Heartbleed continues to haunt technology companies, security researchers, and the consumers whose personal information might be compromised by the infamous security vulnerability. A report from Errata Security says that 300,000 servers are still vulnerable because of the bug, which was discovered in April, and that efforts to patch those vulnerabilities have stalled out.
That’s in stark contrast to a previous report, which said that the number of servers affected by Heartbleed had fallen from 600,000 to 300,000 in just one month. “This indicates people have stopped even trying to patch. We should see a slow [drop] over the next decade as older systems are slowly replaced,” Errata’s Robert Graham says. “Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.” Wonderful.
This means that consumers will be sending personal information to compromised servers for the foreseeable future — and they might not even know they’re doing it, because companies aren’t required to disclose the state of their security to their customers. The idea that people can keep their data safe was already laughable, but the ambivalence with which some companies are treating this bug lends further credence to the idea that “digital security” is nothing more than an oxymoron.
And make no mistake: Heartbleed continues to affect the Internet because of the ambivalence and ignorance of the groups trusted with personal information, as the Guardian reports:
It’s likely people are failing to patch out of “simple ignorance as to the importance of the task, the fact they are vulnerable or the process to be followed”, said James Lyne, global head of security research at Sophos.
There now appears to be “a sense of auto update”, Lyne added. “Many have gotten rather used to auto updating built in to our everyday technology. Manual intervention like this is an unusual experience for most admins, so perhaps it has fallen on confused ears.”
So hundreds of thousands of servers and countless people will remain vulnerable because the people trusted with our personal information have the same expectations for a critical bug that my brother has for his PlayStation console. What a tremendously comforting thought.
Pando weighs in
The bug was caused by a coding error that its author described as “quite trivial” despite the effect it had on Internet security. The volunteers who checked his work failed to spot the bug, and so it was introduced into a security tool used by roughly two-thirds of the Internet. No one else bothered to check for a vulnerability, because — fittingly enough — many open source tools are considered more secure than their proprietary counterparts on the grounds that anyone can edit them.
Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it’s amazing that anyone even bothered to look for the Heartbleed bug in the first place.
On the irony of “digital security” in the wake of numerous data breaches, crippling bugs, and ransomed iPhones:
These reports continue months of security woes for Apple customers. First it was revealed that the company had failed to implement a security standard in its mobile operating system; then we learned that the issue affected its desktop operating system, too; and now Australians are being locked out of their own smartphones and asked to pay some unknown hacker for access.
And those are just the problems specific to Apple. There’s been the Heartbleed bug that crippled two-thirds of the Internet, multiple security breaches each affecting millions of consumers, and the constant knowledge that intelligence agencies around the world are spying on, well, everyone. If these problems have taught us anything, it’s that the term “digital security” is an oxymoron.
The Linux Foundation’s announcement shows that technology companies are starting to take this seriously. Besides the OpenSSL Foundation, which oversees the technology after which it’s named, funding has also been granted to the Open Crypto Audit Project, and will be allocated to other groups looking after the Network Time Protocol and OpenSSH. The group isn’t just patching a weak spot in OpenSSL’s infrastructure — it’s trying to secure other tools as well.
When I wrote about efforts to prevent the next Heartbleed from happening, I ended with a simple question: “We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?” It seems that the Linux Foundation agrees, and given its latest announcement, the future of the Internet now seems a little less bleak than before.