Yes entirely on name, visual identity and first three paragraphs. More like this for serious vulns, please.
Also, what a great name.
The remainder of the page is a loud reminder of the gap between the sec and dev communities, at least as practiced in lolstartupland. Or at least between offence and defence. The second paragraph tells you the sky is falling, and then it takes them 13 questions to tell you which openssl versions are vulnerable.
(Also, I wish the behind the scenes action was less messy; why not coordinate with Debian and RedHat patches? Why did Cloudflare get advance notice?)
But can we still have the CVE numbers as well, please.
"The security community refers to vulnerabilities by numbers, not names. This does have some advantages, like precision and the ability to Google them and get meaningful results all of the time"
I wish everyone embedded a Dewey Decimal number into their factual pages. Would be ace.
"I saw some kvetching on Twitter to the effect that the logo designer heard about Heartbleed before the distribution maintainers at e.g. Ubuntu and RedHat did."
Updates for Debian and CentOS landed within hours. Would have been nice to have them as we read the page.
Interestingly nothing (apparent) for Manjaro yet. Manjaro is a staged version of Arch which I have installed on a test machine to sample Gnome 3.12 when it lands in the repository in a week or so.
[keith@mocha ~]$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
There is no doubt that masterful branding of the bug helped with patching of vulnerable systems in this case. It is not at all clear that the trend it will surely start will be a good thing. Marketing does improve visibility. But it also, inherently, obscures the truth. Even in this case: some people on HN don't know that it was a Google researcher who first discovered/reported the bug; the actionable/technical information on the bug was hidden below the fold because the primary goal of the page was to be a long-term marketing tool for the security firms, not the shortest path to patch vulnerable systems. We will see how this trend develops, but I would not be surprised if we get more and more marketing with less upside (necessary visibility) and more downsides.
Because Cloudflare is possibly the biggest and most vulnerable target due to the enormous number of websites and businesses relying on it. I would not be surprised if at least FB and Twitter also had early access.
It was clear from the beginning that as soon as the details became public, a race would begin for the script-kiddy-friendliest tool to own sites/users. And the most likely targets of script kiddies should be warned in advance.
Heartbleed is not super descriptive to layfolk but it's certainly catchy, I'll give you that. Having a dot-com domain with said simple name was great, too.
But the content? A loud reminder indeed. As a member of the dev community, I would have wanted to see the following:
1. How bad is it? If you're using SSL, then an attacker may be able to read your machine's memory without leaving a trace.
2. Who is affected? Users of OpenSSL versions X-Y. Check your site here [http://filippo.io/Heartbleed/], but your client code may be affected too!
3. How do I secure myself? Update to OpenSSL version Z, reboot, and consider resetting all sensitive data on your server (reissue your SSL certificate, reset your user passwords and sessions, etc).
These facts are littered throughout a 2,000+ word document. In the future, I would like to see these things answered plainly at the very top.
I'm noticing this at work, too. Give things - even entire contexts - short, pronounceable names.
For example, at our place, "Munin" or recently "Graphite" have been established as the name for our monitoring systems. They describe a system spanning a couple hundred servers, including a handful of different daemons and configurations and, generally, a lot that's going on, so the term is inherently ambiguous and imprecise.
However, I've found that this takes a lot of pressure from the less involved people. They don't need to figure out how to call something precisely and correctly. They have an accepted, not entirely correct term that's precise enough to get the point across: "Munin on Server X broke" is all I need. Similarly, "Is our server X affected by Heartbleed?" might be a silly question because server X is no webserver, but it's easy to answer, because the question is precise enough and just on the right level.
"The Heartbleed announcement ... is masterful communication."
You have to be kidding me. It took so long to decipher what I wanted to know that I went elsewhere.
Edit: "masterful communication" this is not, since the reader doesn't know who the page is aimed at. Even a line at the top saying "Technical people go _here_", and then something aimed at technical people would be better.
But you did. What the communication accomplished was getting others who otherwise might not have heard about or cared enough to do something to take measures in fixing it.
The announcement isn't for technical folks. If you want to know the in-depth details then you likely have no issue referring to bugs as numbers, or reading up on the technical details of the exploit. When you announce something you give the information in a form that the public can understand.
For example, if I announce a new processor, I'll announce its clock speed and number of cores. If I feel like getting in-depth, cache levels and bus speed. A technical person will still have a million questions. But my announcement isn't for them, it's for the lowest common denominator of people who care. Oftentimes they have no clue of every technical aspect. Only the most simplistic understanding of the topic, if any at all.
Where? And if Heartbleed took too long to figure out, how long did it take to decipher other security vulnerabilities? Don't compare it to a landing page of a consumer service, compare it to most other OSS announcements and projects.
UK Offtopic: kalzumeus.com is being blocked under the category 'gambling' for me by the TalkTalk HomeSafe filter. First time I've seen the filter. My ADSL over copper connection is provided by EE.
I can't change the settings as I am not a TalkTalk customer (to my knowledge, my connection has remained functional despite mergers: Freeserve -> Wanadoo -> Orange -> EE). I certainly don't have a 10 digit customer reference and my account email is 'unknown' to the filter.
Cameron's cyber-nanny can be circumvented for eminently respectable domains such as this by judicious use of ?oo?le Cache of course.
Anyone else from the UK with default filter settings seeing this? I'm about to write to my M.P. and some wider data points would be helpful.
I have used the 'report' button: perhaps they will unblock the domain when they realise it is about Bingo.
Oh, great. Then in a few years we can have minor security issues given names, too. Like how winter storms this past winter were called "Polar Vortexes." This world needs less media sensationalism, not more.
"Your bosses / stakeholders / customers / family / etc also cannot immediately understand, on hearing the words “Rails YAML deserialization vulnerability”, that large portions of the Internet nearly died in fire."
I watched my colleagues working around the clock (not as bad as it sounds - we are scattered around the planet for a reason) patching servers, testing and ensuring every hatch is properly shut. I can imagine other teams all over the world and all over the internet doing the same, literally saving our civilization from a threat only a tiny percentage of the population had any idea existed and an even smaller group has any idea of how it threatened us.
You don't think for a second that the reason you were all working so hard to fix this is entirely because of the marketing? The intense marketing of Heartbleed alerted legit crackers (who would have found out anyway), and a thousand times worse, it alerted wannabe crackers of low hanging security exploit fruit.
I remember when the antivirus companies would fight about who gets to name what. Didn't one try to name Slammer "Sapphire" after a stripper an engineer had seen the previous night?
I don't have a problem with making fanfare around the bug, but I cannot help but feel that the Linux and BSD distro maintainers should have been notified before it went public so that the patches would be available at the same time as the site goes up. Instead, Codenomicon caused them to have a roughly 16-24 hour delay in releasing patched versions, while doing a poor job of communicating which versions of libssl are vulnerable (1.0.1 a-f were vulnerable, yet most distros use 1.0.1e and they patched that version instead of upgrading to 1.0.1g, making things very confusing).
So while all the marketing has been great for Codenomicon, it caused most sysadmins and distro maintainers more headache than it should have.
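The version confusion described above (1.0.1 a-f affected, 1.0.1g fixed, most distros patching 1.0.1e in place) is exactly what a naive local check trips over. As an added example, not from the thread or from any project mentioned in it, here is a POSIX shell function that classifies an `openssl version` banner against the affected range; "affected-range" deliberately means "consult your vendor advisory", because a backported fix leaves the version string unchanged. It also covers the plain 1.0.1 release and the 1.0.2-beta1 pre-release, which the thread does not mention.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the Heartbleed
# affected range discussed in the thread. Affected: 1.0.1 through 1.0.1f
# (and, beyond the thread, the 1.0.2-beta1 pre-release); fixed in 1.0.1g.
# Many distros shipped the fix as a patch to 1.0.1e without bumping the letter,
# so "affected-range" means "verify against your vendor advisory / package
# changelog", not "confirmed vulnerable": the banner alone cannot tell them apart.

classify_openssl_version() {
    # $1 is one banner line, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
    # Word-split it; the second word is the version token.
    # shellcheck disable=SC2086
    set -- $1
    ver=${2:-}
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "affected-range" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "fixed" ;;
        0.9.*|1.0.0*)
            # The heartbeat extension arrived in 1.0.1; older branches never had it.
            echo "unaffected-branch" ;;
        *)
            echo "unknown" ;;
    esac
}

# Classify the locally installed binary (yields "unknown" when openssl is absent).
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || banner=""
    classify_openssl_version "$banner"
}

# Stand-alone demo on constructed banners: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    for b in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014" \
             "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 0.9.8y 5 Feb 2013"; do
        printf '%-32s -> %s\n' "$b" "$(classify_openssl_version "$b")"
    done
    printf '%-32s -> %s\n' "local openssl" "$(check_local_openssl)"
fi
```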
Yes, not notifying at least the big linux distros and BSD projects was quite irresponsible. Everyone except for a few chosen service providers like cloudflare was thrown under a bus here.
I can't disagree with this post enough. Security exploitations shouldn't be about marketing. Security exploits should be handled first and then communicated to the public after the fact. The way Heartbleed was handled led to a media firestorm. Other than Codenomicon, who else benefitted from this?
> Marketing Helps Accomplish Legitimate Goals
Are you kidding me? The only goal of a security issue should be fixing it and getting everyone else to update to the fix. Heartbleed will be remembered forever because of the BS marketing.
OpenSSL isn't a startup, it's a security library that is used by over half of the internet.
Yes, a thousand times yes. The point isn't to market a vulnerability, the point is to get a fix out there.
Forcing the entire world to scramble is great marketing, but poor security. Vendors needed time to prep releases and communications; there's tons of confusion flying around out there.
Likewise, patio11's trying to capitalize on the awareness to market himself may also be great marketing, but it's bad advice.
I don't know why parent is being downvoted, either. This is simply not how you keep people secure. This is how you grandstand to promote yourself at the cost of other people's security.
Who is "the public" here? Why should package maintainers be hearing about this any sooner than me? I may not help maintain a popular Linux distribution, but I may very well run a service that my customers' bodily safety depends on the encryption of the SSL connection. (Hypothetical.) After disclosure, my only option is not to wait for a fix from my vendors and service providers, but to shut down my service (and lock out my customers) until a fix is available from them (or my own efforts) hours later. Otherwise, the bad actors who would benefit from seeing their SSL traffic would have hours to do so, and for some of us that can cost lives.
This marketing page was effective communication not just to the public, but to the hundreds of thousands of technical people who needed to understand that this disclosure was different, that they needed to take action, which in this world of plentiful managed hosting is really not typical.
No, a thousand times no. It's pretty obvious big targets would be on top of this. But given the severity of this bug you need to get to the lazy sysadmin, to the small ecommerce owner that doesn't have an on site admin, etc.
At that point, speed isn't really the issue yet. Heartbleed was in the wild for two years. Would a day or two have made much difference? Highly unlikely.
Speed matters after the disclosure, when every petty criminal and script kiddy in the world is suddenly empowered.
The first thing I thought about this whole thing when I saw the name was "this is a great name for this bug, and will help ensure everyone hears about it - and panics, which is the goal". I think the logo helped amplify that, so great work by the people who thought this up.
Also, hats off to the heartbleed.com keepers, Codenomicon, for handling this very selflessly - despite this (fuzzing) being their core business and having found the bug itself. They could have made it a "company logo first" marketing campaign.
Excellent writeup but as long as the subject is marketing and memorability in names (and in particular domain names) kalzeumus (or is it kalzumeus) isn't the easiest name to remember for a blog or business.
And it lends itself to many typos which is one of my areas of expertise along with branding. I can't easily tell someone "just go to kal zum e us dot com" like I can "heart bleed" (which by the way has a typo that would leak in high volume traffic to "blead" a bit).
Other than that I agree with what Patrick is saying, although I did find the use of "heartbleed" with something also referred to as "heartbeat" (which of course wouldn't be available as a domain name) a bit confusing at first.
Don't overdo it either. There are plenty of landing pages with non-existing services, no need for crazy project pages where the projects themselves will die soon out of interest or are just subpar.
In this specific case, I would prefer resources spent to make the OpenSSL library itself better instead of the https://www.openssl.org/ domain better.
Talking about marketing: Wouldn't this be a great time for one of the not so small IT companies to pull off a publicity stunt within the tech community and donate a few full time developers to improve the openssl codebase?
For example I might not like Facebook, but if they'd actually make such a contribution to the public good I'd always have to include that counter argument in my criticism.
Maybe someone here on hackernews might be able to pull some strings?
The one weak point of the landing page is that it didn't indicate who was not affected. I read to the bottom of the announcement and had to think a while on whether I had to update my laptop because, hey, this seems like a serious bug. Granted, I'm nontechnical... but that's kind of the point.
Edit: not sure why this was downvoted, but if it contains an error please add a comment pointing it out. If you just think it should be lower on the page, no worries.
keithpeter | 12 years ago
Sort of ties in with http://allanmcrae.com/2013/01/manjaro-linux-ignoring-securit... perhaps. I get the impression that Manjaro (and other similar client OSes) are mainly for end users and not on servers.
keithpeter | 12 years ago
As a teacher, I give silly names to maths topics and it seems to help the students organise their 'big picture' a bit.
jmathai | 12 years ago
That's an enormous win.
jdubs | 12 years ago
I think this is a case where the message could have been more concise.
keithpeter | 12 years ago
https://dl.dropboxusercontent.com/u/8403291/talktalk-blockin...
rubiquity | 12 years ago
Marketing works both ways, you know.
danielweber | 12 years ago
I don't look fondly on those days.
bernardom | 12 years ago
But: are there enough two-english-word combinations left as viable .com names, much less ones that accurately describe the vulnerability?
thu | 12 years ago
That being said I agree with the article and love how http://heartbleed.com/ was done.
pasbesoin | 12 years ago
Serial Killer (Yeah, drops the "De", but more people will associate with it, and it's easier to parse and pronounce.)