Don't Lose Sleep Over Heartbleed Hysteria
Published: 17th April 2014 04:00 PM
Security software is a huge industry that has a vested interest in keeping us afraid
Remember Lovebug? This was the computer virus that swept through a young and fresh-faced internet in May 2000. Back then we were told it would do to cyberspace what the Black Death had done to Europe in the 14th century. We all got funny emails with "ILOVEYOU" attachments and when we tried to open them our computers exploded.
Or rather they didn't, though you wouldn't have known that from the hysteria. Then along came MyDoom, Netsky, Witty and Melissa and, now, the deliciously named Heartbleed bug, which the US security expert Bruce Schneier has described as "catastrophic" and which has got the internet in such a tizzy that Heartbleed now has its own website and even a logo. Apparently, all our personal details are up for grabs, our bank accounts will be emptied and someone in a dark lair stroking a white cat will become privy to the name of our first pet and our memorable place.
Heartbleed is not a virus, but a glitch in a piece of software called OpenSSL, which is used by about 60 per cent of all websites to ensure a basic level of security. A simple programming mistake opened a loophole whereby it was possible for someone with malicious intent to gobble up the contents of any computer hard drive (including stored passwords) 50 kilobytes at a time.
One of the sites affected by Heartbleed was Mumsnet, whose users have been warned to change their passwords. Once again, fear stalks the silicon corridors of cyberspace. But here's the thing. In each and every one of these cases the hype, hysteria and panic were unmatched by what actually happened - and my guess is that Heartbleed will, once again, be the wolf that fails to show up at the door.
Software engineers wrote patches for bugs, created anti-virus software to defeat the malware and the internet marched on unscathed. Heartbleed itself has, it seems, been more or less fixed. As Professor Alan Woodward, a computer scientist at Surrey University, says: "There is nothing like a headline saying 'the internet is on fire' to get everyone panicking. But the truth is it is very difficult to bring the internet down."
You would have thought this would have sunk in by now. The fact that it hasn't shows what an extraordinary machine the internet is - quite different to any technology that has gone before it. When the Lovebug struck, few of us lived our lives online. Back then we banked in branches, shopped in shops, met friends and lovers in the pub and obtained jobs by posting CVs. Tweeting was for the birds. Cyberspace was marginal. Now, for billions, the online world is their lives. But there is a problem. Only a tiny, tiny percentage of the people who use the internet have even the faintest clue about how any of it works. "SSL", for instance, stands for "Secure Sockets Layer".
I looked it up and sort of understood it - for about five minutes. While most drivers have at least a notion of how an engine works (something about petrol exploding in cylinders and making pistons go up and down and so forth) the very language of the internet - "domain names" and "DNS codes", endless "protocols" and so forth - is arcane, exclusive; it is, in fact, the language of magic. For all intents and purposes the internet is run by wizards.
And the trouble with letting wizards run things is that when things go wrong we are at their mercy. The world spends several tens of billions of pounds a year on anti-malware programs, which we are exhorted to buy lest the walls of our digital castles collapse around us. Making security software is a huge industry, and whenever there is a problem - either caused by viruses or by a glitch like Heartbleed - the internet security companies rush to be quoted in the media. And guess what, their message is never "keep calm and carry on". As Professor Ross Anderson of Cambridge University says: "Almost all the cost of cybercrime is the cost of anticipation."
No wonder the rumour that some of the nastiest viruses are created not by some teenage geek in a malodorous Shanghai bedroom but by the anti-virus companies themselves is so persistent.
A few years before the Lovebug virus struck, internet users got into an even greater panic courtesy of the Millennium Bug. This was a software glitch that was going to be the end of the world as we knew it. There were confident predictions that the global banking system would collapse; even that the Third World War would start. IT consultants rubbed their hands with glee as we happily handed over between $0.3 trillion and $1.4 trillion (estimates vary) to make Y2K go away. The whole thing was hype, of course, but that is the thing with wizards; they are very good at magicking money out of thin air and gullibility.
'In the Interests of Security' by Michael Hanlon and Tracey Brown will be published by Little Brown in July