12 April 2014

My heart bleeds for the open source community.

Nearly everyone on the internet (that would be our entire planet and the folks on the ISS) has heard of the "Heartbleed" OpenSSL bug. In short, this coding error has allowed any mildly skilled attacker to read the memory of any vulnerable system, and it is likely a favorite backdoor for your favorite Russian spam bot. Since OpenSSL is used on such a wide range of devices and web sites, this is quite possibly the biggest security hole to hit the internet since Windows 98. We are left with end users scrambling to change their passwords and geeks spending late nights at the office evaluating every server, switch and router under their care. While the implications are huge, I am equally concerned about the false image this paints of the open source community that developed what is otherwise a magnificent piece of software.

Before we dive into why I firmly believe open source software is still trustworthy and useful, I would be remiss if I did not tell you how to protect your online identity. If you are using a password manager, the vendor should have notified you regarding which passwords to change and how to proceed safely going forward. There are articles out there that list the web sites you should be most concerned about, which is nearly everything except AOL. (Crazy, right?) I would also like to give a shout-out to all two-factor (dual verification) login methods, since using them will go a long way toward protecting you against future security holes like Heartbleed.

For the tech heads and part-time hackers out there, this site has an excellent explanation of what causes the bug and how it can be exploited. In addition to updating Linux servers, you will need to check with all of your software and device vendors to verify that there are no issues with their products as a result of this glitch. Even equipment by Cisco (routers, modems, switches) could be impacted, so make certain you check everything. Comically, it is the businesses that were most up to date on software and hardware that are most at risk, since the bug only came into existence a couple of years ago. I guess we must reluctantly give kudos to the cheapskates still running Windows XP and the out-of-service Watchguard routers they refuse to upgrade.

There are plenty of tinfoil hat theories (I'm looking at you, Wired) out there that the NSA paid the OpenSSL programmer, Dr. Robin Seggelmann, to put this flaw in his code so they could steal all of your critical information. The NSA denies it even knew about the issue and is pretending to kick itself for not having used it. While you can bet the kids' college tuition that Dr. Seggelmann did not intentionally add the bug for the government, it is a certainty that our fine nation took advantage of this minor heartache.

Let us start with the obvious: all programs have bugs. They are created by human beings, and while we put our heart into the code, sometimes we miss a beat. Whether it is iTunes, Microsoft Office, Gmail or open source products like Firefox, Handbrake and Drupal, they all have bugs. The difference between the corporate versions and the ones coded by your neighbors is that the latter airs all its bloody laundry while the former does everything it can to keep its bugs secret (or ignore them).

Does that make open source more dangerous? That is all a matter of perspective. If you are living in Redmond, then the answer is "absolutely". If you are dual booting Ubuntu on your MacBook Air, then you may think corporate code is riskier. The problem for the individuals extolling the virtues of their open code is that the vast majority of us take the shrink-wrapped licensing approach.

While there is no doubt that this was a serious issue, there are countless other coding errors out there that naughty individuals (or governments) are using in nefarious ways. The NSA has little concern about the OpenSSL hole being filled since they have hundreds of others they are exploiting as I type this.

In the words of Bill Nye, please consider the following: if you were in charge of the NSA, where would you go to buy a trap door? An open source programmer, whose life's work is open to everyone? Or would you offer a big payoff to a major software vendor whose source code is behind a locked door? Do you believe that corporations are any more bug-proof than collections of individuals who have their source code available to the universe? When you know that all programmers make mistakes, it is a safe bet that neither is more bug-proof than the other. In fact, in competitions run to see which of an OS X, Windows or Linux workstation gets hacked fastest, the open source machine is almost always the one left untouched.

It is human nature that is partially to blame. We all want the latest features and gadgets, and I am equally guilty. When a new update is released, I rush to install it because I want whatever cool new stuff comes along with it. Most of the time that new software is better and more secure, but sometimes it is far more dangerous. There is value in taking our time to carefully evaluate the implications of every improvement we make to our tech universe. Yes, we should all apply security updates as soon as we verify they do not break anything, but do we truly need to upgrade to the latest version the week it is made available? This Heartbleed incident is begging all of us to take our time.

Except about changing our passwords. We need to do that immediately.