If Mumsnet, which takes the privacy of its users very seriously, has been compromised by heartbleed, who is safe? Until I read that Mumsnet had been affected, I was planning to say that incidence shows the strength, as well as weakness, of the open source software that runs the Internet. If the Wikipaedia article on Heartbleed is correct is correct, the weakness may have been two years old but it was found, publicised and the source identifed rather faster than with comparable proprietary software. However, the source of the weakness, a lack of bounds checking , took me back to the days when I like to think I was competant.
Part of the acceptance testing of any new system when I worked at STC Microwave and Line in last 1960’s was the “peer review”. Thus, when I thought my first system was ready for customer testing, I had to put up £5 (£70 in today’s money). Any member of the department could then put up 10/- (£7 in today’s money) to wreck my system, using any possible means of sabotage – short of actually bribing the operators of our new IBM 360/40. To add insult to injury, failure also meant buying a round for the entire department. The chief programmer warned me that he would lead the assault by finding a weakness in my bounds checking. He failed. The systems analyst for whom I usually worked and the senior programmer in the bay next to me said they were not going to try because they had given their ideas on the short cuts I might have taken to the chief programmer. I drank free that evening with what my apprentice “masterpiece” intact.
When I see reports of systems being hacked because of lack of bounds checking and/or buffer overflow I groan at how much and how little the world has moved on. Of course bounds checking is a pain in the butt and it is lovely to have tools to help check that you have done the job, but this is not just a technical gripe.
Mumsnet runs forums where privacy, security and anonymity really matter, including for those at risk from violent partners and honour killings. If they have been compromised, who is safe?
The recommendations made as a result of the publicity for heartbleed do not help rebuild confidence: initially “change your password”, then “change your password, but do not do so until any infected systems you use have been updated to remove the vulnerabilty.”
Much better and clearer is the advice on the Get Safe On-line website.
Looking at the wider issues of confidence, if Government is serious about wanting more of us to transact with it on-line, then it needs to give far more support to Get Safe On-line as the UK’s “first stop shop” for guidance when incidents like this occur. In particular it should fund GSOL to serve as the “public face” of the new UK Cert when incidents like this occur. There is a link on the CERT website but where is the routine for e-mailing the technical correspendents of the media with a link to the relevant advice on the GSOL website with guidance on what do, as a result of the latest CERT alert?