Media's Heartbleed hysteria will only make the problem worse

Mark Leiser: I am a PhD Candidate in Cyber Law at the University of Strathclyde in Glasgow. I have written submissions for the Leveson Inquiry into the culture and ethics of the media and for the Scottish Parliament on the use of social media during trials. My PhD is supervised by Professor Andrew Murray at the London School of Economics and focuses on the effectiveness of cyber-regulation. My research and interests revolve around main areas of Internet law and policy including internet governance & regulation, democracy, social media, privacy, and intellectual property. My PhD research focuses on developing a system of modelling to measure the effectiveness and legitimacy of Internet Regulation. I write in a personal capacity.

Everyone take time off work! All of your data is vulnerable! Call in sick and change your passwords! You know it's serious when the Heartbleed web bug is the lead story on the Lorraine show this morning. Not to have a go at our lovely Lorraine, but it is indicative of how little the media understands about how technology works. Interestingly, Google's own security blog doesn't advise people to change their passwords; rather, the word comes from unnamed "security experts". I wonder if it is the same company that claimed last year that a DDoS attack "nearly broke the Internet".

The Heartbleed logo [Pic credit: Codenomicon]

For those who have somehow managed to avoid the Heartbleed coverage so far, here's a quick recap: it has been discovered that websites worldwide using the SSL service are vulnerable to hackers accessing the part of your computer that stores your information. It doesn't leave any trace or damage your computer in any way and theoretically your personal data could have been stolen at any point during the past two years.

Of course, changing passwords is one part of the solution, but it is only a worthwhile step after the web companies using SSL have fixed the vulnerability on their websites. Otherwise, one is changing the password while the site is still vulnerable. Kind of defeats the purpose, doesn't it? And with an ignorant media all over this story like white on rice, no doubt there will now be hackers trying to exploit this vulnerability. It beggars belief. It is like discovering that someone stole the master key to a safe and making everyone change their access codes, but not calling a locksmith to actually change the locks in the first instance. Now we have a massive hole in network security and a complicit media screaming, "there is a hole, come hack it!"

Furthermore, Heartbleed is only causing problems for one specific version of Android. The Google Online Security Blog unequivocally stated that "all versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1)". (For clarity, CVE-2014-0160 is Heartbleed.)

What's worse is that people may feel more secure having done a password update. There might be the unfortunate situation where someone changes all of their passwords before the OpenSSL vulnerability is fixed and then ignores warnings to update, because they have already done so. Now it is true that the manner in which this has happened is a successful example of what people call "responsible disclosure". Instead of disclosing the vulnerability to the public right away, the people notified of the problem tracked down the appropriate stakeholders and gave them a chance to fix the vulnerability before it went public. This model helps keep the Internet safe. But can the media be sure that every website everywhere running OpenSSL was able to fix the vulnerability?
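The ordering argument made above (change the password only after the site is patched, and a password changed before the fix does not count) can be written down as a small decision rule. The following is an added example, not code from the original column or from any vendor; the site names and timestamps are constructed sample data, and the idea of tracking a "patched at" time per site is an assumption of this example rather than anything the column specifies.

```python
"""Decide, per site, whether a password change is worth doing yet.

Added example, not from the original article. The rule it encodes is the one
the column argues for: a password changed while a site was still running a
vulnerable OpenSSL build may itself have been exposed, so it only counts once
it was changed AFTER the site was patched. Site names and timestamps below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

WAIT = "wait"      # site not yet patched; changing now is premature
CHANGE = "change"  # site patched, password predates the fix: change it now
DONE = "done"      # password changed after the fix; nothing left to do


@dataclass(frozen=True)
class SiteStatus:
    name: str
    patched_at: Optional[datetime]           # None = no fix announced yet
    password_changed_at: Optional[datetime]  # None = not changed since disclosure


def rotation_action(site: SiteStatus) -> str:
    """Return WAIT, CHANGE or DONE for one site."""
    if site.patched_at is None:
        # Changing a password on an unpatched server only hands a fresh secret
        # over the same leaky channel. Wait for the vendor's fix notice.
        return WAIT
    if site.password_changed_at is None or site.password_changed_at <= site.patched_at:
        # Never changed, or changed while the server was still vulnerable
        # (the "false sense of security" case the column describes).
        return CHANGE
    return DONE


def plan_rotation(sites) -> dict:
    """Group a list of SiteStatus objects into the three buckets, preserving order."""
    plan = {WAIT: [], CHANGE: [], DONE: []}
    for site in sites:
        plan[rotation_action(site)].append(site.name)
    return plan


def _utc(y, m, d, hh=0):
    return datetime(y, m, d, hh, tzinfo=timezone.utc)


# Constructed sample data (hypothetical sites, April 2014 timestamps).
SAMPLE_SITES = [
    # Fixed on the 8th; password changed on the 7th, before the fix -> CHANGE
    SiteStatus("example-mail", _utc(2014, 4, 8, 9), _utc(2014, 4, 7, 20)),
    # Fixed on the 8th; password changed on the 9th, after the fix -> DONE
    SiteStatus("example-bank", _utc(2014, 4, 8, 9), _utc(2014, 4, 9, 8)),
    # No fix announced yet -> WAIT
    SiteStatus("example-shop", None, None),
    # Fixed, password never changed -> CHANGE
    SiteStatus("example-social", _utc(2014, 4, 8, 12), None),
]

if __name__ == "__main__":
    for bucket, names in plan_rotation(SAMPLE_SITES).items():
        print(f"{bucket:7s} {', '.join(names) or '-'}")
```

The comparison uses `<=` deliberately: a password changed in the same instant the fix went live is treated as not yet safe, because the server could still have been leaking memory up to that moment.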

What then should a poor boy do? Wait until the web company has announced that it has fixed its own site and the OpenSSL vulnerability. Then change your password. Don't take time off work. I don't know if I would go as far as to say ignore the advice, but the onus is on Google, Facebook, the banks, and the credit card companies to keep your data safe. One must ask: if this was such a problem, why haven't all of these technology companies simply forced everyone to reset their passwords first? Tech company Evernote chose to do this last year when it discovered a vulnerability. Not doing so, and instead leaving the user to update, puts the onus on you and me rather than on the technology company that integrated OpenSSL into its own product.

Secondly, why are our technology companies so dependent on OpenSSL that this type of vulnerability is allowed to occur in the first place? Talk about the centralisation of power in only a handful of places in the online environment. One cloud; one search engine; one social media company; and one Twitter. Everything else pales in comparison. So let's get this straight: the enduring promise of the network has always been that it is a grassroots, decentralised and empowering force, but it can now break because of one measly line of code? We have bigger issues here.

Last year, the Guardian bought into the claim by a security company that a DDoS attack was capable of "nearly breaking the internet". The doomsday prediction made headlines all over the country, although it was about as likely as Nicole Scherzinger calling me up and asking for a date. Let's slow down. Let the pros fix THEIR problem and leave the doomsday predictions to the Daily Mail.
