US Government Is Paying To Undermine Internet Security, Not To Fix It
from the bleeding-heart-security dept
The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.
The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.
In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. "There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," says Steve Marquess, who raises money for the project.
Is it any wonder that this Heartbleed bug slipped through the cracks?
Dan Kaminsky, a security researcher who saved the Internet from a similarly fundamental flaw back in 2008, says that Heartbleed shows that it's time to get "serious about figuring out what software has become Critical Infrastructure to the global economy, and dedicating genuine resources to supporting that code."
The Obama Administration has said it is doing just that with its national cybersecurity initiative, which establishes guidelines for strengthening the defense of our technological infrastructure — but it does not provide funding for the implementation of those guidelines.
Instead, the National Security Agency, which has responsibility to protect U.S. infrastructure, has worked to weaken encryption standards. And so private websites — such as Facebook and Google, which were affected by Heartbleed — often use open-source tools such as OpenSSL, where the code is publicly available and can be verified to be free of NSA backdoors.
The federal government spent at least $65 billion between 2006 and 2012 to secure its own networks, according to a February report from the Senate Homeland Security and Government Affairs Committee. And many critical parts of the private sector — such as nuclear reactors and banking — follow sector-specific cybersecurity regulations.
But private industry has also failed to fund its critical tools. As cryptographer Matthew Green says, "Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job."
In the meantime, the rest of us are left with the unfortunate job of changing all our passwords, which may have been stolen from websites that were using the broken encryption standard. It's unclear whether the bug was exploited by criminals or intelligence agencies. (The NSA says it didn't know about it.)
It's worth noting, however, that the risk of your passwords being stolen is still lower than the risk of your passwords being hacked from a website that failed to protect them properly. Criminals have so many ways to obtain your information these days — by sending you a fake email from your bank or hacking into a retailer's unguarded database — that it's unclear how many would have gone through the trouble of exploiting this encryption flaw.
The problem is that if your passwords were hacked by the Heartbleed bug, the hack would leave no trace. And so, unfortunately, it's still a good idea to assume that your passwords might have been stolen.
So, you need to change them. If you're like me, you have way too many passwords. So I suggest starting with the most important ones — your email passwords. Anyone who gains control of your email can click "forgot password" on your other accounts and get a new password emailed to them. As a result, email passwords are the key to the rest of your accounts. After email, I'd suggest changing banking and social media account passwords.
But before you change your passwords, you need to check whether the website has been patched. You can test whether a site has been patched by typing the URL here. (Look for the green highlighted "Now Safe" result.)
If the site has been patched, then change your password. If the site has not been patched, wait until it has been patched before you change your password.
A reminder about how to make passwords: Forget all the password advice you've been given about using symbols and not writing down your passwords. There are only two things that matter: Don't reuse passwords across websites and the longer the password, the better.
I suggest using password management software, such as 1Password or LastPass, to generate the vast majority of your passwords. And for email, banking and the password to your password manager, I suggest Diceware, a method of picking random words from a dictionary. If that seems too hard, just make your password super long — at least 30 or 40 characters long, if possible.
Republished from ProPublica
Filed Under: heartbleed, nsa, open source, security, surveillance
Reader Comments
Blame those who "exploit" the bug. Not those who don't donate the $2000 (total yearly) for the tech they use. They did nothing wrong.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I was being snarky....just finished reading that Canadian Kid story and was pissed
If security is the NSA's job then they are to blame.
The companies that use openssl and didn't support it are also at fault.
The PR and "viral marketing" say otherwise. That Canadian kid is to blame. It was a bug that they could do nothing about. Remember that Canadian kid? Yeah, that evil kid is to blame. This [insert corp here] did nothing wrong.
There are way too many idiots who fall for "viral marketing" spin and PR. They can't blame the coders though. They won't. It exposes how awful they were by not funding the coders. ($2000 per year) what?
These types of stories come up from time to time. (A voice using facts against a PR campaign.) I regret that the writer is pissing in the wind. It literally is sad. All the blame will go to everyone except those who should be blamed. PR will make it happen and idiots will lap it up.
TL;DR
There is "at fault" here. PR is misdirecting it.
[ link to this | view in chronology ]
Response to: Anonymous Coward on Apr 18th, 2014 @ 10:06am
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
password length
A randomly generated password of 12 characters, using a good sized character set significantly larger than the set of alphanumeric characters, is fairly safe. This works well if you use a password manager and don't have to type, much less memorize, such a password. Passwords that don't require a lot of effort to memorize contain less entropy, so they need to be longer to be secure. I suggest 20 characters as a minimum. I used to use book titles along with a random 4 digit number. No longer is that safe. Now, for my 94 passwords, I use random sentence fragments from books along with numbers (I won't disclose any more, security through obscurity does have limited value). I keep all my passwords in an encrypted file. I find I can remember passwords that I use at least once a week. I don't need mobile access so I have not utilized a password manager. My solution is not the only good one and I do test it with a password cracker.
[ link to this | view in chronology ]
Re: password length
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
The current state of password cracking allows secure use of passphrases though. A coarse attack against a passphrase using a dictionary of 20,000 words requires an effort of 20,000 ^ N, where N is the number of words. If N is 2 that effort is 400,000,000 (actually 200 million on average). This is still not secure. 3 words requires an average effort of 4 trillion guesses. This is still not secure, particularly if the words are not random but a sentence fragment. The security can be increased with mangling but it is better to choose a basic length without considering mangling. 5 random words requires an average effort of 1.6 x 10 ^ 21. This is very roughly equivalent to a binary key of length 70 (70 bits of entropy) and with mangling can approach a password that, depending on the hashing algorithm employed, even the NSA will, currently, have a hard time cracking in a reasonable time. If one uses a larger dictionary, say 1 million words including all sorts of technical words, a random 3 word passphrase requires an effort of, roughly, 10 ^ 18 guesses.
Finally, if a nonrandom, grammatical phrase is used, it should not be well known (e.g. book title, song title, lyric, famous quote, or a spelled out TLA).
[ link to this | view in chronology ]
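An added example, not part of the article or of any commenter's post: it works through the passphrase arithmetic from the comment above and the article's Diceware suggestion, comparing word-based and character-based secrets and generating a passphrase with a cryptographic random source. The 94-character printable ASCII set, the 70-bit target and the 16-word sample list are assumptions made for the illustration.

```python
import math
import secrets

# Assumption: "random character" passwords draw from 94 printable ASCII characters.
PRINTABLE_ASCII = 94
DICEWARE_WORDS = 7776  # 6**5: five dice rolls select one word

# Constructed 16-word sample list; a real list has thousands of entries.
SAMPLE_WORDS = [
    "anchor", "birch", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
]


def keyspace_bits(choices, length):
    """Entropy in bits when each of `length` units is chosen uniformly at random."""
    return length * math.log2(choices)


def average_guesses(choices, length):
    """Expected guesses for an exhaustive search: half of the keyspace."""
    return choices ** length // 2


def units_needed(choices, target_bits):
    """Smallest number of random units whose keyspace reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def generate_passphrase(wordlist, n_words, sep=" "):
    """Draw words with the OS CSPRNG; the estimates hold only for uniform random picks."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real keyspace")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    cases = [
        ("5 words from a 20,000-word dictionary", 20_000, 5),
        ("3 words from a 1,000,000-word dictionary", 1_000_000, 3),
        ("12 random printable characters", PRINTABLE_ASCII, 12),
    ]
    for label, choices, length in cases:
        print(f"{label}: {keyspace_bits(choices, length):.1f} bits, "
              f"~{average_guesses(choices, length):.2e} guesses on average")
    print("Diceware words for 70 bits:", units_needed(DICEWARE_WORDS, 70))
    print("Sample (tiny list, demo only):", generate_passphrase(SAMPLE_WORDS, 6))
```

These figures assume every word or character is picked independently and uniformly at random; a sentence fragment or any human-chosen phrase has a much smaller effective keyspace than the formula gives.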
59 character "WPA2 password" master race reporting in.
Brute force OR dictionary-style attacks are what you are generally defending against. If you have to physically remember a pass, make it lots of words in a unique custom sentence. Replacing some letters with symbols, capitals and numbers will massively secure it further.
[ link to this | view in chronology ]
Re:
That is dumb advice, there are more words than characters so words have more entropy.
Using twelve words for your password is just as safe, if not safer, than using twelve characters in your password.
Twelve words also has the benefit of being easier to remember.
Which password is easier to brute force crack?
Which one is easier to remember?
A: "1/d#dkD'QBgn"
B: "my dog ate my homework and the teacher did not believe me."
[ link to this | view in chronology ]
Re: Re:
It's a sentence, which is a silly thing to use.
[ link to this | view in chronology ]
Heartbleed = overblown. Your article = nonsense.
[ link to this | view in chronology ]
Re:
You clearly have failed to understand even the merest rudiments of security. I suggest extensive remedial education, starting with "everything ever written by Schneier, Bellovin, Cheswick, Spafford, Ranum, Felten, Edelmen, Ferguson, Halderman, Forno, Appelbaum, Kaminsky, Vixie, Soghoian, Zalewski, Marlinspike, Honeyman, and anybody that's part of Team Cymru".
[ link to this | view in chronology ]
Re:
Let's assume that you're correct: that the market will fix the problem. How long after the first major, publicly sensational breach, do you think the market should take to respond?
Cuz, I'm thinking, if your assertion is correct, the market would have responded by now. There has been breach after breach, as long as there has been a www. Somehow, the market hasn't fixed the problem.
Your libertarian utopia would require perfect information for the market to function perfectly. Consumers would have to know exactly what kind of security each vendor offered, and UNDERSTAND that technology, and understand the risk profile it presents. Consumers would have to have that information each time they buy something like bedsheets from either Target.com or Walmart.com. Sound reasonable to you?
[ link to this | view in chronology ]
Re:
No.
The market determines the minimum amount of security that people will put up with. This is substantially less than how much security is needed.
[ link to this | view in chronology ]
Re: Re:
That whole "Private enterprise can do no wrong" idea is overblown.
That's not the most annoying thing about them, though. It's the way they mendaciously reframe common concepts to create a false impression of the issues that grinds my gears.
The demand side of the market will not force the supply side to sort out security because the vast majority of us don't understand the complexities of encryption and security online. Okay, I don't understand the complexities of encryption and security online. I just know that the one time I fell for a phishing scam I had to change my passwords, no biggie. I've been more careful about following links that ask me to log in, i.e. provide my username and password, since then. Am I really the only one?
John Fenderson is right, per my personal experience.
Again, "the market" won't solve the problem because "the market" is not a single entity. It's not even a gestalt of supply and demand. It's a hell of a lot more complex than that because it's made up of individuals and is therefore incapable of solving problems in and of itself. Can we please stop pretending that it can?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Plus, KeyPass is free and open source software. :)
[ link to this | view in chronology ]
Spelled KeePass wrong
[ link to this | view in chronology ]
"No trace"
Not *necessarily* true. Such a hack leaves no trace in standard web server (or other application) logs.
However, either compiling with debug logging enabled, or recording IP traffic with a sniffer or logging firewall and decrypting with the web site's certificates shows the exploit attempt.
The security community has rapidly responded to Heartbleed and most of the major intrusion detection products now pick up Heartbleed.
Google "snort heartbleed" for one example.
It's true that a lot of media folk and Internet startups don't run an IDS. Any financial institution and most publicly traded companies will have one though.
[ link to this | view in chronology ]
Re: "No trace"
Modern browsers implement forward secrecy, now we just need to get all websites to support it too.
http://en.m.wikipedia.org/wiki/Perfect_forward_secrecy
[ link to this | view in chronology ]
There's an editorial from Tim Berners-Lee emphasizing heavily that OpenSSL is mostly maintained by 4 EUROPEAN programmers, but used extensively by AMERICAN corporations, and that it is a disgrace that the product is not supported more by those who benefit from it.
Now I'm not sure why Tim would emphasize the EUROPEAN part, without pointing out why that is the case: Because most open source products dealing with cryptography are maintained and developed by non-Americans and have to put restrictions on the participation of Americans because .... of US government policy reaching back decades....
[ link to this | view in chronology ]
QuertyYuiopSays100
I can't help but get this feeling that the "instruction" to create a new password, is nothing more than an attempt to make the public "feel" secure in a totally insecure situation and make those responsible for the situation appear to be "on top of the problem".
Tell me my new password is somehow safe from the HeartBleed Virus.
[ link to this | view in chronology ]
CYBER CRIME => a Global Nightmare!
[ link to this | view in chronology ]