Snowden and Heartbleed

By now I’m sure you’re all aware of Edward Snowden and his revelations about the NSA, GCHQ (Great Britain’s version of the NSA), and just about every other government’s intelligence gathering organization.

And, I’m sure you’ve all read about HeartBleed – the bug in OpenSSL which effectively broke internet security, everywhere. In fact, it might have broken your phone, too.

In fact, there’s also a rumor that the NSA “used” the HeartBleed bug to extract things like passwords and private keys from servers for years before it was discovered “in the wild”.

But I think Snowden’s revelations and HeartBleed are actually much more broadly connected than the NSA’s alleged use of it (which they of course denied).

And, I believe that the HeartBleed incident is actually far more dangerous than Snowden’s revelations, and, ultimately, what we should really be worrying about.

And, that both issues – the Government’s eavesdropping, and Heartbleed, are our fault.

First the NSA issue. Like most people, I think most of us already assumed that the Government, or the Companies that provide internet services, or irresponsible employees of either of these entities, were probably accessing our data anyway.

While it may not have been something we fretted about on a daily basis, we took common sense precautions, like having good passwords, not sharing passwords between sites, taking care not to email sensitive information like passwords, SSNs, and the like, etc.

And, if we did something illegal, we were probably smart enough not to transmit it via the internet or even the phone.

In this regard, we owe one to the conspiracy theorists for at least making us think about these things.

The sad fact is, most of us weren’t careful enough with our personal information anyway to have the NSA revelations make any difference. For everything you’re probably concerned about the NSA doing – spying on what products you buy, your credit card #s, what you send in emails, what web sites you visit – someone else was probably doing it already.

Think I’m kidding?

  • Reading your Mail. We already know Google scans your mail (Gmail) to give you helpful advertising.
  • Credit Card Numbers. You give your credit card to a stranger, who disappears into a back room with it, every time you charge your dinner in a restaurant.
  • Buying Habits. Let’s just forget Amazon. Use one of those handy Supermarket, Best Buy, or simaler reward cards? What do you think they’re doing with your data?
  • Bank Card Pins? Try buying a metro card in New York.
  • Your Location? Apart from just owning a phone which tracked your location, many Android Users actually paid for an application which tracked their location while pretending to be a flashlight

It goes on and on. No, the NSA isn’t doing anything different the someone else has been doing for years, legally, or illegally.

Of course, the advent of Social Media has only made this worse. Think about it: If the NSA really wanted to know where you’d been do you think they’d start by trawling through petabytes of data to find out? They’d probably start by looking at your Facebook, Instagram, or public Twitter postings, in which you probably blithely reported your location, what you were doing, who you were with, and what you were wearing.

Of course, that doesn’t make it right. Especially when it’s your elected government, and it could possibly be used in ways you don’t expect. Especially if the government, or someone important to the government is unhappy with you.

But does anyone actually expect this to stop? Sure, we can express indignation, demand action from Congress, even pass laws. But, in my opinion, all that means is that we’ll drive their efforts back underground. In the Government their will always be people who view the laws as guidelines, more than actual rules.

Even worse, whatever changes we can institute in our own government, it does nothing to impact what other people, companies, and countries will do illegally.

As a little “P.S.” to the NSA, it doesn’t matter what else we learn from Snowden, or, in fact anything beyond one fact: You Did It. You went as far as you could go, and beyond. You broke the trust of your citizens. You broke the trust of your citizen’s companies. You broke the trust of our allies. Nothing you can do will undo that, and we will always know you will do it.

No, the real problem is us. Beyond the fact that we’ve elected and enabled a Government which does this, the fact is that most of us don’t manage our privacy in a way we’d expect others to respect it.

That – and this is where we get to HeartBleed – is where the real problem is.

We found out last week that even if we did all the right things to protect (most) of our data, the tools we were (implicitly) trusting we horribly, horribly broken.

And that’s our fault, too.

The HeartBleed bug is roughly the equivalent of finding out:

  • Seat belts, if fastened while the back right passenger door open, will spontaneously fly open in the case of an accident
  • Electrical outlets will stand a 10% chance of shooting out bolts of high voltage electricity if you plug something in while standing on one foot.
  • If you take aspirin while drinking milk from a cow with a black spot on it’s forehead, will make you break out in hives for a week.
  • All door locks and alarm systems made in the last two years have a defect such that your house can be easily entered by someone carrying a cat.

So you’re probably saying “Well, those are ridiculous examples! Those things could never happen?”.

Why is that?

Because, all of those things – seat belts, electrical outlets, etc, are surrounded by systems – regulatory, commercial, or social – that makes it very difficult for broken products to survive. We all know what would happen if seat belts started failing that way, or people started to get shocked by their outlets, or people broke out in red spots. There would be outrage. There would be congressional hearings. There would be lawsuits.

And there would even be reform. It might be something as important as UL (Underwriter’s Laboratories), or an “Evil Government Agency” like the NTSB (I don’t think they’re evil), or even a semi-evil organization like the FDA (I don’t think they’re evil either, just a little misguided sometimes).

The point is, we have now learned that the systems – regulatory, social, or commercial – to protect the internet, our use of it, and the safety of our data on it – are non-existent.

OpenSSL, which is the software impacted by HeartBleed, is maintained by a group of less than a dozen individuals who rely on donations (and a few corporate contracts) to maintain a piece of software which is central to our security on the Internet. And, apparently, only one of those volunteers work on the product on a full-time basis – the rest of them have “day jobs” which may not even be security related.

Let’s put this in perspective. The next time you get on an airplane, how you would feel if you learned the airplane’s collision avoidance systems was maintained by 12 volunteers who didn’t get paid, and only worked on the systems part time, because they to support themselves with day jobs as accountants, construction workers, and cooks?

And oh, one more thing. There are no formal test systems for the Collision Avoidance System. The volunteers do an amazing job of reviewing each other’s work, but since they are stretched so thin, they haven’t had the time to produce a rigorous set of tests for the software.

That’s the case with OpenSSL, so Heartbleed is really no surprise to anyone. In fact, I think people in the industry are still in shock as to how bad it is, and not quite sure what do other than patch up the current hole (Thank goodness the folks at OpenBSD have at least started a major clean-up).

But OpenSSL is just part of the problem (oh, by the way, in case you thought HeatBleed impacting your Android phone was bad enough, it’s not just things like sign-ins to your Bank Account that are impacted. It’s every website that uses OpenSSL for security, including, potentially, power plants, hospitals, chemical plants, oil refineries, train control systems).

Let’s say you decide “Ok, I’m now going to be a safe, responsible internet user, and encrypt my sensitive emails”. Assuming you’re a “normal” person, this will prove to be an enormous pain, and you’ll probably end up giving up or doing it wrong.

“But, but”, you say, “how is this my fault?”. Ok, you didn’t do it deliberately. But what we have done is the equivalent of spending the last 10 years riding in cars with unregulated seat belts, 90% reliable electrical sockets, mostly good cow’s milk, and doors for mostly trustworthy dog-lovers. Certainly not a disaster. Yet.

But, we have to understand, as the public, that it’s a problem, and have the will to fix it. Hopefully, it won’t take something like defective ignition switches killing people to get everyone’s attention, but I have my doubts.

Then, we need to find a way treat these things like what they are : Public Utilities, or vital parts of Public Utilities, which require the appropriate level of care and trust.

Let’s be clear here – like, say, the public water utility – just because we choose to protect a given variant of software doesn’t mean you have to use it – just like you don’t have to drink tap water. If you think tap water isn’t protected well enough, or you don’t like it because you don’t like your water company, then you don’t have to use it.

What examples of these sorts of systems exist? Lots of models come to mind.

  • U.S. Government systems, like the NTSB, or FDA
  • Independent systems, like the Underwriters Laboratory
  • International Organizations, like the ACM, IEEE
  • Trusted private organizations, like Consumer Reports
  • Stewardship by private or public organizations, like Google, or Symantec, etc. Note I didn’t use the word “Trusted”
  • Form Private companies which will produce their own versions of SSL which are in turn certified by independent parties and sold, like enterprise software.

Some of these systems are regulatory, some provide objective reviews, and some do actual development. It’s likely that this problem needs some combination of all three.

You’ll notice I didn’t mention “Open Source”. This doesn’t mean that I don’t think these components shouldn’t be Open Source – they have to be to be trusted – it means that we can no longer rely on the current system of “Let’s hope we get enough donations to maintain this well”.

Some Open Source products are amazingly well funded and maintained, and some, like OpenSSL, are starved for resources and funding. So, I think the “Open Source” system is a part of the solution, but clearly not all of it.

So what do we do now?

If you’re an ordinary citizen, you can:

  • Make sure you are treating yours and your family’s information responsibly. Remember, for all intents and purposes, once you put information on social media, it’s out of your control and it’s forever. That should be enough to give anyone pause.
  • Use safe password practices. Consider using a tool like 1Password to generate and store good passwords. (By the way, Agile Bits, the people who make 1Password, have an amazing blog which talks about HeartBleed and you).
  • Do you best to understand other security issues like “SSL” and “Encryption”. You don’t need to be an expert, but, like your car, even knowing a little bit more is helpful
  • Support political candidates that take your rights to privacy seriously. Resist the urge to get partisan about this – both parties have been violating those rights, both have continued to violate them, and both will continue to, if given the chance.
  • See below. Maybe you can do more!

If you work in Technology, or are even more interested, there’s lots more that you can do!

  • Understand the efforts of the OpenSSL group, and, where possible, how you might be able to help. For example, I’ve noticed there been a hue and cry over the lack of automated tests for SSL, but no one has stepped up even offer to define them, much less build them.
  • Understand the efforts of the OpenBSD Group, which, as previously mentioned, is trying to improve the OpenSSL situation. The OpenBSD group has an excellent track record for security, and are generally highly regarded.
  • Donate money to wherever you feel it will work best: The OpenSSL Group, The OpenBSD Group, etc. If you really want to impact personal security in a broad way you can do what the guy who found the HeartBleed bug did – donate to the Freedom of the Press Foundation (follow the link to see why this makes sense).
  • If you’re a real geek, consider contributing to any one of these projects – OpenSSL, OpenBSD, or one of the Freedom of the Press Projects. But if you do so, understand what’s needed – in my view, OpenSSL needs a lot of good old grunt-work – not super cool groundbreaking stuff, but good old things like…test cases.

Finally, if you’re good at organizing, help think about what I wrote above about systemic improvements. I will be. Maybe I’ll even try and do something.


I can’t believe I have to post this, but what not to do about HeartBleed.

Also Android phones may not be susceptible to HeartBleed, but it’s very hard to tell.

  1. #1 by jonathan on 2014.04.15 - 2:58 pm

    I LOVE 1Password, I couldn’t live without it!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: