12 Days competition: Day 3 – This buffer overflow broke sysadmins’ hearts

On the third day of Christmas/Your server sent to me/The clear text of your private key.

Karaoke time! Click for the melody to sing along…

OpenSSL is the boring but enormously important piece of open source encryption software that’s used by just about everybody and his dog.

In April 2014 websites everywhere were struck by an OpenSSL bug that allowed attackers to trick them into revealing fleeting glimpses of data that just happened to be in memory on the server at the time.

Most often, the fragments of data revealed by the bug contained boring and unimportant data, but once in a while, secrets such as server encryption keys were blurted out.

As sysadmins the world over got patching, a media storm erupted and a trend for bugs with clever names and fancy logos began.

Paul Ducklin explained how it all worked in his usual technical-yet-comprehensible way:

Anatomy of a data leakage bug – the “Heartbleed” buffer overflow

And for your chance to win an exclusive, limited edition, Naked Security T-shirt, work out the answer to Paul Ducklin’s Heartbleed brain teaser below…

This December we’re celebrating Christmas by giving away five of our much-coveted, limited edition Naked Security T-shirts every day for 12 days!

We’ve selected twelve of the most interesting stories from 2014 and we’ll be writing about one of them each day.

All you have to do to win a T-shirt is read the story and answer the question.

We’ll pick 5 lucky winners out of a hat (OK, /dev/urandom) each day and those who answer the most questions correctly over the 12 days will be entered into our grand prize draw for a goody bag of geeky gifts valued at up to $500!

We need to know your email address so that we can contact you if you’ve won. When we contact you, we’ll need your T-shirt size, a delivery address and a contact number so we can ship your prize. We won’t use any of your personal details for anything other than this competition.

Entries close at 23:59 Pacific Standard Time (UTC-8) each day. Sophos staff, those professionally connected to the company, and their families, are welcome to submit answers for fun, but can’t win. T-shirt styles may vary from those depicted. Sophos’s decision is final, and so on. Please read our official competition terms and conditions.

What was Day 2’s answer?

On Day 2, we asked you by how many days Windows Server 2003 would officially outlive Windows XP.

Very simply put, we wanted you to calculate the number of days between these Microsoft-specified dates:

08 April 2014

14 July 2015

Those are both Patch Tuesdays, of course, and the de facto release time for Microsoft’s updates is 10am Seattle time, so we assumed a precise number of days with no rounding needed.

We didn’t want you to count inclusively, where you treat even one minute to midnight as “all of today” and one minute past midnight as “all of the next day”, and round up those two minutes to two days.

We accept that some people count, or used to count, that way.

In biblical times, for example, it was perfectly usual, which is why there’s a famous quotation from Jesus that goes, “Today, and tomorrow, and the third day.”

He didn’t mean, say, Monday, Tuesday and Thursday; he meant three consecutive days, adding in both the first and the last.

But we wanted a 21st-century days-between-dates calculation, so those of you who said 463 were, sadly, incorrect.

The answer we wanted was: 462 days.

By the way, that’s 223 days from today (2014-12-03), which is just a touch over seven months.

How’s your Server 2003 replacement plan going?