Heartbleed: the name and the story could easily be mistaken for a new James Bond movie, such is the level of intrigue and mystery associated with what is, after all, the greatest internet security breach of all time.
If Heartbleed has become the master criminal intent on world domination, its origins are suitably humble. A simple programming error made by a German software developer over two years ago, whilst submitting bug fixes and new features for an update to the popular OpenSSL software, was not spotted by co-workers, and before they had realised their mistake, Heartbleed was making a run for it.
They say the best trick the Devil ever pulled was convincing everyone that he didn’t exist, and perhaps the intention with Heartbleed was similar. Its incubation period has been slow, but painstaking; it takes even the finest hacker considerable time to hunt the bug down, and then to perfect the code, and create the maximum possible damage.
Criminal minds and willing conspirators have a habit of finding one another, and what could have been a harmless coding misstep became something altogether more sinister, as hackers began to see an opportunity to strike at the heart of the internet’s security framework, extracting the crown jewel of secure websites.
Just one small line of code, but its value cannot be overestimated; hacking a site's encryption key is like stealing the keys to someone's house, where all their valuables are kept. Passwords, banking details and personal information are all at risk, but unlike everyday burglary, this crime is undetectable.
A site has no way of knowing whether it has been hacked, and once the hacking programmes are automated and unleashed, any website using the OpenSSL code becomes a potential target. As W. B. Yeats would have put it, "Things fall apart; the centre cannot hold; mere anarchy is loosed upon the world".
But let’s just stop there and pause for breath. Because as potential world crises go, the Heartbleed saga feels a lot more Roger Moore than Daniel Craig.
As serious an issue as Heartbleed undoubtedly is, a quick risk assessment reveals that solving this particular riddle is a task perhaps more suited to an amiable, wisecracking aesthete with a penchant for martinis and blondes than to an earnest, do-gooding, doom-mongering Commander.
Why? Let's look at the facts: yes, professionals have demonstrated that Heartbleed can be used to quickly extract encrypted data; a competition begun by CloudFlare Inc. on April 11th, in response to a claim made on its own blog that this task would be "very hard or impossible", resulted in 6 people completing the task less than 3 days later.
Yes, millions of smartphones could be affected, and yes, the bug could mutate, adapt and renew its efforts, becoming an ever more serious threat.
But look, the most recent estimate, after the initial hysteria, reveals that just half a million websites are affected by Heartbleed, not least because the software error only affects versions of OpenSSL released after the error was made. Ok, that was 2 years ago, but if your OpenSSL is over 2 years old, there's no need to panic, and most are. Still more sites do not use OpenSSL at all.
Is Google struggling to cope? No, it has plugged all the gaps. Facebook? Likewise. Yahoo had some issues but believes it has now eliminated the threat. And who has the same password for their Facebook, Gmail, Bank account, Credit Card, Secret Encounters dating, and personal health records anyway?
Roger Moore always wore the smug look of a man who knew that, however impossible the situation appeared, even when strapped to a spinning wheel, with knives whistling past his ears, seconds before the hidden bomb was due to blow, thrashing sharks snapping at his finely coiffed hair as he spins and spins, the trump card remains nestled in his top pocket, under the neatly folded pocket handkerchief.
Just like Bond, the internet will never let us down, because, just like Bond, it was never really looking after our interests anyway. Anyone who believes for a second that the internet is a safe and harmless place, a place where you can act with impunity, is kidding themselves. The internet can be dangerous because people can be dangerous. There, I’ve said it.
Just like all the great action movies, no story is complete without a good old fashioned conspiracy theory. The NSA allegedly knew about Heartbleed for 2 years before they decided to bring it to the general public’s attention. Now why would they do a thing like that? And who else knew?
Perhaps Heartbleed is the internet's way of politely telling small-to-medium-sized enterprises to spend more money on beleaguered security firms. The web community is, after all, just that: a community that tries to look after its own, to help out the less fortunate: the circle of life, for squares.
Of course hacking and security breaches are taken seriously, as they should be. But to paraphrase a famous business maxim: if it sounds too bad to be true, it probably is.