The so-called "heartbleed bug" is apparently worse than an epidemic. It isn't just going around, everyone's already got it. The tiny yet massive flaw is in the popular security library OpenSSL. This is apparently a week for irony.
OpenSSL is used by a vast array of Linux-based servers and other devices (routers, switches, firewalls, VPNs, even phones) to make the infrastructure we use every day more secure, by giant everyday companies like Yahoo and such. It's a library that handles the nuts and bolts of encrypting and decrypting stuff. But it's not the encryption that was broken. Nor is it bad guys social engineering their way through gullible call center employees, or hacking into point-of-sale machines to collect credit card info. And it's not silly users opening obviously malicious attachments to zombify their computers.
Apparently, by tickling it the right way, evildoers sitting anywhere on the internet can get unpatched OpenSSL/TLS implementations anywhere else on the internet to hand back actual blocks of the system's memory buffers. Blocks of memory that include stuff like usernames, passwords and even private cryptographic keys -- all sorts of scary information. Seriously?
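As an added illustration (not OpenSSL's code and not part of the original post), here is the shape of the flaw in C: a heartbeat-style echo handler that trusts the peer's claimed payload length, next to one that checks it against how many bytes actually arrived. The memory layout, the request bytes and the secret string are constructed for the demo.

```c
#include <string.h>
/* Constructed stand-in for a server's memory: a heartbeat request at the start,
 * followed immediately by a made-up secret. None of this is OpenSSL code. */
#define MEM_SIZE 64
#define HB_HDR 3   /* 1 byte type + 2 bytes big-endian claimed payload length */
static const char SECRET[] = "SECRET-KEY-BYTES";

static void build_memory(unsigned char *mem)
{
    /* Request: type 1, claimed length 0x0020 = 32, but only 2 payload bytes ("hi"). */
    static const unsigned char req[] = { 0x01, 0x00, 0x20, 'h', 'i' };
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, req, sizeof req);
    memcpy(mem + sizeof req, SECRET, sizeof SECRET);   /* secret starts at offset 5 */
}

/* Vulnerable shape: echoes the length the peer claims, never comparing it with
 * how many bytes actually arrived (record_len). */
static int heartbeat_reply_unchecked(const unsigned char *rec, size_t record_len,
                                     unsigned char *out, size_t out_cap)
{
    (void)record_len;                                   /* the bug: never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);                 /* runs past the request */
    return (int)claimed;
}

/* Hardened shape: the claimed length must fit inside the record that arrived. */
static int heartbeat_reply_checked(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    if (record_len < HB_HDR) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > record_len - HB_HDR || claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return (int)claimed;
}

/* Runs the 5-byte request through one handler; returns bytes echoed (-1 = rejected)
 * and sets *leaked to 1 if the reply contains the secret (it lands at out + 2). */
int run_demo(int use_check, int *leaked)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem);
    int n = use_check ? heartbeat_reply_checked(mem, 5, out, sizeof out)
                      : heartbeat_reply_unchecked(mem, 5, out, sizeof out);
    *leaked = n >= (int)sizeof SECRET + 1 && memcmp(out + 2, SECRET, sizeof SECRET - 1) == 0;
    return n;
}
```

The unchecked handler echoes 32 bytes for a 5-byte request and the constructed secret comes back with them; the checked handler rejects the same request outright.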
In other words, you know all those people who diligently kept their servers' OpenSSL up to date to keep up with the latest in security and defend their data against the world's hackers? Well, every single one of them (possibly including the author of this blog) has apparently been unknowingly wearing a backless hospital gown and no underwear for security for as many as two years. And we have no idea if anyone took any pictures.
So in April 2014, we learned that security actually made us less secure. Making up for that hit to the technological psyche may be harder than fixing the bug. That and having to look at this tacky 'heartbleed' image (left) for the next month.
After I finish changing the 9,235 usernames and passwords I have accumulated after two and a half decades on the internet (ok maybe I exaggerated that by a few dozen), I think I'm going to go buy a strongbox, fill it with gold coins, bury it in the backyard, and draw a treasure map.