Open source software developers released the exploit of an attack method used by unknown hackers. This one is similar to the FBI’s exploit, about which the judge blocked information. The FBI isn’t going to be the only party who would know about their exploit. So, is it better kept in the hands of people who can use it for whatever purpose? Or, are we all better off having these security flaws published so that software developers can fix them to keep users secure, and users can know when they may be at risk? Which decision keeps more people safe? Who really has your back?

The heart shaped hole in the internet’s security

“If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”  The Tor blog

Buried in a section of today’s news you’ve probably not paid attention to is an item about something called the Heartbleed bug. There’s more than likely one of three reasons why:

  1. It didn’t get that much prominence in most news outlets.
  2. The coverage you came across didn’t make much sense. It’s an internet security hole that effects something-or-other, sounds complicated, and what’s with the odd name, anyway?
  3. You don’t think it really matters, and hey, aren’t you being spied on, anyway?

Here’s why it matters: There was left a gaping hole in the middle of OpenSSL, which is what heaps of web services use to keep your data yours.  You may think the web service you’re using/providing is keeping data confidential, but this bug allows the option for someone/something to reach in and grab a 64k bit of the memory. That’s not huge, you may think, but consider that the attacker can dip in as much as they like, or as much as they can devise a program to do. It’s sort of like reaching into a puzzle box and pulling out a piece of it. By itself, it may not accomplish much, but you can keep pulling out another one, and another one until your picture starts emerging.

The name refers to an extension at the, um, heart of the problem. There’s a piece of the process that’s called “heartbeat” and when the bug in this extension is exploited it leaks data from the server it’s sitting on. It could be your secret dating profile on that site for cryptozoology cosplay enthusiast, or it could be your bank.

We won’t go into the details here, but it’s a significant enough that the good people who caught it made a website about it. You can also check whether your server (or the site you like to use) has an issue here (when it’s working).

The bug is limited to OpenSSL’s 1.0.1 and the 1.0.2-beta release, 1.01 is already broadly used though not the latest version. But a number of services on the web are not up to the latest, and it’s more likely than not that at least some of the ones you use either have it running, or had it running for a time until recently, and thus private encryption keys may have been exposed, meaning even after updating the jig could be up on a number of web services.

Now I’ll let some other folks tell you why it’s serious:

  • Steven J. Vaughan-Nichols: “The flaw can potentially be used to reveal not just the contents of a secured-message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.”
  • This guy on Reddit:  “Up to 70% of the internet has been totally insecure for 2 years and will be for a while yet. … You can rectify the problem by installing the latest version of OpenSSL but there is no way to know you haven’t already had your keys stolen.”
  • Michael Rundle: “Luckily the bug has already been fixed, but it’s up to web admins to install the patch – and there is no way for the researchers to force the update to be applied.”
  • The Existential Type Crisis blog (quoting a researcher): “Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

There’s no way of knowing if this exploit was discovered or used by anyone before researchers with Codenomicon and Google Security found it, but it’s great SEO for the former, if one were to, you know, look at the positive side.  The problem is we don’t know. The likelihood is that in the two years it’s been possible to find this hole, it likely has been by someone else as well.

As it’s patched and closed, it will be interesting to see what if any effect it has on the NSA . Maybe someone will spill a leak about it and let us know. In the meantime, it raises some interesting issues for the rest of us…

UPDATE: EFF is now investigating the NSA angle here. I'm not saying I called it... but I kind of am. - yours truly

UPDATE UPDATE: The NSA did know about it and exploited it for the last two years, it seems. Coming up next: Did they introduce it into the code?

Where is your data right now? How many servers is it sitting on? What’s protecting it? Emails, bank details, medical history, personal notes, crude jokes, angry tirades about your boss, etc. The axiom goes: ‘don’t trust any technology with your life.’ I don’t know if I’ll go that far, since I do get on airplanes, but we do put an enormous amount of trust, all of us, in technology that we have no way of knowing really works. Unless we all put everything down right now and spend the next six years getting a PhD in computer science and then sit back down at the computer again. We rely on trust using an inherently untrustworthy system.

How much should you be doing online? Every account you have creates a new level of complexity to manage. Complexity = vulnerability in biology and technology. How many things are running through the web tubes? How many of those tubes are broken?

Consider minimalism. Instead of thinking of digital security for all your accounts and doings, it may be time to consider digital minimalism. What are the fewest accounts you need to do what you need to do online? What’s the minimal amount of information in each one to do it? Some of those may still be compromised, but you’ll have less to distrust.

This probably just explained it better than anything written above.