Archive for April 10, 2014

Thursday, April 10, 2014

The Birth of Amazon.com

Philip Greenspun finds lots of interesting passages in Brad Stone’s The Everything Store: Jeff Bezos and the Age of Amazon:

PowerPoint is a very imprecise communication mechanism,” says Jeff Holden, Bezos’s former D. E. Shaw colleague, who by that point had joined the S Team. “It is fantastically easy to hide between bullet points. You are never forced to express your thoughts completely.” Bezos announced that employees could no longer use such corporate crutches and would have to write their presentations in prose, in what he called narratives.

[…]

Bill Miller, the chief investment officer at Legg Mason Capital Management and a major Amazon shareholder, asked Bezos at the time about the profitability prospects for AWS. Bezos predicted they would be good over the long term but said that he didn’t want to repeat “Steve Jobs’s mistake” of pricing the iPhone in a way that was so fantastically profitable that the smartphone market became a magnet for competition. The comment reflected his distinctive business philosophy. Bezos believed that high margins justified rivals’ investments in research and development and attracted more competition, while low margins attracted customers and were more defensible.

Visualizing Regular Expressions

This site will generate a graph diagram for an NFA that corresponds to a regular expression, as well as a corresponding DFA (via Chris Nebel).

Clean Up Your Projects With Xcode 5

Tony Arnold:

As long as you’re only keeping system frameworks in that group, you can delete it. Yes, delete the entire “Frameworks” group. Just ensure that you’ve enabled Link Frameworks Automatically in your Xcode project’s settings.

The OpenSSL Heartbleed Bug

The Heartbleed Bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

Adam C. Engst:

We won’t lie — it’s extremely bad, and among the worst security bugs we’ve seen in recent history. It enables attackers to break encryption and potentially access other sensitive information from the server. Worse, it does so invisibly, so Web site administrators can’t go back and check logs to see if the site has been attacked in the past.

Security expert Bruce Schneier calls Heartbleed catastrophic, saying “On the scale of 1 to 10, this is an 11.” Half a million sites may be vulnerable to the bug, according to Netcraft. With this tool from Filippo Valsorda, you can test sites you use regularly, although negative results may not mean anything, since conscientious system administrators are installing a new version of OpenSSL that patches the bug quickly.

Sean Cassidy:

Then it copies payload bytes from pl, the user supplied data, to the newly allocated bp array. After this, it sends this all back to the user. So where’s the bug?

[…]

What if the requester didn’t actually supply payload bytes, like she said she did? What if pl really is only one byte? Then the read from memcpy is going to read whatever memory was near the SSLv3 record and within the same process.

LastPass offers a great service:

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

Mashable has a list of affected sites.

Update (2014-04-11): See also xkcd and The New Yorker.

Update (2014-04-14): Cyrus Farivar:

President Barack Obama has explicitly decided that when any federal agency discovers a vulnerability in online security, the agency should come forward rather than exploit it for intelligence purposes, according to The New York Times, citing unnamed “senior administration officials.”

However, while there is now a stated “bias” towards disclosure, Obama also created a massive exception to this policy if “there is a clear national security or law enforcement need.”

Michael Riley:

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

ODNI Public Affairs Office:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

Update (2014-04-23): Apple issues AirPort Base Station Firmware Update 7.7.3.

Update (2014-04-29): Accidental Tech Podcast 60 has a good segment on Heartbleed.

Update (2014-05-14): Martin Fowler:

The proof-of-concept test above shows that it is conceivable that had someone tried to unit test the code, they could have possibly caught and prevented one of the most catastrophic computer bugs in history. The existence of the proof-of-concept unit test eliminates the assertion that it would've been impossible. Sadly the fix submitted for the bug also lacked a unit test to verify it and guard against regression.

When Two-Factor Authentication Is Not Enough

Bron Gondwana:

This is why this email was such a surprise. Like the poor quality mailing lists mentioned above, it didn’t require a confirmed opt-in. We had to reply to say that we didn’t want the contact email address changed.

This means that a forged source address was sufficient. Even though the attacker couldn’t read email to hostmaster@fastmail.fm, they didn’t need to. All they needed was for us to not read it.

To Gandi’s credit, they responded very quickly to our “NO, DON’T CHANGE IT” email, and locked our account to stop any further shenanigans while they investigated and collected more documents from us.