A New Stone Age by 2114

Jared Diamond, noted author of “Guns, Germs, and Steel” and “Collapse: How Societies Choose to Fail or Succeed,” has a new book out. It’s actually a revision of his first book “The Third Chimpanzee” with an edit focused on young people.

In simple terms, Jared’s thesis is that we have about 50 years to establish a sustainable world. If we’re successful then we get to continue having a technological culture. If we fail, we’ll be blown all the way back to stone age conditions by 2114. He figures the odds of pulling it off are about 50/50.

I’m not sure I can be so sanguine, given that our political and corporate institutions, the entities that would have to be active at the core of a transformation, are for the most part directly opposed to disrupting their power and profit models. I won’t put a number on our odds, because I don’t have the least idea how to quantify progress towards a transformation, but I know it won’t be easy.

More background on Jared Diamond and his new book, including a one hour interview, is at Climate Desk.

NSA Knew About Heartbleed

Never mind what I posted yesterday. Today it seems clear that our imperial witch hunters chose to leave us all vulnerable to criminal fraud for years, according to this report from Bloomberg.

Fuck.

All Your Router R Belong To Heartbleed

Every router on the net is affected by the Heartbleed bug. Routers are transmission control devices that are used on telecom networks and server farm networks everywhere. When a secure https connection request passes through them, they use software that contains the vulnerable Heartbeat routine to process it. So, every router can be tapped by Heartbleed.

In other exciting news, after reading more analysis about the source of the bug it seems unlikely that US NSA instigated it. The man who actually wrote the code is in Germany and has come forward to say it was just a mistake on his part. He’s probably telling the truth.

And so it goes …

Heartbleed SSL Security Bug

The Heartbleed SSL security bug is all over the news now. Some basic facts:

Every web server on the net, with few exceptions, got hit. Not just Yahoo! Banks, stores, any site that uses SSL security. Almost all of them use the version of SSL that includes the vulnerable Heartbeat routine.

My sites *don’t* use SSL security for several reasons, particularly because there’s no private messaging or financial transactions. So, due solely to blind luck, you probably don’t have to change your passwords. My recommendation is that you change your password here once a year.

You will need to change ALL your passwords on SSL Secure sites, but not yet. First, all the sites on the net have to patch their code & that will take days, maybe even a week or two.

The SSL code got corrupted two years ago. Rumors about how / why it happened are all over the map:

Was it done by mistake? Probably not. Not impossible, but it doesn’t seem likely to me. It works too perfectly to be an accident. All your password R belong to anyone who can exploit it. How long have “bad guys” known about this bug? A while, several months at minimum.

Could some credit card stealing hacker have inserted the bug? Possible, but not so likely. If thieves had done it, banks and stores would have started losing significant amounts of money two years ago.

Is it possible the NSA did it? Yup. Is that likely? It’s 50/50 in my book, they have been caught red-handed corrupting net security software and there is no question they do things like this. If the NSA did it, they probably thought nobody would notice, and that would be correct, it seems to have taken at least a year for anyone to discover the bug.

Can you tell if someone has exploited the bug to get your info? No, it’s untraceable. What’s exposed? Everything, as described in this notification from Cloudflare:

Heartbleed (CVE-2014-0160, http://www.openssl.org/) is a flaw in OpenSSL, encryption software used by the vast majority of websites to protect sensitive information. This vulnerability in OpenSSL allows an attacker to reveal up to 64KB of memory to a connected client or server. This flaw could expose sensitive data such as passwords or usernames – even when you thought it was encrypted.
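The Cloudflare notice says what leaks but not why. The defect was a missing length check: a TLS heartbeat message carries its own "payload length" field, and unpatched OpenSSL copied that many bytes back to the peer without checking that the bytes were actually in the record it received. The patched code, and the intrusion detection signatures written at the time, both do the same thing: compare the declared payload length against the size of the record on the wire. The Python below is an added example, not from the original post or from Cloudflare or OpenSSL; it implements that validation over the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) inside a TLS record (1-byte content type 0x18, 2-byte version, 2-byte length). The two sample records are constructed for the example.

```python
"""Validate TLS heartbeat records the way a patched OpenSSL (or an IDS) does.

Added example, not code from the original post. Wire format assumed from RFC 6520:
  TLS record header : content type (0x18 = heartbeat), version (2 bytes), length (2 bytes)
  heartbeat body    : type (1 = request, 2 = response), payload length (2 bytes),
                      payload, then at least 16 bytes of random padding.
"""
import struct
from typing import Tuple

HEARTBEAT_CONTENT_TYPE = 0x18
TLS_1_1_VERSION = 0x0302      # version bytes used in the constructed samples
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding
HEARTBEAT_HEADER_LEN = 3      # 1-byte type + 2-byte payload length


def check_heartbeat_record(record: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False whenever the declared lengths do not fit the bytes present."""
    if len(record) < 5:
        return False, "truncated TLS record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return False, "not a heartbeat record (content type 0x%02x)" % content_type
    body = record[5:]
    # First bounds check: the record header must describe exactly the bytes we hold.
    if len(body) != rec_len:
        return False, "record length %d does not match %d bytes on the wire" % (rec_len, len(body))
    if rec_len < HEARTBEAT_HEADER_LEN + MIN_PADDING:
        return False, "body too short to hold heartbeat header and minimum padding"
    hb_type, payload_len = struct.unpack("!BH", body[:HEARTBEAT_HEADER_LEN])
    if hb_type not in (1, 2):
        return False, "unknown heartbeat type %d" % hb_type
    # Second bounds check: this is the one unpatched OpenSSL skipped. The declared
    # payload plus header plus minimum padding must fit inside the record body;
    # otherwise an echo of 'payload_len' bytes would read past the received data.
    if HEARTBEAT_HEADER_LEN + payload_len + MIN_PADDING > rec_len:
        return False, "declared payload %d bytes exceeds record body %d bytes" % (payload_len, rec_len)
    return True, "well-formed heartbeat"


def build_heartbeat_request(payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Build a well-formed heartbeat request record (used to construct the sample input)."""
    body = struct.pack("!BH", 1, len(payload)) + payload + b"\x00" * padding_len
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, TLS_1_1_VERSION, len(body)) + body


# Constructed sample 1: a benign 4-byte "ping" heartbeat, 23-byte body.
GOOD_RECORD = build_heartbeat_request(b"ping")

# Constructed sample 2: the same 23-byte body, but the payload length field claims
# 0x4000 (16384) bytes. A patched server discards this; an IDS flags it.
OVERSIZED_RECORD = bytes.fromhex("18 03 02 00 17 01 40 00") + b"ping" + b"\x00" * 16


if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("oversized", OVERSIZED_RECORD)):
        ok, reason = check_heartbeat_record(rec)
        print("%-9s %s  %s" % (label, "ACCEPT" if ok else "REJECT", reason))
```

Run stand-alone it prints one ACCEPT and one REJECT line. The same comparison, applied to captured traffic, is how network monitors distinguished a normal keep-alive from a probe for this bug: a heartbeat whose declared payload length is larger than the record that carries it is never legitimate.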

Did the Target Hackers use this bug to get into all the store systems that were hacked last year? Maybe, it’s certainly not impossible. Security professionals haven’t fully documented how that hack was done. Target may know all the details, but they’re not publishing all the facts. We do know that it was (at least in part) an inside job. The hackers broke into a payment processing system first & then used that system to gain access to Target internal systems.

Did the Target Hackers or someone like them get into other stores? Yes, other stores have been broken into and nobody likes to admit it. Security professionals don’t find out until some random bank issues a debit / credit card recall notice & they refuse to say why. Sally Beauty is just one example of a store that recently acknowledged it had been hacked.

WHAT CAN I DO?!?

Get a Bluebird card from AMEX, there are no fees on this card. Load it from your bank account or debit card. Use it on the net every time you spend money, no exceptions. If you do that you’ll never risk losing more than the residual balance on the card. Only load it right before you’re planning to use it.

I have been using Bluebird since the day it was released. Let me repeat the key piece of info: no fees, not for loading it or using it. You pay a couple of dollars the day you get the card & then you never pay again.

And still I got stung in the Target store while Christmas shopping last fall. My bank had to issue a new debit card. Didn’t lose anything then, but now I’m going to use Bluebird even more than before, especially when I travel.

Change all your online passwords, particularly email, banks & stores. But wait a week to do it, until after Sys Admins update sites.

Get a pro-quality password manager. I use mSecure which is a little cheaper than 1Password. They make it super simple to change all your passwords quickly and sync across all operating systems and devices.