What the average internet user needs to know about Heartbleed

What is Heartbleed?

It has been a couple of weeks since the Heartbleed bug was announced, and so far the world hasn’t ended. This post has been a long time coming. I have intended to write it since the vulnerability was announced, but unfortunately life got in the way and it has taken me this long to sit down and get it written. I wanted to write something I could send to my friends that broke down what the issue was and how it affected them.

For starters, what is the Heartbleed bug? The best explanation I have found is a comic put out by xkcd.com.


Heartbleed (CVE-2014-0160) was a bug in OpenSSL, the library that most web servers use to set up a secure (HTTPS) connection between 2 computers. The bug was in the TLS “heartbeat” extension, a small keep-alive message in which one computer sends a few bytes and asks the other to echo them back. The requesting computer gets to state how many bytes it sent, and the vulnerable versions of OpenSSL (1.0.1 through 1.0.1f) never checked that claim against what had actually arrived. So a request that claimed 64 kilobytes while really sending a handful of bytes got back whatever happened to sit next to that request in the server’s memory, up to 64 KB per request, and the attacker could repeat it as often as they liked. That information could be anything the server had recently handled: a web page it had just sent back, user names and passwords from users who had recently logged in, credit card or banking information from someone who had just made a purchase, or even the server’s own private key, which lets an attacker impersonate the site or decrypt its traffic. The worst part is that a heartbeat is not normally logged, so the administrator of the target server has no way to determine whether anyone exploited the bug. The other scary part is that it sat in OpenSSL for roughly two years before it was discovered, and OpenSSL runs on roughly two thirds of the web servers on the internet (not all of them were on a vulnerable version, but a great many were).
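To make the “it never checked the claim” part concrete, here is a simplified model of the bug and of the fix in C. This is an added illustration, not code from the original post and not OpenSSL’s actual source; the “server memory” contents, the record layout and the helper names are constructed for the demo. The bounds check in the fixed handler mirrors the one added in OpenSSL 1.0.1g.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>= 16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed "server memory" for the demo (an assumption, not a real capture):
 * the heartbeat request sits in front of bytes left behind by an earlier,
 * unrelated request on the same server. The request claims a 64-byte payload
 * but only 4 bytes ("ping") actually arrived. Unlisted bytes are zero. */
static const uint8_t kMemory[96] = {
    HB_REQUEST, 0x00, 0x40,                         /* type, claimed length = 64 */
    'p', 'i', 'n', 'g',                             /* real payload: 4 bytes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding */
    'u', 's', 'e', 'r', '=', 'a', 'l', 'i', 'c', 'e', '&',
    'p', 'a', 's', 's', 'w', 'o', 'r', 'd', '=', 'h', 'u', 'n', 't', 'e', 'r', '2',
};
#define kRecordLen 23   /* 1 + 2 + 4 + 16: what really came over the wire */

/* A well-formed request: claims exactly the 4 bytes it carries. */
static const uint8_t kGoodRecord[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it trusts the
 * length field inside the record and never compares it with rec_len, the
 * number of bytes that actually arrived. Returns the bytes written to out. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)                         /* keeps the demo itself in bounds */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* reads past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);       /* real OpenSSL uses random padding */
    return resp_len;
}

/* Fixed handler, following the 1.0.1g patch: silently discard the record if
 * the claimed payload does not fit inside what was actually received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)               /* too short to hold a header */
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) /* the missing bounds check */
        return 0;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Small substring search over raw bytes (memmem is not portable C). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes back the leftover password. */
int demo_vulnerable_leaks(void)
{
    uint8_t out[128];
    size_t n = heartbeat_vulnerable(kMemory, kRecordLen, out, sizeof out);
    return n == 83 && contains(out, n, "password=hunter2");
}

/* 1 if the fixed handler drops the malicious request outright. */
int demo_fixed_drops_malicious(void)
{
    uint8_t out[128];
    return heartbeat_fixed(kMemory, kRecordLen, out, sizeof out) == 0;
}

/* 1 if the fixed handler still answers a well-formed request correctly. */
int demo_fixed_echoes_good(void)
{
    uint8_t out[128];
    size_t n = heartbeat_fixed(kGoodRecord, sizeof kGoodRecord, out, sizeof out);
    return n == 23 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks password: %d\n", demo_vulnerable_leaks());
    printf("fixed handler drops bad request:   %d\n", demo_fixed_drops_malicious());
    printf("fixed handler echoes good request: %d\n", demo_fixed_echoes_good());
    return 0;
}
```

The whole vulnerability is the one missing comparison between the length the client claims and the length the server actually received; everything else about the handler is legitimate echo behaviour. Note that nothing here crashes or writes out of bounds, which is why the attack leaves no trace in logs or crash reports.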

So what should you do?

First, don’t panic. Even though the Heartbleed bug had been there for roughly two years, there does not seem to have been widespread exploitation of it before it was announced (though, as noted above, exploitation leaves no trace, so nobody can be certain).

Second, don’t change your passwords just yet. Changing a password on a server that is still vulnerable just hands the new one to anyone exploiting the bug, so first make sure the servers hosting your accounts have either been patched or were never vulnerable. A properly patched site should also have replaced its certificate and private key, since the old key may have been read out of memory. These two sites have a pretty comprehensive list of sites and their status: CNET & Mashable. If the site you want to look up is not in either list, the popular password tool LastPass has published a website checker that lets you enter the domain name of the site in question and tells you whether it has been patched.

Third, once you have checked your sites and verified that they have either been patched or were never vulnerable, you can change your password. Here’s where it gets tricky…you really shouldn’t be using the same password on all your accounts…now is the perfect time to make them all different…seriously, stop laughing…I’m not joking. You really do need a different password on each of your accounts, because otherwise one leaked password opens every account that shares it.

OK, so how do I have different passwords for each account?

First, go download Google Chrome and set it as your default browser.

Second, download this Google Chrome extension. The beauty of this extension is two-fold: it generates a password for you on the fly from the URL you enter and a master password (which can be the same for all accounts), and because the result is deterministic it produces the same password each time you need it, so nothing has to be stored or looked up. There is a setting that lets you not store your master password, which I would recommend; by not storing the master password you ensure that it can’t be stolen from the browser. Everything is done in the browser, so your password is not sent over the internet for someone to sniff either. One caveat that applies to any master-password scheme: whoever gets hold of one generated password can try to guess the master password offline, so make the master password long, and if a single site is breached you need a way to change just that site’s password (a per-site counter, if the extension offers one) without changing the master password.

I still have questions, what do I do?

I understand this, so if you have questions, either leave a comment below or send me a mention (@Jeff_Miles_says) on Twitter and I will do my best to answer as quickly as possible.

NIV Ragamuffin Bible: Meditations for the Bedraggled, Beat-Up, & Brokenhearted

The NIV Ragamuffin Bible blends the wildly popular New International Version of the Bible with reflections from the late Brennan Manning (1934-2013), author of The Ragamuffin Gospel: Good News for the Bedraggled, Beat-Up, and Burnt Out. This Bible contains 104 devotions, 250 reflections, & 150 quotes from Manning. For those who are unfamiliar with Brennan Manning, he wrote what many would consider the best book on grace ever written, The Ragamuffin Gospel: Good News for the Bedraggled, Beat-Up, and Burnt Out. I read that book over 10 years ago and still view it as one of the best Christian books ever written. The tagline on the back of this Bible sums it up best: “Do you believe that God not only loves you, but that he also likes you?” This question is pivotal in our walk with Christ, and the aim of this Bible is to use the scriptures of the NIV and the reflections of a great man to draw you closer to God and help you understand how much God not only loves you, but also likes you! My plan, once my current Bible reading plan is finished, is to follow a year-long reading plan in the NIV Ragamuffin Bible, stopping along the way to read the wonderful reflections, devotions, and quotes. I hope you’ll join me.

Ingredients for Success: 10 Best Practices for Business and Life – Joseph James Slawek

Ingredients for Success: 10 Best Practices for Business and Life is a quick little read but packs a pretty good punch. Joseph is the CEO of FONA International, a flavor company that creates flavors for the beverage, confection, grain, savory, healthcare, and dairy/dessert industries.

In his book, Joseph outlines his strategy for business and life based on the parables of the Ten Virgins, the Talents, and the Sheep and the Goats from Matthew 25. I will not steal his thunder and tell you what those 10 best practices are, but I will say that if you were to implement them, you would be successful.

Overall, I thought the book was a good quick read that left me with ideas I could implement in my life, which is the aim of any writer of a book like this. Joseph has done a good job of taking his experiences, both working for someone else and running his own company, and distilling what has made him successful into a manageable book that just about anyone with any amount of time can read and glean insight from, and he does so in a way that doesn’t come across as holier-than-thou or preachy.

2013 Gartner Application Architecture, Development & Integration Summit – Day 3


Disruptive Fun

The keynote speaker this morning was Ze Frank, the Executive VP for BuzzFeed. He talked about the 3 major disruptions in his life and how they got him to where he is. The cool part about this keynote was that he was able to take the lessons from the media world and apply them to IT, essentially saying that the core fundamentals every company deals with are the same. He shared some beautiful and hilarious stories from his journey, and overall it was a great talk. If you ever have a chance to listen to Ze Frank, I would definitely recommend it; he is a very insightful communicator and you will have a great time learning from him.

Ten Essential Principles of Modern Application Architecture

This session was a great wrap-up of everything I heard over the course of the summit. The basis is a service-oriented architecture; from there you can build the quick-delivery, context-aware applications we need to move towards amid the Nexus of Forces.

Summary

Overall, I thought the summit was a great conference, and I learned a lot of things I can take back and begin pushing for at our company. I wish, though, that others from my company had been here, especially from our integration group.

2013 Gartner Application Architecture, Development & Integration Summit – Day 2

I expected some nickel and diming when I came to Las Vegas, but then I realized that nickels and dimes were too cheap…The picture to the left is what my gym was on Day 2 of the Gartner AADI Summit 2013. I had been told there was a fitness center available but packed some in-room workout gear into my suitcase just in case. I was right: the hotel wanted to charge me $25 a pop to use their “Resort” every time I wanted to work out. Thankfully, I packed my yoga gear and DVDs, so I was able to get my workout in without paying the extra $25.

You didn’t come here to read about my workout though, here’s the good stuff!

UX Design and the Enterprise Architect

Who doesn’t want a little User Experience (UX) with their coffee? This was a really good session centered mainly on the paradigm shift that is coming (or already in progress). “UX is the looming relevance challenge for IT organizations.” How true this is, and how irrelevant so many of our IT organizations are. The speaker talked about the paradigm shift that is needed. He mentioned that you can’t just put lipstick on a pig when it comes to UX. UX has to be the first part of the process, and that is the fundamental problem with IT: we are engineers/developers first, so we want our processes to be engineer/developer focused. When it comes to UX, however, design has to come first, and it is not just aesthetics; it is fundamentally how your users interact with your apps. One key takeaway from this session: with the fracturing of UX between iOS, Android, & Windows Modern UI, it is impossible to use a cross-platform UX that fits every platform, so he recommended developing a corporate UX standard that is consistent across your apps and holding to that framework to simplify your development.

Atlassian: How to do Kick-@$$ Software Development

Aside from the proliferation of the term Kick-@$$ throughout the talk (the speaker tastefully warned the audience about it at the opening of his session; it came up so often that I finally copied the text to my clipboard and just hit ctrl+v every time I needed it in my notes), this was an extremely good session. The premise of the talk was that in the movie Kick-Ass (I haven’t seen it) the main character decides one day that he is going to dress up as a superhero and fight crime…the first time he does, though, he is brutally beaten up and stabbed, and it is not until he forms a team around him that he really starts to Kick-@$$, so to speak. Complete with the full getup (minus the mask; the speaker relayed that it is not smart to wear a mask in a casino :-) since the casino had guards waiting for him at the elevator before he even made it from his room), the speaker lamented his early days as a software developer, when he felt he would go out and save the world with software but just ended up feeling beaten up and stabbed. He then talked about Agile and its adoption history, how we are moving into a post-Agile world, and how companies are struggling to figure out how to deliver software more and more quickly in this new environment. He then talked about the 4 main ways that Atlassian does Kick-@$$ software development:

  1. Build Kick-@$$ things
  2. One Kick-@$$ team
  3. Kick-@$$ Collaboration
  4. Kick-@$$ Automation

Overall, this was a great talk with a lot of cool takeaways. The biggest one for me was how intently focused they are on remaining a development shop: rather than growing their non-development staff in leaps and bounds, they enable their developers to fill the testing, support, & design roles by bringing in a few experts who train the developers to do those jobs.

The Element: How Finding Your Passion Changes Everything

This session was hilarious, though terribly named. Sir Ken Robinson gave an extremely engaging talk about talents and creativity and how they affect our ability to create and re-create our lives and the paths we take. Two key quotes I have from this session are “Whatever you woke up worrying about this morning…get over it! How important can it possibly be in the grand scheme of things.” and “Talent is often buried deep, the challenge for leadership is to create conditions where talent will show itself.” If you are interested, I would recommend watching his TED talks; he is a very engaging speaker, and his views on education and the reform it needs seem very good.

HTML5 and the Journey to the Modern and Mobile Web

This was a really good background session on what HTML5 is, what it isn’t, and the common misconceptions surrounding it. I could tell that both presenters really knew what they were talking about. One key takeaway came during the recommendations section of their session, when they said, “If your team has not yet done so, learn HTML5 and CSS3 and emerging modern Web tools.”

Microsoft: Delivering Revolutionary Modern Business Applications with Cloud, Data, and Devices

This one was a good presentation on what is available in Windows Azure as a public cloud provider, especially in conjunction with on-premises solutions. A key takeaway is that Microsoft wants to be your cloud provider and is doing everything it can to become the vendor of choice, including giving you options to host non-Microsoft products on its cloud and easy integration from the cloud to on-premises solutions, giving you a truly integrated hybrid solution.

Architecting and Developing Secure Applications

This was a pretty meaty session for 4:30 in the afternoon, but it was a great one! He started out by saying that writing secure applications is a major paradigm shift for so many developers, because what they don’t know CAN hurt them. He laid out 3 key issues and then expounded on them:

  1. Why should enterprises place an emphasis on application-layer security?
  2. Which application security testing solutions can help enterprises develop secure applications and how will these evolve?
  3. How should organizations take a 360 degree comprehensive approach to application security?

I have a ton of notes for all the different sections, but if I were to recommend a starting point for anyone: look at the slide deck (see the session title link), then download the 360-degree approach white paper.

Summary

Overall, it was a really good day with a lot of information. I am almost to the point of brain overload, but I think I have enough left for day 3 🙂