Users’ Stark Reminder: As Web Grows, It Grows Less Secure
April 11, 2014
"Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten of Princeton.
Eva Russo/Momenta Creative
It was the computer programming equivalent of misspelling Mississippi — an error at once careless, inevitable and hard for most human eyes to spot.
The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers’ online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” said Edward Felten, a computer security expert at Princeton University.
In some ways, the tech world today resembles the chaotic, unruly days of other essential industries, including the meatpacking industry depicted in Upton Sinclair’s “The Jungle” and the automobile business portrayed in Ralph Nader’s “Unsafe at Any Speed.” While those industries were made safe by a combination of regulation and industrywide cooperation, progress took time, and it came through trial and error.
But it’s not clear that the same solutions will work with technology. We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety. We’re constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable.
Even though security is an increasing area of concern for large technology companies, it is often considered an afterthought rather than an essential part of building all the goodies we use. Experts say that while instituting a more secure tech culture is possible, it will require a long-term investment in educating software engineers and improving core technologies.
“There’s a level of care in designing systems and sweating the details of their operations that’s missing in the culture of software development,” Mr. Felten said. “We don’t have the kind of safety culture that is common in fields such as aviation.”
That’s because enhanced safety will surely cost consumers in speed, novelty and convenience.
“We have standards for coding in mission-critical systems like the airline industry, but I’m not sure we would want those standards applied everywhere,” said Matthew Green, a cryptographer and research professor at Johns Hopkins University. Such strict standards require programmers to spend significantly more time testing their work — and neither technology companies nor consumers can stomach such delays. “I don’t think we want to wait 20 years for the next Google and Facebook,” Mr. Green said.
Like other similar bugs found recently — including one in Apple’s mobile and desktop devices — the Heartbleed flaw had gone unnoticed for years. As far as researchers can tell, the problem was introduced by a programmer making a routine coding change on New Year’s Eve in 2011. OpenSSL, the software library in which the error was found, is an open-source program, which means that its code is published online, where anyone can read it and propose changes. In theory, such code is supposed to be more secure from bugs than a closed system; with enough programmers checking the code, the flaw should have been quickly detected.
But apparently that did not happen. “There just weren’t enough eyeballs on this — and that’s very bad,” Mr. Green said.
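The article describes the error only as a careless slip in a routine change. What that slip amounted to, in the widely reported account of the bug, was a missing bounds check: the heartbeat handler copied as many bytes as the peer's own length field claimed, without confirming that many bytes had actually arrived. The C program below is an added illustration written for this page, not OpenSSL's code; the record layout is simplified, the buffer called `g_memory` and the stand-in secret `SESSION-KEY` are constructed for the demonstration, and the function names are hypothetical. It shows the unchecked handler beside the corrected one, with the check the fix added: the claimed payload plus padding must fit inside the record that was received.

```c
/* Simplified model of the TLS heartbeat bounds-check bug (added example, not OpenSSL code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16            /* heartbeat messages carry at least 16 bytes of padding */

/* Constructed "process memory": the received record followed by unrelated data.
   The demo keeps every claimed length small enough to stay inside this array,
   so the over-read is observable without the program itself misbehaving. */
static uint8_t g_memory[64];
static uint8_t g_out[3 + 65535 + HB_PADDING];   /* large enough for any 16-bit claim */

/* Lays out a heartbeat request that claims `claimed_len` payload bytes but really
   carries `actual_len`, then places a stand-in secret right after the record.
   Returns the true length of the record as received. */
static size_t build_memory(uint16_t claimed_len, size_t actual_len) {
    const char *secret = "SESSION-KEY";               /* constructed, not real key material */
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(claimed_len >> 8);        /* 2-byte big-endian payload length */
    g_memory[2] = (uint8_t)(claimed_len & 0xff);
    memset(g_memory + 3, 'A', actual_len);            /* the payload bytes actually sent */
    memset(g_memory + 3 + actual_len, 0, HB_PADDING); /* padding */
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(g_memory + record_len, secret, strlen(secret));
    return record_len;
}

/* Before the fix: the peer's length field is trusted and the real record length is
   never consulted, so the copy runs off the end of the record into adjacent memory. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* over-read happens here */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* After the fix: a request whose claimed payload and padding do not fit inside the
   bytes actually received is silently discarded (returns 0) instead of echoed. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING)                 /* too short to hold even an empty payload */
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;                                     /* the bounds check that was missing */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* now provably inside the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Runs one handler over the constructed memory. Returns the response length
   (0 = request discarded) and sets *leaked if the adjacent secret shows up in it. */
static size_t run_handler(size_t (*hb)(const uint8_t *, size_t, uint8_t *),
                          uint16_t claimed_len, size_t actual_len, int *leaked) {
    size_t rec_len = build_memory(claimed_len, actual_len);
    memset(g_out, 0, sizeof g_out);
    size_t n = hb(g_memory, rec_len, g_out);
    *leaked = 0;
    for (size_t i = 0; i + 11 <= n; i++)
        if (memcmp(g_out + i, "SESSION-KEY", 11) == 0)
            *leaked = 1;
    return n;
}

int main(void) {
    int leaked;
    /* A request that sends 4 payload bytes but claims 40. */
    size_t n = run_handler(heartbeat_vulnerable, 40, 4, &leaked);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_handler(heartbeat_fixed, 40, 4, &leaked);
    printf("fixed: %zu-byte response (0 = discarded), secret leaked: %s\n", n, leaked ? "yes" : "no");
    /* An honest request, 4 bytes claimed and 4 sent, still gets its echo from the fixed handler. */
    n = run_handler(heartbeat_fixed, 4, 4, &leaked);
    printf("fixed, honest request: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The point the article makes about "human eyes" is visible in the diff between the two handlers: the vulnerable version is not wrong in any line a reviewer would stare at, it is wrong in a line that is absent. Reading `rec_len` and comparing it against the claimed length is the whole fix.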
One problem might be basic economics. Many huge Internet companies depend on free technologies like OpenSSL to run their systems, but they don’t always return resources to the small teams that create the code. “If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won’t happen again,” Mr. Green said.
Unlike other potentially dangerous corners of modern life, like aviation or health care, the tech industry is unusually volatile. The companies that run the show today will inevitably be usurped by newer ones that offer supposedly better ways of doing things. Such constant upheaval makes industrywide coordination on security more difficult.
“I’m not sure there’s any other industry that handles as much change and as much usage in such a short amount of time,” said Kurt Baumgartner, a researcher at Kaspersky Lab, a digital security firm. Still, Mr. Baumgartner contends that the field is getting better. Compared with the slow, haphazard way that companies once responded to security threats, the industry’s response to Heartbleed was “pretty responsibly coordinated,” he said. Many large companies fixed their services before the problem was disclosed. “On the whole, things have been improving.”
But is it improving enough to keep up with an increasingly determined set of attackers? According to a recent study by Risk Based Security, a threat research firm, there were more than 2,000 data security breaches in 2013. The good news is that the number of intrusions was down from 2012, when more than 3,000 episodes were reported. The bad news is that the smaller number of attacks in 2013 resulted in more damage — about 814 million data records were exposed during the year (including the credit card you used at Target), about twice as many as in any other previous year on record.
The numbers point to another factor that adds to the difficulty in addressing digital threats: Attackers are intelligent, so, frequently, advances in security are matched by advances in attacks. This makes online security a more complicated problem than, say, improving the safety of automobiles.
If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one. “Over all, attackers have the competitive advantage,” said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. “Defenders need to defend everything. All attackers need to find is one vulnerability.”
If you aren’t worried enough yet, there’s one more reason to expect digital technology to remain prone to errors. “There’s an underlying process here, which says that as devices get more memory or power, people add more complexity to a product — until it becomes so complicated that it’s too difficult to understand,” Mr. Felten said. That “smart” watch you’re wearing today might not be very complex, but in a few years’ time, smartwatches might run processors that are as powerful as those in today’s laptops.
Companies will create hundreds of apps to take advantage of that power, and you’ll probably install them, because they’ll make your life more convenient or more fun. You’ll pour all your most precious data into your watch. Suddenly, without your noticing it, your watch will have become a target. And among those apps will be some threat that no one had anticipated. “As our engineering methods get better, our products get more complicated, so we’re always out at the edge of complexity that our engineering processes can handle,” Mr. Felten said.
Does this mean we’re doomed? Not necessarily; researchers are gratified that large hacks and vulnerabilities are receiving more attention, which might push the industry and consumers to take security more seriously. “Within the past year or so, it’s interesting to see how high-profile these threats have become,” Ms. Weedon said. “Now average people are talking about how to patch their systems. And that’s the best we can hope for, for now.”