Laurel L. Russwurm

a writer, the copyfight and internet freedom

Heartbleed and Passwords


If you have any passwords on the Internet, whether for email, social media, or buying and selling, you must change them now to protect yourself.

[reblogged from techDITZ]

Heartbleed is a security breach that compromises passwords. Now is the time to change passwords. --Bob Jonkman

Bleeding Hearts

My favourite spring flowers are called “bleeding hearts,” but this spring the online world is reeling with the discovery of something completely different — an Internet problem that’s been named “Heartbleed.”

This is not a computer virus; it is a mistake someone made in the SSL software code. When such a mistake is made in a novel it would be called a typo, but on the Internet, Heartbleed is a serious security flaw.

For years watchdog organizations like the EFF (Electronic Frontier Foundation) have been advocating the adoption of an internet security feature called SSL/TLS encryption.

Secure Sockets Layer (SSL), more properly called Transport Layer Security (TLS), has become the default approach for protecting sensitive data flowing over the Internet. SSL uses encryption to provide data confidentiality for connections between users and websites and the web-based services they provide. The vast majority of sensitive web traffic, such as user login screens, e-commerce checkout pages, and online banking, is encrypted using SSL.

Thales e-Security: SSL/TLS Encryption

Over time more and more websites have adopted this security measure as a way to make the Internet a safer place for you and me. That’s why something like three quarters of the Internet uses SSL/TLS encryption today. This is a good thing.

What is Heartbleed?

The security vulnerability known as Heartbleed is a programming error in the SSL code, and it’s a bad thing because it has made every site that uses SSL vulnerable. Although we are only hearing about it now, it has existed since 2011 or 2012.

I first heard about it on Wednesday, April 9th, 2014. Today (April 11th) the Toronto Star reports the Government of Canada is disabling federal government public websites — at taxtime — in a move to protect users. I don’t understand why they didn’t do this the moment the Heartbleed story broke.

This vulnerability went undetected for something like five months (and apparently NSA knew, but didn’t bother to mention it to its Five Eyes allies, like, say, The Government of Canada, because NSA was too busy exploiting the vulnerability for its own purposes.)

Heartbleed vs Websites

A real world comparison might be that using SSL is like having double-lock deadbolts on the door, and “Heartbleed” is what happens when you forget to lock the back door. Ordinary people can’t fix the Heartbleed problem. It can only be repaired (or patched) by the people running SSL websites & servers.

The Internet giants (Facebook, Twitter, Google etc.) were warned first, so they fixed the problem before the vulnerability was announced publicly. Most of them are trying to allay the fears the media has been whipping up about this all week.

But the Internet is also crowded with many smaller sites that smaller organizations and even ordinary people host themselves. The EFF has kindly explained how our SysAdmins can effect the Heartbleed fix:

The Bleeding Hearts Club: Heartbleed Recovery for System Administrators

Correcting the code is not an immediate fix, because each SSL secure website also must have its Security Certificate updated, which will take time with so many websites doing this.

Heartbleed vs People

For you and me, the biggest problem is that our passwords may be compromised.

Because this is such a big glitch, most of us won’t be attacked today. Our passwords probably won’t be used to crack our accounts right now because so much of the web is affected.

But we can no longer trust that our passwords are secure.

The Apartment Analogy

If the superintendent of an apartment building replaces flimsy locks on the doors of all the rental units with good strong deadbolts, it makes it harder for bad guys to break in.

If someone secretly copies the master key, they can break into apartments.

When clever crooks use the duplicate master key to break into apartments, they are very careful in what they steal. So long as the thefts aren’t noticed, the thieves can keep coming back for more.

No one can tell there is a problem until something is discovered to be missing.

The only defense that the tenants have is to change the locks on the door.

Heartbleed

If a website or email platform adopts SSL/TLS security, the website security becomes much more powerful, because it adds encryption which prevents most security breaches.

A bad guy exploits Heartbleed by using it to download passwords etc.

When Internet criminals exploit the Heartbleed error, their intrusion is invisible. There is no way to see how much security information has been downloaded, or whose security has been breached.

No one can actually tell who or what is at risk until there is an actual attack.

The only defense that the users have is to change the passwords on their data.


Like the NSA, black hat hackers (or crackers) may have already filled databases with passwords they’ve found through the Heartbleed flaw. Even if the System Administrator has fixed the Heartbleed problem for their website, it doesn’t change the fact that any bad guy who cracked the website before the fix still has your password. Or passwords.

If three quarters of the people in Toronto left their doors unlocked, only some of those homes would be broken into right away. Because so much of the Internet has been at risk, they might not get you today, but they might tomorrow, or next week.

HTTPS WEBSITES ARE VULNERABLE

You can tell a website uses SSL by looking at the URL (or the website address). SSL website URLs don’t start with http:// (like this one). SSL URLs all begin with https://. You used to be able to tell with a glance at your browser bar, but today’s fashion is to hide this part of the URL in the browser bar. Some browsers show you are at an SSL site with a padlock symbol, others display SSL URLs in different coloured text, but if you aren’t sure, you should be able to see which it is by cutting and pasting the URL into whatever text editor you use.

Not all HTTPS websites were vulnerable to Heartbleed because there are different versions and configurations, but there is no easy way for you and me to tell which SSL sites were vulnerable.

As well as SSL websites, any secure service where you use passwords — email, instant messengers or IRC — may have been compromised.

Nobody Knows For Sure

Google, Amazon, Facebook and Paypal claim their customers are not at risk because they have fixed any Heartbleed problems they had.

But because the Heartbleed vulnerability is invisible, until someone actually breaks into our accounts, we can’t even tell if they have been compromised. Even if the Internet giants have fixed their problems, the only way we users can be sure we are safe is by changing our passwords.

Someone has put together a Heartbleed Test so we can discover which SSL sites we use are vulnerable or fixed. Once we know the website is no longer vulnerable to Heartbleed, we can only be sure of our security after our password is changed.

Tumblr just told me to change my password, which means Tumblr has fixed their Heartbleed problem, and wants to be sure its users’ accounts are secure. Bravo.

I am in the process of typing the URLs of sites where I have passwords (Facebook, Twitter etc.) into the Heartbleed Test to find out whether they are secure before I change my passwords.

Heartbleed isn’t a threat to websites like Pinterest (http://www.pinterest.com/), techDITZ (http://techditz.russwurm.org/blogs/) or deviantART (http://www.deviantart.com/) that have not yet made the transition to HTTPS.

Password No-Nos

  • Never use the same password more than once.
  • Never use passwords like “Password” or “1234”.
  • Never use your mother’s maiden name, the name of a loved one, or a birthday… especially these days when all of our personal data is being harvested by corporations and governments alike. If your parent, partner, child, co-worker, next door neighbor or best friend can guess your password, it isn’t secure.

Good Password Practices

I have plenty of passwords, so I keep them filed in a safe place on my desktop computer. But I learned the importance of having a backup copy somewhere else this past summer when I had a major disk failure and I lost something like a terabyte of data — mostly photos — and my password list!

The only time you have to change your password is when:

  1. it has been breached (or when there is a good probability it has been breached),
  2. the website owner tells you you must, or
  3. you’ve foolishly shared your password with someone you shouldn’t have.

Bob Jonkman, one of the computer security experts I know, recommends using a password manager, such as KeePassX. But if you don’t, he says:

  • Use a different password on every site or application for which you need a password. That way if one site is compromised it doesn’t affect every other site. Of course, Heartbleed affects every [https] site, so that’s not always true.
  • Make it long. Long passwords are good passwords. 20 characters is good. 16 is probably adequate. 10 is marginal.
  • Choose a phrase that is easy to remember, but difficult to guess. As an example, something like “Itookthebustoworkthismorning” — it’s sufficiently long, easy to type, easy to remember.
  • Don’t bother with $p3c14l characters or numbers; the bad guys have software that makes those substitutions too. Special characters make the password difficult to type and difficult to remember. If you need to type slowly because of special characters then it’s easy for a bad guy to shoulder-surf and see what you’re typing. According to KeePassX the passphrase “Itookthebustoworkthismorning” has 28 characters for 224 bits of entropy; on the other hand, passwords with 28 random characters with upper-case, lower-case, numbers and special characters (created by KeePassX’s password generator) have only 182 bits of entropy.
  • If the site does not offer a password reset option then write down your password, and keep it where you keep your money. If the passphrase is protecting $10 worth of data then keep it in your wallet; if the passphrase is protecting $10,000 worth of data then keep it in a safe. Don’t forget to write down the site or application name, the user ID, and any other credentials you need.

— Bob Jonkman, [kwlug-disc] Heartbleed affected sites
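As an added worked example (not code from this post, from KeePassX or from Bob Jonkman), the Python below compares three ways of estimating the strength of the 28-character passphrase quoted above against a 28-character generated password: the crude 8-bits-per-character model that yields the quoted 224, a character-pool model, and a word-list model that scores the phrase the way a guesser who tries common words would. The character pools and the 7776-word dictionary size are assumptions.

```python
import math
import string

# Added worked example for the passphrase-vs-random-password discussion above.
# Not code from KeePassX or from Bob Jonkman; the pool sizes and the 7776-word
# dictionary below are assumptions used for illustration.

# Constructed sample inputs.
PHRASE_WORDS = ["I", "took", "the", "bus", "to", "work", "this", "morning"]
PHRASE = "".join(PHRASE_WORDS)   # "Itookthebustoworkthismorning", 28 characters
RANDOM_28 = "aA1!" * 7           # stands in for a 28-character generated password

# Character classes and their pool sizes; a guesser who knows a class is used
# has to cover the whole class.
POOLS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]

DICT_SIZE = 7776  # assumed word-list size (the Diceware list has 7776 entries)


def bits_per_byte(password: str) -> int:
    """Crudest model: every character is credited a full 8 bits.
    28 letters -> 224 bits, the figure quoted in the message above."""
    return 8 * len(password)


def charset_bits(password: str) -> float:
    """Per-character model: log2(pool) * length, where the pool is the union of
    the character classes actually present. A random 28-character password from
    all four classes scores about 183 bits here; a dictionary phrase is still
    over-credited because its letters are not independent."""
    pool = sum(size for chars, size in POOLS if any(c in chars for c in password))
    return len(password) * math.log2(pool)


def wordlist_bits(words, dict_size=DICT_SIZE) -> float:
    """Word-list model for a passphrase of common words: the guesser tries
    words, not letters, so strength is log2(dict_size) per word."""
    return len(words) * math.log2(dict_size)


def compare() -> dict:
    """Return the estimates side by side for the constructed inputs."""
    return {
        "phrase_8_bits_per_char": bits_per_byte(PHRASE),
        "phrase_charset": charset_bits(PHRASE),
        "phrase_wordlist": wordlist_bits(PHRASE_WORDS),
        "random28_charset": charset_bits(RANDOM_28),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:24s} {bits:7.1f} bits")
```

The point for a defender is that an entropy figure is only comparable across passwords scored under the same model; the phrase's honest word-list figure (about 103 bits with this dictionary) is still far more than a guesser can exhaust, which is why long phrases remain good advice.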

Although Heartbleed is a problem, it is being resolved all over the Internet… all over the world… as you read this.

And SSL encryption is still a good idea, just as house keys are, because personal security is important.

And privacy matters.

XKCD: Heartbleed

Credits:


XKCD “Heartbleed” by Randall Munroe is released under a Creative Commons Attribution-NonCommercial 2.5 License.

Written by Laurel L. Russwurm

April 12, 2014 at 12:22 pm

Posted in copyright

Sarah McGill Russwurm and the Public Domain


Mrs Sarah McGill Russwurm ~ Public Domain Portrait

This photograph is a piece of history that needs to be shared, which is why I am happy to have completed this restoration during Black History Month (just).

I was inspired to undertake the digital restoration work when I saw a copy of this daguerreotype reproduced online stamped “copyright” — even though it is clearly in the public domain. While the publishers of Envisioning Emancipation are within their rights to copyright their publication, they should not claim copyright on individual photographs from the public domain. Since the copyright notice is only present on the images reproduced in the online version of The Daily Mail, I am inclined to think the British tabloid added the copyright notice in a misguided attempt to “protect” the book.

Either way, it is bad enough that an important historic woman like Sarah McGill Russwurm has nearly been lost in the mists of history, without compounding the error by locking the only extant image of her behind copyright.

This photograph of Sarah Russwurm is based on the daguerreotype portrait by Augustus Washington, African American Daguerreotypist circa 1854, of an Unidentified woman, probably a member of the Urias McGill family, three-quarter length portrait, facing front, holding daguerreotype case.

The original is held in the American Library of Congress which has made two photographic copies easily accessible in its online digital holdings. The black and white photograph (marked “1947”) is in very good shape, unlike the colour photograph, which shows marked deterioration. There are numbers at the top of the colour print which seem to indicate it was made in 1965. Ironically, the version of the photograph reproduced in Envisioning Emancipation was a black and white rendering of the extensively damaged colour print. Careful examination of the partner daguerreotype, of Sarah’s younger brother, Urias McGill, shows signs of having been tinted, so it is reasonable to suppose that the original daguerreotype of Sarah may have been tinted as well. If so, it might be worthwhile for the Library of Congress to take new colour photographs from the original daguerreotypes.

To create the image pictured above I combined the colour photograph’s frame with the black and white photo to create this digitally restored colour photograph of the framed daguerreotype. The Library of Congress notes that there are “No known restrictions on publication,” which confirms the original image is in the public domain. Even with the absurd copyright terms we are seeing these days, it is still reasonable to expect a daguerreotype taken in the 19th Century ought to be in the Public Domain by the 21st.

Whether or not this image actually is Sarah Russwurm, it is a historic record in the public domain that anyone should be able to use. Because I consider my digital work to be a restoration, this work is also in the Public Domain, which means The Temple University Press is welcome to use my digital restoration in future reprints of the book. Anyone can click on my restoration above to download a large size, or you can purchase high quality photographic reprints of the original from the Library of Congress here.


Image Credits:

The original daguerreotype made by Augustus Washington is housed in the Library of Congress. I have also published this photograph, along with what I know of Sarah Russwurm, on my Russwurm Ancestry genealogy blog.

Public Domain Mark
This work is identified as a Public Domain work free of known copyright restrictions.

Written by Laurel L. Russwurm

February 27, 2014 at 9:07 pm

Posted in copyright

Free Culture update


It is gratifying to see more and more wonderful digital Free Culture resources being made available. In the sidebar you’ll find my list of Free Culture resources I’ve been compiling as I come across them online.

Free culture is culture we can share without having to fear copyright law.

The free-est of the free are those creative works in the public domain. As copyright law has expanded the terms to ridiculous lengths, fewer works are entering the public domain.

The excellent OpenGLAM helps educate Galleries, Libraries, Archives and Museums about the importance of digital access, which has led to many institutions digitizing public domain works in their holdings and sharing them online. From my point of view, this will go a long way to discourage the nefarious practice of digital copyfraud.

My newest listings of public domain repositories include Wikipaintings and Public Domain Review.

my Canadian copyright symbol
These days, our newly made creative works are “protected” by copyright whether or not we want them to be. Creators who have come to realize the importance of sharing can work around this by releasing our works with a license to share. My favorite are Creative Commons licenses. All of my blogs are published with a Creative Commons Attribution 3.0 Unported License except for the one with a CC0 public domain dedication. Although two of the CC licenses are not considered to be free:

  • “No Derivatives”, which prevents us from making any changes… even color correction, cropping etc., and
  • “Non Commercial”, which prevents commercial use,

all of the other licenses are. Because they are standardized, they are easy to use: I don’t have to learn the terms of a new license every time.

The Freesound Project

There are a growing number of web platforms where people can find material with free culture licenses, whether you want to make a video, need illustrations for a presentation, or need a cover for your novel. All the material on these sites is licensed, so people can decide which license will suit their needs. I’ve known about Flickr (for photos) and Jamendo (for music) for a long time, and these days even YouTube has given users the option of a free culture license. But by far the coolest addition to my list of free culture licensed material is the amazing Freesound project, an online sound effects library, where I found all the terrific sound effects I needed for a small film I made last month.

There is a wealth of great material in my free culture list, and I will continue to add links as I find new resources.  If you’ve got any I’ve missed, please let me know.

If you’re interested in finding out more about Free Culture, read Larry Lessig’s terrific book Free Culture; you can buy a copy from your local book store, or legally download the PDF, or do both (like I did).

Written by Laurel L. Russwurm

February 22, 2014 at 8:00 am

Posted in copyright

Winter Valentine


cool VALENTINE - Happy Valentines Day 2014

Happy Valentines Day

~ caution : weather ~

Written by Laurel L. Russwurm

February 14, 2014 at 7:20 pm

Posted in Holiday

Privacy Matters! #StopSpying


Written by Laurel L. Russwurm

February 11, 2014 at 7:19 am

Posted in copyright


Happy GNU Year


Happy GNU Year!


This virtual card is the best gift I can give my readers and online friends this holiday season. Not just because it’s the best and most awesome Happy GNU Year card you’re likely to find online, but because I created it entirely using free culture and free software.

The Free Software Foundation’s GNU operating system led to the adoption of the gnu as its symbol. Free software is incredibly important for a host of reasons, and yet I very much suspect it wouldn’t exist at all any more but for the efforts of Richard Stallman and the FSF. I highly recommend that you use free software as much as possible, not just because it’s usually free of charge (gratis) but far more importantly, because it respects our personal freedom (libre).

The penguin “Tux” is the mascot of the Linux kernel, which is the heart of the free and open source software operating systems we use today. (MacOS and Windows are the non-free software used in personal computing devices: computers, cell phones, tablets, PVRs etc.)

Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License

If you click on the card, you’ll find a higher definition version suitable for printing. And you are allowed to print it, because this card carries a free culture license, specifically a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License. This license gives you the freedom to use this creative work in any way you like, even commercially, with only 2 restrictions.

  1. The “Attribution” restriction means you must credit the creator(s) as specified.
  2. Whether printing it out and selling physical copies, mailing it to your friends, or modifying it to create something completely different, it must carry the Creative Commons Attribution-ShareAlike License, or a similar license that requires attribution and perpetuation of the license terms.

Attribution is simply giving credit where credit is due. I try to provide attribution for everything I use, even work in the public domain. The “share-alike” part of the license exists to prevent creative works from being removed from free culture and locked behind copyright.

Below you can see the steps that led to this card. Click on any of the images below for a larger/printable version.

Happy GNU Year Green (cc by-sa)

Modified “Powered By GNU/Linux” Free Software sticker set

Happy GNU Year STENCIL

On the left is my first try, which I like a lot. It could make a good poster, but it’s too difficult to see and read in small formats because it’s too cluttered.

In the centre is the “wallpaper” background I devised. I modified the Powered by GNU-Linux sticker set originally created by deviantdark and published on deviantArt under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License. There are many free software operating systems not included, so I added Trisquel and CentOS when I made up the wallpaper background. You can download the printable sticker sets from the deviantART Powered by GNU-Linux page and make your own sticker for your computer.

On the right is the first draft of the red card. I loved the simplicity of Rasmus Olsen’s gnu meets penguin titled GNU/Linux licensed Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) that I found on Flickr. I altered the image by bringing the penguin close enough to touch noses with the gnu, and stood them both on the lettering. In the final version, I changed the lettering because it was hard to read when the wallpaper was added.

CORRECTION: Rui Damas is the originator of the GNU/Linux artwork I reused, and it was actually released under the GNU Public License. I’m not entirely sure what that does to my licensed usage. [Thanks to Mike Linksvayer for pointing that out!]

Free Software & Free Culture

It’s no harder to learn to use free software than it is to learn to use a Windows computer or a Mac. Many Apple and Windows users are already using free software with Firefox or OpenOffice (I prefer LibreOffice). The coolest and best ebook conversion software is called Calibre (it comes with a good e-reader so you can read eBooks on your computer). And of course my favorite blogging software, WordPress, is free software. Wikipedia runs on free wiki software (which is why there are wikis popping up all over) and if you’re into video production, you could do worse than the amazing Blender 3D animation software or Kdenlive for video editing. You can use social networking with GNUsocial and Friendica. If you do switch to free software, the biggest difference you’ll notice is that you don’t have to pay for things again and again and again. Other advantages include better security and a much lower incidence of spyware and other malware.

It was difficult for me to unlearn Photoshop so I could learn to use GIMP, but I keep trying. I still look for a lot of the features where they would be in Photoshop, but it’s getting easier. I have yet to find anything Photoshop can do that can’t be done in GIMP; the challenge is finding out how to do it. That’s why I’m so pleased I made this card entirely with GNU Image Manipulation Program (GIMP) on my computer, which currently runs on Linux Mint in a MATE desktop environment that has the Ubuntu Studio plug-in.

As the copyright maximalists successfully lobby to lock up more and more of our culture for longer and longer terms, the importance of free culture has become more apparent. Sites like the Flickr photosharing site and deviantArt make it easy for users to give their work Creative Commons licenses, so they are often the easiest places to find images licensed to share.

All versions of my GNU year card are licensed Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License. If you’re interested in finding out what free culture is out there, I’ve been growing a list of Free Culture resources (in the right sidebar). And if you have some spare cash left over from last year, please consider making a donation to the two non-profit organizations that have been instrumental in ensuring the continued existence of free software and free culture:

The Free Software Foundation and Creative Commons

And have a Happy GNU Year!

Tonight is Christmas Eve…


Merry Christmas wreath

I wish you a safe and happy holiday season, regardless of what you celebrate.

Written by Laurel L. Russwurm

December 24, 2013 at 9:40 pm

Posted in copyright, Special Event
