Sample the reactions to news that a nefariously named creation called the Heartbleed bug has been set loose on the Web and one could be forgiven for momentarily assuming that the Internet is over.
Not so fast, say those who ponder the evolution of technology.
Yes, Heartbleed has brought home the point that interconnectivity puts us in proximity to brilliant minds and evil-doers alike. Yes, the fact that our Web passwords are vulnerable to thieves in this age of cloud computing is unsettling in the extreme -- particularly just as we absorb the reality that formidable powers of spying unleashed from Washington to Beijing may be vacuuming up our digital secrets. Yet we are already so reliant on the Web, its consequences so deeply insinuated in modern commerce and social interaction, that its reach is all but irreversible.
“People will not give up the Internet,” said technology forecaster Paul Saffo. “That would be like giving up automobiles and public transportation. ... Unless there is a dramatic, hair-on-fire freak-out break-in that’s somehow tied to MH370’s crash in the Indian Ocean, it’s just too hard a story for people to get their heads around.”
The complexity of the bug in the encryption software known as OpenSSL is well beyond the contemplation of non-geeks. Even the fixes for the Heartbleed crisis are difficult to grasp. Individual users can do little to protect themselves besides change their current passwords to more difficult ones. And even then, as Jen Weedon, a threat intelligence analyst at the security company FireEye, pointed out, “the average user is dependent on the owner of [a given] website” to apply a patch that protects the site against the bug and, if necessary, reissue its digital certificate -- essentially an online ID card that proves a website's legitimacy.
Perhaps most alarming, no one has any way of telling if an attack has already taken place. It's as if the online realm has been besieged by malevolent zombies who look just like everyone else.
If history has taught us anything, it's that some companies confronted with bad news about their operations -- safety defects, security vulnerabilities -- will opt not to share it with the public.
“If GM can spend the better part of a decade covering up a faulty ignition switch that killed people, and that was a physical object,” then it’s likely “that lots of companies are hiding the fact that they had break-ins,” Saffo said.
Weedon expressed assurance that plenty of companies are finding themselves more vulnerable to security breaches than they are letting on.
“We respond ourselves to hundreds of threats,” she said. “Law enforcement and other security companies are constantly giving notification to companies that they have been breached. It happens frequently, and the responses can range from ‘Oh my gosh, let me look into this’ to putting their head in the sand.”
As word of Heartbleed has spread, some have speculated that the National Security Agency was well positioned to take advantage of the breach.
“To exploit [Heartbleed] on a massive scale, you’d need a lot of data storage and a lot of computing power,” said Rusty Foster, a programmer and journalist.
Heartbleed leaked data in such a way that anyone trying to access it essentially would have had to take what they could get. Foster said “it would take a long time and a lot of effort” to identify and analyze data leaked from the Heartbleed bug.
Weedon is not convinced that only a large-scale intelligence agency could have taken advantage of the vulnerability. Nor does she believe the threat has been significantly reduced now that it has been identified.
“It sounds like the vulnerability would allow anyone to eavesdrop on the data,” Weedon said. “If they are resourced properly and they have the tenacity, a dedicated attacker will be able to overcome any obstacles. It wouldn’t be surprising to me if more sophisticated adversaries were exploiting this vulnerability for a long time.”
Still, at least for now, our reliance on the Internet blinds us to the threat of these adversaries. We’d rather open the door to an intruder than lock ourselves out of the digital world.
“Good security practices get in the way of our click-and-go culture,” Saffo said. “The biggest risk to the consumer is the consumer himself.”