Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely-used OpenSSL encryption library added a “heartbeat” function that made it easier for sites to keep an encrypted session going. But it also harbored a disastrous vulnerability to buffer-overflow attacks that would cause a site to return 64 kilobytes of whatever happened to be adjacent in the server’s memory to an attacker: usernames, passwords, e-mail content, financial transactions, even the private key the site uses to encrypt the session. And the attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite buffer overflows being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon to find the bug separately and report it to the OpenSSL team.
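The missing check behind the bug, as an added illustration that is not OpenSSL’s code: a toy heartbeat responder written in the vulnerable shape next to the hardened one. A heartbeat record carries a 16-bit length field (which is why up to 64 kilobytes could come back per request); the flawed responder trusts that field, the fixed one compares it with how many bytes actually arrived and drops the record if they disagree. The record layout is simplified, and the memory arena, the secret string and all function names are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record layout: 1-byte type, 2-byte big-endian
 * payload length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define ARENA_SIZE  64

/* Constructed demo memory (not real OpenSSL state): the incoming record is
 * written at the start of this arena and a made-up secret is placed right
 * after it, standing in for whatever happened to sit next to the record in
 * the server's heap. Keeping the over-read inside the arena lets the demo
 * show the leak without undefined behaviour. */
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "DEMO-PRIVATE-KEY";

/* Write a request whose real payload is the 4 bytes "ping" but whose length
 * field claims `claimed` bytes. Returns how many bytes actually "arrived". */
static size_t build_record(uint16_t claimed) {
    const char payload[] = "ping";
    size_t actual = sizeof(payload) - 1;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t rec_len = 1 + 2 + actual + HB_PADDING;   /* padding left as zeros */
    memcpy(arena + rec_len, secret, sizeof secret);  /* the "adjacent memory" */
    return rec_len;
}

/* Plain byte-string search (memmem is not standard C). */
static int contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable pattern: echo back as many bytes as the record *claims*, never
 * comparing that claim with the number of bytes actually received. */
static size_t reply_unchecked(const uint8_t *rec, uint8_t *out) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);   /* runs past the real payload */
    return 3 + claimed;
}

/* Hardened pattern, the shape of the OpenSSL fix: header + claimed payload +
 * padding must fit inside the bytes received, otherwise the record is
 * dropped silently. Returns 0 on success, -1 when dropped. */
static int reply_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    *out_len = 3 + claimed;
    return 0;
}

/* 1 if the unchecked responder's reply carries the constructed secret. */
int unchecked_leaks_secret(void) {
    uint8_t out[ARENA_SIZE + 3];
    build_record(40);                 /* claims 40 bytes, sends 4 */
    size_t n = reply_unchecked(arena, out);
    return contains(out, n, secret);
}

/* 1 if the checked responder drops the same over-long claim. */
int checked_rejects_oversized(void) {
    uint8_t out[ARENA_SIZE + 3];
    size_t n = 0;
    size_t rec_len = build_record(40);
    return reply_checked(arena, rec_len, out, &n) == -1;
}

/* 1 if a well-formed request still gets its 4-byte payload echoed back. */
int checked_accepts_wellformed(void) {
    uint8_t out[ARENA_SIZE + 3];
    size_t n = 0;
    size_t rec_len = build_record(4);
    if (reply_checked(arena, rec_len, out, &n) != 0) return 0;
    return n == 7 && memcmp(out + 3, "ping", 4) == 0 && !contains(out, n, secret);
}

int main(void) {
    printf("unchecked leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked rejects oversized: %d\n", checked_rejects_oversized());
    printf("checked accepts well-formed: %d\n", checked_accepts_wellformed());
    return 0;
}
```

The single comparison in `reply_checked` is the whole fix: the record's own length field is attacker-controlled input, and the number of bytes actually read from the socket is the only trustworthy bound. The hardened version also drops bad records without replying, which is why a server patched this way gives a probe nothing to learn from.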

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly, that same enormous deployment of OpenSSL encouraged people to assume that they themselves didn’t need to inspect the code that carefully, and OpenSSL developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.


I don’t like sketchy ads either

Almost two years ago, I got invited to join WordPress.com’s WordAds program, and for the most part it’s worked well–aside from these advertisements failing to earn me truckloads of money, as opposed to enough for a nice dinner every now and then.

But a week or so ago, a few of the ads sent here by this program started looking distinctly sketchier. One made diet claims unlikely to survive scrutiny by the Food and Drug Administration, while another made the economically implausible offer of a free $1,000 Walmart voucher. And sometimes the appearance of these ads was followed by one of those spammy pop-up ads for the MacKeeper app–also served by the same Tribal Fusion ad network.

That’s not the “high quality” content WordPress promised when it launched this partnership with Federated Media. So I posted a cranky tweet about it and then followed up with a complaint sent through the appropriate form, saying that “If you don’t kick these garbage advertisers out of WordAds, I’ll drop out of the program.” (That was an easy threat to make, since I don’t have that much money at stake.)

I got a quick acknowledgment saying that my gripe was legitimate, followed the next day by a report that the advertiser had removed the offending items and pledged to clean up its act.

I haven’t seen any objectionable ads since; it appears the system worked. But if you see ads making a pitch that looks dodgy, let me know about it. Bad ads are a Web-wide problem, and the least I can do is not have my little corner of the Web contribute to it.

Potential exposure is not forced exposure

One of the foremost foes of intellectual-property extortion is shutting down. Groklaw founder and editor Pamela Jones announced this morning in a post, titled “Forced Exposure,” that the possibility of NSA surveillance of her e-mail means she can’t trust e-mail as a means of collaborative input, and therefore the blog must end.

They tell us that if you send or receive an email from outside the US, it will be read. If it’s encrypted, they keep it for five years, presumably in the hopes of tech advancing to be able to decrypt it against your will and without your knowledge. Groklaw has readers all over the world.

This news bothers me deeply–because Groklaw has provided an immense public service in collecting and presenting evidence of grotesque IP abuse such as the SCO Group’s prolonged and mendacious attempt to claim copyright over code in the Linux operating system, and because I don’t like finding fault with somebody whose work I and so many other people admire.

But look: Potential exposure is not forced exposure. Or if it is, it’s always been there. Yes, the NSA might be reading my e-mail and PJ’s. But keyloggers planted by the Russian mob might be reading it too. The NSA might have the ability to crack PGP encryption in five years–or they could have had it all along and haven’t told us, or they could decide to ignore that five-year timeline. Your own computer might be airtight, but what about the machines of all your correspondents? For that matter, how can you be sure you’ve maintained your privacy offline without going into Kaczynski-esque seclusion?

If your reaction to those possibilities is to declare that all is lost and that you should “get off the Internet to the degree that it’s possible,” as PJ wrote in this morning’s post, then how are you not tumbling into the same existential fear that the defenders of the surveillance state sometimes seem to think is the right and proper state of a compliant citizenry?

I don’t know PJ (friends whose judgment I trust do and profess a deep respect for her) and only have a vague notion of what her life has been like running Groklaw (it’s entailed being the target of an unhealthy dose of character assassination). But with my limited knowledge I can’t endorse her stance. I wish she’d at least found somebody else to run the site: While we’re having this hypothetical discussion, very real copyright and patent extortion is going on, and Groklaw was doing a damn good job of exposing it.

How a hidden OS X process made my old employer think my Mac had been hacked

A slow Monday that I’d hoped would ease my way back into a semi-normal workweek was interrupted by a note from an old Post colleague–specifically, somebody in the IT department–with the never-good subject line of “virus?”

The security guys are reporting that someone is attempting to logon to VPN with your old credentials.

I replied saying that it was probably something spurious unless it was coming from the IP address my home currently had assigned from Verizon. He wrote back to say “turns out that IP is what is pinging the VPN server.”

Well, crap.

I updated my Mac’s ClamXav malware-scanner for the first time in months and got it started on a tedious inspection of my Mac, then downloaded the trial version of a network monitor called Little Snitch.

The virus scan found nothing, and Little Snitch didn’t report any oddball apps trying to send out data either. I also checked the settings of apps that I’d once configured to log into the newsroom remotely, but found nothing there.

Then I thought to try searching for the Post VPN address in Little Snitch’s network monitor. That revealed that Safari–to be exact, its WebProcess component–had pinged it only a few hours ago. A search for that address in Safari’s bookmarks and history located an old bookmark for the site that I’d misplaced in an unrelated, rarely-opened folder. Since deleting that, Little Snitch hasn’t recorded any more access attempts, and I haven’t gotten any other reports of those from the Post’s IT people.

WebProcess itself seems remarkably undocumented on Apple’s customer and developer sites, aside from references to it by users in the company’s tech-support forums. A further inquiry confirmed my initial hunch that this process updates Safari’s “Top Sites” view of pages you’ve visited recently–how else will the browser know to provide current previews of them?

What I still don’t get is why WebProcess would have kept on checking a site I hadn’t visited in close to two years–and which I don’t remember seeing in Top Sites anytime since. But I’ve witnessed enough weird behavior lately from individual Apple apps that I can’t put this past Safari… which is to say, I hope that’s all this is and that I haven’t missed something else.

Belated updates to this year’s stories

You don’t have to run a correction when a story changes after you’ve written about it–but it is polite to follow up. Here’s a not-so-short list of updates to stories I’ve done this year.

When I wrote that Google’s new, unified privacy policy would almost certainly be recast to let users opt out of having the company assemble a detailed portrait of them based on their use of separate Google services, I was wrong; that has yet to happen.

Sonic.net’s groundbreaking fiber-to-the-home service–a steal at $69.95 a month for 1 billion bits per second–seems to be off to a fine start in Sonoma County, but the planned expansion to San Francisco’s Sunset District is still on the way. It hasn’t shown up as an advertised offering on this Santa Rosa, Calif., Internet provider’s home-services page either.

Remember when adjacent-friend-discovery apps were going to blow up after their moment in the sun at SXSW in March? Didn’t happen. Facebook bought Glancee (and has yet to do much publicly with its technology), while Highlight seems to have fallen off the map (maybe I’m not hanging out with the right crowd?).

The ethics of outsourced manufacturing, fortunately, have stayed in the headlines since I wrote about them in March for CEA. And we may even be seeing legitimate progress, to judge from the New York Times’ story earlier this week recounting upgrades in pay and working conditions at contract manufacturers Foxconn and Quanta’s Chinese factories.

I’m still waiting to see comparable progress in liberating e-books from “digital rights management.” The sci-fi publisher Tor/Forge–a subsidiary of Macmillan–went DRM-free in July, but other branches of the major publishing houses have clung to this self-defeating measure. 

After saying so many good things about the car2go car-sharing service–and seeing that story get picked up in a few other places–I have to confess that I, ahem, haven’t used the service since. Capital Bikeshare is even more convenient and cheaper for trips under two miles, plus I need to make my way into the District to jump into one of car2go’s Smart fortwo vehicles.

I tempered my praise for Sprint’s Evo 4G LTE by wondering how long its users would wait to get Google’s software updates. Answer: almost six months, the time it took HTC and Sprint to deliver the Android 4.1 release Google shipped in June.

I was pretty sure I’d buy a Nexus 7 tablet after liking it as much as I did in July. But now that I own an iPad mini, that purchase seems like it would be redundant. Am I making a mistake there?

After teeing off on Apple Maps in the first chapter of my iPhone 5 review for CNNMoney.com, I have to give Apple credit for fixing the two worst flaws I called out. It now lists the correct address for the Kennedy Center as its first search result and provides a route to Dulles Airport that doesn’t cross any runways. But it still doesn’t know about Yards Park or the new 11th Street Bridges across the Anacostia–and the latter omission means its directions will now send you on a closed stretch of freeway.

My upbeat review of Samsung’s $249 Google Chromebook noted some build-quality concerns, in the form of a loose corner of the screen bezel. I found out the hard way that it’s more delicate than that; its LCD is now broken, and I don’t even know how. (We do have a two-year-old at home, but it’s also possible that I dropped something on it.)

My advice about enabling multiple-calendar Google Calendar sync on an iOS device by setting up your Google account as a Microsoft Exchange account will soon be obsolete. Effective January 30, Google will no longer support Exchange syncing on new setups (although existing ones will still work). Fortunately, it’s also posted instructions to enable multiple-calendar sync without the Exchange workaround.

3/23/2013: Updated the link for the car2go review after the post vanished in a site redesign and, for CMS-driven reasons that escape me, could not be re-posted at the same address. 

Why are random spammy sites pointing to here?

I never mind people reading this blog, but lately I’ve been getting a little antsy over some of the sites that seem to be sending people here. Over the past few days, a motley assortment of spammy-looking pages have been showing up as referrers in my stats.

As you can see in the screen grab I took Tuesday morning, most seem to reside at domain names that suggest some sort of substance. But when I’ve clicked through I’ve found nothing but a list of search links, in some cases categorized and in other cases pretty much random. And the searches that I can see in some of those referring links–today, for example, “star hotel roma” and “blog for make money online”–have little to nothing to do with what I write about here.

Spam happens because people think that it will help them make money online. But just what kind of business model am I looking at here? The only way I can see the spammers profiting from sending people to my site is if they’ve got a business connection to a WordAds advertiser, but the ads I see have almost always been from name-brand companies–this program is deliberately limited to “high-quality,” national advertisers. So what’s the deal? If you have a theory, I’d like to read about it in the comments.

A fix for strange search results

Something looked broken with Web search on my computer yesterday, and it took me only about 18 hours of detours to figure out the problem. To spare you all the trouble of repeating my troubleshooting, here’s how things worked out.

Everything started when I was doing a routine search for a post I’d written last winter on CEA’s blog. I clicked on Google’s link, saw a random address appear and then another, and found myself looking at a sketchy page with ads for some casino instead of my analysis of exemptions to the Digital Millennium Copyright Act’s anti-circumvention provisions.

My first thought–both frightened and angry–was that I’d finally gotten hit with a virus like DNSChanger on my own computer. But the same hijacked search happened in another Mac and on the Chromebook I’d just reviewed.

Maybe my wireless router had gotten compromised somehow? I had covered one reader’s experience with that two years ago, and my fellow tech journalist Glenn Fleishman (I’d say he’s forgotten more about WiFi than I’ll ever know, but he forgets nothing) thought that was likely too.

But the router had nothing amiss with its domain-name-server settings. Meanwhile, doing the same search in the browser on an AT&T Android phone (another recent review) didn’t yield any spurious results. Two replies on Twitter also suggested this issue might be specific to Internet providers.

My last move before getting distracted by our daughter was to try the same search on other sites. At Bing, the result also got hijacked; at DuckDuckGo, it did not.

This morning, as I was using Safari’s Web Inspector to see if I could get any more insight on the mechanics of the hijack (and take the screengrab you see above), another Twitter reply suggested that it could be an issue with CEA’s installation of WordPress. There is a history of exploits for that popular blogging platform that target incoming referrers from popular sites to send those clicks elsewhere; see, for instance, this Q&A thread.

(WordPress.com, this blog’s host, is a commercial service that runs WordPress; one of its selling points is having professionals stay on top of patches and security so I don’t have to.)

Sucuri LLC’s malware-checking site didn’t find any malware at CEA’s blog. But when I e-mailed somebody at the Arlington, Va., trade association, they did find a malicious script on the site that’s since been removed. And now, my original search takes me to the right page.

So I guess reporting this counts as this week’s good deed for the Internet… and maybe a start on next weekend’s USA Today column. But before I do that: Have you run into anything like this? Were you able to get it resolved? What else would you like to know about search hijacking?

Internet 1, Big Copyright 0

Some 11 and a half years ago, I was mad enough about a story in the news that I stayed up until 3:57 a.m. (according to the timestamp on the file) to write a column about it. That issue was a case called Universal v. Reimerdes, in which a federal judge had ruled it illegal to distribute the DeCSS DVD-unlocking software.

I knew that the Digital Millennium Copyright Act’s “anti-circumvention” provisions made such a ruling possible. But it was something else to see it applied to a program with obvious fair-use potential–and to have people then act as if it were entirely feasible to halt the distribution of that file over the Internet. I just had to write about something so insultingly unfair and mind-bogglingly stupid… assuming I could get the importance of it across to people who had never heard of DeCSS or the DMCA:

Last Thursday, a judge in New York City ruled that an obscure magazine called 2600, based in Middle Island, N.Y., can’t post an equally obscure program, DeCSS, on its Web site, or link to other sites that offer it. Few people have used this software, which unlocks a DVD movie’s encryption, and not many more seem to care.

They should. This lawsuit is all about the mix of fear and greed that is driving the entertainment industry to put tighter and tighter locks on its products–and whether consumers get to do anything about it.

That August 25, 2000 column in the Washington Post was the first of many copyright rants I’ve had occasion to write. A lot has changed since then–DeCSS, of course, never disappeared and has since been replaced by better software that I’ve used to make copies of my DVDs to watch on laptops without optical drives–but one thing had not. The entertainment-industry firms that had lobbied for the passage of the DMCA and cheered the DeCSS verdict had kept on getting their way in Washington. Never mind the larger size of the tech industry; at worst, Big Copyright might lose a round after an egregious overreach, but that setback would then go largely unrecorded.

That changed this week, thanks to a storm of protest over the Stop Online Piracy Act and its Senate counterpart, the Protect IP Act. Both would have turned the Internet’s Domain Name System into a censorship mechanism; the former would have also given copyright owners a financial kill switch for sites accepting user-generated content. And both looked set to sail through Congress until people noticed and started getting righteously fed-up, culminating in yesterday’s blackout protests at sites from Wikipedia to WordPress.com.

Those two bills have since taken a public beating–not just on tech-news sites, but on the evening news–and sponsors of each have been rushing to hit the Undo button on their support. To judge from the more delusional press releases issued over the last 48 hours, I’m not sure that Hollywood even knows what hit it.

I would have liked to have seen this moment happen back in 2000, but this year will do.

Phishing hacks e-mail users, not e-mail services

I’ve seen one too many “Gmail hacked” headlines this morning. Yes, Chinese hackers were able to access “hundreds of Gmail accounts, including some belonging to senior U.S. government officials and military personnel,” as the Post’s story puts it (without using the phrase “Gmail hack”).

But those con artists in China did not break into these accounts by exploiting a vulnerability in Google’s systems, the basic definition of a “hack.” They exploited one in the minds of those Gmail users–by fooling them into entering their passwords on a fake Gmail login page. The spear-phishing e-mails sent to these victims encouraged them to click on a link to view an attached file; those links opened a page in their browser that, in at least some older versions of Internet Explorer, appeared to have a valid google.com address.

You can criticize Google for not flagging these messages as phishing, something Gmail tries to do automatically. But without affirmative action by the targeted users–typing a password into the wrong page–these attacks would fail. That’s the point I tried to make on Twitter this morning:

Another former tech columnist, BusinessWeek alumnus Steve Wildstrom, replied by noting that even if the Chinese hackers had targeted software on the victims’ computers, it still would not have represented an attack on Gmail’s own servers:

And yet a lot of stories have run with the concise, too-convenient “Gmail hacked” or “Google hacked” phrasing. I know that’s eye-catching–especially compared to the lengthy throat-clearing of Google’s bland blog post yesterday–and fits neatly into the ongoing Google-against-China, spy-vs.-spy storyline. But it’s also inaccurate and, by suggesting that mistakes were made where they were not, unhelpful to users trying to stay safe.

Phishing attacks aren’t always obvious. But one thing holds true about all of them: You own your own keystrokes.

(Disclosures: I used “Gmail hacked” as one of the tags for this post. I’ve also been a speaker at Google events, including a panel discussion in January 2010 and an all-day conference next Thursday.)

Edits, 1:01 p.m. Fixed one incorrect link and replaced another with a more useful address.

The market for Mac malware

Are malware makers finally ready to pay Apple the ultimate compliment by writing viruses and trojans that target Mac OS X?

Sure–they already have. For the past few years, Mac trojans have been surfacing that will screw with your machine in various ways. But they all require assistance from the unwise or the unwary: You not only have to download and install one of these malicious programs, you also have to authorize its operation by typing your Mac’s admin password. And these phony applications are so rare and so obvious that Mac users can comfortably get by without running anti-virus software.

That’s not the case in Windows (nor was it always the case with “classic” Mac system software). On Thursday, ZDNet’s Windows columnist Ed Bott suggested that Mac users were due to experience that sort of anxiety, citing the Mac’s increased market share, the history of remote exploits for Mac OS X and the arrival of the first Mac-specific write-your-own-virus toolkit:

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack.

The next day, Bott wrote about a new trojan, hidden behind a “poisoned” image page found in a Google search, that featured both Windows and Mac versions.

The problem with predicting an imminent wave of Mac viruses is that so many people have been wrong before–as Mac blogger John Gruber noted in a post Thursday, titled “Wolf!”, that quoted more than a dozen forecasts of Mac malware doom, going back to 2004. But this time could be different. Veteran Mac journalist Glenn Fleishman surprised a few people, possibly including himself, by repeatedly defending Bott’s analysis in conversations on Twitter.

(This is why you should follow more than one person covering a subject you care about; you’ll see this shop talk among competing reporters and analysts that you’d otherwise miss if you only followed one of those people.)

As a Mac owner and the primary source of tech support for two others (my mom and my mother-in-law), I’m not too worried about Mac trojans. I think Bott slightly oversells that risk, for two reasons.

One, every Mac trojan that I’ve seen so far requires you to type an admin password. Any Mac user with a few weeks of experience should recognize that as an unusual sign, reserved only for things like system-software updates and installing printer drivers–other apps only require you to drag their icons to the Applications folder. This sets the Mac apart from Windows, in which almost every single program requires running an installer and authorizing that action by clicking through a User Account Control dialog. That said, recent Windows switchers could easily see a password request from a new OS X app as something normal.

Two, Apple’s Mac App Store provides a safe alternative (though I’m happy it’s not the only way to add third-party software to a Mac). Somebody worried about getting hit with viruses from strange downloads can stick to that and should be safe. I wish Windows had an equally simple, obvious alternative–a few of my readers at the Post seemed unable to avoid downloading the trojan of the week and desperately needed such an option.

And yet: Over Easter, I expanded my usual troubleshooting of my mom’s iMac by installing the free, open-source ClamXav anti-virus program on that machine.

I’m much more concerned about zero-day exploits of vulnerabilities in OS X’s Internet-facing software. As contests such as the annual Pwn2Own competition have shown, it’s not all that hard to take control of a Mac remotely by luring a victim to a malicious site. The Mac’s growing market share–which Apple put as more than 20 percent of the consumer market in the U.S. back in October–gives malware authors an increasing economic incentive to target those flaws. And Apple’s sometimes-sluggish pace at shipping security fixes makes their job easier.

That’s my worry. I hope I’m wrong about it.