Heartbleed, Borders, and Cookies

HEARTBLEED heartbleed my heart is bleeding about heartbleed….

How soon until someone writes a country ballad about heartbleed? Knowing the Internet, probably before all the currently vulnerable sites are patched. Researchers at the University of Michigan previously produced a tool capable of scanning large swaths of the Internet at incredibly fast speeds. They took advantage of this tool to regularly scan the top 1 million sites on the Internet (as categorized by Alexa, who is not a person) and determine what portion of the sites are vulnerable. Mashable, meanwhile, has compiled a list of the big websites that were vulnerable (but now are not). This bug is the latest and greatest of them… yet (as XKCD points out).

As the NYT points out, as the web gets larger it also gets less secure (and thus, harder to defend):

“If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one. “Over all, attackers have the competitive advantage,” said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. “Defenders need to defend everything. All attackers need to find is one vulnerability.””

Rusty Foster, writing for the New Yorker, eloquently makes user-friendly sense of the bug (something I admire, working as a technical writer) while also taking care to call attention to the risks of relying on open source projects in their current state, as well as aging digital infrastructure:

“Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts. It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers. If open-source software is at the heart of the Internet, then we might need to examine it from time to time to make sure it’s not bleeding.”

Old programming languages were more intensive and more hands-on, and thus require that you remember more things. In this case, the software was written in C, which requires that the programmer remember to manage system memory in the code. This level of management is possible to keep track of, but given that OpenSSL is wholly volunteer driven (as Foster points out), it’s much more difficult when that work is your hobby. The Sydney Morning Herald talked to the programmer who wrote the vulnerable code.

And, for the last of the bleeding hearts, Charlie Warzel writing for Buzzfeed takes care to remind us that the biggest issue with this vulnerability (besides the fact that it’s been unpatched for more than two years) is the future risk if sites aren’t patched. As an example:

““If one guy is running a soccer blog for his kid’s soccer team and doesn’t patch the bug, some attacker can come in down the line and compromise the site and put a virus on that will attack visitors,” Wisniewski said. “The big sites are almost all fixed or will be soon. The real concern is for the future.””

If you’re totally at a loss for how you could possibly come up with some new unique passwords, The Hairpin has your back (and so does the free, trustworthy password manager LastPass).

The Internet is often spoken of as something that will reduce the reliance on borders. However, in the physical world, borders matter more than ever, at least for those who cross them.

NPR has developed a beautiful web app that walks a person through various experiences on the United States - Mexico border. Don’t click because it’s beautiful. Click because it’s important, and tells stories that need to be heard more often.

New media site Vox also delved into border issues, with a short look at the use of (unnecessary) force by border agents.

That’s enough of depressing things, though. While I’m not a great cook, I love baking. I only managed to make chocolate chip cookies twice this past year, but they are possibly my favorite cookie, and you can read all about the history in the New Yorker. But if history isn’t your style and you’d prefer a deep and scientific understanding of what gives chocolate chip cookies their characteristics (and how to adjust them to be more in line with what you want), you should read this in-depth post on the science of chocolate chip cookies. And if you don’t care about the history or the science and just want to bake, well, the recipe is here.

Spring is finally here, and has brought with it the perfect weather for driving with your windows down. In the spirit of that power, some upbeat music by George Barnett with 3 Statues.