The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.
The United States spends more than $50 billion
a year on spying and intelligence, while the folks who build important
defense software — in this case a program called OpenSSL that ensures
that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.
In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations.
The programmers have to rely on consulting gigs to pay for their work.
"There should be at least a half dozen full time OpenSSL team members,
not just one, able to concentrate on the care and feeding of OpenSSL
without having to hustle commercial work," says Steve Marquess, who raises money for the project.
Is it any wonder that this Heartbleed bug slipped through the cracks?
Dan Kaminsky, a security researcher who saved the Internet from a similarly fundamental flaw back in 2008, says
that Heartbleed shows that it's time to get "serious about figuring out
what software has become Critical Infrastructure to the global economy,
and dedicating genuine resources to supporting that code."
The Obama Administration has said it is doing just that with its national cybersecurity initiative,
which establishes guidelines for strengthening the defense of our
technological infrastructure — but it does not provide funding for the
implementation of those guidelines.
Instead, the National Security Agency, which has responsibility to protect U.S. infrastructure, has worked to weaken encryption standards.
And so private websites — such as Facebook and Google, which were
affected by Heartbleed — often use open-source tools such as OpenSSL,
where the code is publicly available and can be verified to be free of
The federal government spent at least $65 billion between 2006 and 2012 to secure its own networks, according to a February report
from the Senate Homeland Security and Government Affairs Committee. And
many critical parts of the private sector — such as nuclear reactors
and banking — follow sector-specific cybersecurity regulations.
But private industry has also failed to fund its critical tools. As cryptographer Matthew Green says,
"Maybe in the midst of patching their servers, some of the big
companies that use OpenSSL will think of tossing them some real
no-strings-attached funding so they can keep doing their job."
In the meantime, the rest of us are left with the unfortunate job of
changing all our passwords, which may have been stolen from websites
that were using the broken encryption standard. It's unclear whether the
bug was exploited by criminals or intelligence agencies. (The NSA says it didn't know about it.)
It's worth noting, however, that the risk of your passwords being
stolen is still lower than the risk of your passwords being hacked from a
website that failed to protect
them properly. Criminals have so many ways to obtain your information
these days — by sending you a fake email from your bank or hacking into a
retailer's unguarded database — that it's unclear how many would have
gone through the trouble of exploiting this encryption flaw.
The problem is that if your passwords were hacked by the Heartbleed
bug, the hack would leave no trace. And so, unfortunately, it's still a
good idea to assume that your passwords might have been stolen.
So, you need to change them. If you're like me, you have way too many
passwords. So I suggest starting with the most important ones — your
email passwords. Anyone who gains control of your email can click
"forgot password" on your other accounts and get a new password emailed
to them. As a result, email passwords are the key to the rest of your
accounts. After email, I'd suggest changing banking and social media
But before you change your passwords, you need to check if the
website has patched their site. You can test whether a site has been
patched by typing the URL here. (Look for the green highlighted " Now Safe" result.)
If the site has been patched, then change your password. If the site
has not been patched, wait until it has been patched before you change
A reminder about how to make passwords: Forget all the password
advice you've been given about using symbols and not writing down your
passwords. There are only two things that matter: Don't reuse passwords
across websites and the longer the password, the better.
I suggest using password management software, such as 1Password or LastPass,
to generate the vast majority of your passwords. And for email, banking
and your password to your password manager, I suggest a method of
picking random words from the Dictionary called Diceware. If that seems too hard, just make your password super long — at least 30 or 40 characters long, if possible.