Archive for April, 2014

Our Response to “Heartbleed”

As many of you may already be aware, information was released earlier this week (on Monday 7th April) about a major Internet vulnerability widely referred to as “Heartbleed” (CVE-2014-0160).

This vulnerability affects a widely used software library called “OpenSSL”, an open-source implementation of the SSL/TLS protocols that provides the encrypted HTTPS connections used by around two-thirds of active websites on the Internet. The bug itself is a missing bounds check in OpenSSL’s implementation of the TLS “Heartbeat” extension, which is where the name comes from.

Many popular websites, including Twitter, Yahoo!, Gmail and Facebook, had been found vulnerable to Heartbleed. If exploited, the bug lets a remote attacker read up to 64 KB of the server process’s memory per request, without anything appearing in the server’s normal logs. That memory can contain passwords and session cookies in transit and, in some cases, the server’s TLS private key itself.

“Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL”, warns the website devoted to explaining the bug.

Whilst many of these websites have now been updated/patched against Heartbleed, the vulnerability itself has been present in OpenSSL for around two years: it was introduced in OpenSSL 1.0.1 (released in March 2012) and is fixed in 1.0.1g, released on 7th April 2014. Versions 1.0.1 through 1.0.1f are affected, as is the 1.0.2-beta1 pre-release; the older 0.9.8 and 1.0.0 branches never contained the Heartbeat code and are not affected. Although the bug had been there all that time, it only came to light and was publicly disclosed this week.

Our MIDAS servers run OpenSSL. However, we have no reason to believe that the vulnerability has been exploited to compromise the integrity or confidentiality of any of our services or of our users’ data. Even so, because a Heartbleed attack leaves no trace in ordinary server logs and so cannot be ruled out after the fact, we’re taking a very broad view of the potential exposure and have responded accordingly.

What has MIDAS done in response?

Our MIDAS servers run OpenSSL, and we’ve been proactive in making sure that our users’ data and accounts are kept safe. Specifically:

  • Our servers have been patched.
    As of Wednesday 9th April 03:33 UTC, all of our servers have been updated to a version of OpenSSL that contains the fix for the Heartbeat bug.

  • We’ve reset SSL keys and certificates for our public *.mid.as servers.
    As of Thursday 10th April 21:51 UTC all of our public servers are using newly-generated private keys and certificates. Patching alone closes the hole but does nothing about a private key that may already have been read out of memory while the hole was open, so the keys have been regenerated rather than the old certificates simply re-issued. Additionally, we’ve asked AlphaSSL to revoke our old certificates, just to be on the safe side.
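If you run your own servers, the first thing to confirm is which OpenSSL you actually have. As an added example (this is not MIDAS’s own code or tooling), the Python helper below classifies the output of `openssl version -a` against the affected range. It also handles the awkward case that distribution packages (Debian, Ubuntu, RHEL/CentOS) backport the fix without changing the upstream version string, so a box reporting “1.0.1e” may in fact be patched: a build date on or after the fix date is treated as a hint, not proof, and is reported as a separate status for you to confirm against the package changelog. One caveat the list above does not spell out: updating the library files is not enough on its own, because every long-running process that had loaded the old libssl (web server, mail server, VPN daemon) keeps the vulnerable code mapped until it is restarted. The sample version reports in the block are constructed for illustration.

```python
"""Classify an `openssl version -a` report against the Heartbleed
(CVE-2014-0160) affected range.

Upstream facts used here: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are
affected; 1.0.1g (7 April 2014) is the first fixed 1.0.1 release and
1.0.2-beta2 the first fixed 1.0.2 pre-release; the 0.9.8 and 1.0.0 branches
never had the TLS Heartbeat code. Distro packages may backport the fix and
still report an "affected" upstream version, hence the build-date hint.
"""
import re
from datetime import datetime

FIX_DATE = datetime(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
BUILT_ON_RE = re.compile(r"built on:\s*(.+)")


def parse_version(report: str):
    """Return (major, minor, patch, letter, beta) from an `openssl version`
    line such as 'OpenSSL 1.0.1e-fips 11 Feb 2013', or None if the text
    does not look like OpenSSL output."""
    m = VERSION_RE.search(report)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def parse_built_on(report: str):
    """Return the 'built on:' timestamp from `openssl version -a` if present
    and parseable (e.g. 'built on: Mon Apr  7 20:33:29 UTC 2014')."""
    m = BUILT_ON_RE.search(report)
    if not m:
        return None
    for fmt in ("%a %b %d %H:%M:%S %Z %Y", "%a %b %d %H:%M:%S %Y"):
        try:
            return datetime.strptime(m.group(1).strip(), fmt)
        except ValueError:
            continue
    return None


def heartbleed_status(report: str) -> str:
    """Classify one `openssl version -a` report.

    NOT_AFFECTED     branch never contained the bug (0.9.8, 1.0.0, 1.0.2 final and later)
    FIXED            upstream release with the fix (1.0.1g+, 1.0.2-beta2+)
    VULNERABLE       upstream release in the affected range
    LIKELY_BACKPORT  affected version string but built on/after the fix date:
                     probably a distro backport; confirm via the package changelog
    UNKNOWN          could not parse the version
    """
    v = parse_version(report)
    if v is None:
        return "UNKNOWN"
    major, minor, patch, letter, beta = v

    if (major, minor, patch) == (1, 0, 1):
        affected = letter < "g"          # '' (1.0.1) < 'a' < ... < 'f' < 'g'
        if not affected:
            return "FIXED"
    elif (major, minor, patch) == (1, 0, 2) and beta is not None:
        affected = beta == 1
        if not affected:
            return "FIXED"
    else:
        return "NOT_AFFECTED"

    built = parse_built_on(report)
    if built is not None and built >= FIX_DATE:
        return "LIKELY_BACKPORT"
    return "VULNERABLE"


if __name__ == "__main__":
    # Constructed sample reports, not captured from any real server.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]
    for s in samples:
        print(f"{s.splitlines()[0]:40s} -> {heartbleed_status(s)}")
```

A LIKELY_BACKPORT result still needs confirming, either from the package changelog (`apt-get changelog openssl` or `rpm -q --changelog openssl`) or by probing the live service; and whatever the verdict on the library, check that the services using it were restarted after the upgrade.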

What can you do?

We have no reason to believe that the Heartbleed vulnerability has been exploited to compromise the integrity or confidentiality of any of our services or of our users’ data. Even so, if we “host” your MIDAS and you want to be extra careful, you can change your MIDAS password at any time once logged in, via the “Change Password” link near the top of your MIDAS screen. (Do this only once a server has been patched and re-keyed, as ours now have been: a password changed while a server was still vulnerable could itself have been read from memory.)

Here are some handy tips for creating better passwords:


  • Avoid using the same password for multiple websites
  • Make your passwords at least 8 characters long (longer is better)
    – In MIDAS, you can enforce a minimum password length for users via MIDAS Admin Options → Manage MIDAS → Security → Minimum Password Length

  • Include a mixture of numbers, upper & lowercase letters, and symbols in your password
    – MIDAS can randomly generate such passwords for users, via MIDAS Admin Options → Manage Users & Permissions → [select user] → Password → Random.

  • Avoid using complete dictionary words
  • Avoid common passwords such as “123456” and “password”
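As an added illustration (not MIDAS’s own password generator or policy code), the Python snippet below implements the rules in the list above: a generator that draws from a cryptographically secure source (`secrets`, not `random`, whose Mersenne Twister output can be recovered from a handful of samples) and guarantees every character class without biasing the result, plus a checker for minimum length, class mix, common passwords and dictionary words. The common-password and dictionary lists are small constructed stand-ins; a real deployment would load a published breach list and a proper word list.

```python
"""Password generation and policy checking matching the tips above.

Generation uses rejection sampling: draw a uniformly random string and
discard it if any required character class is missing. That keeps the
result uniform over all qualifying passwords, unlike the common pattern
of forcing one character from each class into fixed positions, which
skews the distribution and shrinks the effective search space.
"""
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample lists standing in for a real breach list and dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678",
                    "iloveyou", "abc123", "password1", "111111"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey", "dragon",
                    "football", "master", "sunshine", "princess"}


def check_password(password: str, min_length: int = 8) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = {
        "lowercase letter": any(c in LOWER for c in password),
        "uppercase letter": any(c in UPPER for c in password),
        "digit": any(c in DIGITS for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a common password")
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            problems.append(f"contains the dictionary word '{word}'")
    return problems


def generate_password(length: int = 16) -> str:
    """Return a random password of `length` characters that passes
    check_password(). Raises ValueError below the 8-character floor."""
    if length < 8:
        raise ValueError("policy requires at least 8 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Summer2014!", "Tr0ub4dor&3"):
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    print("generated:", generate_password())
```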

Mozilla Corporation

You’ve probably heard of Mozilla – they’re the folks behind the well-known and popular Firefox web browser, and as you may know, we develop a powerful browser-based Room and Resource Scheduling System, MIDAS, which we support in all major browsers, including Firefox.

In fact, ever since we first began developing MIDAS back in 2005, Firefox has been the browser in which we do the bulk of our development and debugging! It’s been our browser of choice, and we’ve long been admirers of Mozilla’s open and inclusive approach to the development of Firefox and the web, and of their company ethos, that:

“Mozilla believes both in equality and freedom of speech. Equality is necessary for meaningful speech. And you need free speech to fight for equality”

However, today Mozilla have demonstrated that this ethos is in fact untrue, and that they no longer believe in equality and freedom of speech for ALL.

Here’s a brief outline of what’s happened:

Last month, Mozilla appointed a new CEO, Brendan Eich. Eich was the inventor of JavaScript (one of the programming languages that our software uses!) and a co-founder of mozilla.org.

Six years earlier, in 2008, long before he became CEO, Eich made a personal donation to the campaign for “California Proposition 8”, a ballot measure which, rightly or wrongly depending upon your view, sought to stop same-sex marriage taking place in the state of California.

Following his appointment as CEO of Mozilla last month, a number of Mozilla employees, board members, and members of the global LGBT community expressed their unhappiness with his appointment, as they felt that his previous support for a campaign opposing same-sex marriage made him unsuitable to be CEO of a company that had equality and freedom of speech at the very heart of its core values.

For the past several weeks, since Eich’s appointment, there has been a sustained and vicious campaign targeted against Mozilla, Firefox, and Eich himself, with pressure from all sides for Eich to stand down/be removed from his role as CEO.

Today, following this sustained pressure, Eich has stepped down as CEO.

Many are celebrating this, however, regardless of your view of Brendan Eich or your position on same-sex marriage, Mozilla as a company promoted “equality and freedom of speech” for ALL. By this token, Eich (along with every other Mozilla employee, regardless of position, gender, religion, or sexual orientation) has the same right to express his views without fear of censorship or persecution – whether you agree with his views or not.

No one should be denied the right to express their PERSONAL opinion or view on any subject, and remember, this was only a personal view of Eich, not an official Mozilla/Firefox view/policy/position.

In pressuring and forcing their CEO to step down because of his *personal* view on a subject, Mozilla have denied Eich his right to equality and demonstrated that they no longer stand for true equality and freedom of speech for everyone.

We used to believe that Mozilla were promoting an “open web for all” – we are now struggling to reconcile this ethos with Mozilla’s actions and stance today.

Many Firefox users have since taken to Twitter to vent their anger and disappointment at @Mozilla and @Firefox’s stance on this matter, with many previously loyal users uninstalling and boycotting their products in protest.

Our web based Room and Resource Scheduling Software MIDAS is supported in Firefox, but also supported in Internet Explorer, Google Chrome, Apple Safari and Opera browsers as well – as we believe in giving you the choice over which browser (and company) you choose.

UPDATE 6th April:
Two days later, Mozilla’s own customer feedback site (https://input.mozilla.org) clearly shows the strength of negative feeling towards the company as a result:

Mozilla customer feedback: feelings and sentiment