And We’re Slow to Acknowledge the [Gaping Holes in Our Security], or Heart It Bleeds Some More

Summary of my understanding of what’s going on here. Don’t feel bad.

So if you’ve been living on the internet for the last couple days, you’ve probably heard about Heartbleed, a staggering security bug that is ravaging somewhere between 1/3 and 2/3s of the internet, depending on who you ask. Or maybe you live on the internet and haven’t heard about this- that’s okay, too. I’ve been pretty surprised that this isn’t front page news, a trending topic on Twitter, and the name of a vegan cafe in Berkeley already; it’s hugely important but flying mostly under the radar.

This isn’t a tech site, obviously, and I’m not any kind of expert on computer security, but I try to be helpful and explain stuff in layman’s terms. If this ends up getting like, three of my readers’ ish locked down, I’ll consider it worth it. I talked to a couple tech-y friends (some in security, some just more knowledgeable about systems, and a few bona fide geeks who love this stuff), took a ton of notes, asked a lot of questions, and got some info about what’s going on, how concerned you should be, and what steps you should take. If you’ve been paying attention so far, you probably saw that this is almost certainly going to touch you in some way, so maybe take some of these steps. The right people are pretty freaked out about this- I plan to take their advice and I think you should too. The worst thing you can do is assume this is no big deal and take no action.

What is Heartbleed? It’s a very serious bug in OpenSSL, an open-source encryption library. If you’re not a tech person, this is something you give little or no thought to, but it’s definitely something that is in your life if you use the internet in any capacity. The apps you use and the sites you visit probably encrypt your data, and it’s very likely they use OpenSSL to do so. Apache, the server that powers something like 50% of sites on the internet (whoa, okay, think about that for a sec) uses OpenSSL. I’m not going to detail to you how this works because I barely understand it, but this bug has been around for about 2 years, and makes it possible to trick virtually any system using OpenSSL into revealing big chunks of encrypted data. You know, like your passwords, your SSN, your credit card information…all the stuff you probably would really, really not like to have a stranger having and possibly using. If you’ve been using the internet during this decade, you’re in its sights.

Well, great! Super. What now? Well, contrary to what makes sense to me, we’re apparently supposed to wait for a couple of days to do anything. Affected sites need a chance to perform emergency surgery on the wide open wounds they just noticed their security systems have, so changing the password now just means you still have a potentially vulnerable password, just a different one. Let’s agree we’ll all change this stuff around on Friday or Saturday. It should only take about ten minutes, and it’s probably time to do it anyway.

A lot of large sites that take security seriously haven’t been affected, according to folks in the know, but this list will give you an idea of how large in scope this is. If you use Yahoo or linked services, you’re particularly at risk. Even if nothing you use regularly appears on that list, and comes up clear on this test, it wouldn’t hurt to brush up on your internet security hygiene now, while you’re thinking about it. Here’s what you should do:

1. Figure out what sites are holding potentially sensitive information. That would be your email, banking/finance/insurance. and social media accounts. Mine numbered about ten, all told, and I think that’s accurate for most people. Those are the places where you need to do your due diligence most, because that’s going to be where you can get in to real trouble.
2. Change all those passwords. Never, ever, ever, for any reason, use the same password for two sites that matter. Every single person I talked to about Heartbleed says that this is the number one most common security mistake people make, and that, okay, yes, it’s a pain to have different passwords, but it’s a bigger pain to have to prove that your identity was stolen and rebuild your life. A good password has a mix of upper and lowercase letters, numbers, characters, etc., and isn’t word-based (MacaRONI12 isn’t good, bAP7MZq^ is). I use a password generator to make sure mine are truly random. Several people I spoke with also recommended changing them regularly. None of these particular things would matter retroactively in the instance of Heartbleed, but are good practice.
3. Use a password manager (everyone recommended LastPass) if it’s too hard to remember all the passwords for your different accounts.

Alright, take action! This is an easy fix of a major problem, so there’s no reason not to do it. If you’re using your birth date as your gatekeeper for online banking, or your high school mascot as the lone guardian of your gmail account, end that today.

Got other questions for my legions of tech-savvy friends? Let me know and I’ll get it broken down for you.