What can we do to prevent the next Heartbleed?
Heartbleed is a lesson in ambiguity. The bug has been described as a disaster, but there's no proof that it was used to collect information. Bloomberg reported that the National Security Agency took advantage of the bug, but the NSA denied that it exploited the vulnerability. The White House said that it has instructed intelligence agencies to fix security problems, but the New York Times reported that Obama has given the NSA some leeway in that goal. Heartbleed is either a pinprick, an arterial tear, or complete cardiac arrest -- but we don't yet know which.
We do know that Heartbleed represents a fundamental problem with Internet infrastructure. The bug was caused by a coding error that its author described as "quite trivial" despite the effect it had on Internet security. The volunteers who reviewed his work failed to spot the bug, and so it was introduced into a security tool used by roughly two-thirds of the Internet. No one else bothered to check for a vulnerability because -- fittingly enough -- many open-source tools are considered more secure than their proprietary counterparts precisely because anyone can inspect and edit them.
Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it's amazing that anyone even bothered to look for the Heartbleed bug in the first place.
The OpenSSL Software Foundation is a group of "someone elses" looking to fix the problems that all of the "someones" relying on OpenSSL can't be bothered to fix themselves. But the foundation is unable to employ anyone full-time, which means that its members are working on a critical aspect of online security in their spare time, or without reward commensurate with their work's importance. Steve Marquess, the foundation's president, wants to change that.
Marquess wrote in a blog post published over the weekend that the foundation often turns away the contract work that allows it to focus on OpenSSL itself because its members are too busy doing other work so they can support themselves and their families. Donations help keep the foundation running, but until they outpace the value derived from those contracts, it will be in a fairly dire financial situation. So he asked that large companies and governments keep the foundation's metaphorical lights on and allow its members to focus on OpenSSL full-time:
There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.

It's time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry "an enormous burden" that affects basically anyone who uses the Internet. We wouldn't force the doctors charged with handling real heart attacks to operate on donations or in their spare time -- why delegate the task of preserving the health of the Internet to people asked to work that way?
Reactions from around the Web
Quartz explains why it took two years to discover a problem in open-source code:
Why did it take until last week to discover, and why did the means of the search only exist four months ago? The answer lies in how the basic infrastructure of the internet is governed by its users—or not.
This software ‘is as close to a public good that you have,’ [CloudFlare CEO Matthew] Prince says. It’s open-source code managed by a foundation. While that has plenty of advantages, it also means the software is comparatively under-invested in by experts in the field and not as efficiently maintained—Prince describes it as a ‘spaghetti nest of code.’ It received less than $1 million in income from donations and consulting work last year.
The Washington Post points out that this problem is common to many open-source tools:
Open-source advocates often claim that their work, as opposed to software produced by private companies such as Microsoft, has fewer problems, because of the inherent transparency of the process. The belief is captured in a saying popular among the community: ‘Given enough eyeballs, all bugs are shallow’ — meaning flaws are not terribly serious and are quickly fixed.

But security experts have warned for years that open-source software can harbor serious problems because the volunteers and nonprofit groups that often create them lack the time and expertise to continually update their work, especially as hackers become more prevalent and sophisticated. While some open-source projects, such as the Ubuntu operating system or the Firefox browser, have foundations supporting them, many others do not. Some private companies also produce open-source software.

Pando weighs in
I wrote about the shaky idea that the Internet can ever truly be secure after the bug was revealed:
The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL — including Yahoo, Imgur, and OKCupid — means that many millions of Internet users may have potentially had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year and the idea that anyone can ever be truly secure online seems permanently out of reach.

I then wrote about why being able to change your passwords is a good thing:
The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your fingertips and tattoo some new patterns onto them?

Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.

Then I wrote about how small mistakes can have enormous consequences on the modern Web:
Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.
But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.
That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely-used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.

I then wrote about how the bug was able to attract attention from, well, everyone:
Heartbleed has a dire name. Its branding is better than most of the startup logos we’ve seen in the last few years. Those two things have no doubt contributed to its ability to make sure that everyone, from renowned security professionals and the Department of Homeland Security to the Canada Revenue Agency and tech bloggers, is paying attention to this critical flaw. And, perhaps more importantly, paying attention to the structural problems that allowed it to exist.