DTNS 2212 – Total Eclipse of the Heartbleed

Logo by Mustafa Anabtawi, thepolarcat.com

Andrew Zarian is on the show and we’ll kick around some Heartbleed news to scare the SSL out of you, plus what the government’s doing to help patch software. And Jessica Dolcourt helps us decide if Windows Phone’s Cortana will inspire us to ditch Siri or Google Now.


Multiple versions (ogg, video etc.) from Archive.org.


A special thanks to all our Patreon supporters–without you, none of this would be possible.

If you enjoy the show, please consider supporting the show here at the low, low cost of a nickel a day on Patreon. Thank you!

Big thanks to Dan Lueders for the music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, Kylde, TomGehrke and scottierowland on the subreddit

Show Notes
Today’s guests: Andrew Zarian of the GFQ Network and Jessica Dolcourt of cnet.com

Headlines

TechCrunch reports Windows Phone 8.1 arrived today for developers as a developer preview. While the OS is not finished, pretty much anybody can get it by signing up for a free Microsoft developer account and starting a project. Of course you void your warranty and you can’t roll back to Windows Phone 8, so it may not be for everyone. Reviews of the OS came out today too, with many people raving about Microsoft’s voice-activated assistant Cortana. That feature is only available in the US.

Engadget posted that Google has agreed to buy Titan Aerospace, makers of solar-powered drones. You may recall Facebook was in talks with Titan Aerospace a few months ago; Facebook instead bought a different company called Ascenta. The WSJ says Google intends to use the drones as part of its Project Loon attempt to broadcast the Internet from floating weather balloons.

Mozilla’s Mitchell Baker announced the appointment of Chris Beard to the Mozilla Board and the position of interim CEO. Beard has worked at Mozilla since 2004. He has an MBA from the University of Edinburgh and worked in senior product and marketing roles at HP and Sun, as well as founding the Puffin Group, which was acquired by Linuxcare. Beard joined VC firm Greylock in July 2013.

Heart Monitor

Friday we told you Cloudflare had opened a server to be hacked, to see if private keys really could be extracted from a server by exploiting the Heartbleed vulnerability. It took 9 hours for someone to do so. Ars Technica reports software engineer Fedor Indutny and Ilkka Mattila at NCSC-FI obtained the keys. As of Saturday, CloudFlare had confirmed four “winners”, the other two being Rubin Xu, a PhD student in the Security group of Cambridge University and security researcher Ben Murphy.

A more worrisome exploitation of Heartbleed came from the Canada Revenue Agency which reported 900 Social Insurance Numbers stolen by someone taking advantage of Heartbleed. The CBC reports the theft was discovered by admins who were patching the CRA’s servers. The agency is still examining the breach to see if data related to businesses had been removed as well. The agency did not describe how the attackers used Heartbleed to gather the numbers. Anyone affected will be provided with free credit protection.

Of course patching the bug is not simple, as Akamai has learned the hard way. PC World reports Akamai is reissuing all SSL certificates and security keys used to encrypt connections between its customers’ websites and visitors. Akamai THOUGHT its customers were less vulnerable to Heartbleed because of custom code related to how the keys were stored. Akamai released that code Friday to help out other researchers. As if to demonstrate the value of open source, researcher Willem Pinckaers found defects in the code Sunday. Akamai’s code left three of the six critical values of an RSA key unprotected, allowing an attacker to calculate the rest of the key.

Of course maybe all this could have been fixed years ago if the US NSA had let companies know about Heartbleed. Bloomberg reported Friday that two sources told them the NSA knew about Heartbleed for two years. A statement from the Office of the Director of National Intelligence said, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

Of course that doesn’t mean US government agencies don’t sometimes find out about flaws and keep them to themselves. The New York Times reports the White House response to allegations the NSA knew about Heartbleed was to issue a statement saying there is now a “bias toward responsibly disclosing such vulnerabilities.” The exception, of course, is when there is “a clear national security or law enforcement need.”

News From You

AllanAV sent in the Ars Technica republication of the Wired UK article on a glow-in-the-dark road that debuted in the Netherlands on a 500 meter stretch of the N329 highway, replacing streetlights. The markings are not merely reflective, but created with photo-luminescent powder integrated into the road paint, developed in conjunction with road construction company Heijmans.

tekkyn00b posted the MacRumors article passing along the StreetInsider story that Jefferies analyst Peter Misek claims Apple wants to raise the price of the iPhone 6 $100 if they can get the carriers to agree. No carrier will likely WANT to raise the price in this world of bargain smartphones but Misek argues “Carriers realize that the iPhone 6 will likely be the only headline-worthy high-end phone launched this year and that they will lose subs if they do not offer it.”

And melchizedek74 pointed us to The Verge article that noticed Comcast’s Netflix speeds have improved dramatically since the two companies agreed to an interconnect contract. Comcast is the 5th fastest streamer at 2.5Gbps for Netflix streams in March, vs. the average 1.15 Mbps it reported in January.

Discussion Section Links: Windows Phone 8.1 & 

http://www.cnet.com/news/cortana-vs-siri-vs-google-now/

http://arstechnica.com/gadgets/2014/04/windows-phone-8-1-review-a-magnificent-smartphone-platform/

http://www.theverge.com/2014/4/14/5612322/windows-phone-8-1-download-features

http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=0

http://www.bloomberg.com/news/2014-04-14/president-s-security-flaw-guidance-seen-hard-to-implement.html

When to see the lunar eclipse!

http://mashable.com/2014/04/14/what-time-is-the-lunar-eclipse/?utm_cid=mash-com-Tw-main-link

Pick of the Day: Hitbliss via Mike!

Tuesday’s guest: Nicole Lee, Engadget