If light policing and decentralization are the principal virtues of the Internet, they are not without their downsides. That much was made clear by the disclosure of a major vulnerability in OpenSSL—a cryptographic library at the heart of Internet security—that researchers have since dubbed the “Heartbleed” bug.
Up to two-thirds of websites—including major sites like Facebook and Google—relied on the flawed version of OpenSSL after the bug was introduced by a single German programmer in an update two years ago. The code was reviewed by an OpenSSL developer, but neither the programmer nor that developer noticed the flaw before it was adopted by millions of sites to encrypt sensitive information such as passwords, credit card numbers, and health records sent between users and company servers.
While there is no evidence that hackers exploited the bug to gain unauthorized access to information, the thought that the world’s most technologically sophisticated companies were unaware of a major security flaw for two years is not reassuring.
As it stands today, cybersecurity rests on a house of cards, with most Internet users relying on open-source software that usually works well. But when it doesn’t, it is up to the good will of cybersecurity researchers or self-motivated individuals to inform the rest of the world of the latest security vulnerabilities. Today, Internet usage is a necessity for most, but it is one that leaves us perpetually dependent on the kindness of strangers.
Broadly speaking, there are two groups that exploit security flaws like Heartbleed: criminals and intelligence agencies. And while it doesn’t appear that malcontented hackers made use of the loophole, an article published in Bloomberg alleged that the National Security Agency had known of the flaw and exploited it for years. The Obama administration and NSA have both issued denials.
Even if the NSA knew of Heartbleed, collecting vulnerabilities is not altogether sinister. After all, the essential job of the NSA is to get into places other people do not want it to be.
There is a broader conversation to be had about the wisdom of stockpiling so-called “zero-day vulnerabilities”—flaws for which developers have had zero days to prepare a fix. The President’s Review Group on Intelligence and Communications Technologies urged that the government “should generally move to ensure that zero days are blocked” and only use them rarely for “high priority intelligence collection.”
As the benefits from an Internet-dependent world accelerate, so too do the rewards of exploiting security flaws for intelligence agencies and criminals alike.
Striking the correct balance between the need for collectively decided security protocols and the value of decentralization will be a difficult task. But it is one that will need to happen soon.