Tech Titans Donate Millions to Fight `Heartbleed’


April 28 (Bloomberg) -- Linux Foundation Executive Director Jim Zemlin discusses tech company donations to help prevent the next “Heartbleed” like bug. Zemlin speaks on Bloomberg Television’s “Bloomberg West.” (Source: Bloomberg)

Live from Pier Three in San Francisco, welcome to Bloomberg "West." It is a race against time as Microsoft tries to fix a major security flaw in Internet Explorer that hackers are already using in targeted attacks.

We are expecting the biggest IPO filing since Facebook, with Alibaba.

The e-commerce giant is on an investment spree, with the latest deal announced today.

First, a check on your top headlines.

Apple and Samsung are ready to make their final pitches to the jury.

Closing arguments will begin today in the blockbuster patent trial.

Apple is seeking $2.2 billion in damages for patent infringement.

A win would allow the company to seek a sales ban on earlier models of Samsung phones.

An update from Google on its self-driving cars.

The company says the cars have logged nearly 700,000 autonomous miles.

Google has been testing the cars around its hometown of Mountain View to improve their ability to drive in urban areas, but it says there are more problems to solve before the car starts driving in other cities.

Microsoft will begin rolling out its first original Xbox TV shows in June, including a reality series called "Every Street United," which will cover local soccer teams, as well as coverage of the Bonnaroo music festival.

To our lead story, and after the disclosure of the Heartbleed glitch, there is another glitch affecting the Internet Explorer browser.

This affects about 25% of browsers out there, looking at versions six through 11, although the most recent ones are mainly being hurt.

The way it works, it gives the hacker the same level of access as the official user.

People that still have Microsoft XP, Windows XP, are particularly troubled in this case.

Cory Johnson, Microsoft stopped providing security patches for XP, so those 3 million machines have nothing to do.

We know the migration it takes to take the system to the new operating system.

For an individual, it may take a few hours, but for corporations, it takes nine months to make the switch on average.

The change away from XP does not happen quickly.

It is likely that we will be hearing more things like this because the hackers are evolving and this operating system is not.

It feels like there is a new one of these every day.

Are there more attacks, or is security tracking getting better?

These techniques used by hackers, particularly in Eastern Europe, are very different from where they were even a year ago, much more organized, bigger groups.

Where do they go from here?

I know Microsoft is doing an investigation, but at what point do they make an exception for this major security flaw for XP users, maybe they would do something.

You wonder what form it would take, and what does this mean for Microsoft itself?

If people are unwilling to switch to a new browser, they may move to a new product.

For more on how risky this flaw is, I want to turn to the director of threat research at FireEye, the company that found the breach.

Why are we seeing more of these threats, is it because people like you are getting better at tracking them down, or there are just more of these things happening?

A combination of both.

It's a pleasure to be here.

In this case, the vulnerability was widespread; roughly one in four users visiting the web, going to any website that hosts this kind of exploit, would have been compromised.

We do not see this going away.

We detected this particular threat group as recently as Friday, and we had to move quickly to get detection, response, prevention, and an advisory out in order to respond to the threat.

Fundamentally, I do not see that this particular issue will go away anytime soon.

Are you looking at particular flaws in XP, because it is not getting updated?

We are looking at the threat groups that are using these attacks and these vulnerabilities.

We are able to detect and see these types of vulnerabilities being weaponized into attacks just by looking at the effects on the victims involved.

We are then able to further develop defenses, protections, as well as advisories, based on that.

We do not need to necessarily go through and document all the different vulnerabilities.

The attackers are already doing that for us.

Walk us through what this particular vulnerability is and what it actually means.

Fundamentally, zero-day attacks are roughly two to go different things from vulnerabilities.

Vulnerabilities are not that serious unless you are dealing with a remote code execution vulnerability.

That allows a hacker to compromise a user remotely, from anywhere on the internet.

Those are the types we see from these different groups, the ones that we see as the most severe.

Fundamentally, we see this type of issue getting worse over time.

If I have Internet Explorer, what should I do?

Right now, you can go through and disable Flash.

That seems to be the initial infection vector.

You can also enable private mode.

The croissant hasn't ruled out the enhanced mitigation toolkit, or you could switch to a different browser.

You talk about finding the effects on the victims involved and using that as a methodology.

Have you any anecdotes, something that happened to somebody, or a company?

In this particular case, we worked closely with many of our customers who were targeted in this particular campaign.

We went through and actually merged the intelligence collected from our worldwide sensor grid of appliances protecting the customers, along with boots on the ground.

Those are folks involved with incident response professional services.

We fused the information to go from discovering the exploit to rolling out protections for it, to rolling out prevention for it, as well as working with Microsoft to release the advisory, in less than 24 hours, on a weekend.

My point is, what did you see happening that let you roll all of this together into an alert?

We start with some sort of spear phishing attack.

In this case, the threat group involved was watching some sort of malicious link within mail messages.

Unfortunately, those victims were clicking on the links, getting compromised, and we were seeing the results of that, and seeing how the compromise occurred.

Normally, visiting a website should not compromise an endpoint, but in this case, that is what was happening.

What do you see as a result of this happening, do you see Microsoft releasing a patch for IE, and do you see other people downloading other browsers instead?

It is a combination.

This should be the final nail in the coffin for Windows XP users.

They should really not be using the operating system anymore.

For those users who are using Internet Explorer on later versions of Windows, a variety of different mitigations would solve the problem.

The most effective one we have seen is actually deploying EMET.

It would have caught this exploit as well as the past three or four that we have seen, plus 10 or so others from the last year.

Unfortunately, that will not work for most enterprises, based on the pains of rolling out that type of fix.

That is why Microsoft is offering these other mitigations, such as turning on Protected Mode, potentially disabling ActiveX controls, or Flash altogether.

Thanks so much for sharing with us the work you did on this one.

One ceo says he got fired after pleading guilty to domestic charges -- violence charges.

We will talk about how this may impact the company going public.

Welcome back to Bloomberg "West." I'm Emily Chang.

RadiumOne CEO Gurbaksh Chahal said that he was fired by the network after accepting a plea deal on domestic violence charges.

He was charged with 45 felonies of domestic violence, but all of them have been dropped, and he accepted a misdemeanor plea deal and a fine instead.

Bill Lonergan, the CFO of the company, will take over the company, which was in the stages of an IPO.

Cory Johnson is with me as well as Ari Levy.

You were speaking with Chahal over the weekend.

What did he have to say?

He was shocked.

It had been 10 days.

He pled guilty to the charges; the charges happened about six months ago, he pleaded guilty, paid the fine.

The board waited until April 26 to do anything about it.

He had many more to meeting since then, so i think he is surprised.

-- so i think he is apprised.

According to Chahal, it was not the charges themselves, but the criticism of them.

Obviously a dramatic story.

This had been going on for two years since the original charges were filed.

If you think about his position, 45 felony counts, convicted of none of them.

And that he had to pay a $500 fine and do some community service.

What is the big deal?

From the board's perspective, this company will be going public, and will have to answer to investors.

Investors will have a lot of questions about this company because it is an ad tech company.

Having to answer the question, why is the CEO, who pleaded guilty to two misdemeanor charges related to domestic assault, why is he your CEO, isn't there anyone else?

It is better to get rid of it now.

While he has been facing the charges, we had the CTO on from RadiumOne.

I want to talk about his blog post.

He says -- Cory, what did he have to say about the actual accusations?

Aside from getting fired, what did he have to say?

I thought he said even more on the blog than when he talked to me, and I talked to him many times.

I asked him specifically about what happened.

He said he lost his temper.

I do not know what that means, and I will not try to interpret it.

There was a lot of media about this.

A lot of them focusing on this notion that there was a videotape, which no one has seen, which revealed something that was never revealed.

Known in the public.

Correct.

-- no one in the public.

I do not know what it showed, but i know it never made it to court.

Some of the reporting on that is so inflammatory, perhaps irresponsible.

Didn't the police say in court documents that he hit her 117 times?

But they never charged him.

I do not know what happened.

He said he lost his temper.

It is still a serious thing.

Ari, how does this impact the road to IPO?

Will they still go public?

That is very much up in the air.

Whether conversations are still happening with the banks, whether they want a cooling-off period, hopefully we can find that out.

Bill Lonergan, who is taking over, has been a finance and operations guy throughout his career.

He was the CFO of BlueLithium, the company that Chahal founded before selling it.

He is not a startup CEO.

Whether this is the long-term answer to who will run the company, we do not know that yet.

Maybe the most inflammatory thing that he said yesterday was that the board compelled him to take the plea, that he wanted to fight it in court and be exonerated.

There is a direct quote in my story: the board wanted me to settle so we could go on with the IPO.

He is leveling the charge against his board of directors that they compelled him to take the plea so they could get their payout in the IPO faster than they would otherwise if he were fighting it.

In terms of timing, what have you heard?

Are the plans the same, will it be postponed?

A spokesperson for the company would not say.

It is small enough that they could file anytime now.

We know they are coming close.

It is ironic that this is all happening at the same time, in the same week, literally.

It is not a coincidence.

I think it is the reason it is all happening at the same time.

Maybe after 10 days, they thought it would go away, and maybe they had suggestions from the bankers that it would not go away.

There are many things that could derail an IPO; we just do not hear about them.

Thank you both.

The Heartbleed bug grabbed headlines and brought attention to how underfunded open source efforts really are.

Now Facebook, Google, and Amazon are pledging money.

But will it be enough?

Welcome back to Bloomberg "West." I'm Emily Chang.

On Wednesday I will be interviewing Twitter CEO Dick Costolo.

We will be talking about their efforts to attract more mainstream users, its new ad network, and much more.

Don't miss my interview with Dick Costolo coming up this Wednesday.

Now to the security flaw exposed earlier this month, Heartbleed.

It has some tech giants coming together to fund improvements in open-source programs.

Cory, this is interesting.

People tell me that all of these bugs could compromise the future of open source and whether it exists at all.

It is an interesting story and not easy to say, Heartbleed bug.

Heartbleed bug.

The organization has a new initiative because of this Heartbleed bug.

The director of the Linux Foundation is now with me.

OpenSSL has not received a lot of financial support like Linux, for example.

That is right, a typical market failure.

If you look at Linux, it is an important project that has received a lot of funding and is an important part of society.

OpenSSL is also an important part of internet security, but for some reason, funding has not caught up with the important role it plays on the internet.

Can you explain what OpenSSL is?

OpenSSL is essentially that lockbox in the corner of your web browser.

It provides encryption for the communication that you send over the internet.

In this case, there was a bug discovered in the code base that was the cause of this Heartbleed bug.

OpenSSL is created by whom?

A group of developers, some of the best in the world when it comes to crypto technology, who have spent most of their adult lives on this, by and large as volunteers, to put together the code.

They have not had a lot of resources.

Post-Heartbleed, we decided to take a broader view and look at projects, not just OpenSSL but other projects that are widely deployed and available to the internet, and provide the resources to them to make the software better.

You got big cash donations from companies that use or host OpenSSL.

It is more than just OpenSSL.

The companies I've spoken with want to get ahead of the next Heartbleed.

What they want to do is look for all of these projects out there that are important to the stability of the internet and provide them with resources.

Whether it is Microsoft or Amazon or Facebook or Google.

It is not just about OpenSSL.

It is how do we get ahead of them rather than reacting defensively.

You said some of the greatest computer experts created OpenSSL, but there is some criticism that the code is written so poorly, the notions might be great, but the code is so sloppy, OpenSSL cannot be saved and we need to go to an alternative.

OpenSSL is widely used, so we cannot move to something else.

We need to allow them to have more resources to make the code base better.

You will see other efforts trying to clean up the code base in parallel, and that is a great thing about open source.

You can have multiple responses to any problem.

That needs to be accepted by the OpenSSL leaders, and that has not happened until now.

Can your involvement change that?

The OpenSSL guys will work on their code.

One of the things they have needed is resources to have people working full-time on the code base, to provide for audits, additional testing.

That is what we hope to provide, in addition, for the next project that needs it, beyond OpenSSL, other core infrastructure projects that for some reason have been underfunded.

Thank you very much.

We will be right back with more Bloomberg "West." It is 26 minutes past the hour, and that means Bloomberg TV is on the markets.

We do have the Nasdaq, after being little changed, now down 1.5%. We are really seeing a selloff continue with these momentum names, and Netflix, Amazon being hit particularly hard.

Baidu as well.

We will continue to watch the downward movement.

This text has been automatically generated. It may not be 100% accurate.
