Showing posts with label pain. Show all posts

09 April 2014

Heartbleed Reaction Part 2

A particularly relevant statement from http://heartbleed.org (server side):
"Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most."

There doesn't appear to be any up-to-the-minute current registry that I could find of sites that are affected on the server.  The scan posted on github is fairly out of date at this point, and from what I can tell only takes the homepage into consideration, not sites that only forward to https for things like login / checkout.

Here is the best one-off checker I could find (server side):
- https://www.ssllabs.com/ssltest/

Also, it may not be necessary to update Chrome/Firefox, based on the following language on the security stackexchange site:
- http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely
"Chrome (all platforms except Android): Probably unaffected (uses NSS)"
"Chrome on Android: 4.1.1 may be affected (uses OpenSSL). Source. 4.1.2 should be unaffected, as it is compiled with heartbeats disabled."
"Mozilla products (e.g. Firefox, Thunderbird, SeaMonkey, Fennec): Probably unaffected, all use NSS"

The potential vulnerability of clients is discussed here:
- http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely
- https://www.openssl.org/news/secadv_20140407.txt (language: "client or server")
- http://heartbleed.com
"Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services."

My guess is that curl going to an https site would be affected, or other programs that use OpenSSL.  Maybe a chat client or if programs are downloading their own "auto-updates" over SSL.  Those are the only kinds of things that come to mind right now.
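The post points at remote checkers for the server side and guesses at which local programs use OpenSSL on the client side. The script below is an added example, not code from this post or from any of the linked sites, that looks at the local side of both questions on a Linux host: it classifies an `openssl version` string against the affected range stated in the OpenSSL advisory linked above (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, 1.0.0 and 0.9.8 not), and it walks `/proc/<pid>/maps` to list which running processes have libssl or libcrypto mapped, which is exactly the "curl, chat clients, auto-updaters" inventory the paragraph is wondering about. The function names, the `/proc` scan and the sample maps lines are my own construction. One caveat that matters in practice: distributions backported the fix while keeping the old version string (a patched build can still report 1.0.1e), so an "affected" verdict from the version check is a prompt to read the package changelog, not proof of exposure.

```python
"""
Added example (not from the blog post): local OpenSSL exposure inventory.

  classify_openssl_version()  -- maps an `openssl version` line onto the
      affected range from https://www.openssl.org/news/secadv_20140407.txt
  openssl_libs_in_maps()      -- finds libssl/libcrypto in /proc/<pid>/maps text
  scan_processes()            -- runs that over every readable process

A mapping marked "(deleted)" means the file was replaced on disk (e.g. by a
package upgrade) but the process still runs the old copy and needs a restart.
"""
import os
import re
import subprocess

# Accepts "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...", "OpenSSL 1.0.2-beta1 ..."
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips))?", re.I)


def classify_openssl_version(version_line):
    """Return 'affected', 'not affected' or 'unknown' for a version string.

    Version-string check only: a distro backport keeps the old string, so
    'affected' means 'go check the package changelog'.
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter = m.group(4).lower()
    tag = (m.group(5) or "").lower()
    if release == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f affected; fixed in 1.0.1g
        return "affected" if letter < "g" else "not affected"
    if release == (1, 0, 2):
        # only the 1.0.2-beta1 pre-release carried the bug; fixed in beta2
        return "affected" if tag == "beta1" else "not affected"
    # 1.0.0 and 0.9.8 branches are not affected per the advisory; later
    # branches (1.1.x and up) were released after the fix
    return "not affected"


def openssl_libs_in_maps(maps_text):
    """Return sorted unique (path, deleted) pairs for OpenSSL libraries in a maps file."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)      # pathname is the optional 6th field
        if len(parts) < 6:
            continue                     # anonymous mapping, no file behind it
        path = parts[5].strip()
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if re.match(r"lib(ssl|crypto)\.so", os.path.basename(path)):
            found.add((path, deleted))
    return sorted(found)


def scan_processes(proc_root="/proc"):
    """Map pid -> OpenSSL libraries it has mapped. Processes we cannot read
    (other users' processes without root) are skipped silently."""
    result = {}
    if not os.path.isdir(proc_root):
        return result                    # not Linux, or a test path: nothing to scan
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                libs = openssl_libs_in_maps(f.read())
        except OSError:
            continue
        if libs:
            result[int(entry)] = libs
    return result


# Constructed sample of /proc/<pid>/maps lines (not captured from a real host)
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 08:01 393287 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a1c1c5000-7f3a1c3c4000 ---p 001c5000 08:01 393287 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a1c400000-7f3a1c5e0000 r-xp 00000000 08:01 393290 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d021000 rw-p 00000000 00:00 0
7f3a1d100000-7f3a1d2b0000 r-xp 00000000 08:01 12345 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    print("openssl version:", out.strip() or "(not found)",
          "->", classify_openssl_version(out))
    for pid, libs in sorted(scan_processes().items()):
        for path, deleted in libs:
            note = "  (deleted: still running the old library, restart needed)" if deleted else ""
            print(f"pid {pid}: {path}{note}")
```

Run it as root to see every process; unprivileged it only reports your own. The same maps parser is what you would run again after the upgrade to confirm that nothing long-lived (a chat client, an updater daemon, a web server worker) is still holding the pre-upgrade library.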

Reacting to Heartbleed

It's 2:37am and I can't sleep.  It feels like the internet fell down around my ears.

What I am doing:

  1. Got educated at http://heartbleed.com
  2. Updated Chrome to the 34.x version manually (promoted to stable yesterday)
  3. Checked for vulnerability in sites I use
  4. Completely clearing cookies and cache on ALL my computers, family & work, including phones
  5. Installing LastPass and resetting ALL my passwords as I become confident that each site is patched
    • I am assuming that all my user/passwords are either already known at this point, or can be discovered by anyone who recorded SSL traffic in the past 2 years
  6. Wondering what will happen because of this

UPDATE: Chrome update seems to be not strictly necessary as stated here.  But I'm upgrading anyway, because the Chrome stable release on 8 Apr. 2014 has a lot of other security fixes in it.

UPDATE: More details that I've learned are here in a follow-up post.

10 March 2011

Flesh pots & Resistance to change

I was reading the account of Moses leading the Israelites out of Egypt. After all of the miracles that accompanied the exodus comes the account of the net sum response of the Israelites (Exodus 16:2-3):

2 And the whole congregation of the children of Israel murmured against Moses and Aaron in the wilderness:

3 And the children of Israel said unto them, Would to God we had died by the hand of the Lord in the land of Egypt, when we sat by the flesh pots, and when we did eat bread to the full; for ye have brought us forth into this wilderness, to kill this whole assembly with hunger.

I'm sure that my response to inspired leadership has sometimes sounded like this. And I'm very much willing to both admit that and abandon that position.

In stark contrast is the message contained in Pres. Henry B. Eyring's conference talk, Trust in God, Then Go and Do. In particular, another scripture comes to mind (1 Nephi 3:7):

7 And it came to pass that I, Nephi, said unto my father: I will go and do the things which the Lord hath commanded, for I know that the Lord giveth no commandments unto the children of men, save he shall prepare a way for them that they may accomplish the thing which he commandeth them.

Willingness to move forward and change and follow inspired leadership is a quality that I value, and that I seek to emulate & encourage.

09 March 2009

Test code structure

There are a lot of ways to build an unmaintainable test suite. Jay addresses this topic straight on. The most important idea I got out of it is this: "If It Hurts, You're Doing It Wrong."

Now how to get from painful to joyful ... that is the question. Probably by just applying common sense and proper code structure to tests, not just production code.

UPDATE

I've done my share of painful, stupid things:
  • the monolithic build system that had super-ant-tasks with laser vision
  • the event subsystem that was really just JMS
  • the custom deploy system that really should have been one of rsync or rpm
  • the object persistence layer that was supposed to be super-generic, but was really tied super-close to the domain objects
  • ... I'm sure I could go on

The main thing I've learned is to work with the door open. And stay wide open to how to do things better and to always strive to see the things I'm missing.