CS4ProgrammingWeek14

From GIS CS4

Continue Khan Academy programming using JavaScript https://www.khanacademy.org/cs

Monday

Happy 88th Birthday to Her Majesty Queen Elizabeth II

https://twitter.com/BritishMonarchy/status/457851279394349058/photo/1


In The News Special - Heartbleed

Heartbleed walks into a bar, and says 'Hello!'

The bartender says:
'Hello!
-----BEGIN RSA PRIVATE KEY-----
GDSSHPAIBAAJB2041F379AFCD4573B639D56C6ABB1EB0
D007AB9686634CF2B3A694AE7F76DAE7102EA819C0EF44CC94B3-66E6E39AA498
....


What Is Heartbleed?

Bruce Schneier: "On the scale of 1 to 10, this is an 11." A few days later he revised his rating of Heartbleed to 9 out of 10.

xkcd cartoon explanation of what Heartbleed is

OpenSSL code + fix

The bug was introduced by developer Robin Seggelmann: the change was committed at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012; it was fixed in OpenSSL 1.0.1g in April 2014.

"I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.

Because no plausibility check had been carried out on the length, by entering invalid values it was possible to read more memory than intended. This meant it was possible to access security-related data, turning a simple mistake into one with massive consequences."
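The statement above describes a missing plausibility check on a length field. The C program below is an illustration written for this page, not OpenSSL's own code (although the two bounds checks in heartbeat_fixed mirror the ones added in OpenSSL 1.0.1g). It models the Heartbeat record on a simulated heap, sends a request that claims 64 bytes of payload but carries only 2, and shows the old handler copying adjacent memory into the reply while the fixed handler silently discards the request. The simulated heap, the "secret" string next to the record, and the helper names are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_PADDING = 16 };

/* Simulated heap: the received record sits at heap[0]; the bytes after it stand
 * in for whatever unrelated data happened to be adjacent in the real process.
 * The array is sized so that this demo's over-read stays inside it (the demo
 * itself must not have undefined behaviour); on the wire an attacker could ask
 * for up to 65535 bytes per request. */
#define HEAP_SIZE 128
static unsigned char heap[HEAP_SIZE];
static unsigned char response[HB_HEADER + 65535 + HB_PADDING];
/* constructed sample of the kind of data that sat next to the record */
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* 16-bit big-endian read, what OpenSSL's n2s() macro does */
static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 if needle occurs anywhere in hay[0..hay_len) */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Place a request at heap[0] whose length field (claimed) need not match the
 * number of payload bytes actually sent (actual). Returns the real record length. */
static size_t place_request(uint16_t claimed, const char *payload, size_t actual) {
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + HB_HEADER, payload, actual);
    size_t rec_len = HB_HEADER + actual + HB_PADDING;   /* padding left as zeros */
    memcpy(heap + rec_len, secret, sizeof secret);      /* "adjacent" memory */
    return rec_len;
}

/* Build the reply: echo `payload` bytes of the request, then padding. */
static size_t write_response(const unsigned char *rec, uint16_t payload, unsigned char *out) {
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* over-reads if payload is a lie */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* Shape of the handler before OpenSSL 1.0.1g: the attacker-controlled length
 * is trusted, so the copy reads past the end of the record. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                     /* never consulted: that is the bug */
    return write_response(rec, n2s(rec + 1), out);
}

/* Same handler with the two checks added in 1.0.1g; a malformed request is
 * silently discarded (returns 0), as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if ((size_t)(HB_HEADER + HB_PADDING) > rec_len) return 0;           /* no room for a header */
    uint16_t payload = n2s(rec + 1);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;   /* length exceeds record */
    return write_response(rec, payload, out);
}

/* 1 if a request claiming 64 bytes but carrying 2 makes the old code leak the secret */
int vulnerable_leaks_secret(void) {
    size_t rec_len = place_request(64, "hi", 2);
    size_t n = heartbeat_vulnerable(heap, rec_len, response);
    return contains(response + HB_HEADER, n - HB_HEADER, secret);
}

/* 0: the fixed code discards that same request without copying anything */
size_t fixed_discards_malformed(void) {
    size_t rec_len = place_request(64, "hi", 2);
    return heartbeat_fixed(heap, rec_len, response);
}

/* 1 if a well-formed request (claimed == actual) is still echoed by the fixed code */
int fixed_echoes_valid(void) {
    size_t rec_len = place_request(2, "hi", 2);
    size_t n = heartbeat_fixed(heap, rec_len, response);
    return n == rec_len && memcmp(response + HB_HEADER, "hi", 2) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler discards malformed request: %zu\n", fixed_discards_malformed());
    printf("fixed handler still echoes valid request: %d\n", fixed_echoes_valid());
    return 0;
}
```

The point to take from the two checks is that the length must be validated against the size of the record that actually arrived, not against anything the sender claims; the second check is the one Seggelmann describes as missing, and the first guards the read of the length field itself.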


Consequence of Heartbleed


Was Heartbleed exploited before it was discovered?

Probably not, although there have been reports that some security organisations were using it as early as November 2013.


Who Is Affected?

Effectively every Internet user: anyone who logged in to, or exchanged data with, a site or service running a vulnerable OpenSSL version (1.0.1 through 1.0.1f), which covered a large share of the Internet's servers at the time.


Recovering from Heartbleed

  1. Servers (not an operating-system issue: any software on any platform that links OpenSSL 1.0.1 through 1.0.1f is affected)
    1. All affected servers/software patched (OpenSSL 1.0.1g, a distribution backport of the fix, or a build with heartbeats disabled)
    2. New private keys generated and new Security Certificates issued for every affected host (reissuing a certificate with the old key does not help, because the key itself may have leaked)
    3. All old Security Certificates MUST be revoked
    4. Session cookies and any other secrets that may have been sitting in server memory invalidated
  2. Clients/Users (Windows/Mac/Linux/iOS/Android/etc)
    1. Make sure web browsers check Security Certificate Revocation
      1. revoked.grc.com
      2. CloudFlare
      3. Verisign
    2. Change your passwords on affected websites, but only after each site has patched and replaced its keys; a new password sent to a still-vulnerable server can leak just like the old one


It might be time for you to use a Password Manager like LastPass (free) - more information here.


Why is Security Certificate Revocation so important?

“Certificates” provide a means for web servers at the far end of remote connections to verifiably assert their identity across the Internet.


A consequence of Heartbleed is that an attacker has, or had, a means of extracting a server's private key from its memory (the certificate itself is public; it is the private key that proves the server is who the certificate says it is). With that key, an attacker who can redirect your traffic (for example by DNS spoofing, ARP spoofing or a rogue Wi-Fi access point) can perform a Man-in-the-Middle attack on your request to, say, 'https://www.google.com' or 'https://mybank.com': your web browser would see a 100% valid Certificate and display no warnings. Revocation is the only signal that tells the browser a certificate should no longer be trusted even though it is otherwise valid.


However, much of the certificate revocation system is badly broken and does not actually work in practice: most browsers "soft-fail", treating a certificate as valid when the OCSP responder cannot be reached, so an attacker who is already in the middle can simply block the revocation check; and some browsers skip live OCSP checks altogether in favour of a small built-in list of revoked certificates.


Useful Security Tools


NASA Deep Space Network

Check this out!


Refine Tool.getToolHit(zx, zy) method

Refine the Tool.getToolHit(zMouseX, zMouseY) method such that it detects a hit within the circle.

Hint:

  • Use Pythagoras' theorem (hypotenuse^2 = x^2 + y^2).
  • The radius of the Tool circle background is TOOL_WIDTH/2. The mouse is inside the circle when the hypotenuse (the distance from the circle's centre to the mouse) is no longer than this radius.
  • The length of the horizontal leg of the triangle is x = (Tool.x - zMouseX).
  • The length of the vertical leg of the triangle is y = (Tool.y - zMouseY).
  • Compare squares to avoid a square root: it is a hit when x*x + y*y <= (TOOL_WIDTH/2)*(TOOL_WIDTH/2).

Complete Rock-Paper-Scissors

Rock-Paper-Scissors 2

Rock-Paper-Scissors 3

Rock-Paper-Scissors-Lizard-Spock

https://www.youtube.com/watch?v=iapcKVn7DdY

Rock-Paper-Scissors 4

Review For Test (Friday)

  • Review Arrays

https://www.khanacademy.org/computing/cs/programming/arrays/a/review-arrays

  • Review Objects

https://www.khanacademy.org/computing/cs/programming/objects/a/review-objects

  • Review Object Oriented Design

https://www.khanacademy.org/computing/cs/programming/object-oriented/a/review-object-oriented-design

Tuesday

Thursday (Lab)

Review For Test (Today!)

  • Review Arrays

https://www.khanacademy.org/computing/cs/programming/arrays/a/review-arrays

  • Review Objects

https://www.khanacademy.org/computing/cs/programming/objects/a/review-objects

  • Review Object Oriented Design

https://www.khanacademy.org/computing/cs/programming/object-oriented/a/review-object-oriented-design


Technology Friday

Mini News


How to Debug A Program in Khan Academy