Heartbleed – it gets worse…

Apparently, the NSA may have at least known of this bug for a long time, and you can bet your boots they’ve exploited it against someone. Given their propensity for reading the communications of all and sundry, I somehow doubt that only the ‘bad guys’* were targeted.

In any case, if the NSA knew about it, and the bug itself was hidden in plain site, you can take it for granted that someone else did. Which, if true, means that the NSA has worked to weaken all of our collective security, including the security of the country they’re meant to protect.

Meanwhile, lastpass have put up a useful tool to help with figuring out what passwords need to be changed and where. Because the important thing here is to change your password only after the affected service has both patched and updated their SSL certificates. Doing it before that means you’ll still be vulnerable.

Finally, some food for thought from Bill de hÓra …

* insert your preferred bad guys here

Ben Goldacre: What the Tamiflu saga tells us about drug trials and big pharma

Remember the big stockpiling exercise by Governments of Tamiflu for our benefit in the event of a pandemic a few years back? Looks like all that money was wasted

So does Tamiflu work? From the Cochrane analysis – fully public – Tamiflu does not reduce the number of hospitalisations. There wasn’t enough data to see if it reduces the number of deaths. It does reduce the number of self-reported, unverified cases of pneumonia, but when you look at the five trials with a detailed diagnostic form for pneumonia, there is no significant benefit. It might help prevent flu symptoms, but not asymptomatic spread, and the evidence here is mixed. It will take a few hours off the duration of your flu symptoms. But all this comes at a significant cost of side-effects. Since percentages are hard to visualise, we can make those numbers more tangible by taking the figures from the Cochrane review, and applying them. For example, if a million people take Tamiflu in a pandemic, 45,000 will experience vomiting, 31,000 will experience headache and 11,000 will have psychiatric side-effects. Remember, though, that those figures all assume we are only giving Tamiflu to a million people: if things kick off, we have stockpiled enough for 80% of the population. That’s quite a lot of vomit.


The EU owns the ball and the pitch, as it were.

A Mayor for Dublin – the detail matters…

And rightly so. As Dr. Quinlivan points out:

In 2006, I remember interviewing the Mayor of Schenectady (New York), Brian Stratton, who made a very persuasive case to me for directly elected mayors. He said that when he was elected mayor he inherited a fiscal train wreck but was able to turn things around because he had immense executive powers. What he failed to mention though was that the fiscal train wreck had been caused by the previous directly elected mayor who had bankrupted the city with a massive deficit and a rock-bottom credit rating.

Many directly elected mayors in America have veto power over the council and are all powerful. When I asked the mayor of Albany, Gerald Jennings, about his relationship with his council, he laughed and said, ‘I’m not obliged to go to council meetings, thank God.’

Do we need an executive Mayor? Hmm.

How to do new things

Dave Winer:

The best way to learn something is to start doing it. Don’t wait for full knowledge to come to you. Often it won’t. Just pretend you know what you’re doing, and hit the walls. That helps define the shape of the problem. Make it small enough that you can start solving it right now, without waiting. Each part of the problem is smaller than the whole thing. And tell yourself you can do it, because you can.

via Memex: How to do new things.

Tuesday morning and the internet is on fire : OpenSSL Heartbleed Bug

This is pretty bad :

In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. It supports up to 64 KiB. You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only actually send, say, one byte, OpenSSL would send you back your one byte — plus 64 KiB minus one byte of other data from RAM

So, what does that mean?

This allows the other endpoint to get random portions of memory from the process using OpenSSL. An attacker cannot choose which memory, but if they try enough times, their request’s data structure is likely to wind up next to something interesting.

And to add insult to injury,

None of this will be logged anywhere, unless you record, like, all your raw TLS connection data.

Which means you won’t know if you’ve been hit, so you need to assume you have.

For further detail, there’s a good summary here:

existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug.