The one lesson to take from Heartbleed that everyone is afraid to say out loud
If you've been anywhere near the internet, a smartphone, or a TV in the last week, then you have likely been hearing whispers and screams over the "most widely spread security vulnerability in history" or, more specifically, the OpenSSL heartbeat flaw.
First, what the heck is this OpenSSL heartbeat flaw aka "Heartbleed" anyway?
To explain what Heartbleed is, let's first go back to your days of sleepaway camp - do they even have those anymore? Anyway...so you are there with all your fellow sleep-awayers and it's time for bed. Lights out!
So no one can see each other, but we can all still talk to each other. And talk we do. But after a bit things start quieting down until you start hearing the last few "hey, Tom - you awake?" "Yeah." A couple of minutes more: "hey, Tom - you awake?" "Yeah." And so on until Tom finally screams shut up and go to sleep...or stops answering.
In the tech world, a "heartbeat" is the proverbial "hey, Tom - you awake?" that one computer sends to another in order to make sure it's still there and they should still be talking through the darkness.
Almost every piece of software designed to communicate over a network (like the internet) has some form of a heartbeat.
OpenSSL is a small piece of open source software designed to secure your internet communication. It's implemented in pretty much everyone's network in one form or another from firewalls to routers and web servers to load balancers.
Everything you touch every day - your banks website, your Twitter, your Facebook, your local clubs member site - likely goes through a piece of the internet utilizing OpenSSL.
I won't go into the nitty-gritty, but to keep it simple: OpenSSL's heartbeat bug is that, in specific versions of OpenSSL, it allows a malicious individual or individuals to "request" part of the server's memory.
What is in that memory at the time of the request is a matter of luck. It could be basic information about the server and its active connections (in an abstract sense) or it could be the logins and passwords of all the currently active users. Meaty stuff!
Even more disturbing, it opens up the doors to the castle by making it possible to get the actual keys to all the locks that provide all that security you hear so much about. If that happens, then it's not only what is in memory that is accessible but all the traffic going across the so-called secure connection.
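To make the "request part of the server's memory" idea concrete, here is a toy model of the mechanism in C. This is example code added for this page, not OpenSSL's own code: the heartbeat record layout is simplified (1-byte type, 2-byte claimed payload length, payload, 16 bytes of padding), the "arena" stands in for process memory, and the secret placed next to the record is constructed. The unchecked handler trusts the length the peer claims and so copies bytes from beyond the record into its reply; the checked handler refuses any record whose claimed length does not fit inside the bytes that actually arrived, which is the nature of the fix.

```c
/* Toy heartbeat handler: why trusting a peer-supplied length leaks memory,
 * and the bounds check that prevents it. Constructed example, not OpenSSL code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PADDING    16   /* trailing padding the record format requires */
#define ARENA_SIZE 64   /* constructed stand-in for the server's memory */

static unsigned char arena[ARENA_SIZE];
static const size_t REC_LEN = 1 + 2 + 4 + PADDING; /* 23 bytes really received */

/* Lay out "process memory": a short heartbeat record whose header claims a
 * 32-byte payload although only "ping" (4 bytes) follows, and, right after
 * the record, unrelated data that a client must never see. */
static void build_arena(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01;                     /* heartbeat_request */
    arena[1] = 0x00; arena[2] = 0x20;    /* claimed payload length: 32 */
    memcpy(arena + 3, "ping", 4);        /* the payload that actually arrived */
    /* arena[7..22] stays zero: the 16 bytes of padding */
    memcpy(arena + REC_LEN, "SECRET-KEY-DATA!", 16); /* neighbouring memory */
}

static uint16_t claimed_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: echoes as many bytes as the peer CLAIMS, never
 * consulting how many bytes actually arrived. The reply therefore carries
 * whatever sits in memory after the record. */
static size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                        unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* received length is ignored */
    size_t n = claimed_len(rec);
    /* This cap exists only to keep the toy inside the constructed arena;
     * the real defect had no such limit. */
    if (3 + n > ARENA_SIZE) n = ARENA_SIZE - 3;
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + 3, n);
    return n;
}

/* Fixed pattern: the claimed payload (plus header and padding) must fit
 * inside the bytes that were really received, or the record is dropped. */
static int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap,
                                   size_t *out_len) {
    if (rec_len < 1 + 2 + PADDING) return -1;            /* no room for a header */
    size_t n = claimed_len(rec);
    if (1 + 2 + n + PADDING > rec_len) return -1;         /* the missing bounds check */
    if (n > out_cap) return -1;
    memcpy(out, rec + 3, n);
    *out_len = n;
    return 0;
}

/* 1 if the unchecked reply contains bytes that lie beyond the record. */
int unchecked_leaks_neighbour(void) {
    unsigned char reply[ARENA_SIZE];
    build_arena();
    size_t n = heartbeat_reply_unchecked(arena, REC_LEN, reply, sizeof reply);
    /* reply[i] mirrors arena[3 + i]; the secret begins at arena[23] = reply[20] */
    return n == 32 && memcmp(reply + 20, "SECRET-KEY-D", 12) == 0;
}

/* 1 if the checked handler rejects the over-long claim. */
int checked_rejects_overlong(void) {
    unsigned char reply[ARENA_SIZE]; size_t n = 0;
    build_arena();
    return heartbeat_reply_checked(arena, REC_LEN, reply, sizeof reply, &n) == -1;
}

/* 1 if an honest record (claimed length matches what arrived) still works. */
int checked_accepts_honest(void) {
    unsigned char reply[ARENA_SIZE]; size_t n = 0;
    build_arena();
    arena[2] = 0x04;                      /* claim exactly the 4 bytes present */
    return heartbeat_reply_checked(arena, REC_LEN, reply, sizeof reply, &n) == 0
        && n == 4 && memcmp(reply, "ping", 4) == 0;
}

int main(void) {
    printf("unchecked handler leaks neighbouring memory: %d\n", unchecked_leaks_neighbour());
    printf("checked handler rejects over-long claim:     %d\n", checked_rejects_overlong());
    printf("checked handler still serves honest record:  %d\n", checked_accepts_honest());
    return 0;
}
```

The whole defect is the single comparison between the claimed length and the received length; everything else in the handler is ordinary. That is why, as the post says, fixing the flaw was small while deploying the fix everywhere was not.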
Needless to say, the Heartbleed flaw is a BIG flaw. But it's in a small piece of software and fixing the flaw wasn't a big deal. Applying the fix to the millions of machines using OpenSSL is, however, a HUGE deal.
Samurai sysadmins everywhere are feverishly pecking at their keyboards right now to get things straightened out (if they haven't already).
Now, there are larger dangers of the Heartbleed bug which I won't cover, as better men than I have already done so. What I do want to make sure you take away from this is the following...
Heartbleed should teach us that there is no such thing as "secure" when we're talking about technology and computers. There are degrees of "openness" but the notion of a completely "closed" and "secure" system is subjective at best.
Every single system can be penetrated and manipulated with the right amount of motivation.
The safest way to protect yourself on your PC, laptop, or smartphone is to assume that someone is always watching and someone can always get to what you're protecting - if they really wanted to. (The "if they really wanted to" is important in gauging how freaked out you should be.)
The notion of "secure" has always irked my kind (hackers who grew up in the 80s with our 3600 baud modems) because the true hacker knows that the notion of a secure system is a mirage and only serves to lower the diligence of its users.
Advertised "security" only serves to give a false sense of security.
Even if you took your computer and disconnected it from your wifi and pulled out its Ethernet cord.
Even if you took that same computer and placed it in a safe room with 18-inch cinderblock walls and one of those huge spinning locks you see on the safe at your bank.
Even if you took 4 of the meanest Navy SEALs and placed them to guard your computer, which you placed in your "safe room."
If there is someone out there who wants what you have on that computer - they will find a way to get at it. It's just that simple.
So - what do you do? Go dark? Back to paper and pencil?
No, in our world - for most of us - that would be nearly impossible. Instead, don't scratch yourself in public because someone is always watching.
Assume that your passwords have a finite window before someone has them and change them often. Tell Siri to remind you every 10 days to change your password.
Assume that the files you're storing on your cloud drive will be made available to those that want to get at them and make sure you have backups and backup plans should they actually get out.
If there is one thing I learned in my very short stint in a military uniform (ROTC), it's this: always have a contingency against the worst possible outcome.
Always assume they know you're coming. Always have a plan to react when they do.
Heartbleed should teach you to stop assuming security just because someone tells you something is secure.
Assume that everyone is watching and you'll be better for it.
1. The specific versions of OpenSSL which are affected are 1.0.1 through 1.0.1f, if you're wondering.