The Internet is very convenient. You and I can find out what we want to know—and so can a whole bunch of other people. Here are three situations that give some idea of the scope:
The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the “catastrophic bug” known as Heartbleed, “On the scale of 1 to 10, this is an 11,” it’s safe to conclude that the Internet has a serious problem. The bug, which was announced on Tuesday—complete with an explanatory Web site and a bleeding-heart logo—is a vulnerability in a widely used piece of encryption software called OpenSSL.
Heartbleed is as bad as it is possible for a security flaw to be. It can be easily exploited by anyone on the Internet without leaving a trace, and it can be used to obtain login names, passwords, credit-card information, and even the keys that keep our encrypted communications safe from eavesdroppers. The bug first appeared in OpenSSL code that was released in March, 2012—so the vulnerability has been open to exploitation for more than two years. The Internet-security firm Netcraft reported that up to five hundred thousand sites thought to be secure were, in fact, vulnerable—including Twitter, Yahoo, Tumblr, and Dropbox.
But as with anything of this sort, we don’t know how serious it actually has been. The underlying problem is
How did such a catastrophic bug remain undetected for two years? OpenSSL, which is used to secure as many as two-thirds of all encrypted Internet connections, is a volunteer project. It is overseen by four people: one works for the open-source software company Red Hat, one works for Google, and two are consultants. There is nobody whose full-time job it is to work on OpenSSL.
The project’s code is more than fifteen years old, and it has a reputation for being dense, as well as difficult to maintain and to improve. Since the bug was revealed, other programmers have had harsh criticisms for what they regard as a mistake that could easily have been avoided. Theo de Raadt, the project leader for an open-source operating system called OpenBSD, put it bluntly in a message to a mailing list: “OpenSSL is not developed by a responsible team.” The portion of the code where the bug was found is written in a programming language called C, which was first developed, at Bell Labs, between 1969 and 1973. C is a finicky and old-fashioned language that puts great demands on programmers to manage the use of system memory. No modern language would let this sort of memory leakage take place, because newer languages automatically manage memory use.
It doesn’t seem like a class act to blame the volunteers who happened to be on duty. Essentially, most of the people who have been enjoying, using, or making money off the Internet have only been paying for security for their own operations, not for the system overall. But then the question is, who should we trust security to?
At 3:30 p.m., in the back office of Eleven Madison Park, maître d’ Justin Roller is Googling the names of every guest who will come in that night. It’s a well-known tactic of the restaurant, an effort to be as familiar as possible with the diners. Anyone can Google some names and faces, but Roller is going deeper. “I’m looking for chef’s whites and wine glasses,” he says. A shot of a guest wearing whites means a chef is probably coming to dinner. Wine glasses signify a potential sommelier (or at least a wine geek). This is just the beginning. If, for example, Roller discovers it’s a couple’s anniversary, he’ll then try to figure out which anniversary. If it’s a birthday, he’ll welcome a guest, as they walk in the door, with a “Happy Birthday.” (Or, if it seems to Roller that a guest prefers to keep a low profile, “I’ll let them introduce themselves to me,” he says.) Even small details are useful: “If I find out a guest is from Montana, and I know we have a server from there, we’ll put them together.” Same goes for guests who own jazz clubs, who can be paired with a sommelier that happens to be into jazz. In other words, before customers even step through the door, the restaurant’s staff has a pretty good idea of the things it can do to specifically blow their minds. More.
No surprise he can afford the time; his restaurant charges $225 per person. But while most of us won’t eat anywhere near that expensively, we may at some point buy a house or car. Negotiation partners are also likely looking up information about us on the Internet. The bottom line is, at one time, only well-known people were as easy to trace as most of us will soon be.
3. Government can now find out via monitoring the Internet who is talking to whistleblower journalists. (Feel safer?)
Journalists are fighting back: Here’s an example of how, as a result, some are starting to encrypt communication and stories in transit and why:
Denyse O’Leary is a Canadian journalist, author, and blogger.