Is Heartbleed the sum of our open source fears?

Whatever trust a sane person could have in the Internet was lost last week, thanks to idealism and cheapness. The awfulness that is Heartbleed would have been difficult to imagine, except it is now right here among us.

How did this happen?

Blame it on open source. And the myth that open source software is somehow sanctified because so many people are supposedly looking at it that any serious flaw will be discovered and fixed.

That may be fine for most problems, but security isn’t most problems. By not rooting out a subtle bug that has existed since 2011, the open source community has shown that crowdsourcing security software isn’t such a good idea. Especially when the price is so right that it becomes the software almost everyone uses.

In this case, we have the OpenSSL Project, which operates on about $1 million a year, according to the Wall Street Journal, and is responsible for the security of an estimated two-thirds of Internet servers. The newspaper says the project is managed by a team of four.

The bug was apparently discovered by Google, which gently sounded an alarm that allowed some companies — but curiously not Amazon or Yahoo — to fix their systems before the problem was announced on Monday.

Left without recourse


The Heartbleed situation is full of unknowns. How many machines and devices are potential targets? No one knows, but according to published reports they include most web servers, as well as embedded servers in appliances.

How many users have had their information stolen? Again, no one knows, and exploiting Heartbleed leaves no evidence behind. That means owners of hacked systems will never be able to warn their customers of the data theft. Nor will users have any recourse.

What we do know is that many systems using the OpenSSL code will be very hard to update. And it is hard to communicate to users exactly what they are supposed to do.

One thing seems fairly certain: Now that the weakness is widely known, it will be exploited, perhaps for many years to come.

The co-discoverer of Heartbleed, the Finnish security firm Codenomicon, has published a helpful FAQ at Heartbleed.com.

And it gets even worse: InfoWorld reports that Heartbleed can divulge SSL certificate keys. That means commerce sites will have to rekey or regenerate their certificates to continue safely. It seems impossible to know how many sites should really be shut down but are not. There is a lot of incentive for companies to just keep running, patch OpenSSL and fix the certificates as soon as they can.

I was supposed to write a couple of columns today, but instead I am spending time trying to figure out which passwords I need to change and when I need to change them to protect myself.

I am not alone. Experts are saying everyone should change their passwords. Except that isn’t what all experts are saying and it seems clear that not all passwords have potentially been exposed.

Of course, since we all reuse passwords (don’t we?) a password exposed via one service could be exploited on another system not directly affected by Heartbleed. So changing all my passwords seems the only choice. If only I can remember all the places that might be storing some personal information about me.

Frankly, I’d rather be writing columns than changing passwords. So that’s what I am doing, while dreading all the changes that need to be made. I really, really don’t want to have to come up with another set of passw0rds. Nor do I really want to invest in a password manager of some sort. But, I also don’t want to stick my head in the sand.

Since joining SiliconANGLE, I’ve been thinking about what kind of security problem could appear that could really threaten the growth of mobile and the cloud. What would it take to make cloud customers take a deep breath and put the brakes on their projects? What would make customers really understand that an Internet cool enough to give you all this can potentially take a lot more away?

Heartbleed probably isn’t that problem. But it sure should be. We need to stop, think and test now, because the Heartbleed II could, worst case, just shut us down.


About David Coursey

Editor-at-Large David Coursey is a veteran technology journalist with more than 25 years’ experience writing about business and consumer computing. Contact him at david@coursey.com.