LibrarianShipwreck

"More than machinery, we need humanity."

The Heartbreak of Heartbleed

Periodically when a person uses a computer one may receive notifications that contain phrases such as “do you trust this connection” or “do you trust this site.” While it is unlikely that such prompts are intended to send users tumbling into an existential abyss they nevertheless carry a very important question bundled in the guise of a simple yes or no (“allow” or “don’t allow”) moment. That question: “do you trust…”

Well…do you?

Using technological systems in contemporary society (in particular “high technological” systems) is often premised upon an oft unspoken level of trust, which relies as much (if not more so) on subconscious consent. We trust that our devices will function the way we have been led to expect them to function, we trust that the applications we use will do what they advertise, we trust that the passwords we use are being kept secret by the sites to which they correspond, we trust that the little “lock” logo that sometimes appears in our web browser actually means something, and so forth.

Using these systems requires such extensive granting of good faith that it becomes second nature. We stop thinking about it, and this is at least partially because investing such trust is necessary if we want to be able to continue using these systems. We trust sites like Yahoo because the seeming societal consensus is they can be trusted. Yet, of late, there have been many instances that have made it so that this subconscious trust has been dredged up to the conscious level and it has forced many to evaluate the way this trust has been placed. Like a closely relied upon confidant being revealed as an enemy spy (at which your life tailspins into a noir film!) this crack in the façade may lead us to find ourselves feeling a bit heartbroken…or at the very least like we are experiencing heartbleed.

Heartbleed, of course, is the name given to a rather serious bug (even deemed “catastrophic” by some), which has revealed that some of our trust may have been sorely misplaced. The bug has already been gnawing away at sites using OpenSSL for a rather disheartening amount of time, but it has chewed through the surface recently.

So, why does this matter? Well, as the Guardian put it, SSL is a common security tool used online – it allows for the flow of information to be encrypted; what Heartbleed allows is for prying eyes to get a glance at that encrypted data – including passwords and the like. Heartbleed has been sinking its pincers and mandibles into many sites including aspects of the Yahoo empire (like Tumblr), as well as other sites such as Eventbrite, Imgur, and (in a bit of irony) OKCupid. Evidently that was not Cupid’s arrow but the stinger of a bug…

As with all revelations about bugs there is a bit of hyperventilating panic (“catastrophic”) and then the exterminator shows up, makes a droll assessment, sprays some of this and that about, and explains that while the infestation was quite bad it has now been seen to. The exterminator was summoned in time. Phew! Stay away from the worst spots for a few days, keep an eye out, but don’t worry, everything is fine, and if you’re worried here’s a helpful resource, and you can always call the exterminator again. But the issue with such bugs is that they lay bare, even if only for a moment or two, the degree to which our placing trust in certain technological systems makes us susceptible to certain kinds of bugs.

At risk of being grossly overly simplistic: many people who use high-tech devices and platforms have only a vague understanding of everything (emphasis on everything) that goes on in and around such devices. Even those who consider themselves technologically savvy and quite computer literate might still find themselves stumped by some of the questions that crop up around certain code (which comes in many different languages). After all, Heartbleed is a bug that impacted quite a few prominent platforms (and it is not as if past bugs have not hit other companies [see: Apple]) which were conceivably being managed by highly technologically skilled individuals. All of which is a roundabout way of saying – when we use a high tech device or platform our use of it is in some ways a statement (by deed) of trust. There is only a limited amount of choice (for most people) in this regard – and while there are some options these are generally still options based around which sites we want to trust (Yahoo or Google, Tumblr or Facebook, Apple or Microsoft, etc…). Life in technological society requires placing trust in those building the infrastructure, but it seems that these may not be certified architects…

Part of what makes us so susceptible to unhappy discoveries such as Heartbleed is the fact that high tech devices/platforms put us at a disadvantage in regards to fully understanding our tools – once we decide to use high tech devices we are at their mercy to a certain extent. Consider – as a counter example – a bicycle: a person with a basic manual, some time on their hands, and maybe a helpful friend or two can come to understand how such a machine works, where its problems may be, and how to fix it when things go wrong. It is not quite a “simple machine” but it is “simple enough” that an individual can understand it confidently; it does not have layers of secrets. Now consider a smart phone, a computer or a (closed/proprietary) operating system – a person with a manual, some time on their hands, and maybe a helpful friend or two can learn a great deal – but the sheer complexity of the machine will make it so that their mastery over the device is always wanting, always wanting (exceptions certainly exist, but the majority of users are not exceptions).

The more complicated a device (the less “convivial” [Illich], “democratic” [Mumford] or “appropriate” [Schumacher]) the more we are forced to put our trust not in our skills, or those of our friends but in those who represent the device – those whose interests are tied up in the device functioning in particular ways. It is not so much that bugs are “catastrophic” accidents as that bugs are part of the deal we consent to when we click “agree” on the Terms of Service contract.

What bugs such as Heartbleed demonstrate to a galling (if not necessarily “catastrophic”) extent is the degree to which our placing of trust may be, if not highly misguided, at least not fully considered. From the NSA revelations to Heartbleed we are witnessing ever more evidence that for all of its utopian promises technological society may just be a wonderful paint job on a building being devoured by termites. When the bugs break through the paint the exterminators descend quickly to sort out the issue, but as long as we stay in this house it will only be a matter of time before we spot evidence of an infestation in another room. The techno-utopians who hurriedly painted the house and their comrades the exterminators may speak convincingly and offer seemingly wonderful things, but it seems increasingly that part of the price of “free” is societal trust. And really, they’ve bought that pretty cheap.

Heartbleed may not lead to many cases of genuine heartbreak, but it should serve as a reason to reassess this relationship – to these companies, and to their tools.

If we insist on dining on the free lunch that tech companies serve up, we cannot be truly surprised when the crunchy content of the sandwich turns out to be bugs.


[Image Note: the Heartbleed logo was designed by Leena Snidate / Codenomicon and released under a CC license, the background image “Internet Map 1024” was created by the Opte Project and released under a CC license]

About Z.M.L

“I do not believe that things will turn out well, but the idea that they might is of decisive importance.” – Max Horkheimer librarianshipwreck.wordpress.com @libshipwreck

57 comments on “The Heartbreak of Heartbleed”

  1. segmation
    April 14, 2014

    Want out for bugs can mean so much. It can mean look for the bugs outside or bugs in the ever growing technology world. I think this is scary!

  2. Frankly Making Money
    April 14, 2014

    Unfortunately, I can’t exactly agree with the idea that OpenSSL is something that should be viewed as lesser because it’s a “free lunch”. I think that it’s something necessary to ensure that people are able to secure themselves with an open-source library.

    I do, however, think that the people using OpenSSL should be more affirmative in giving back to the project. Heartbleed is so dramatic because of all the large companies that use OpenSSL.

    The question I’d like to ask is this: how many of them have contributed to upgrading and revising OpenSSL to secure it against bugs like this?

    The only answer I can provide is possibly companies like Google that encourage their software engineers to work on volunteer projects and other things in their free time. I’m sure that, if other companies followed suit, things of this severity wouldn’t happen as frequently.

    • spikey1one
      April 15, 2014

      While we have a public mentality that ‘allows’ the existence of ‘horrors’ like the NSA, these problems will always surface from time to time. Although I do agree with you on the ‘contribution’ point.

  3. globegalaxy
    April 14, 2014

    Reblogged this on GlobeGalaxy.

  4. awax1217
    April 14, 2014

    A computer virus is like an unwanted bed bug.

  5. marisaalvarez95
    April 14, 2014

    Reblogged this on Marisa's Blog.

  6. demonicking9
    April 14, 2014

    I like your comment

  7. Through Pain to Victory
    April 14, 2014

    The Internet and the Real World are becoming indistinguishable – both teeming with heroes and monsters, Both very dangerous places. And in both, love and beauty can be found – at considerable risk. Thanks for a great post.
    Gerhard
    Through Pain to Victory

    • vanpangita2014
      April 16, 2014

      U R absolutely right, Well put!!

  8. missjelena92
    April 14, 2014

    Reblogged this on missjelena92.

  9. chaitu8688
    April 15, 2014

    LOVE…makes u feel like an heaven…..at the same time it can hurt like an hell…

  10. DBug
    April 15, 2014

    Reblogged this on Gnosis bits && Bytes and commented:
    Very well said…

  11. Arkar
    April 15, 2014

    Reblogged this on BB vs RY and commented:
    Beware of Heartbleed!

  12. theotherdarby
    April 15, 2014

    I said Bill Gates want retire 6 years ago…

  13. appslotus
    April 15, 2014

    Reblogged this on Apps Lotus's Blog.

  14. Shelley Kiff
    April 15, 2014

    Reblogged this on ShelleyMarie x.

  15. idylltootsie
    April 15, 2014

    Reblogged this on idylltootsie and commented:
    Love this blog had to repost.

  16. civilkiller
    April 15, 2014

    Reblogged this on civilkiller and commented:
    This is so true guys. In fact, the really scary thing is that this happened to anyone with iOS 7 on their iPads/iPhones/iPods with the exact same piece of security code: the OpenSSL

  17. civilkiller
    April 15, 2014

    That’s scary as hell

  18. mileyzhu
    April 15, 2014

    Good article. Yes, I do not trust it. But still

  19. rohitmaiya
    April 15, 2014

    Well well well… Is it for real?? I got a mail or perhaps on FB asking me to change the password for the social networking sites and emails I use. I just ignored it. I had received quite a few such alerts in the past all of it turned out to be hoax.

  20. quietannoyed
    April 15, 2014

    The openSSL library is just that. Open. The entire source code is visible and there are hundreds of talented developers working for free on openssl.

    While the bug is considered catastrophic by the media it is much less catastrophic (mildly catastrophic?) than if a large corporation had control. There are several bugs in Apple and Microsoft software that first went unnoticed and then un-patched for months. This is common practice. In contrast the heartbleed bug was discovered on the 7th of April by two separate people in high tech roles and patched the same day by a developer.

    The vast majority of enterprise servers would have been updated within hours and many older servers are not vulnerable at all.

    Things like this will always happen in any software but in the open source world developers, sys-admins and security sites sound alarm bells very publicly to get the word out as fast as they can. In many cases openssl would have been updated automatically and as soon as the fix hit the update servers.

    Without openSSL, Without open source software the Internet would not exist as we know it and I would not be typing a post on WordPress either.

  21. obzervashunal
    April 15, 2014

    I’d love to know why the ‘fixes’ for Android-based phones and tablets using the affected 4.1.1 architecture have been so slow in coming? It’s estimated that this affects thirty-four percent of all Android phone users… yet …

  22. Kishore Patil
    April 15, 2014

    Web world has become very scary..
    Reblogged this on http://blog.kishorepatil.com/2014/04/the-hearbreak-of-heartbleed/

  23. antonio ierano
    April 15, 2014

    Reblogged this on The Puchi Herald Reblog.

  24. Chic Fatale Fashion
    April 15, 2014

    COME CHECK MY BLOG OUT WHEN YOU GET A CHANCE

  25. The Wayne Random
    April 15, 2014

    Reblogged this on The Wayne Random.

  26. bakdor
    April 15, 2014

    Thanks for the words of caution. Your post gives me more reason for preferring hard cash or paper transactions to digital.

  27. emmadol
    April 15, 2014

    Reblogged this on emmadol's Blog.

  28. Jorge Díaz
    April 16, 2014

    Reblogged this on Jorge Díaz.

  29. ww7ba
    April 16, 2014

    Reblogged this on Linux for Ham Radio.

  30. hplpeleven
    April 16, 2014

    Reblogged this on H P L P and commented:
    Really informative!

  31. sallyember
    April 16, 2014

    Reblogged this on Sally Ember, Ed.D. and commented:
    More about internet security and “Heartbleed” issues.

  32. Desire
    April 16, 2014

    I’m just trying to get used to Windows 8 and my constantly crashing Office 2013!

  33. g2gcomputerservices
    April 16, 2014

    Reblogged this on g2gcomputerservices and commented:
    very interesting and Good to know

  34. speakingwins
    April 16, 2014

    Is it trust, or is it risk assessment? When we get into a car and drive on the highway, we have to trust other drivers to stay in their own lanes and follow the rules of the road. They don’t always stay in their lanes, and twice I’ve been in cars hit by these exceptions to the trust rule. Yet, I still get into cars. I put on my seatbelt, I drive defensively, and I stay off the road after midnight on New Year’s. That’s mitigating the risk, just as creating strong passwords and sticking with established websites is mitigating the risk. I may trust a website to do its best to withstand something like Heartbleed, but I recognize there will always be a risk.

  35. jewelrycandles24
    April 17, 2014

    Reblogged this on Jewelry in Candles.

  36. 60enlevementepave
    April 17, 2014

    Reblogged this on Automobile 2014 and commented:
    Good blog ! I put that on my facebook !!
    See u..
    Fred

    http://www.enlevement-epave-ile-de-france-idf-60-77-78-75-91-92-93-94-95.fr/

  37. mrpatoh
    April 17, 2014

    Reblogged this on MrPatoh's Network.

  38. amlakyaran
    April 17, 2014

    very nice post…

  39. riterrick
    April 17, 2014

    Reblogged this on RiterRick.

  40. MissFit
    April 17, 2014

    It’s interesting. At some point long long ago we decided as a culture that it was a superior notion to divide ourselves into clans and specialize in certain areas of “civilization”. When we did this we operated on an honor code that the Butcher would do his best with the meat and the Baker with his bread because the Baker too wants meat and the Butcher bread… somewhere along the line we allowed the code to be corrupted. ..

  41. norhankeshik
    April 17, 2014

    Some people only trust because trusting is the only option they have. If you don’t trust the use of a particular app or website would you be willing to not use it or are you more likely to take the risk? I think most of us just take risks.

  42. rikstadelux
    April 18, 2014

    Reblogged this on rikstadelux and commented:
    The risks we take, glad to see they overcoming the bleeding bug.

  43. melissafergusson
    April 19, 2014

    Reblogged this on melissafergusson.

  44. neha2022
    April 20, 2014

    aww..

  45. vampirequeen1
    April 20, 2014

    nice post, i love your picture

  46. A.L.E.X.
    April 21, 2014

    Reblogged this on Yet another fine blog … 😀 and commented:
    While the emergence of the heartbleed’s bug, is terrible – to say the least. Still, I’d rather keep using open – free lunch – systems, as opposed to closed proprietary ones. Because God (or the flying spaghetti monster) forbid, if bugs in such systems, would never see the light of day.

  47. ijn1
    April 21, 2014

    Reblogged this on joe ijomah and commented:
    The heartbleed bug story

  48. sureshmano
    April 22, 2014

    Reblogged this on Interesting Topics about current trends and commented:
    nice post

  49. annkelley14
    April 24, 2014

    Reblogged this on Ann'sRazzJazz.
