If you’re concerned about security or just sick to death of hearing about the notorious Heartbleed bug, you may want to shut out the internet’s pervasive Heartbleed noise.
But perhaps you shouldn’t. It’s a catalyst for a long-overdue discussion about what it means to be a part of the virtual world, what this means for the open source community and who we trust.
At times like this, those of us who were feeling a little behind with the state of our online security game have been busy. Some sources estimate that more than a third of us do not have password protection on our mobile devices. Other estimates put that figure much higher. If you haven’t been concerned about the issue (is your password “Password”, like so many other people out there?), now is the time to take stock: find a better way to protect yourself and stop leaving a digital key under your virtual front-door mat.
My own personal productivity has taken a hit since last week’s news about the Heartbleed bug. I’ve been busy changing passwords, of course, but I’m also revisiting my personal online security infrastructure. And if the figures regarding weak passwords – and no passwords at all – are correct, many of the people reading this should do the same.
Of course that’s what has so many of us chewing nails. It’s a pain to step away from the seductive power of our online tools for a few minutes – or several hours – to evaluate how we use those tools and how our use of them is making us vulnerable. It’s also difficult for most of us to find the time to do so because of our perhaps not-so-seductive work and/or school obligations. Hackers happily exploit this fact of modern life.
How did we get here?
By this time, most tech-savvy readers know that Heartbleed is not a virus, created deliberately to entrap unwary netizens. Rather it’s a coding error in the OpenSSL cryptographic software library, an inadvertent omission by one of the open source programmers who contributed to the free software that is ubiquitous in much of the corporate world. Robin Seggelmann, the German Ph.D. student and programmer whose error gave us the Heartbleed bug, was working on improving the security of the system at the time. The ball that he dropped – a failure to validate a variable – was not caught by the code reviewer who certified his code. It’s the type of error that’s easy to make, but supremely difficult to spot. It did not create a functional error, but merely created a vulnerability for someone with the imagination, the technical ability, and the will to exploit a system weakness. Therein lies one of the glaring weaknesses of today’s complex systems: we don’t know what we don’t know.
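To make “a failure to validate a variable” concrete, here is an added illustration (written for this article, not OpenSSL’s own code) of the shape of the mistake and of the one-line check that fixes it. The record layout, the “arena” standing in for process memory, and the secret string are all constructed for the demonstration; keeping everything inside one array means the unchecked copy stays within allocated storage, so the program itself has no undefined behaviour while still showing how trusting a sender-supplied length hands back bytes that were never part of the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified echo ("heartbeat"-style) record, constructed for this example:
 *   byte 0    : message type (1 = request)
 *   bytes 1-2 : payload length *declared by the sender*, big-endian
 *   bytes 3.. : payload
 * The responder is supposed to copy the payload back to the sender. */
#define HDR_LEN 3

/* Simulated process memory. The request occupies the first bytes; whatever
 * happened to sit after it in memory (here, a constructed secret) follows. */
#define ARENA_LEN 64
static unsigned char arena[ARENA_LEN];
static const char secret[] = "session-cookie=deadbeef"; /* constructed value */

/* Place an 8-byte request (5 payload bytes, "hello") that *claims* a 40-byte
 * payload, then the secret right behind it. Returns the real record length. */
size_t setup_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                          /* request */
    arena[1] = 0; arena[2] = 40;           /* declared payload length: 40 */
    memcpy(arena + HDR_LEN, "hello", 5);   /* only 5 bytes really arrived */
    memcpy(arena + 8, secret, sizeof secret);
    return HDR_LEN + 5;                    /* 8 bytes actually received */
}

static size_t declared_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The defect the article describes: the length field is trusted and never
 * compared with how many bytes actually arrived (rec_len is ignored).
 * out_cap only protects the output buffer; it does nothing about the
 * over-read of the input. Returns the number of bytes echoed. */
size_t build_response_unchecked(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    (void)rec_len;                         /* ignored: this is the bug */
    size_t n = declared_len(rec);
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HDR_LEN, n);         /* reads past the 8-byte record */
    return n;
}

/* The fix: validate the declared length against reality. A record whose
 * declared payload exceeds the bytes received is malformed and is dropped.
 * Returns bytes echoed, or -1 when the record is rejected. */
long build_response_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return -1;
    size_t n = declared_len(rec);
    if (n > rec_len - HDR_LEN) return -1;  /* declared > actual: reject */
    if (n > out_cap) return -1;
    memcpy(out, rec + HDR_LEN, n);
    return (long)n;
}

int main(void) {
    unsigned char out[ARENA_LEN];
    size_t rec_len = setup_arena();
    size_t n = build_response_unchecked(arena, rec_len, out, sizeof out);
    printf("unchecked: echoed %zu bytes for a %zu-byte record; tail = \"%.23s\"\n",
           n, rec_len, (const char *)out + 5);
    printf("checked:   %ld (negative means the record was rejected)\n",
           build_response_checked(arena, rec_len, out, sizeof out));
    return 0;
}
```

The unchecked version never crashes and every legitimate request still works, which is why the article can say the bug “did not create a functional error”; only a request that lies about its length reveals the problem, and by then the reply already carries whatever lay beyond the record.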
And to think – many of us recall a time when our everyday tools were as simple as pencil and paper.
Constructing a security plan is part of the hidden cost we pay when we acquire anything from a new smartphone to a Facebook account. We’ve created a digital world that mirrors all the pitfalls of our analogue world, yet many people wander through it without any idea of the topography. Knowledge is power. It’s protection, and ultimately – with a certain amount of perspective – it can be a stress-reliever. That said, any complacency we nurture concerning the role of larger powers in the digital world has suffered a blow.
The NSA (National Security Agency), for example, says it has your back. According to several mainstream sources, it probably also has your passwords, your online browsing habits, and much more. According to this Bloomberg article, the NSA has known of and exploited the Heartbleed bug for some years. It is alleged that rather than warn netizens of the impending dangers, it used this vulnerability to learn more about what the general populace of the U.S. does online.
Denials were quickly issued by the NSA and the White House, and Seggelmann himself stated that he does not believe that the NSA had anything to do with the bug. In the wake of the Snowden affair, the denials are viewed by many with skepticism. We may never know the full story on this, and the situation calls attention to other issues.
Of immediate concern is the future of open source development. Open source projects have given a great deal to all of us – access to cutting-edge software, the opportunity for programmers the world over to feel the satisfaction of creating something that benefits millions, and the fulfillment of working on things they care about. Does this latest development bring all of this into question? Many commentators say that open source programming has given us too much benefit to use this bug as an indictment against free, open source software.
And what does it mean for the everyday internet user? In the wake of the recent Heartbleed-related events, investigative journalist Julia Angwin, author of “Dragnet Nation”, discussed the lessons she learned during a year of intensive effort to up her personal online security. In an NPR interview earlier this year, just predating the revelation of the Heartbleed bug, she listed several areas of vulnerability that many users don’t realize exist.
For example, do you order goods and services online or perform bank transactions from your neighborhood coffee shop, using the “free” wifi? You may want to rethink that and set up your own VPN (virtual private network) or a “MiFi” – a wireless router that allows users to access the internet securely from locations away from home. Beware that some versions of wireless routers have had their own security issues; research before you buy.
Be aware, too, that your searches are not “your” searches.
Love the convenience and breadth of Google searches? Google loves you too. If you don’t want your searches to be a matter of long-standing record, you may wish to start using other search engines. It might also surprise you to know that agencies such as the U.S. Post Office sell their address change data.
More than ever before, a huge percentage of our time and money goes to the tools we use, as opposed to the tasks for which we use them. Yes, it’s all about the tools. They give us so much – and they demand a great deal.
It’s easy to cross the line when carefully researching and setting up a personal online security plan. Julia Angwin found her own limits during her year of experimentation and research. To her, an acceptable comfort level comes from knowing that she’s taken sufficient pains with her online security to know that her accounts are not “low-hanging fruit”. It’s a personal choice, she points out. It’s also an expensive one; Angwin spent about $2500 on devices and software to thwart what she considered to be the most immediate and likely threats.
We’re all vulnerable in some way. But can we all pay the price that privacy (within limits) demands?
Where are your boundaries? What will you give of your time and money to reduce your risk?