The big tech news story of the last two days has been the Heartbleed security flaw, which might have compromised users’ passwords and other details.
Given the nature of the bug, where a server can be tricked into giving away bits of what’s stored in its memory, it’s hard to say exactly what has been compromised – on most sites you’d be very unlucky to have your password or banking details in the system at the precise millisecond a malicious attacker exploited the bug – but the risks are still real.
While webmasters and system admins around the world are frantically patching their systems, the best advice for the average user is to wait before changing your passwords: if the bad guys already have your details they’d probably have used them by now, and changing your logins on a vulnerable server might actually increase the risk of crooks stealing your information.
The Internet of Things
The longer-term risks with Heartbleed are actually in embedded systems and the Internet of Things; many systems will have hard-coded implementations of the buggy software which may never be patched, and these devices may give up much richer data than a web server would.
It’s another illustration of how difficult it is to keep embedded technologies up to date and to secure the Internet of Things.
Open source blues
While there’s no shortage of similar security lapses in commercial software, the Heartbleed saga is going to concentrate the minds of the open source community on how to tighten peer review and audit version updates.
Most open source projects are staffed by small groups of time-poor volunteers, making auditing and quality control harder. That key parts of the internet and computer industries rely on these underfunded and often unappreciated groups is a weakness for the entire sector.
No technological change is simple or without problems, and securing information is one of the great challenges of today’s tech revolution. Heartbleed is a strong reminder of that; hopefully we’ll learn some lessons about building robust systems.