The hole in the ancient encryption standard can only be exploited by an attacker who can intercept the victim’s packets, for example over a malicious Wi-Fi link, but once in position, hackers can slurp your cookie data. Security expert Robert Graham explained:
POODLE (Padding Oracle On Downgraded Legacy Encryption) allows the hacking of clients – your web browser and such. If Heartbleed or Shellshock merited a 10, then this attack is only around a five.
It requires someone to be a man-in-the-middle to exploit. This means you are probably safe from hackers at home, though not safe from the NSA. However, when at the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack.
What the hacker will try to do is hack your session cookies. That means they won't get your password for your account, but they will be able to log in as you into your account. Thus, while you are at Starbucks, some hacker next to you will be able to post tweets in your Twitter account and read all your Gmail messages.
The vulnerability shouldn’t matter because SSL 3.0, which is 18 years old, should have been retired years ago. However, the internet being the buggy back-compatible thing it is, the standard is still kicking about. Google security bod Adam Langley said:
This should be an academic curiosity because SSL 3.0 was deprecated very nearly 15 years ago.
However, the internet is vast and full of bugs. The vastness means that a non-trivial number of SSL 3.0 servers still exist and workarounds for the bugs mean that an attacker can convince a browser to use SSL 3.0 even when both the browser and server support a more recent version.
Thus, this attack is widely applicable.
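The check Langley's remark calls for, as an added example that is not from the article or its sources: a minimal SSL 3.0 ClientHello built by hand (needed because current OpenSSL builds, and therefore Python's ssl module, no longer offer PROTOCOL_SSLv3) plus a classifier for the server's first reply, so an administrator can confirm that their own servers refuse the protocol. The cipher-suite list, host and port are assumptions.

```python
# Added audit helper: does a server still negotiate SSL 3.0 (POODLE's precondition)?
# The ClientHello is built by hand because modern OpenSSL, and so Python's ssl
# module, no longer provides PROTOCOL_SSLv3.  Example code, not from the article.
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Three RSA/CBC suites of the kind POODLE abuses (assumed list, TLS suite IDs):
CBC_SUITES = bytes.fromhex("000a002f0035")     # 3DES-SHA, AES128-SHA, AES256-SHA
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

def build_client_hello(suites=CBC_SUITES, random=None):
    """One SSL 3.0 record carrying a ClientHello: no session id, no extensions."""
    rnd = random if random is not None else os.urandom(32)
    body = (SSL3 + rnd + b"\x00"                       # version, random, empty sid
            + struct.pack("!H", len(suites)) + suites  # offered cipher suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record the server sends back:
    ('sslv3', suite_hex) it accepted SSL 3.0 (still exposed), ('alert', name) it
    refused, ('other', detail) TLS ServerHello, truncated or empty reply."""
    if len(data) < 7:
        return ("other", "empty_or_truncated")
    if data[0] == 0x15:                                 # alert record, level at [5]
        return ("alert", ALERT_NAMES.get(data[6], "alert_%d" % data[6]))
    if data[0] != 0x16 or data[5] != 0x02:              # not a handshake/ServerHello
        return ("other", "unexpected_record")
    if data[9:11] != SSL3:                              # server picked another version
        return ("other", data[9:11].hex())
    sid_len = data[43]                                  # 9 + version(2) + random(32)
    suite = data[44 + sid_len:46 + sid_len]
    if len(suite) != 2:
        return ("other", "truncated_server_hello")
    return ("sslv3", suite.hex())

def probe(host, port=443, timeout=5):
    """Connect, send the ClientHello and classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            reply = b""                                 # RST or timeout: nothing to parse
    return classify_response(reply)
```

A server that is safe from this attack answers with an alert (or a TLS-version ServerHello), never with ('sslv3', ...).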
Apple design guru and revered genius Sir Jony Ive has made it clear that he doesn’t find it the least bit flattering when other devices bear any resemblance to the fruity firm’s precious iThings. At Vanity Fair’s New Establishment Summit in San Francisco, he told an audience member who asked about similar designs from rivals like Xiaomi:
I think it’s really straightforward: it really is theft, and it’s lazy and I don’t think it’s OK at all.
He later admitted that might have been a bit harsh, and that it made him seem just a tad bitter. Xiaomi boss Lin Bin certainly seemed to feel Ive had gone a bit far. He told the China News Service:
Xiaomi is a very open company, which would never force anyone to use its products. However, one can only judge Xiaomi's gadgets after he or she has used them. I'm very willing to give a Xiaomi cell phone to [Ive] as a present, and I look forward to hearing his remarks after he uses it.
In Blighty, a new test from mobile coverage survey company GWS shows that commuting into London sucks even more than commuters thought, because phone service on trains is now officially rubbish. One in three data tasks and one in seven voice calls attempted on commuter routes failed in areas where there should be decent coverage. GWS CEO Paul Carter said:
Leaves on the track, the wrong kind of snow, having to stand up all the way to work and back – commuters have enough to contend with without the kind of mobile connectivity problems we’re revealing today. It’s hard to believe we’re in 2014 and in a situation whereby a trained wizard would have a tough time getting a signal on the Hogwarts Express while it’s sitting in St Pancras.
Meanwhile, Microsoft aficionado Charles Petzold, whose Programming Windows book taught a generation of developers how to code for Redmond’s products, has told The Reg that he figured out the API all by himself. He said:
I never worked for Microsoft. I really liked figuring things out on my own. Early on in the development of a new version of Windows, I would explore it, I would try out various things, I would see what worked, I would see what didn’t work.
For Windows 1.0, there were five sample apps. The first one was a hello world app, except that it was very large because it included a menu, and the menu triggered an about box, and a lot of people thought all that stuff was necessary.
So I took that program and stripped away everything that seemed to be not necessary. I took away the about box and the program still worked. I took away the menu and the program still worked. I took away other things and simplified it as much as possible and that became the first sample program in my book.
In other Microsoft news, the firm has managed to tick off a load of the faithful by issuing DMCA takedowns that were a little too aggressive. Loyal podcasters and video bloggers found themselves issued with warnings and had their YouTube accounts suspended for supposed copyright infringement. Yet their musings on Windows were often just comment and advice pieces. Respected Windows nerd Chris Pirillo said in a YouTube comment:
They're going after ANYTHING with "Windows" in the title, it seems. My video was on a completely benign topic - not a review: "Windows 7 Upgrade or Anytime Upgrade?" Video ID: kUtY1AFZGTI - and I'm the type of person who intentionally avoids music, sounds, video, images, etc. WARN ALL THE TECH YOUTUBERS THAT THEY MIGHT WANT TO STOP TALKING ABOUT WINDOWS.
The community also took to Twitter, while Microsoft frantically tried to fix the damage:
We're looking at the YouTube notices ASAP. It is NOT the intent to target great content! — Microsoft News (@MSFTnews) October 15, 2014
And finally, in the security world, guru Mikko Hyppönen has told El Reg that law enforcement and intelligence agencies should stop complaining about the improving security on mobile phones, because they brought it on themselves.
FBI Director James Comey, US attorney general Eric Holder and Europol boss Troels Oerting have all moaned that increased data protection on mobes was going to make fighting crime and terrorism more difficult. But Hyppönen said:
Governments annoyed by companies taking a stand on security should remember they caused this themselves by hacking companies from their own countries.
Instead of just considering attacks from criminals some of the largest software companies have to consider attacks from their own governments too.
He also said that current surveillance was too pervasive:
I’m not against surveillance per se: I’m against blanket surveillance. There’s a trade-off between privacy and security.
Law enforcement is imperfect so the question is whether or not it’s a good trade-off to have blanket surveillance.
Intel agencies will go to any means to get what they want. I can understand why they might want to infiltrate standards bodies and push weaker cryptography but that weakens everybody’s security.
Speaking at the IP Expo conference, he told delegates:
George Orwell was an optimist. Governments can not only watch what you do (telescreens) but what you think… Show me your search history and within five minutes I'll find something embarrassing or incriminating. Guaranteed.