[SFDXA] QRZ and the Heartbleed Bug

Bill bmarx at bellsouth.net
Wed Apr 16 14:59:37 EDT 2014


    QRZ and the Heartbleed Bug

    If you watch the news you've probably heard a bunch of talk recently
    about the so-called Heartbleed bug. The Heartbleed bug was a
    programming mistake that made its way into mainstream security
    encryption programs about two years ago. Contrary to what some
    people are saying, it's not a virus, not a trojan, not malware, none
    of the above. Instead, it's a previously unknown vulnerability in
    system software that until now has gone undetected.

    Here's an analogy of how a software vulnerability works: Suppose
    there was a coke machine at work that everybody used on a daily
    basis without any problems whatsoever. It took your money and
    delivered drinks as it should. Then, one day, someone discovers that
    if you press the Coke button three times, the Dr Pepper button once,
    and the Sprite button five times, the machine would then give you
    anything you wanted, for free. Before yesterday, nobody knew that a
    special sequence of buttons would do this, not even the original
    programmer of the machine because it wasn't intentional, it was a
    bug, a programming mistake.

    That describes how the Heartbleed bug came to be. QRZ was notified
    of the bug yesterday and we immediately applied all of the latest
    patches on the system. These security patches included new software,
    and new SSL Encryption Certificates. Everything went smoothly, and our
    system now no longer contains the bug.

    The Heartbleed bug was on nearly every system on the internet.
    Yahoo, Google, you name them, they all had the bug. QRZ was lucky
    because we only had to patch 4 machines. Some of the bigger firms
    have thousands of machines to patch and some of them aren't finished
    yet.

    There is no evidence that anyone actually used the Heartbleed
    vulnerability to gain unauthorized access to QRZ or to our user
    accounts. None. Frankly, internet criminals who might have used this
    trap door would probably go after much more popular and rewarding
    targets than QRZ.

    To be on the safe side, however, everybody should change their
    passwords NOW. Heartbleed made it possible for criminals to get
    passwords and we don't know if they got any of ours. Your password
    could have been compromised on some other site too. It's always a
    good time to change passwords and you should do it today.

    The following cartoon talks about what makes a password really hard
    for a computer to guess. It's probably not what you think. The
    cartoon speaks of entropy. Entropy is "randomness" and the more
    entropy a password has, the more difficult it is for a computer to
    guess. Ideally, you want a password that would take even a fast
    computer several, if not hundreds of years to guess at random.

    http://forums.qrz.com/showthread.php?432424-QRZ-and-the-Heartbleed-Bug
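The entropy argument in the post, worked through as an added example (not from the post or from QRZ): it computes bits of entropy for uniformly random passwords and passphrases and turns them into worst-case years to guess at two assumed rates, a throttled online login and a much faster offline attack on a leaked hash. The guess rates, the 62-symbol alphabet, and the 2048- and 7776-word lists are illustrative assumptions, not measurements of any real system.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, order-of-magnitude assumptions for this example only;
# not measurements of any real attacker or of QRZ's systems.
ONLINE_RATE = 1_000             # guesses/sec against a rate-limited login form
OFFLINE_RATE = 10_000_000_000   # guesses/sec against a leaked hash on fast hardware


def charset_entropy_bits(length, charset_size):
    """Bits of entropy for `length` characters each chosen uniformly from `charset_size` symbols.
    A human-chosen password with a memorable pattern has far fewer effective bits than this."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count, dictionary_size):
    """Bits of entropy for `word_count` words each chosen uniformly from a word list."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case years to try every one of the 2**bits candidates at a steady rate."""
    return (2 ** entropy_bits) / guesses_per_second / SECONDS_PER_YEAR


def meets_target(entropy_bits, guesses_per_second, target_years=100):
    """True when exhausting the keyspace takes at least `target_years` at that rate
    (the post's 'hundreds of years' criterion)."""
    return years_to_exhaust(entropy_bits, guesses_per_second) >= target_years


def strength_report(label, entropy_bits):
    """Summarise one candidate against both assumed guess rates."""
    return {
        "label": label,
        "bits": round(entropy_bits, 1),
        "online_years": years_to_exhaust(entropy_bits, ONLINE_RATE),
        "offline_years": years_to_exhaust(entropy_bits, OFFLINE_RATE),
        "survives_offline": meets_target(entropy_bits, OFFLINE_RATE),
    }


if __name__ == "__main__":
    # All entropies below are computed for random choices, not real passwords.
    for label, bits in [
        ("8 chars, letters+digits (62 symbols)", charset_entropy_bits(8, 62)),
        ("4 random words, 2048-word list", passphrase_entropy_bits(4, 2048)),
        ("6 random words, 7776-word list", passphrase_entropy_bits(6, 7776)),
    ]:
        r = strength_report(label, bits)
        print(f"{r['label']:<38} {r['bits']:>5} bits  online: {r['online_years']:>14.1f} y"
              f"  offline: {r['offline_years']:>12.4f} y  ok offline: {r['survives_offline']}")
```

The four-word passphrase holds up for centuries against the throttled online rate but falls in under an hour at the offline rate, which is why the post's "change it anyway" advice after a server-side leak is the right call regardless of how strong the password looked.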


