US Government Is Paying To Undermine Internet Security, Not To Fix It

from the bleeding-heart-security dept

The Heartbleed computer security bug is many things: a catastrophic tech failure, an open invitation to criminal hackers and yet another reason to upgrade our passwords on dozens of websites. But more than anything else, Heartbleed reveals our neglect of Internet security.

The United States spends more than $50 billion a year on spying and intelligence, while the folks who build important defense software — in this case a program called OpenSSL that ensures that your connection to a website is encrypted — are four core programmers, only one of whom calls it a full-time job.

In a typical year, the foundation that supports OpenSSL receives just $2,000 in donations. The programmers have to rely on consulting gigs to pay for their work. "There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work," says Steve Marquess, who raises money for the project.

Is it any wonder that this Heartbleed bug slipped through the cracks?

Dan Kaminsky, a security researcher who saved the Internet from a similarly fundamental flaw back in 2008, says that Heartbleed shows that it's time to get "serious about figuring out what software has become Critical Infrastructure to the global economy, and dedicating genuine resources to supporting that code."

The Obama Administration has said it is doing just that with its national cybersecurity initiative, which establishes guidelines for strengthening the defense of our technological infrastructure — but it does not provide funding for the implementation of those guidelines.

Instead, the National Security Agency, which has responsibility to protect U.S. infrastructure, has worked to weaken encryption standards. And so private websites — such as Facebook and Google, which were affected by Heartbleed — often use open-source tools such as OpenSSL, where the code is publicly available and can be verified to be free of NSA backdoors.

The federal government spent at least $65 billion between 2006 and 2012 to secure its own networks, according to a February report from the Senate Homeland Security and Government Affairs Committee. And many critical parts of the private sector — such as nuclear reactors and banking — follow sector-specific cybersecurity regulations.

But private industry has also failed to fund its critical tools. As cryptographer Matthew Green says, "Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding so they can keep doing their job."

In the meantime, the rest of us are left with the unfortunate job of changing all our passwords, which may have been stolen from websites that were using the broken encryption standard. It's unclear whether the bug was exploited by criminals or intelligence agencies. (The NSA says it didn't know about it.)

It's worth noting, however, that the risk of your passwords being stolen through Heartbleed is still lower than the risk of your passwords being taken from a website that failed to protect them properly. Criminals have so many ways to obtain your information these days — by sending you a fake email from your bank or hacking into a retailer's unguarded database — that it's unclear how many would have gone to the trouble of exploiting this encryption flaw.

The problem is that if your passwords were hacked by the Heartbleed bug, the hack would leave no trace. And so, unfortunately, it's still a good idea to assume that your passwords might have been stolen.

So, you need to change them. If you're like me, you have way too many passwords. So I suggest starting with the most important ones — your email passwords. Anyone who gains control of your email can click "forgot password" on your other accounts and get a new password emailed to them. As a result, email passwords are the key to the rest of your accounts. After email, I'd suggest changing banking and social media account passwords.

But before you change your passwords, you need to check whether the website has been patched. You can test whether a site has been patched by typing its URL here. (Look for the green highlighted "Now Safe" result.)

If the site has been patched, then change your password. If the site has not been patched, wait until it has been patched before you change your password.

A reminder about how to make passwords: Forget all the password advice you've been given about using symbols and not writing down your passwords. There are only two things that matter: don't reuse passwords across websites, and the longer the password, the better.

I suggest using password management software, such as 1Password or LastPass, to generate the vast majority of your passwords. For email, banking and the master password to your password manager, I suggest a method called Diceware, which picks random words from a word list. If that seems too hard, just make your password super long — at least 30 or 40 characters, if possible.

Republished from ProPublica

Heartbleed Explanation

Reader Comments

  1. Anonymous Coward, Apr 18th, 2014 @ 10:06am

    Get with the programme.

    Blame those who "exploit" the bug. Not those who don't donate the $2000 (total yearly) for the tech they use. They've done nothing wrong.

  2. aldestrawk (profile), Apr 18th, 2014 @ 10:21am

    I believe the gist of this story is not so much blaming someone; it's that both government and industry rely on an Internet which needs funding for critical areas involving security. One of the NSA's primary roles is ensuring the security of the Internet. That role can be filled by a government agency that provides, at least, funding to create and maintain the underlying code. There will never be trust in code used for confidentiality and authentication unless it is open source. Also, as many people are saying, the NSA can't play this role when it also has the role of spying on communications.

  3. Manok, Apr 18th, 2014 @ 10:27am

    Shelling out multiples of $1,000,000,000 for buying 12 person startups, and then not being able to toss OpenSSL a bone? Priorities have gone askew!

  4. Anonymous Coward, Apr 18th, 2014 @ 10:39am

    Nice obligatory xkcd!

  5. aldestrawk (profile), Apr 18th, 2014 @ 10:56am

    password length

    It is good advice to suggest longer passwords. Unfortunately, many websites have a length limit which is too short. My credit union, a Silicon Valley financial institution no less, had an upper limit of 12 characters for passwords used for online banking. I discussed the problem of such a limit with them 3 months ago. As it happened, they were in the midst of making changes directed towards making the site more secure. As a result, they increased the limit to 20 characters, which is tolerable but not ideal.

    A randomly generated password of 12 characters, using a good sized character set significantly larger than the set of alphanumeric characters, is fairly safe. This works well if you use a password manager and don't have to type, much less memorize, such a password. Passwords that don't require a lot of effort to memorize contain less entropy, so they need to be longer to be secure. I suggest 20 characters as a minimum. I used to use book titles along with a random 4 digit number. No longer is that safe. Now, for my 94 passwords, I use random sentence fragments from books along with numbers (I won't disclose any more, security through obscurity does have limited value). I keep all my passwords in an encrypted file. I find I can remember passwords that I use at least once a week. I don't need mobile access so I have not utilized a password manager. My solution is not the only good one and I do test it with a password cracker.

  6. Anonymous Coward, Apr 18th, 2014 @ 11:06am

    Do NOT use any real words in a password. Period. Very few attacks use a true brute force method, they almost always start with a dictionary.

  7. Anonymous Coward, Apr 18th, 2014 @ 11:09am

    Response to: Anonymous Coward on Apr 18th, 2014 @ 10:06am

    When a company profits billions of dollars a year without giving a dime back, that's wrong in my book.

  8. Tom Ward, Apr 18th, 2014 @ 11:16am

    Actually, the market determines how much security is needed. Target failed to keep their customers' data secured, they lost business, and you better believe they will have tighter security in the future than most other retailers. Same exact freaking thing will happen with the internet and SSL.

    Heartbleed = overblown. Your article = nonsense.

  9. Anonymous Coward, Apr 18th, 2014 @ 11:40am

    I used that xkcd to explain to my mom what heartbleed was. She was calling it "the heartbleed virus".

  10. Anonymous Coward, Apr 18th, 2014 @ 11:54am

    "overblown"? Feh.

    You clearly have failed to understand even the merest rudiments of security. I suggest extensive remedial education, starting with "everything ever written by Schneier, Bellovin, Cheswick, Spafford, Ranum, Felten, Edelmen, Ferguson, Halderman, Forno, Appelbaum, Kaminsky, Vixie, Soghoian, Zalewski, Marlinspike, Honeyman, and anybody that's part of Team Cymru".

  11. Rollie, Apr 18th, 2014 @ 11:54am

    What a coincidence, the US govt. seems to be working counter to the interests of its citizens. I'M SURE IT'S JUST A FLUKE.

  12. Derek Kerton (profile), Apr 18th, 2014 @ 12:09pm

    Love it. One libertarian tries to school another.

    Let's assume that you're correct: that the market will fix the problem. How long after the first major, publicly sensational breach, do you think the market should take to respond?

    Cuz, I'm thinking, if your assertion is correct, the market would have responded by now. There has been breach after breach, as long as there has been a www. Somehow, the market hasn't fixed the problem.

    Your libertarian utopia would require perfect information for the market to function perfectly. Consumers would have to know exactly what kind of security each vendor offered, and UNDERSTAND that technology, and understand the risk profile it presents. Consumers would have to have that information each time they buy something like bedsheets from either or Sound reasonable to you?

  13. aldestrawk (profile), Apr 18th, 2014 @ 12:19pm

    I agree that a single word, either untouched or mangled, is not secure. This is true regardless of what language is used. Back in the 90's I used to use Hungarian words thinking that language was fairly obscure, only 11 million speak it. Wrong, it is now one of the standard languages used for dictionary attacks.

    The current state of password cracking allows secure use of passphrases though. A coarse attack against a passphrase using a dictionary of 20,000 words requires an effort of 20,000^N, where N is the number of words. If N is 2 that effort is 400,000,000 (actually 200 million on average). This is still not secure. 3 words requires an average effort of 4 trillion guesses. This is still not secure, particularly if the words are not random but a sentence fragment. The security can be increased with mangling, but it is better to choose a basic length without considering mangling. 5 random words requires an average effort of 1.6 × 10^21. This is very roughly equivalent to a binary key of length 70 (70 bits of entropy) and with mangling can approach a password that, depending on the hashing algorithm employed, even the NSA will, currently, have a hard time cracking in a reasonable time. If one uses a larger dictionary, say 1 million words including all sorts of technical words, a random 3 word passphrase requires an effort of, roughly, 10^18 guesses.
    Finally, if a nonrandom, grammatical phrase is used, it should not be well known (e.g. book title, song title, lyric, famous quote, or a spelled-out TLA).

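The arithmetic in the comment above and the article's Diceware recommendation, worked through as an added example (my code, not the article's or the commenter's): guess counts and entropy for random words drawn from dictionaries of the sizes the comment uses, a Diceware-style picker driven by the CSPRNG, and how many words it takes to match a 12-character random password. The 16-word SAMPLE_WORDS list is constructed for the demo; a real Diceware list has 7776 entries, which is the size the entropy figures use.

```python
import math
import secrets

# Word-list and alphabet sizes used below. DICEWARE_SIZE is the standard
# Diceware list (five dice, 6^5 words); 94 is printable ASCII without space.
DICEWARE_SIZE = 6 ** 5            # 7776
PRINTABLE_ASCII = 94

# Constructed sample list standing in for a real Diceware word list.
SAMPLE_WORDS = ["acorn", "basket", "cobalt", "dune", "ember", "fjord",
                "glyph", "harbor", "ivory", "jungle", "kettle", "lumen",
                "marble", "nickel", "orbit", "pylon"]


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets: alphabet_size ** length."""
    return alphabet_size ** length


def average_guesses(alphabet_size: int, length: int) -> float:
    """Expected work for an exhaustive attacker: half the space."""
    return guess_space(alphabet_size, length) / 2


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Fewest uniformly chosen words from dict_size giving >= target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def diceware_passphrase(words: list[str], n_words: int) -> str:
    """Pick n_words uniformly with a CSPRNG, as Diceware does with dice.

    The strength comes from uniform random choice over a known list,
    not from keeping the list secret.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # The comment's figures: a 20,000-word dictionary, 2, 3 and 5 random words.
    for n in (2, 3, 5):
        print(f"{n} words from 20,000: avg {average_guesses(20_000, n):.3g} guesses,"
              f" {entropy_bits(20_000, n):.1f} bits")
    print(f"3 words from 1,000,000: {guess_space(1_000_000, 3):.3g} guesses")
    # The article's advice: Diceware versus a 12-character random password.
    bits12 = entropy_bits(PRINTABLE_ASCII, 12)
    print(f"12 random printable chars: {bits12:.1f} bits;"
          f" needs {words_needed(DICEWARE_SIZE, bits12)} Diceware words")
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 5),
          f"({entropy_bits(len(SAMPLE_WORDS), 5):.0f} bits with a 16-word list)")
```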

  14. Anonymous Coward, Apr 18th, 2014 @ 12:52pm

    Great advice Mike! I personally prefer KeyPass for Windows and KeyPassX for Linux. The reason I prefer KeePass over LastPass is due to KeePass being an offline password manager. This means the FISC court can't compel a company to push a backdoor update to a specific user, through the use of National Security Letters.

    Plus, KeyPass is free and open source software. :)

  15. Anonymous Coward, Apr 18th, 2014 @ 12:52pm

    Re: Re:

    That's because the news was calling it a virus. It boiled my blood when I heard that.

  16. John Fenderson (profile), Apr 18th, 2014 @ 2:04pm

    "the market determines how much security is needed."

    The market determines the minimum amount of security that people will put up with. This is substantially less than how much security is needed.

  17. Anonymous Coward, Apr 18th, 2014 @ 2:11pm

    "No trace"

    "The problem is that if your passwords were hacked by the Heartbleed bug, the hack would leave no trace."

    Not *necessarily* true. Such a hack leaves no trace in standard web server (or other application) logs.

    However, either compiling with debug logging enabled, or recording IP traffic with a sniffer or logging firewall and decrypting with the web site's certificates shows the exploit attempt.

    The security community has rapidly responded to Heartbleed and most of the major intrusion detection products now pick up Heartbleed.

    Google "snort heartbleed" for one example.

    It's true that a lot of media folk and Internet startups don't run an IDS. Any financial institution and most publicly traded companies will have one though.


  18. Anonymous Coward, Apr 18th, 2014 @ 4:21pm

    Spelled KeePass wrong

    I meant to say KeePass. I also meant to say Julia, not Mike. Oops!

  19. Second Reasoner, Apr 18th, 2014 @ 11:17pm

    Let's go one step further here with the blame:

    There's an editorial from Tim Berners-Lee emphasizing heavily that OpenSSL is mostly maintained by 4 EUROPEAN programmers, but used extensively by AMERICAN corporations, and that it is a disgrace that the product is not supported more by those who benefit from it.

    Now I'm not sure why Tim would emphasize the EUROPEAN part, without pointing out why that is the case: Because most open source products dealing with cryptography are maintained and developed by non-Americans and have to put restrictions on the participation of Americans because .... of US government policy reaching back decades....

  20. Anonymous Coward, Apr 19th, 2014 @ 2:01am

    -Do NOT use any real words in a password. Period

    That is dumb advice; there are more words than characters, so words have more entropy.
    Using twelve words for your password is just as safe, if not safer, than using twelve characters in your password.
    Twelve words also has the benefit of being easier to remember.

    Which password is easier to brute force crack?
    Which one is easier to remember?
    A: "1/d#dkD'QBgn"
    B: "my dog ate my homework and the teacher did not believe me."

  21. Anonymous Coward, Apr 19th, 2014 @ 2:13am

    Re: "No trace"

    It is not always possible to decrypt logged SSL traffic even if you have the site's private keys. So no, it is not as simple as you stated.

    Modern browsers implement forward secrecy, now we just need to get all websites to support it too.

  22. Anonymous Coward, Apr 19th, 2014 @ 6:36am

    I was being snarky... just finished reading that Canadian Kid story and was pissed.

    It's one of the few articles written by a writer who "gets it".

    If security is the NSA's job then they are to blame.
    The companies that use openssl and didn't support it are also at fault.

    The PR and "viral marketing" say otherwise. That Canadian kid is to blame. It was a bug that they could do nothing about. Remember that Canadian kid? Yeah, that evil kid is to blame. This [insert corp here] did nothing wrong.

    There are way too many idiots who fall for "viral marketing" spin and PR. They can't blame the coders though. They won't. It exposes how awful they were by not funding the coders. ($2000 per year) what?

    These types of stories come up from time to time (a voice using facts against a PR campaign). I regret that the writer is pissing in the wind. It literally is sad. All the blame will go to everyone except those who should be blamed. PR will make it happen and idiots will lap it up.

    There is "at fault" here. PR is misdirecting it.

  23. Anonymous Coward, Apr 19th, 2014 @ 6:52am

    59 character "WPA2 password" master race reporting in.

    Brute force OR dictionary style attacks is what you are generally defending against. If you have to physically remember a pass, make it lots of words in a unique custom sentence. Replacing some letters with symbols, capitals and numbers will massively secure it further.

  24. Clownius, Apr 20th, 2014 @ 11:46am

    Re: Re:

    It's a sentence, which is a silly thing to use.

  25. Pragmatic, Apr 22nd, 2014 @ 9:12am

    Re: Re:

    Libertarianism is a misnomer, and assumes a golden state of affairs where there is equal opportunity to enter "the market" and enough information available to make informed decisions.

    That whole "Private enterprise can do no wrong" idea is overblown.

    That's not the most annoying thing about them, though. It's the way they mendaciously reframe common concepts to create a false impression of the issues that grinds my gears.

    The demand side of the market will not force the supply side to sort out security because the vast majority of us don't understand the complexities of encryption and security online. Okay, I don't understand the complexities of encryption and security online. I just know that the one time I fell for a phishing scam I had to change my passwords, no biggie. I've been more careful about following links that ask me to log in, i.e. provide my username and password, since then. Am I really the only one?

    John Fenderson is right, per my personal experience.

    Again, "the market" won't solve the problem because "the market" is not a single entity. It's not even a gestalt of supply and demand. It's a hell of a lot more complex than that because it's made up of individuals and is therefore incapable of solving problems in and of itself. Can we please stop pretending that it can?

  26. Anonymous Coward, Apr 23rd, 2014 @ 4:53pm

    Re: password length

    What's worse is when a bank (like mine) has no upper limit, but they only use the first 8 characters of input.

  27. GEMont (profile), Apr 24th, 2014 @ 8:52pm

    Am I misreading this whole thing, or doesn't the virus in question leak data? If it leaks data and your brand spanking new 32 character Password is data, then what's to stop your new password from being leaked into the same hands that have been milking this cow for 2 years???

    I can't help but get this feeling that the "instruction" to create a new password, is nothing more than an attempt to make the public "feel" secure in a totally insecure situation and make those responsible for the situation appear to be "on top of the problem".

    Tell me my new password is somehow safe from the HeartBleed Virus.

  28. Delroy Arnett, Jul 30th, 2014 @ 1:00am

    CYBER CRIME => a Global Nightmare!

    YOUR Current Anti-Virus Protection Software CANNOT Stop these Cyber Crimes because they operate in REAL TIME unless you have been educated and presented with the BEST CYBER PROTECTION in the World.
