The oddly named cyber vulnerability, Heartbleed, is everywhere in the tech news. Even non-tech security types recognize the seriousness of this issue. What is the bumper sticker version of Heartbleed, and what does it teach us?
Heartbleed is a bug that sat unnoticed for about two years in OpenSSL, the software library that a large share of well-known Internet sites use to encrypt their connections (the padlock in your browser), and that was found only recently. It is not a flaw in the encryption itself but a programming error in one small feature, the TLS "heartbeat": a server answered a heartbeat request by echoing back as many bytes as the request claimed to contain, without checking that the request was really that long. A remote attacker could therefore read chunks of the server's memory, a little at a time, with no login and usually nothing left in the server's logs, and that memory can hold private keys, passwords and session cookies belonging to the site's users. OpenSSL is a so-called open source program, free to use, and darned near ubiquitous because it was good.
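What that missing check looks like, as an added example in C (not the column's own material and not OpenSSL's actual source): a simplified heartbeat handler in its vulnerable and fixed forms, run over a constructed slice of memory in which a "secret" sits just past the received record. The record layout follows RFC 6520; the arena, the function names and the sample secret are assumptions made for this illustration.

```c
/* Added example (not from the original column or from OpenSSL): a
 * simplified model of the heartbeat bug, CVE-2014-0160. Record layout
 * follows RFC 6520; the arena, function names and the sample "secret"
 * are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN 3      /* 1 byte type + 2 byte payload length */
#define HB_MIN_PADDING 16    /* RFC 6520 requires at least 16 bytes */
#define ARENA_LEN 4096       /* simulated slice of server heap */

/* The received record sits at the start of the arena; unrelated data
 * (here a constructed secret) lives just past it, as on a real heap. */
static unsigned char arena[ARENA_LEN];

/* Write a heartbeat request into the arena. declared_len is what the
 * message claims; actual_len is how many payload bytes are really sent.
 * Returns the record length as seen on the wire. */
static size_t build_record(uint16_t declared_len, size_t actual_len,
                           const char *secret) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                              /* heartbeat_request */
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memset(arena + HB_HEADER_LEN, 'A', actual_len);
    size_t record_len = HB_HEADER_LEN + actual_len + HB_MIN_PADDING;
    memcpy(arena + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable handler: trusts the length field in the message and copies
 * that many bytes into the reply, never consulting how long the record
 * really was. out_cap stands in for the reply buffer OpenSSL allocated
 * from the claimed length. Returns the number of reply bytes written. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                     /* the bug: rec_len is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len > out_cap) return 0;
    out[0] = 2;                                /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    /* reads past the end of the record when payload_len is a lie */
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return HB_HEADER_LEN + payload_len;
}

/* Fixed handler: the claimed payload plus header and minimum padding must
 * fit inside the bytes actually received, otherwise the message is
 * silently dropped. This is the check the OpenSSL 1.0.1g patch added. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return 0;
    if (HB_HEADER_LEN + (size_t)payload_len > out_cap) return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    return HB_HEADER_LEN + payload_len;
}

/* Run one request through either handler.
 * Returns -1 if the handler dropped the request, 1 if the reply contains
 * the secret that lived beyond the record, 0 if it replied without leaking. */
static int demo(int use_fixed, uint16_t declared_len, size_t actual_len) {
    static const char secret[] = "SECRET:hunter2";   /* constructed data */
    unsigned char reply[ARENA_LEN];
    size_t rec_len = build_record(declared_len, actual_len, secret);
    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, reply, sizeof reply)
                         : heartbeat_vulnerable(arena, rec_len, reply, sizeof reply);
    if (n == 0) return -1;
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    /* honest request: 4 bytes claimed, 4 bytes sent */
    printf("honest    vulnerable=%d fixed=%d\n", demo(0, 4, 4), demo(1, 4, 4));
    /* lying request: 200 bytes claimed, 4 bytes sent */
    printf("malicious vulnerable=%d fixed=%d\n", demo(0, 200, 4), demo(1, 200, 4));
    return 0;
}
```

Compile with any C compiler and run it. The honest request is answered by both handlers and leaks nothing; the request that claims 200 bytes while sending 4 is answered by the vulnerable handler with 200 bytes of whatever followed the record in memory (the secret included) and is dropped by the fixed one. Over a real connection an attacker simply repeats the lying request, claiming the maximum of 65535 bytes each time, until something useful turns up in the replies.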
The many sites that had the bug are in the process of making the fix, which means upgrading OpenSSL and, because the server's private key could have leaked, replacing their certificates as well. Once a site (your bank, Google, etc.) has done that, you must change your password there, since anyone who exploited the bug may have captured it. You can wait until the patch is in place (risky) or change all your passwords now (recommended), but a new password sent to a site that is still unpatched can leak exactly like the old one, so you will need to do it again when the specific sites finally apply the patch.
This event shows the inherent fragility of the open source aspects of the Internet. This does not mean we should abandon, or even denigrate, this methodology. Software that is developed and distributed for free, written and reviewed by a volunteer community, is one of the cleverest and most innovative features of the digital world. There are massive advantages to this way of doing business, but there are also liabilities: in OpenSSL's case a small, underfunded team was maintaining code that a huge part of the Internet depended on. The sheer breadth of OpenSSL's use turned one missing length check into one of the biggest and most significant errors in history, because a bug's reach scales with the number of systems sharing the code. Benefits must always be weighed against the risks.
There have been some commentators who jumped on the continuing anti-NSA hysteria in this situation. A Bloomberg story alleged the NSA knew about the bug but, instead of warning the rest of us, exploited it. The U.S. government categorically denies this. It also flies in the face of the NSA's second main mission (spying being the first) of protecting America. If it had been a backdoor in the software of a few selected "targets," I believe they would have kept quiet, but the vulnerability was so wide and deep that it would have been the height of negligence to know and not warn people. My professional geek friends (the really smart kind) seem to have achieved a majority consensus that the Bloomberg story is wrong, but some are still very dubious. Such is the legacy of the post-Snowden era.
Bottom line is this: the hyper innovation and (sometimes) openness of the Internet is a huge blessing, giving us enormous advantages. Additionally, the digital world has a remarkable capacity for "self-healing." The fast response to Heartbleed, with a fixed OpenSSL available within days of disclosure, is a testament to that. That said, we also incur great risk. People make mistakes, and code is never perfect. If we start expecting it to be, we'll never get any products on the street and the only winners will be the tort lawyers (sorry guys). So, understand the risks and be ready to react and fix things. We will never achieve 100% security. The battle to mitigate the risk is an ongoing one. Fight on, but don't demand perfection. It's not going to happen.