Heartbleed

So, Heartbleed. Straight-up dodged a bullet on this one at $WORK: we use CentOS 5 for nearly everything, and it does not come with a vulnerable version of OpenSSL -- it's stuck at 0.9.8something. As for home servers, I'm using Debian 7; IMAP was affected, and so was the HTTPS I run on my own site. I need to change the certs for those, but it's a low priority. I've been reading lots of assurances from my banks that they weren't affected, so there's that. I haven't dug into my wireless router yet, but the news cannot possibly be good.
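The first-pass triage described above (is this box running a vulnerable OpenSSL build or not?) can be scripted from the `openssl version` banner. The following is an added example, not code from the post; it encodes the publicly advised affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release) and assumes nothing beyond that. The sample banners in it are constructed. One caveat a practitioner wants: distributions such as Debian and CentOS backport fixes without bumping the upstream letter, so a "1.0.1e" banner on a patched box is a false positive and the package changelog, not the banner, is the final word.

```python
import re

# Affected upstream releases per the 2014-04-07 OpenSSL advisory: 1.0.1 and
# 1.0.1a through 1.0.1f, plus the 1.0.2-beta1 pre-release. 1.0.1g is the fixed
# release; the 0.9.8 and 1.0.0 branches never carried the heartbeat code.
AFFECTED_101_LETTERS = set("abcdef")

# Matches banners like "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 ..."
# and vendor-tagged builds such as "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, tag) parsed from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, fix, letter, tag = m.groups()
    return (int(major), int(minor), int(fix), letter, tag or "")


def heartbleed_exposed(banner):
    """True if the upstream version in the banner is in the affected range.

    This is a version-string check only. A vendor that backported the fix
    (Debian and Red Hat both did) keeps the old letter, so a True here means
    "verify against the package changelog", not "confirmed vulnerable".
    """
    major, minor, fix, letter, tag = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # plain 1.0.1 and 1.0.1a..1.0.1f shipped the bug; 1.0.1g fixed it
        return letter == "" or letter in AFFECTED_101_LETTERS
    if (major, minor, fix) == (1, 0, 2):
        # only the first 1.0.2 beta carried the bug
        return tag.startswith("beta1")
    return False


def triage(hosts):
    """Map {host: banner} to the follow-up action for each host.

    Exposed hosts need the library patched first and the certificate reissued
    afterwards, because the private key may have been read out while the
    vulnerable build was serving.
    """
    actions = {}
    for host, banner in hosts.items():
        if heartbleed_exposed(banner):
            actions[host] = "patch OpenSSL, then reissue cert and revoke old one"
        else:
            actions[host] = "not affected by version; no action"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory, roughly the mix described in the post.
    sample = {
        "centos5-box": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
        "debian7-imap": "OpenSSL 1.0.1e 11 Feb 2013",
        "fixed-host": "OpenSSL 1.0.1g 7 Apr 2014",
    }
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```

Run it against the output of `openssl version` collected from each host; anything flagged gets confirmed against the distribution's package changelog before the certificate is rotated.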

The reading about this has been really, really interesting. First, hot off the presses, XKCD has a truly awesome explanation of the bug:

Original hover text: "Are you still there, server? It's me, Margaret."

I am in awe of someone who can explain things this clearly.

Next, there's this from @Indy_Griffiths on Twitter:

Everybody!

But enough with the funny. My new favourite blogger, Patrick McKenzie, writes about "What Heartbleed Can Teach The OSS Community About Marketing". You really need to read the whole thing, but here are just a few choice bits:

There exists a huge cultural undercurrent in the OSS community which suggests that marketing is something that vaguely disreputable Other People do which is opposed to all that is Good And Right With The World, like say open source software. Marketing is just a tool, and it can be used in the cause of truth and justice, too.

As technologists, the Heartbleed vulnerability posed an instant coordination problem. We literally had to convince hundreds of thousands of people to take action immediately. The consequences for not taking action immediately were going to be disastrous. [...]

Given the importance of this, we owe the world as responsible professionals to not just produce the engineering artifacts which will correct the problem, but to advocate for their immediate adoption successfully. If we get an A for Good Effort but do not actually achieve adoption because we stick to our usual "Put up an obtuse notice on a server in the middle of nowhere" game plan, the adversaries win. [...]

This makes marketing an engineering discipline. We have to get good at it, or we will fail ourselves, our stakeholders, our community, and the wider world.

"This makes marketing an engineering discipline." That stopped the coffee cup halfway to my mouth, I tell you what.

Then, awaking from a yearlong hibernation, Dan Kaminsky wrote about the failure of, like, everything that led to Heartbleed. Quote:

The larger takeaway actually isn't "This wouldn't have happened if we didn't add Ping", the takeaway is "We can't even add Ping, how the heck are we going to fix everything else?".

The Wall Street Journal wrote two days ago:

Matthew Green, an encryption expert at Johns Hopkins University, said OpenSSL Project is relatively neglected, given how critical of a role it plays in the Internet. Last year, the foundation took in less than $1 million from donations and consulting contracts.

Donations have picked up since Monday, Mr. Marquess said. This week, it had raised $841.70 as of Wednesday afternoon.

I'm gonna give this a couple weeks to calm down, then I'm sending them a hundred dollars. It's not much, and Lord knows it's way short of the sustainable funding they should really have, but it's something.

(Incidentally, if you aren't following Runa A. Sandvik, Colin Percival, Matthew Green, and Matt Blaze on Twitter, you're missing out on some really interesting conversations by people who know what they're talking about.)

And now it's time to post.