0:00:17.800 --> 0:00:23.160 talk about a really bad day on the internet and 0:00:23.480 --> 0:00:28.840 the terrible, horrible, no good, very bad day and actually 0:00:28.840 --> 0:00:30.480 it's a it's a very bad day that lasted for 0:00:30.520 --> 0:00:33.160 a couple of years before we knew about it. Oops. Yeah, 0:00:33.200 --> 0:00:36.240 we're talking about heart bleed, which if any of you, 0:00:36.400 --> 0:00:39.040 I'm assuming a lot of our listeners keep up with 0:00:39.120 --> 0:00:41.720 tech news in general, and normally on tech stuff, we 0:00:41.760 --> 0:00:47.200 don't cover things that are of the immediate uh past, 0:00:47.400 --> 0:00:51.720 because often we record ahead of time and it's over. 0:00:51.920 --> 0:00:54.120 We we often, in fact kind of kind of almost 0:00:54.120 --> 0:00:56.600 avoid very breaking news so that we have a chance 0:00:56.680 --> 0:00:59.840 to discuss more in depth exactly what has happened. However, 0:01:00.120 --> 0:01:03.720 this is such a huge story and it's one that 0:01:03.920 --> 0:01:06.840 is a little difficult for someone to to understand if 0:01:06.880 --> 0:01:09.200 they don't really have a working knowledge of of what 0:01:09.319 --> 0:01:11.559 actually is going on behind the scenes, that we thought 0:01:11.560 --> 0:01:14.640 it was important to address this and actually talk about 0:01:14.680 --> 0:01:18.039 what you guys can do in order to protect yourselves 0:01:18.040 --> 0:01:21.160 as best as possible. It's not all gonna be a 0:01:21.200 --> 0:01:24.640 happy story, folks. This is actually a pretty serious problem. 0:01:24.800 --> 0:01:29.800 In fact, pretty serious is an incredible understatement. Um So, really, 0:01:29.880 --> 0:01:31.479 what it gets down to is this is a story 0:01:31.640 --> 0:01:36.600 all about encryption. So encryption pretty simple. I mean you've 0:01:36.600 --> 0:01:39.880 probably heard the term. It's not not too simple. I mean, 0:01:40.120 --> 0:01:44.560 the concept is simple. Execution is somewhat more complicated. But 0:01:44.720 --> 0:01:49.240 the concept is that you are you are changing something 0:01:49.440 --> 0:01:54.400 so that the content is not easily readable from anyone 0:01:54.440 --> 0:01:58.920 else unless they have the key to decrypt that information. Right. 0:01:58.960 --> 0:02:02.320 And this is really important for many different web related 0:02:02.360 --> 0:02:05.400 purposes because you know, any any time that you don't 0:02:05.440 --> 0:02:08.520 want everyone on the internet who chooses to to read 0:02:08.520 --> 0:02:11.919 your emails or get your get into your bank account 0:02:12.200 --> 0:02:14.880 or etcetera, etcetera. Yeah, you want to you want to 0:02:14.880 --> 0:02:16.720 make sure that stuff is encrypted. So you know, you 0:02:16.800 --> 0:02:20.280 probably have heard that when you log into sites that 0:02:20.320 --> 0:02:23.400 are going to have a lot of access to to 0:02:23.639 --> 0:02:26.640 secure what should be secure information like things like your 0:02:26.639 --> 0:02:30.760 bank account or just shopping history or your medical information 0:02:30.880 --> 0:02:33.359 that's a great example. Then you know that you want 0:02:33.400 --> 0:02:36.720 to look for that HTTPS which tells you it's a 0:02:36.760 --> 0:02:41.000 secure or it's supposed to be a secure connection right, 0:02:41.080 --> 0:02:43.320 or that little padlock that will show up in your 0:02:43.320 --> 0:02:46.959 in your web browser right exactly, and that tells you, hey, uh, 0:02:47.000 --> 0:02:50.480 there's a there's a handshake that's going on between your 0:02:50.560 --> 0:02:55.080 browser and that website that indicates the connection is secure 0:02:55.200 --> 0:02:58.280 and encrypted, and that anyone looking in from the outside 0:02:58.360 --> 0:03:02.120 should just see gibberish. And furthermore that the website that 0:03:02.200 --> 0:03:04.160 you're that you're on is what it says it is, 0:03:04.520 --> 0:03:08.040 that it's not an imposter for possibly nefarious purposes exactly 0:03:08.040 --> 0:03:11.520 because there's an attack called the man in the middle attack, 0:03:11.600 --> 0:03:14.880 which is where you have a hacker insert him or 0:03:14.919 --> 0:03:19.680 herself in the middle of communication between you and whatever 0:03:20.080 --> 0:03:23.160 service you actually want to use, and that way they 0:03:23.200 --> 0:03:26.000 are able to access all the information you're sending and 0:03:26.040 --> 0:03:27.680 you think you're sending it to the service, but you're 0:03:27.720 --> 0:03:30.800 really sending it to the hacker. This security is supposed 0:03:30.840 --> 0:03:33.240 to allow you to make you know, to be sure 0:03:33.720 --> 0:03:35.720 that it's going exactly where it needs to go and 0:03:35.720 --> 0:03:39.760 that no one is snooping on you. So it turns 0:03:39.800 --> 0:03:44.920 out that the most popular online encryption software used on 0:03:44.960 --> 0:03:49.600 the web today had a fundamental flaw and its security 0:03:49.760 --> 0:03:54.240 in several recent builds of that software that have been 0:03:54.320 --> 0:03:57.040 in use for the past two years or so. Yeah, 0:03:57.120 --> 0:04:01.080 and that is heart bleed. So, first of all, the 0:04:01.120 --> 0:04:04.680 software we're talking about is called open s s L. 0:04:05.120 --> 0:04:08.400 This is an open source version of SSL. Yeah, it 0:04:08.480 --> 0:04:12.240 stands for Secure Sockets Layer. Now it's it's a protocol, 0:04:12.320 --> 0:04:16.040 so it's a set of rules that tell UH sites 0:04:16.080 --> 0:04:19.159 how to encrypt information. And there are lots of different 0:04:19.160 --> 0:04:22.280 ways you can implement this. SSL is just that's kind 0:04:22.279 --> 0:04:27.120 of like the the the the specific category, but then 0:04:27.240 --> 0:04:30.640 you can implement it in different ways. Open SSL is 0:04:30.680 --> 0:04:33.120 one of those ways. Yeah, I would say proprietary, but 0:04:33.200 --> 0:04:34.960 since it's open source, that might be kind of the 0:04:34.960 --> 0:04:38.560 wrong word. So it's a specific version exactly exactly. So 0:04:39.279 --> 0:04:43.440 you know, it's all about securing your transmissions across the 0:04:43.440 --> 0:04:46.719 Internet so that they remain opaque to anyone else. They're 0:04:46.720 --> 0:04:49.640 not gonna be able to see them, and UH in general, 0:04:50.000 --> 0:04:54.080 to communicating parties are given encryption keys which allow each 0:04:54.160 --> 0:04:57.320 party to encrypt and decrypt messages so that they can 0:04:57.360 --> 0:05:00.039 send it back and forth and only in theory the 0:05:00.080 --> 0:05:03.039 other party can see what's going on, and only for 0:05:03.080 --> 0:05:06.240 the length of this particular communication session, right, because once 0:05:06.240 --> 0:05:09.400 that session ends, then the session keys that's what you're 0:05:09.440 --> 0:05:13.880 using to encrypt and decrypt are magically dissolve. So there's 0:05:13.880 --> 0:05:16.839 actually two different types of encryption keys we're talking about here. 0:05:16.839 --> 0:05:20.200 There's one that's called an asymmetrical key, and that's sort 0:05:20.240 --> 0:05:23.360 of a long term key that's like the the overall 0:05:23.480 --> 0:05:28.480 rules that guide the any individual session. The session key 0:05:28.640 --> 0:05:31.680 is dependent upon lots of stuff. It's dependent upon the client. 0:05:32.279 --> 0:05:34.720 That's the that would be you using your computer to 0:05:34.800 --> 0:05:37.000 access whatever it is you want to access. Let's, for 0:05:37.080 --> 0:05:40.440 the argument's sake, say it's your email. So your client, 0:05:40.839 --> 0:05:43.400 your your computer is the client. You send out a 0:05:43.440 --> 0:05:47.640 request to log into your email. The email exists on 0:05:47.720 --> 0:05:50.719 a server. That's that's the server on the client server side, 0:05:51.279 --> 0:05:54.559 and so the the session keys are going to depend 0:05:54.680 --> 0:05:57.240 upon that asymmetrical key. They're going to depend upon the 0:05:57.279 --> 0:05:59.560 fact that you're the client. It's going to depend upon 0:05:59.640 --> 0:06:03.440 whatever server hosts the email that you access. It's going 0:06:03.480 --> 0:06:06.520 to depend upon the session time when you've actually started this. 0:06:06.720 --> 0:06:09.839 There are a lot of different factors that all uh 0:06:10.080 --> 0:06:13.560 come into play, and then that is what determines the 0:06:13.600 --> 0:06:18.400 individual session keys that then allow you to send information 0:06:18.400 --> 0:06:22.039 that's encrypted and receive information that's encrypted then decrypted so 0:06:22.080 --> 0:06:24.200 that you can read it, because if you just received 0:06:24.320 --> 0:06:27.120 encrypted information, it would not be terribly useful for a 0:06:27.200 --> 0:06:30.520 human being. Interesting maybe, but not useful. Yeah, exactly, you 0:06:30.640 --> 0:06:34.800 just be thinking that while somebody let their cat walk 0:06:34.839 --> 0:06:37.239 around on their keyboard for like an hour or something, 0:06:37.279 --> 0:06:41.479 because it's just it's there's nothing meaningful here. So this 0:06:41.560 --> 0:06:44.080 is the basic idea here. Those the session keys are 0:06:44.120 --> 0:06:47.880 symmetrical and they're used in that encryption and decryption and 0:06:48.080 --> 0:06:52.800 symmetrical keys in general are not uh, by themselves incredibly 0:06:52.839 --> 0:06:56.080 secure because you've got one, you know how it all works. 0:06:56.080 --> 0:06:59.039 But because it's based on the session and once the 0:06:59.040 --> 0:07:02.560 sessions over it's no longer a factor, it's considered pretty 0:07:02.560 --> 0:07:05.040 secure because it's not like it's something that lasts forever. 0:07:05.400 --> 0:07:08.919 It's not that long term asymmetrical key that's the really 0:07:08.960 --> 0:07:13.400 super important one. So yeah, this is used for um, 0:07:13.400 --> 0:07:16.800 pretty much anything that involves sending information across the Internet, 0:07:16.840 --> 0:07:18.920 which I don't know if you know this, that's what 0:07:19.000 --> 0:07:22.680 the Internet's for. So everything really is what it boils 0:07:22.680 --> 0:07:26.440 down to. We're talking web mail, we're talking we're talking 0:07:26.600 --> 0:07:31.280 instant messages, web browsing voice over Internet protocol. So if 0:07:31.280 --> 0:07:34.160 you happen to use a void phone, it involves that 0:07:34.240 --> 0:07:37.400 as well. Uh. Even facts is for those of us 0:07:37.440 --> 0:07:41.960 who still have to um, yeah, so and and on 0:07:42.000 --> 0:07:43.920 and on every website, I mean, you know, and any 0:07:43.920 --> 0:07:46.960 anything that you have to log into. So Netflix uses yeah, 0:07:47.000 --> 0:07:50.040 oh yeah, exactly. Yeah. So here's the thing is that 0:07:50.200 --> 0:07:53.840 open SSL is is one version of this implementation. Like 0:07:53.880 --> 0:07:57.080 we said, right, it's not that uh it's the only one, 0:07:57.360 --> 0:08:01.240 but it happens to be the most popular. And there's 0:08:01.720 --> 0:08:04.040 part of that name is pretty interesting. Or we we've 0:08:04.040 --> 0:08:08.360 talked about SSL, now it's time to talk about open right. 0:08:08.440 --> 0:08:10.920 Like I said earlier, it's an open source version of 0:08:10.960 --> 0:08:14.320 this right now. Open source, of course means that the 0:08:14.320 --> 0:08:17.600 the source code is available for people to look at, 0:08:17.680 --> 0:08:22.280 to modify, to update, to tweak. And it's important because 0:08:23.160 --> 0:08:26.320 if there are two very different philosophies when it comes 0:08:26.320 --> 0:08:29.480 to security, right, you have the one philosophy where the 0:08:29.560 --> 0:08:31.960 idea is let's lock it all down, let's have a 0:08:32.080 --> 0:08:34.480 let's have a secure room where we've got our own 0:08:34.520 --> 0:08:38.520 experts developing this stuff. They are the one and only 0:08:38.880 --> 0:08:41.880 group that can do it. And furthermore that if you know, 0:08:41.920 --> 0:08:44.600 we only have these five people who know how this works, 0:08:44.640 --> 0:08:47.200 then it's a very secure system because we trust those 0:08:47.240 --> 0:08:49.679 five people and everything's going to be cool. Assuming that 0:08:49.760 --> 0:08:52.280 none of those five people ever make a mistake, uh, 0:08:52.480 --> 0:08:56.520 then we're awesome. The other approach is the open source approach, 0:08:56.600 --> 0:08:59.480 where the idea is everyone who has the ability to 0:08:59.600 --> 0:09:02.080 look at this and to improve it has the chance 0:09:02.120 --> 0:09:05.880 to do so, and therefore you would in theory, end 0:09:06.040 --> 0:09:10.800 up eventually with the strongest kind of security because you 0:09:10.840 --> 0:09:13.800 would have some It wouldn't be limited to five people 0:09:13.840 --> 0:09:16.640 that you've identified as being really good at it. It's 0:09:16.640 --> 0:09:19.640 it's not limited at all. Anyone can start making tweaks 0:09:19.640 --> 0:09:22.440 to it. It doesn't mean that the uh CO just 0:09:22.559 --> 0:09:24.560 runs rampant and gets out of control. You do have 0:09:24.640 --> 0:09:27.640 people in charge of making sure everything is still working, 0:09:27.720 --> 0:09:30.120 everything is on the up and up right, But you 0:09:30.200 --> 0:09:33.440 also have this entire network of checks and balances of 0:09:33.440 --> 0:09:36.160 people who are who are looking for any problems and 0:09:36.200 --> 0:09:39.680 trying to solve them and advancing them to that that 0:09:40.000 --> 0:09:43.120 higher up system right exactly. So you know, again, two 0:09:43.160 --> 0:09:46.680 different approaches to the same goal, and depending upon what 0:09:46.760 --> 0:09:49.080 you're trying to accomplish. You might say one is better 0:09:49.120 --> 0:09:52.560 than the other. Now, the web at large has said 0:09:52.559 --> 0:09:55.320 the open SSL model was better. The reason I can 0:09:55.360 --> 0:09:57.400 say that is because it's so popular. We'll talk more 0:09:57.480 --> 0:10:00.360 about that a little later in the podcast. Right, but 0:10:00.400 --> 0:10:03.079 so so versions of this are available for I mean 0:10:03.160 --> 0:10:06.760 for for everything, for Unix Space systems, Linux Space Systems, uh, 0:10:07.120 --> 0:10:10.959 Mac and also Windows. Yeah. And so you also have 0:10:11.160 --> 0:10:14.720 server software using it. Yeah, yeah, some of the major 0:10:15.520 --> 0:10:18.280 the two biggest types of our brands, I guess of 0:10:18.320 --> 0:10:23.560 server software Apache and how do you say that other one? 0:10:23.800 --> 0:10:26.079 Let's go with that, because here's the thing. A lot 0:10:26.080 --> 0:10:27.800 of these are names that you see written out all 0:10:27.840 --> 0:10:30.000 the time, but you don't ever have to say them 0:10:30.920 --> 0:10:35.520 if you if you are communicating, it's basically by text. Yes, 0:10:36.000 --> 0:10:38.800 uh so injinks, let's go with that one. Um uh 0:10:39.400 --> 0:10:41.880 but but but right, But it's not totally universal, like, 0:10:42.120 --> 0:10:47.160 for example, Microsoft has proprietary server software called Internet Information Services, 0:10:47.200 --> 0:10:49.839 which does not use open SSL. Right. And in fact, 0:10:49.920 --> 0:10:52.360 if you were to look at lists of sites that 0:10:52.400 --> 0:10:55.400 have been affected by this heart bleed bug, you would 0:10:55.400 --> 0:10:58.960 see that Microsoft Microsoft are not in Microsoft's are not 0:10:59.040 --> 0:11:03.880 involved because are using a completely different security approach completely 0:11:03.880 --> 0:11:06.400 different in the sense that it's it's a different implementation 0:11:06.640 --> 0:11:09.760 of the same sort of uh security. It's again, like 0:11:09.800 --> 0:11:12.280 I said, open SSL is a very specific one, so 0:11:12.800 --> 0:11:16.880 heart bleed. The bug was announced on Monday, April seventh, 0:11:17.000 --> 0:11:20.640 two thousand fourteen, and the day we're recording this is 0:11:20.679 --> 0:11:24.079 April tenth, And of course this will be going live 0:11:24.200 --> 0:11:27.480 the following week, so you guys are are hearing. Probably 0:11:27.559 --> 0:11:31.480 I think this might be the most uh topical episode 0:11:31.600 --> 0:11:35.600 I have recorded in recent memory. So is the open 0:11:35.760 --> 0:11:38.640 SSL team, who said, all right, here's the news. Guys, 0:11:38.800 --> 0:11:42.400 Uh it's bad, and prepare yourselves right. The bug was 0:11:42.440 --> 0:11:45.880 actually discovered the previous week independently by UM by a 0:11:45.920 --> 0:11:49.760 Google security employee named Neil Meta and researchers from a 0:11:50.080 --> 0:11:54.559 finished security company called Kotonomicon, which best name. Ever, it's 0:11:54.559 --> 0:11:57.079 pretty good. As soon as I saw Cotonomicon, I was like, 0:11:57.120 --> 0:11:59.240 I'm gonna have to flip a coin to find out 0:11:59.280 --> 0:12:01.520 which of us gets to say that first. I got 0:12:01.559 --> 0:12:04.880 to it suck Lauren. Lauren took that one. Well done, 0:12:05.400 --> 0:12:08.319 thank you. But so the notifications spread through a few 0:12:08.360 --> 0:12:11.880 select organizations before the big announcement came out, so that 0:12:11.880 --> 0:12:15.360 those organizations could begin working on updates and fixes kind 0:12:15.400 --> 0:12:19.200 of quietly. This was because the disclosure would alert potential 0:12:19.240 --> 0:12:22.160 attackers to the security flaw as much as it would 0:12:22.480 --> 0:12:26.160 system administrators, so everyone was trying to be really careful. 0:12:26.480 --> 0:12:30.160 The announcement might have even been delayed further if the 0:12:30.200 --> 0:12:32.960 open SSL team thought that they could have gotten away 0:12:33.000 --> 0:12:34.840 with it. Basically, they were afraid of leaks and so 0:12:34.880 --> 0:12:36.640 they figured that they might as well go forward. Yeah. 0:12:36.679 --> 0:12:38.719 I mean, if you're going to sit there and have 0:12:38.800 --> 0:12:42.680 to alert presumably some of the really big names on 0:12:42.720 --> 0:12:46.160 the Internet to this thing, then eventually you're going to say, well, 0:12:46.240 --> 0:12:48.560 someone on one of those teams is going to say 0:12:48.559 --> 0:12:51.760 something because this is such a huge issue, right Uh. 0:12:51.760 --> 0:12:54.000 And you know this is this really reminds me a 0:12:54.000 --> 0:12:57.720 lot about white hat hackers, the people who make it 0:12:57.800 --> 0:12:59.960 there and sometimes you can call them gray hats too, 0:13:00.120 --> 0:13:03.720 but these are people who will find security vulnerabilities, and 0:13:03.760 --> 0:13:08.280 generally speaking there there m O tends to be alert. 0:13:08.400 --> 0:13:13.880 Whatever organization is responsible for fixing that vulnerability, give them 0:13:13.880 --> 0:13:16.520 a little time to do so, and if they haven't 0:13:16.520 --> 0:13:18.800 done it, say listen. If you guys don't do it soon, 0:13:18.920 --> 0:13:21.720 I'm gonna make this public because then you will have 0:13:21.840 --> 0:13:25.240 to do it. You'll be obligated to because then everyone's 0:13:25.240 --> 0:13:27.320 gonna know about and if you don't do anything, someone's 0:13:27.320 --> 0:13:29.720 going to exploit it. And it's it's kind of this 0:13:29.920 --> 0:13:34.280 crazy sort of almost like I guess blackmail is the 0:13:34.320 --> 0:13:36.400 wrong word for it, but you're kind of holding a 0:13:36.840 --> 0:13:40.160 virtual gun to the head of the responsible organization. But 0:13:40.200 --> 0:13:44.160 you're doing so in order to keep security right forward, 0:13:44.320 --> 0:13:46.599 right it's in the best interests of everyone involved, and 0:13:46.800 --> 0:13:49.439 there's a really delicate balance involved there. There there is 0:13:49.440 --> 0:13:52.360 a wee bit of controversy over who was notified when 0:13:52.720 --> 0:13:54.599 you know, some of the big companies like Yahoo and 0:13:54.640 --> 0:13:58.320 Amazon feel a little bit left out in the cold 0:13:58.400 --> 0:14:03.120 because they were. To be fair, Amazon the store was 0:14:03.160 --> 0:14:07.640 not affected, but Amazon as in the company that also, yeah, 0:14:07.679 --> 0:14:11.600 the services that was affected. So it's it all depends 0:14:11.640 --> 0:14:14.440 on how like chances are most of our listeners don't 0:14:14.440 --> 0:14:16.920 have to worry about the Amazon side unless you happen 0:14:17.240 --> 0:14:20.600 to use the Amazon services to host major apps or 0:14:20.760 --> 0:14:22.840 or other sites or things of that nature, in which 0:14:22.840 --> 0:14:25.400 case you need to look into it. Right So, so, 0:14:25.480 --> 0:14:28.120 at any rate, I think that it's generally agreed upon 0:14:28.280 --> 0:14:31.560 right now that the involved parties we're using responsible disclosure 0:14:31.600 --> 0:14:35.400 to to mitigate damage as to the best of their abilities. 0:14:35.880 --> 0:14:39.040 And the news then hit the public consciousness. I think 0:14:39.160 --> 0:14:41.960 on Wednesday, April nine, that's the first time that I 0:14:42.080 --> 0:14:44.440 heard stories about it. Of course I'm not assistant men, 0:14:44.600 --> 0:14:47.160 so yeah, and that's the day before we record this. 0:14:47.240 --> 0:14:50.600 So that's how how fast this stuff has really held Healy, 0:14:50.680 --> 0:14:53.960 This news is broken. Yeah, So the bug is present 0:14:54.240 --> 0:14:58.880 in only certain versions of open SSL. Like all great software, 0:14:59.640 --> 0:15:05.000 open SSL has generations of versions, right, So if you 0:15:05.040 --> 0:15:09.720 were to run open ss L one point zero point 0:15:09.840 --> 0:15:15.280 to dash beta or any version that is uh involves 0:15:15.360 --> 0:15:19.200 one point zero point one up to one point zero 0:15:19.280 --> 0:15:22.600 point one F, those are all affected. One point zero 0:15:22.640 --> 0:15:26.720 point one G and later perfectly fine because that's when 0:15:26.760 --> 0:15:29.960 the vulnerability was patched. Or if you're running something that's 0:15:30.040 --> 0:15:33.360 earlier than that, you're fine because the bug had not 0:15:33.440 --> 0:15:37.000 been implemented into the code. So really we're looking at 0:15:37.040 --> 0:15:39.680 one point zero point one through one point zero point 0:15:39.680 --> 0:15:43.360 one F and that one point zero point to DASH beta. 0:15:43.600 --> 0:15:47.520 Those are the ones that are um problematic. So some 0:15:48.280 --> 0:15:51.520 companies that are using open SSL, they might not be 0:15:51.560 --> 0:15:55.920 affected at all just because they never up updated the software, 0:15:56.360 --> 0:15:58.520 which you know, a lot of people will say when 0:15:58.520 --> 0:16:00.120 it comes to security, you want to keep yoursel up 0:16:00.120 --> 0:16:02.040 whereas up to date as possible. This is not one 0:16:02.080 --> 0:16:04.680 of those times. Yeah, could as could as to those 0:16:04.760 --> 0:16:09.040 lazy ye maybe maybe they just felt something bad was coming. 0:16:09.600 --> 0:16:12.800 But what exactly is going on? So this bug, we've 0:16:12.840 --> 0:16:15.720 we've mentioned it a few times. This, this heart bleed bug, 0:16:16.240 --> 0:16:19.680 is a severe memory handling bug in the implementation of 0:16:19.720 --> 0:16:23.640 the tl S heartbeat extension. That's why it's called heartbleed 0:16:23.720 --> 0:16:29.160 because it's involving this heartbeat. A heartbeat here we go, Um, 0:16:29.200 --> 0:16:33.080 a heartbeat. I'm gonna try and avoid making any nineteen 0:16:33.120 --> 0:16:36.720 eighties power ballad references here, but they're all going through 0:16:36.720 --> 0:16:39.400 my mind, trust me. So a heartbeat in this case, 0:16:39.400 --> 0:16:45.000 and the technology sense is a message sent from one 0:16:45.040 --> 0:16:47.760 machine to another while they are connected in one of 0:16:47.800 --> 0:16:50.440 these sessions. And the purpose of this message is really 0:16:50.480 --> 0:16:53.960 just to say, hey, are you still there? Right? Yeah, exactly, 0:16:54.000 --> 0:16:57.320 It's it's it's you know, saying I'm still here, are 0:16:57.320 --> 0:16:59.560 you still there? And then the responses you still here, 0:16:59.600 --> 0:17:03.640 let's keep fund trucking? So um, that's generally what it is. 0:17:03.680 --> 0:17:09.040 But the way that heartbeats work is a little problematic. 0:17:09.280 --> 0:17:13.760 So normally what happens is you have machine A send 0:17:13.800 --> 0:17:16.080 a little message over to machine B, and if they 0:17:16.119 --> 0:17:19.080 don't hear anything back after a few seconds, machine A says, okay, 0:17:19.200 --> 0:17:23.160 Machine B has ended the session or as otherwise inoperable. 0:17:23.520 --> 0:17:27.120 We will cancel the session on this side, and everything 0:17:27.200 --> 0:17:29.040 is over, and then if we want to start up again, 0:17:29.080 --> 0:17:31.600 we have to initiate a new session, all right, where 0:17:31.640 --> 0:17:34.680 we're throwing away those session keys. Yeah, yeah, but now 0:17:34.840 --> 0:17:37.280 now we know that we need to you know, re 0:17:37.480 --> 0:17:42.120 up security. But these heartbeat bugs are the heartbeat could 0:17:42.200 --> 0:17:47.280 reveal up to sixty bytes of data, and a heartbeat 0:17:47.320 --> 0:17:50.560 does not need to be sixty four kilobytes in size. 0:17:51.080 --> 0:17:53.480 And they found out that if you were to send 0:17:53.520 --> 0:17:58.000 a heartbeat message, uh, and the actual file size is 0:17:58.080 --> 0:18:00.639 pretty small. Let's say it's just to kill bite. So 0:18:00.680 --> 0:18:04.400 you're just sending a one kilobyte message saying, hey, I'm here. 0:18:04.400 --> 0:18:07.960 Are you still there? Now? Technically what's supposed to happen 0:18:08.440 --> 0:18:11.760 is machine BE gets the message and sends an identical 0:18:11.840 --> 0:18:14.880 message back to machine A, Yes I'm still here, or 0:18:14.960 --> 0:18:17.320 technically it's hey, are you still there? Because it's whatever 0:18:17.320 --> 0:18:20.960 the message was in the first case. But let's say 0:18:21.000 --> 0:18:24.640 that machine BE gets the message and the actual file 0:18:24.680 --> 0:18:28.720 size is one kilobyte, but for some reason, the stated 0:18:28.960 --> 0:18:32.359 file size is larger. Let's say it's sixty k by, 0:18:32.480 --> 0:18:35.760 so it's the maximum that a heartbeat can be. Now, 0:18:35.880 --> 0:18:39.639 Machine B has to reply back to Machine A, and 0:18:39.680 --> 0:18:43.120 it's doing it based on that stated file size, right, 0:18:43.200 --> 0:18:46.800 So it's going to take that that one kilobyte of 0:18:46.840 --> 0:18:49.800 the correct information and fill the rest of that up 0:18:49.840 --> 0:18:52.359 with junk. With a junk. Yeah, it's kind of like, 0:18:52.400 --> 0:18:54.840 you know, if you've ever heard people say when you dream, 0:18:55.000 --> 0:18:57.159 it's just your brain making up junk to try and 0:18:57.200 --> 0:18:59.160 get rid of it, kind of the same thing. It's 0:18:59.200 --> 0:19:02.880 really the machine be starts to panic and says, oh, uh, 0:19:02.960 --> 0:19:05.080 this message needs to be way bigger than what I 0:19:05.119 --> 0:19:07.280 thought it need to be. Uh, let's just ship them 0:19:07.320 --> 0:19:09.840 everything here. Uh. And And the thing is that when 0:19:09.840 --> 0:19:11.800 you when you dream, that junk is made up of 0:19:11.880 --> 0:19:15.399 I don't know, your your worries about passing chemistry in 0:19:15.480 --> 0:19:18.119 high school. In this case, the junk is made up 0:19:18.160 --> 0:19:20.879 of stuff from your computer's random access memory. Now, random 0:19:20.880 --> 0:19:23.920 access memory tends to be pretty awesome stuff because it 0:19:23.960 --> 0:19:27.639 allows you to uh to have quick access to data 0:19:27.720 --> 0:19:30.680 that you use over and over again, and that means 0:19:30.680 --> 0:19:33.000 that you don't have to have your computer access the 0:19:33.080 --> 0:19:35.879 deep memory banks like the hard drive to try and 0:19:35.920 --> 0:19:38.560 find this information. It stays there in the random access 0:19:38.560 --> 0:19:42.960 memory makes things much faster Without it, everything which slow down. Right, 0:19:43.560 --> 0:19:47.080 So here's the issue. Uh, normally random access memory, if 0:19:47.080 --> 0:19:49.920 you turn off a machine, it erases it's it overwrites 0:19:49.960 --> 0:19:53.720 itself all the time, and so nothing that stays in 0:19:53.840 --> 0:19:57.919 random access memory will stay there for very long comparatively speaking. 0:19:58.600 --> 0:20:02.480 So because of that, in general, it's considered to be 0:20:02.520 --> 0:20:06.679 pretty safe to have cryptograph keys stored in random access 0:20:06.720 --> 0:20:09.760 memory because one, you're going to need them all the time, right, 0:20:09.760 --> 0:20:12.359 You're gonna need it in order to make these communications. 0:20:12.400 --> 0:20:15.199 And secondly, because if you turn off the power to 0:20:15.240 --> 0:20:17.600 your computer, it goes away, so you don't have to 0:20:17.600 --> 0:20:19.640 work right, right, and it could be overwritten at any 0:20:19.680 --> 0:20:24.200 given moment exactly. So the issue here is that since 0:20:24.240 --> 0:20:27.480 it can be in random access memory, if you were 0:20:27.560 --> 0:20:30.240 to if you were a hacker and you wanted to 0:20:30.280 --> 0:20:33.800 exploit the system, you can send a heartbeat that is 0:20:33.880 --> 0:20:36.240 the mimimum amount of information that you need to send, 0:20:36.480 --> 0:20:40.080 but looks like the maximum amount of information. The server 0:20:40.280 --> 0:20:43.080 that you target is going to send you that maximum 0:20:43.080 --> 0:20:46.560 amount of information back, which may or may not include 0:20:46.600 --> 0:20:50.080 within it one of these cryptograph keys. Yeah, yeah, whatever 0:20:50.200 --> 0:20:53.879 John happens to be in the RAM, including potentially Yeah, 0:20:54.040 --> 0:20:56.240 so it's it's a grab bag. It doesn't mean that 0:20:56.280 --> 0:20:58.120 you're every single time you hit it that you're going 0:20:58.160 --> 0:21:00.920 to end up with the jackpot of Now I can 0:21:01.000 --> 0:21:04.640 decrypt everything that goes across your network, right, but with 0:21:04.880 --> 0:21:08.280 enough of these heartbeat attacks, you can you can absolutely 0:21:08.320 --> 0:21:13.280 put together in piece together, uh a lot of scary information. Yeah. Yeah, 0:21:13.320 --> 0:21:16.320 you can get completely decrypted information. Maybe you didn't get 0:21:16.359 --> 0:21:18.760 the key, but you might get some information that was 0:21:18.760 --> 0:21:21.600 going through the server that's really important. Or maybe you 0:21:21.640 --> 0:21:23.640 get a session key so you can see everything that's 0:21:23.680 --> 0:21:26.000 going on in that session, or maybe you get like 0:21:26.040 --> 0:21:28.960 the private key that the that's the golden goose that 0:21:29.000 --> 0:21:32.440 would allow you to not only be able to snoop 0:21:32.560 --> 0:21:35.280 on everything that's going through that server that normally would 0:21:35.280 --> 0:21:38.879 be encrypted, you could also potentially pose as that server 0:21:39.359 --> 0:21:43.000 and suddenly people think they are having a secure connection 0:21:43.040 --> 0:21:47.200 with the service that they trust because all indications show 0:21:47.320 --> 0:21:51.000 that they are, but in reality, it's going to a hacker. Now, 0:21:51.040 --> 0:21:55.239 this is a fundamental flaw in internet security. There is 0:21:55.280 --> 0:21:58.880 no way to overstate how bad this is. Yeah, and 0:21:58.880 --> 0:22:03.720 and it's exists and since December one. Um, I mean 0:22:03.720 --> 0:22:08.200 it's technically only been in distribution since March of so 0:22:08.200 --> 0:22:10.920 so so that's much better. So here's here's the thing. 0:22:10.960 --> 0:22:13.320 We know how long it's been since the good guys 0:22:13.600 --> 0:22:15.600 found out about it. The problem is we don't know 0:22:16.000 --> 0:22:19.520 if bad guys knew about it before then, because the 0:22:19.600 --> 0:22:23.119 other issue here is that you can't tell when someone's 0:22:23.200 --> 0:22:26.760 using this. They're completely untraceable. This is not like some 0:22:26.840 --> 0:22:30.400 sort of vulnerability where you have to have someone install 0:22:31.160 --> 0:22:34.760 a trojan backdoor program onto their computer. There's no need 0:22:34.840 --> 0:22:37.720 for that because it's it's a vulnerability, it's a bug 0:22:37.760 --> 0:22:44.080