2014-04-18

By Stuart Thomson

Early in the afternoon of April 7, a website called Heartbleed.com went live, warning the public of a devastating new security bug that affected two-thirds of the Internet’s servers. Most of the world’s tech companies found out about it that day, along with everyone else, and raced to check their systems and fix the problem.

In Ottawa, e-commerce company Shopify scrambled its network security team and had a patch ready for its core servers by 7 p.m. and one for the secondary servers by midnight. The team worked all night and, by the next day, had reissued all keys and certificates, the cryptographic credentials that keep the connection to a site encrypted.

A few days later, the company posted on its blog that it had patched the problem before companies like Yahoo and Google and that, as far as they knew, no sensitive data had been compromised.

The general public seemed to have shrugged off the matter, too.

“Despite public awareness of Heartbleed, we did not notice an overall reduction in e-commerce sales and activity in the more than 95,000 sites that use Shopify. Our data indicates that while consumers are aware of Heartbleed, they are happy and willing to continue to shop online,” said Craig Miller, vice president of growth at Shopify.

A breach at the Canadian Revenue Agency saw 900 social insurance numbers go missing, but with most of the Internet compromised it seems like the damage has been minimal.

Internet users are constantly told to change their passwords, to think up better passwords, not to use the same password twice and, above all, not to give their passwords to anyone. But in those few hours after the bug became public and before those patches had rolled out, we were all sitting ducks. There was absolutely nothing a person could do to keep their data safe, besides removing themselves from the grid and shacking up in the woods somewhere.

***

The Heartbleed security bug was almost laughably simple. When two computers hold a secure connection open, they exchange a small “heartbeat” message during idle moments to keep it alive. The computer sends the server a codeword along with a number saying how many characters long it is, and the server responds by repeating the codeword back.

The bug was that the server never checked whether that number was true. If a sender said the codeword was 100 characters long when it was actually only five, the server would respond with the five-character codeword followed by 95 more characters of whatever happened to be stored in its memory right after it. Whatever the computer was thinking about at that moment, it would just blurt it out.

It’s like plying a chatty friend with peach schnapps and then asking him for whatever secret is on his mind at the time. It might be nothing, but it also might be the juiciest piece of gossip you’ve ever heard.

Programmers also realized that someone could make the same request over and over again and then sort through the returned information, looking for patterns. Those patterns could be credit card numbers or social insurance numbers. Scariest of all, the leaked memory could contain the server’s private encryption key, which could be used to unlock just about anything the server protects.
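To make the mechanism concrete, here is a small C model added for this page. It is not OpenSSL's code and not from the article: it lays out a heartbeat record (type byte, two-byte length, payload, padding) in a constructed block of "server memory" with some made-up secrets placed right after the record, then processes it once with a handler that trusts the length field and once with a handler that applies the kind of bounds check the fix introduced. The same comparison is also the rule a defender would use to spot a malformed heartbeat request: the claimed payload length exceeding the record actually received.

```c
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record layout: one type byte, a two-byte
 * big-endian payload length, the payload, then at least 16 bytes of padding
 * (random in the real protocol; zero here for simplicity). */
#define HB_REQUEST 1
#define HB_PADDING 16
#define ARENA_SIZE 256

/* Constructed "process memory": the record sits at the front, and the bytes
 * after it stand in for whatever else the server happened to be holding. */
static unsigned char arena[ARENA_SIZE];

/* Place a heartbeat record in the arena. claimed_len is the number written
 * into the length field; payload is the codeword actually present. The
 * adjacent_secret string is copied just past the record. Returns the true
 * record length. */
static size_t build_record(size_t claimed_len, const char *payload, const char *adjacent_secret) {
    size_t payload_len = strlen(payload);
    size_t record_len = 1 + 2 + payload_len + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, payload_len);
    memcpy(arena + record_len, adjacent_secret, strlen(adjacent_secret));
    return record_len;
}

/* Vulnerable handler: copies as many bytes as the length field claims and
 * never looks at how long the record really is. Returns bytes written to out.
 * (The arena bound check only keeps this demo inside its own buffer.) */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len, unsigned char *out) {
    (void)record_len;                                  /* ignored: this is the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed > ARENA_SIZE) return -1;           /* demo-only guard */
    memcpy(out, rec + 3, claimed);                     /* reads past the codeword */
    return (int)claimed;
}

/* Hardened handler: header plus claimed payload plus minimum padding must fit
 * inside the record that actually arrived; otherwise the request is dropped
 * (returns 0), which is the spirit of the OpenSSL 1.0.1g check. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len, unsigned char *out) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;     /* too short to be valid */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > record_len) return 0;  /* length lies */
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Byte search that does not stop at NUL, since leaked memory is not a string. */
static int contains_bytes(const unsigned char *buf, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return 1;
    return 0;
}

static const char *CODEWORD = "hello";                       /* 5 characters */
static const char *SECRET = "CARD=4111-1111-1111-1111 KEY=constructed";  /* made-up neighbour data */

/* Article scenario: five-character codeword, claimed length 100. Returns how
 * many bytes beyond the codeword the vulnerable handler echoed back (95). */
static int leaked_bytes_vulnerable(void) {
    unsigned char reply[ARENA_SIZE];
    size_t record_len = build_record(100, CODEWORD, SECRET);
    int n = heartbeat_vulnerable(arena, record_len, reply);
    return n < 0 ? -1 : n - (int)strlen(CODEWORD);
}

/* 1 if the vulnerable reply carries the neighbouring secret, else 0. */
static int vulnerable_reply_contains_secret(void) {
    unsigned char reply[ARENA_SIZE];
    size_t record_len = build_record(100, CODEWORD, SECRET);
    int n = heartbeat_vulnerable(arena, record_len, reply);
    return n > 0 && contains_bytes(reply, (size_t)n, "CARD=");
}

/* Reply length from the hardened handler for a given claimed length:
 * 0 when the claim does not fit the record, the codeword length when it does. */
static int fixed_reply_len(size_t claimed_len) {
    unsigned char reply[ARENA_SIZE];
    size_t record_len = build_record(claimed_len, CODEWORD, SECRET);
    return heartbeat_fixed(arena, record_len, reply);
}

int main(void) {
    printf("vulnerable: %d extra bytes, secret leaked=%d\n",
           leaked_bytes_vulnerable(), vulnerable_reply_contains_secret());
    printf("fixed: lying request -> %d bytes, honest request -> %d bytes\n",
           fixed_reply_len(100), fixed_reply_len(5));
    return 0;
}
```

The honest request (claimed length equal to the real codeword) passes the hardened check unchanged, so the fix costs nothing for well-formed traffic; only a request whose length field cannot fit inside the record it arrived in is discarded.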

Illustration of the Heartbleed bug that affected internet technology and security around the world. (File photo)

On March 21, a programmer at Google discovered the bug and worked quietly with the OpenSSL team, the people who wrote the encryption software, to fix it. Then they sounded the alarms on April 7, encouraging companies like Shopify to patch their own software before the thieves got there first.

The bug had been in the code for two years and nobody can know for sure if it had been exploited in that time.

OpenSSL is open-source software — meaning it’s free for everyone to view and use — and it’s used in about two-thirds of the servers currently propping up the Internet. The team subsists on donations.

So that’s how it is: In the accelerating world of technology, where billions of dollars roll in every year, the main security software has one guy on the payroll, supported by a bunch of volunteers. Developers say open source software is subject to far more code reviews and can be patched a lot quicker than proprietary software but they also bemoan the lack of resources at projects like OpenSSL.

***

The smartphone was created in 2002 when Research in Motion added phone capabilities to a personal digital assistant and shipped it out to stores with the name BlackBerry stamped on the box. It was a landmark moment for technology, although we didn’t know it at the time.

A study published in the MIT Technology Review in 2012 showed how different technologies have gone from traction to maturation to saturation. To gain traction a technology needs 10 per cent market share, maturation is 40 per cent and saturation is 75 per cent.

According to the study, the march of technology has turned into a full-fledged sprint.

It took 25 years — from the day in 1876 when Alexander Graham Bell phoned his assistant to say “Mr. Watson, come here, I want to see you” — for the telephone to gain traction. Maturation took 40 more years and saturation took a further 17.

Smartphones only took seven years to gain traction and a few more years to pass 40 per cent market share. One study predicts that saturation will happen next year.

With the rate of new technology accelerating, we’ve hardly had a moment to think about all this. There is no off button and it’s nearly impossible to opt out.

The Canadian Revenue Agency has your social insurance number, Amazon has your credit card and dozens of other sites have your passwords. If you use one password for several sites, and it gets breached, incredible damage could be done in a matter of hours.

These days, an identity is an easy thing to lose.

***

In the wake of the Heartbleed bug, there was a similar scramble at a company called LastPass, the maker of password manager software by the same name. Developers rushed to check the company’s infrastructure and make sure it was safe. As at Shopify, the bug had no direct impact, but they still went to work reissuing keys and certificates and verifying their data was safe.

“Once we shut down any kind of (potential) vulnerability around the Heartbleed bug on our end we immediately went to work and, if you saw us, it doesn’t look like anyone slept in a week,” said Erin Styles, vice president of marketing for LastPass.

They built a web page that checks other sites for vulnerabilities and added a service to LastPass that scans all stored websites to see if they are affected.

Since then, the company has seen a 10-fold increase in new registrations. The software allows a user to store passwords safely in a “vault” and change them by clicking a button. Passwords can be automatically generated, so the user may not even know the password. Most importantly, it allows a person to have a unique password for each site, meaning one breach doesn’t automatically lead to several more.

This may be the world we live in now. Companies like Shopify and LastPass can’t afford to be lax about security because they would lose all their business if they did.

The situation isn’t so different for the average Internet user.

Checking credit card statements, staying abreast of the various threats and changing passwords every few months may just be a part of our lives now.

The Internet has brought about remarkable convenience: We can pay bills with the click of a button, order products delivered straight to our door, and file taxes without picking up a pencil and a calculator.

All these things don’t come for free, though. The price of convenience might just be eternal vigilance.

It’s natural to see the progress of technology as a steady climb toward newer and better things, but each summit brings new risks and technology has a way of getting away from us. One year after he successfully detonated the first atomic test bomb, Robert Oppenheimer delivered a letter to the U.S. Secretary of War demanding they be banned. The letter, not surprisingly, didn’t have much of an effect.

The stakes might not be so high for us right now, but in return for technology’s incredible convenience and the near eradication of boredom, we might be giving up a bit of ourselves in return.

There are many different ways to lose our identity.

Stuart Thomson is a web producer at the Edmonton Journal and creator of the blog ‘Caught in the Web.’
