Some of the most serious security problems revealed in the last few months were caused by momentary carelessness. Apple’s inability to implement a popular security standard in its mobile and desktop operating systems was caused by the repetition of just two words. Most recently, the engineer whose work introduced the Heartbleed bug to the OpenSSL code library says the problem could “be explained pretty easily” and that the coding error itself is “quite trivial.”
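The "quite trivial" error behind Heartbleed was a missing length check: a TLS heartbeat record declares its own payload length, and the server echoed that many bytes back without confirming they had actually been received. The check below is an added illustration written for this article, not code from OpenSSL; the record layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding) and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_MAX_PAYLOAD 16384

/* Returns the declared payload length if it fits inside the bytes actually
   received, or -1 if honouring it would read past the end of the record
   (the Heartbleed condition). */
int hb_validate(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;  /* no room for header + padding */
    unsigned int declared = ((unsigned int)rec[1] << 8) | rec[2];
    if (declared > HB_MAX_PAYLOAD) return -1;                 /* protocol maximum */
    /* The check that was missing: declared payload plus padding must fit in the record. */
    if (HB_HEADER_LEN + (size_t)declared + HB_MIN_PADDING > rec_len) return -1;
    return (int)declared;
}

/* Build a heartbeat response that echoes only the validated payload.
   Returns the number of bytes written, or -1 if the request is rejected. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_len) {
    int plen = hb_validate(rec, rec_len);
    if (plen < 0) return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (out_len < need) return -1;
    out[0] = 2;                               /* heartbeat_response */
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xFF);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);  /* fresh padding, nothing from memory */
    return (int)need;
}

int main(void) {
    /* Constructed records: 4-byte payload "ping" plus 16 zero bytes of padding. */
    unsigned char honest[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    unsigned char lying[23]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};  /* claims 65535 bytes */
    unsigned char out[64];
    printf("honest record -> %d bytes echoed\n", hb_build_response(honest, sizeof honest, out, sizeof out));
    printf("lying record  -> %d (rejected)\n", hb_build_response(lying, sizeof lying, out, sizeof out));
    return 0;
}
```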

The errors themselves may be tiny mistakes, but that’s what makes them so dangerous. Apple didn’t notice its mistake for at least 18 months, and no one found the Heartbleed bug until two years after its introduction, despite the fact that all of the relevant code is open-source. Finding these errors would be like finding a typo in “Infinite Jest” — it’s not going to be easy unless you know just what you’re looking for.

But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.

That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.

Reactions from around the Web

The New York Times notes that these kinds of problems aren’t going to go away:

We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety. We’re constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable.

Even though security is an increasing area of concern for large technology companies, it is often considered an afterthought rather than an essential part of building all the goodies we use. Experts say that while instituting a more secure tech culture is possible, it will require a long-term investment in educating software engineers and improving core technologies.

Quartz explains why it took two years to discover a problem in open-source code:

Why did it take until last week to discover, and why did the means of the search only exist four months ago? The answer lies in how the basic infrastructure of the internet is governed by its users—or not.

This software ‘is as close to a public good that you have,’ [CloudFlare CEO Matthew] Prince says. It’s open-source code managed by a foundation. While that has plenty of advantages, it also means the software is comparatively under-invested in by experts in the field and not as efficiently maintained—Prince describes it as a ‘spaghetti nest of code.’ It received less than $1 million in income from donations and consulting work last year.

The Washington Post points out that this problem is common to many open-source tools:

Open-source advocates often claim that their work, as opposed to software produced by private companies such as Microsoft, has fewer problems, because of the inherent transparency of the process. The belief is captured in a saying popular among the community: ‘Given enough eyeballs, all bugs are shallow’ — meaning flaws are not terribly serious and are quickly fixed.

But security experts have warned for years that open-source software can harbor serious problems because the volunteers and nonprofit groups that often create them lack the time and expertise to continually update their work, especially as hackers become more prevalent and sophisticated. While some open-source projects, such as the Ubuntu operating system or the Firefox browser, have foundations supporting them, many others do not. Some private companies also produce open-source software.

The New Yorker writes about how hard it is to find problems with Internet infrastructure:

Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts. It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers. If open-source software is at the heart of the Internet, then we might need to examine it from time to time to make sure it’s not bleeding.

The Electronic Frontier Foundation is trying to figure out the extent of the problem:

A lot of the narratives around Heartbleed have viewed this bug through a worst-case lens, supposing that it might have been used for some time, and that there might be tricks to obtain private keys somewhat reliably with it. At least the first half of that scenario is starting to look likely.

Pando weighs in

I wrote about why having to change your passwords — after the relevant sites have been updated to the patched version of OpenSSL — is actually a good thing:

The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your fingertips and tattoo some new patterns onto them?

Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.