Category Archives: information security

Brazil plans to lay trans-Atlantic cable free from NSA surveillance and U.S.-made technology

Bloomberg reports: Brazil is planning a $185 million project to lay fiber-optic cable across the Atlantic Ocean, which could entail buying gear from multiple vendors. What it won’t need: U.S.-made technology.

The cable is being overseen by state-owned telecommunications company Telecomunicacoes Brasileiras SA, known as Telebras. Even though Telebras’s suppliers include U.S. companies such as Cisco Systems Inc., Telebras President Francisco Ziober Filho said in an interview that the cable project can be built without any U.S. companies.

The potential to exclude U.S. vendors illustrates the fallout that is starting to unfold from revelations last year that the U.S. National Security Agency spied on international leaders like Brazil’s Dilma Rousseff and Germany’s Angela Merkel to gather intelligence on terror suspects worldwide.

“The issue of data integrity and vulnerability is always a concern for any telecom company,” Ziober said. The NSA leaks last year from contractor Edward Snowden prompted Telebras to step up audits of all foreign-made equipment to check for security vulnerabilities and accelerated the country’s move toward technological self-reliance, he said. [Continue reading…]

How a scanner infected corporate systems and stole data: Beware Trojan peripherals

Kurt Marko writes: A new form of highly targeted cyber attack patently demonstrates the shift in malware sophistication and motivation. Annoying hacker pranks done for fun and sport have been supplanted by sophisticated, multi-stage software systems designed for espionage and profit. The new attack, discovered by TrapX, a developer of security software formerly known as CyberSense, is one of an increasingly common genre known as an Advanced Persistent Threat (APT) of the type that stole debit card numbers from Target or sensitive data and login credentials from any number of companies. What makes this recent attack noteworthy isn’t its basic design, operation or targets, but means of initial delivery: contaminated firmware on a type of industrial barcode scanner commonly used in the shipping and logistics industry. Similar to the technique used to introduce the infamous Stuxnet worm that took out Iranian centrifuges and managed to penetrate ostensibly highly secure networks via ordinary USB thumb drives, the so-called Zombie Zero worm invaded corporate data centers through a back door. [Continue reading…]

Serious security flaws found in Israeli-made surveillance gear used by law enforcement

Ars Technica reports: Software used by law enforcement organizations to intercept the communications of suspected criminals contains a litany of critical weaknesses, including an undocumented backdoor secured with a hardcoded password, security researchers said today.

In a scathing advisory published Wednesday, the researchers recommended people stop using the Nice Recording eXpress voice-recording package. It is one of several software offerings provided by Ra’anana, Israel-based Nice Systems, a company that markets itself as providing “mission-critical lawful interception solutions to support the fight against organized crime, drug trafficking and terrorist activities.” The advisory warned that critical weaknesses in the software expose users to attacks that compromise investigations and the security of the agency networks. [Continue reading…]

Study: 97% of companies using network defenses get hacked anyway

Ars Technica: A security study drawing data from more than 1,600 networks over a six-month period found that 97 percent of the networks experienced some form of breach—despite the use of multiple layers of network and computer security software. The study, performed by analysts from security appliance vendor FireEye and its security consulting wing Mandiant, compared current network defenses to the Maginot Line, the infamous French fortress chain that the Germans bypassed during their May 1940 invasion.

The data collected from network and e-mail monitoring appliances from October 2013 to March 2014 also showed that three-quarters of the networks had command-and-control traffic indicating the presence of active security breaches connected to over 35,000 unique command-and-control servers. Higher-education networks were the biggest source of botnet traffic.

Computers, and computing, are broken

Quinn Norton writes: Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can’t tell you who he is because he doesn’t want to go to Federal prison, which is what could have happened if he’d told anyone that could do anything about the bug he’d found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn’t extraordinary at all. Spend much time in the hacker and security scene, you’ll hear stories like this and worse.

It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.

For a bunch of us, especially those who had followed security and the warrantless wiretapping cases, the revelations weren’t big surprises. We didn’t know the specifics, but people who keep an eye on software knew computer technology was sick and broken. We’ve known for years that those who want to take advantage of that fact tend to circle like buzzards. The NSA wasn’t, and isn’t, the great predator of the internet, it’s just the biggest scavenger around. It isn’t doing so well because they are all powerful math wizards of doom. [Continue reading…]

America’s double standards on cybercrime and national security

The New York Times reports: The National Security Agency has never said what it was seeking when it invaded the computers of Petrobras, Brazil’s huge national oil company, but angry Brazilians have guesses: the company’s troves of data on Brazil’s offshore oil reserves, or perhaps its plans for allocating licenses for exploration to foreign companies.

Nor has the N.S.A. said what it intended when it got deep into the computer systems of China Telecom, one of the largest providers of mobile phone and Internet services in Chinese cities. But documents released by Edward J. Snowden, the former agency contractor now in exile in Russia, leave little doubt that the main goal was to learn about Chinese military units, whose members cannot resist texting on commercial networks.

The agency’s interest in Huawei, the giant Chinese maker of Internet switching equipment, and Pacnet, the Hong Kong-based operator of undersea fiber optic cables, is more obvious: Once inside those companies’ proprietary technology, the N.S.A. would have access to millions of daily conversations and emails that never touch American shores.

Then there is Joaquín Almunia, the antitrust commissioner of the European Commission. He runs no company, but has punished many, including Microsoft and Intel, and just reached a tentative accord with Google that will greatly change how it operates in Europe.

In each of these cases, American officials insist, when speaking off the record, that the United States was never acting on behalf of specific American companies. But the government does not deny it routinely spies to advance American economic advantage, which is part of its broad definition of how it protects American national security. In short, the officials say, while the N.S.A. cannot spy on Airbus and give the results to Boeing, it is free to spy on European or Asian trade negotiators and use the results to help American trade officials — and, by extension, the American industries and workers they are trying to bolster. [Continue reading…]

Israel won’t stop spying on the U.S.

Jeff Stein reports: Whatever happened to honor among thieves? When the National Security Agency was caught eavesdropping on German Chancellor Angela Merkel’s cell phone, it was considered a rude way to treat a friend. Now U.S. intelligence officials are saying—albeit very quietly, behind closed doors on Capitol Hill—that our Israeli “friends” have gone too far with their spying operations here.

According to classified briefings on legislation that would lower visa restrictions on Israeli citizens, Jerusalem’s efforts to steal U.S. secrets under the cover of trade missions and joint defense technology contracts have “crossed red lines.”

Israel’s espionage activities in America are unrivaled and unseemly, counterspies have told members of the House Judiciary and Foreign Affairs committees, going far beyond activities by other close allies, such as Germany, France, the U.K. and Japan. A congressional staffer familiar with a briefing last January called the testimony “very sobering…alarming…even terrifying.” Another staffer called it “damaging.”

The Jewish state’s primary target: America’s industrial and technical secrets.

“No other country close to the United States continues to cross the line on espionage like the Israelis do,” said a former congressional staffer who attended another classified briefing in late 2013, one of several in recent months given by officials from the Department of Homeland Security (DHS), the State Department, the FBI and the National Counterintelligence Directorate. [Continue reading…]

Emails reveal close Google relationship with NSA

Jason Leopold reports: Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.

Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law.

But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure.

On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.”

“The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over.

Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help.

“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”

Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.” [Continue reading…]

One of the most corrosive effects of the revelations about the NSA’s exploitation of information security flaws is that this has created a perception that any kind of interaction between the NSA and Silicon Valley should be viewed with suspicion. In reality, information security would be undermined if the NSA wasn’t talking to the tech companies. The real problem comes when the NSA applies a definition of national security interests that conflicts with public interests.

FBI keeps internet flaws secret to defend against hackers

Bloomberg reports: The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.

The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses new-found Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.

The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates. [Continue reading…]

Stop using Microsoft’s IE browser until bug is fixed, U.S. and U.K. warn

If you don’t already use Firefox, it’s probably time to install it.

CNET reports: It’s not often that the US or UK governments weigh in on the browser wars, but a new Internet Explorer vulnerability — one that affects all major versions of the browser from the past decade — has forced them to raise an alarm: Stop using IE.

The zero-day exploit, the term given to a previously unknown, unpatched flaw, allows attackers to install malware on your computer without your permission. That malware could be used to steal personal data, track online behavior, or gain control of the computer. Security firm FireEye, which discovered the bug, said that the flaw is being used with a known Flash-based exploit technique to attack financial and defense organizations in the US via Internet Explorer 9, 10, and 11. Those versions of the browser run on Microsoft’s Windows Vista, Windows 7, and Windows 8, although the exploit is present in Internet Explorer 6 and above.

While the Computer Emergency Readiness Team in England and the US regularly issue browser advisories, this is one of the few times that the CERT team has recommended that people avoid using a specific browser. [Continue reading…]

Two major threats to the internet: The U.S. government and the Russian government

Ars Technica: Hector Xavier Monsegur, the hacker known as “Sabu,” became a confidential FBI informant following his 2011 arrest. But he continued to direct other hackers to attack more than 2,000 Internet domains in 2012, including sites operated by the Iranian, Syrian, and Brazilian governments.

Based on documents obtained by the New York Times, those attacks were carried out with the knowledge of the FBI agents supervising Monsegur. The Times report suggests that the data obtained in the attacks—including information on Syrian government sites—was passed to US intelligence agencies by the FBI.

Russian President Vladimir Putin clearly wants to exploit the climate of distrust that has been generated by the NSA and other branches of the U.S. government that have undermined internet security and sees in this the opportunity to push for a Russian internet — one in which the Russian government can exercise greater control over social media.

Vesti.ru reports (translation):

“The Internet emerged as a special project of the CIA USA, and continues to be developed as such,” said Putin [at the conference Mediaforum in St. Petersburg today]. Moreover, the president noted that the national search engine Yandex and the social network VKontakte are trying to develop business, mathematical and informational programming in Russia. “Our companies didn’t have resources free for such capital investments, but now they have appeared,” said the head of state. Putin expressed the hope that the Russian Internet would develop rather intensively and rapidly and will secure the interests of the Russian Federation.

Meanwhile, ITAR-TASS reports:

Russia’s popular bloggers will now have to brace for considerable restrictions of their rights. The State Duma has just adopted a law introducing new rules they will have to abide by. The document incorporates a package of bills for effective struggle against terrorism and extremism. Earlier, the bill drew a mixed response from society, including sharp criticism from human rights activists.

The law introduces a new term: “Internet user called blogger.” Bloggers will be obliged to declare their family name and initials and e-mail address. Those authors whose personal website or page in social networks has 3,000 visitors or more a day must have themselves registered on a special list and abide by restrictions applicable to the mass media. In other words, registration requires that the blogger check the authenticity of published information and also mention age restrictions for users. Also, bloggers will have to follow mass media laws concerning electioneering, resistance to extremism and the publication of information about people’s private lives. An abuse of these requirements will be punishable with a fine of 10,000 to 30,000 roubles (roughly 300 dollars to 1,000 dollars) for individuals and 300,000 roubles (10,000 roubles) for legal entities. A second violation will be punishable with the website’s suspension for one month.

The Russian investigative journalists Andrei Soldatov and Irina Borogan write:

The NSA scandal made a perfect excuse for the Russian authorities to launch a campaign to bring global web platforms such as Gmail and Facebook under Russian law—either requiring them to be accessible in Russia by the domain extension .ru, or obliging them to be hosted on Russian territory. Under Russian control, these companies and their Russian users could protect their data from U.S. government surveillance and, most importantly, be completely transparent for Russian secret services.

Russia wants to shift supervision and control of the Internet from global companies to local or national authorities, allowing the FSB more authority and latitude to thwart penetration from outside. At December’s International Telecommunications Union (ITU) conference in Dubai, Moscow tried to win over other countries to its plan for a new system of control. The key to the project is to hand off the functions of managing distribution of domain names/IP-addresses from the U.S.-based organization ICANN to an international organization such as the ITU, where Russia can play a central role. Russia also proposed limiting the right of access to the Internet in such cases where “telecommunication services are used for the purpose of interfering in the internal affairs or undermining the sovereignty, national security, territorial integrity, and public safety of other states, or to divulge information of a sensitive nature.” Some 89 countries voted for the Russian proposals, but not the United States, United Kingdom, Western Europe, Australia, or Canada. The result is a stalemate.

Web services would be required to build backdoors for the Russian secret services to access what’s stored there. Prominent Russian MP Sergei Zheleznyak, a member of the ruling United Russia party, has called on Russia to reclaim its “digital sovereignty” and wean its citizens off foreign websites. He said he would introduce legislation this fall to create a “national server,” which analysts say would require foreign websites to register on Russian territory, thus giving the Kremlin’s own security services the access they have long been seeking. Of course, building such a national system would defeat the global value of the Internet.

Shane Harris writes:

When U.S. officials warn of the threat foreign cyber spies pose to American companies and government agencies, they usually focus on China, which has long been home to the world’s most relentless and aggressive hackers. But new information shows that Russian and Eastern European hackers, who have historically focused their energies on crime and fraud, now account for a large and growing percentage of all cyber espionage, most of which is directed at the United States.

Individuals and groups in Eastern Europe, and particularly in Russia and Russian-speaking countries, are responsible for a fifth of all cyber spying incidents in the world, according to a global study of data breaches conducted by Verizon, published this week. The spies are targeting a range of companies as varied as the global economy itself, and are stealing manufacturing designs, proprietary technology and confidential business plans. The cyber spies steal information on behalf of their governments in order to manufacture cheaper versions of technologies or weapons systems, or to give their home country’s corporations a leg up on their foreign competitors.

As we sweat government surveillance, companies like Google collect our data

Dan Gillmor writes: As security expert Bruce Schneier (a friend) has archly observed, “Surveillance is the business model of the internet.” I don’t expect this to change unless and until external realities force a change – and I’m not holding my breath.

Instead, the depressing news just seems to be getting worse. Google confirmed this week what many people had assumed: even if you’re not a Gmail user, your email to someone who does use their services will be scanned by the all-seeing search and the advertising company’s increasingly smart machines. The company updated their terms of service to read:

Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

My system doesn’t do this to your email when you send me a message. I pay a web-hosting company that keeps my email on a server that isn’t optimized for data collection and analysis. I would use Gmail for my email, if Google would let me pay for service that didn’t “analyze (my) content” apart from filtering out spam and malware. Google doesn’t offer that option, as far as I can tell, and that’s a shame – if not, given its clout, a small scandal. [Continue reading…]

The U.S. government: Paying to undermine internet security, not to fix it

By Julia Angwin, ProPublica, April 15, 2014

The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.

The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.

In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. “There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work,” says Steve Marquess, who raises money for the project.

Is it any wonder that this Heartbleed bug slipped through the cracks?

Continue reading

It’s time to encrypt the entire internet

Wired reports: The Heartbleed bug crushed our faith in the secure web, but a world without the encryption software that Heartbleed exploited would be even worse. In fact, it’s time for the web to take a good hard look at a new idea: encryption everywhere.

Most major websites use either the SSL or TLS protocol to protect your password or credit card information as it travels between your browser and their servers. Whenever you see that a site is using HTTPS, as opposed to HTTP, you know that SSL/TLS is being used. But only a few sites — like Facebook and Gmail — actually use HTTPS to protect all of their traffic as opposed to just passwords and payment details.

Many security experts — including Google’s in-house search guru, Matt Cutts — think it’s time to bring this style of encryption to the entire web. That means secure connections to everything from your bank site to Wired.com to the online menu at your local pizza parlor.

Cutts runs Google’s web spam team. He helps the company tweak its search engine algorithms to prioritize certain sites over others. For example, the search engine prioritizes sites that load quickly, and penalizes sites that copy — or “scrape” — text from others.

If Cutts had his way, Google would prioritize sites that use HTTPS over those that don’t, he told blogger Barry Schwartz at a conference earlier this year. The change, if it were ever implemented, would likely spur an HTTPS stampede as web sites competed for better search rankings. [Continue reading…]

How Heartbleed broke the internet — and why it can happen again

Wired reports: Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.

The key moment arrived at about 11 o’clock on New Year’s Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who’s an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.

Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it’s bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.

It’s no surprise that a small bug would cause such huge problems. What’s amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson’s situation isn’t an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. And that needs to change. Heartbleed has shown — so very clearly — that we must add more oversight to the internet’s underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.

The sad truth is that open source software — which underpins vast swathes of the net — has a serious sustainability problem. [Continue reading…]

NSA pretends it can increase national security while diminishing internet security

The New York Times reports: Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday.

But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.

The White House has never publicly detailed Mr. Obama’s decision, which he made in January as he began a three-month review of recommendations by a presidential advisory committee on what to do in response to recent disclosures about the National Security Agency.

But elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers. [Continue reading…]

New evidence that the NSA poses a major threat to global security

When it comes to intelligence officials, past or present, it seems much safer to assume that they are not acting in national interests than to assume otherwise. It doesn’t matter which nation or which agency, the business of intelligence is deception.

There is an inherent conflict between the declared need of such agencies to operate in secrecy and the need to provide those operations with the oversight they require in order to prevent the abuse of power.

After the latest revelations about the CIA’s torture programs and NSA operations which undermine the security of the internet, are we not already far past the point where it must be faced that the U.S. intelligence community has systemic flaws? These should not just be patched over. It’s time to ask fundamental questions about the function of the intelligence agencies.

Bloomberg reports: The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

The NSA’s decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts.

Heartbleed appears to be one of the biggest glitches in the Internet’s history, a flaw in the basic security of as many as two-thirds of the world’s websites. Its discovery and the creation of a fix by researchers five days ago prompted consumers to change their passwords, the Canadian government to suspend electronic tax filing and computer companies including Cisco Systems Inc. to Juniper Networks Inc. to provide patches for their systems.

Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.

“It flies in the face of the agency’s comments that defense comes first,” said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. “They are going to be completely shredded by the computer security community for this.” [Continue reading…]

Update — DNI states: NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

The problem for the DNI, NSA, CIA, and the rest of the intelligence community is that they can’t restore trust simply by issuing statements or through cosmetic reform. It’s no good saying “we wouldn’t do something like that” when we already know they have.

How to stop the next Heartbleed bug: Pay open-source coders to protect us

Dan Gillmor writes: Yes, it is beyond worrisome that a bug this big existed for so long. But the discovery of Heartbleed – a truly mind-boggling flaw in OpenSSL, the widely used web security technology run on open-source code – led to one of the most rapid responses I’ve ever seen in the encryption world.

We’re not nearly finished repairing this gaping hole in our online safety, with potentially hundreds of thousands of email accounts and sites relying on a secure connection exposed to Heartbleed. And, yes, the National Security Agency probably knew about it before you did. But still, thousands of sites have moved quickly to mitigate at least some of the immediate damage.

So why is everyone pointing fingers at the beleaguered developers of OpenSSL? Because someone should have found this programming error two years ago? Sure, but don’t blame this tiny team of volunteers; go change your password (but only if your favorite sites have been updated). These aren’t just some lazy coders letting your bank account login leak into the online slipstream; they’re heroes, who have worked tirelessly during the past few years on software that can be freely downloaded and modified, that brings online safety, at a low cost, to all of us. And, seriously, there are only like 17 of them.

The last thing we want to do, as some fear-mongers have suggested this week amidst ‘the worst thing to happen to the internet’, is turn over our communications infrastructure from open-source software to for-profit companies that want to extract cash from the ecosystem. The more eyes we have on open programming instructions, the more likely someone will find a bug. [Continue reading…]
