Originally, my AtoZchallenge was gonna be about writing, marketing and tech, so today, it seems only right to encourage everyone to understand what’s going on right now on the internet. And I hate to say it, but this has been a while coming.
I didn’t even know about this. I don’t think anyone did, but lots of pundits in the internet security community are telling us that this bug has been in place for two years. And yet… all of the big breaches and big data losses have been tracked down pretty fast, and I don’t believe any of them has been attributed to this.
Do I believe that hackers are sitting on information they’ve stolen over the last two years?
No, I don’t. I think if they’d really been serious about exploiting this, they’d have done it by now. Someone would have put two and two together.
But is this really serious? Yes, I think it is. And I think it warrants looking at how we use passwords and security (and lack of it online) in general.
My understanding of this…
Basically, Heartbleed comes down to one function in OpenSSL’s TLS heartbeat extension (the bug is in OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g) not checking the length of a message. A heartbeat request carries a small payload plus a field saying how long that payload is, and the server is supposed to echo the payload back. The broken code copied as many bytes as the request *claimed* to contain, not as many as it actually contained. So a request that claims 64 KB of payload while sending a handful of bytes gets back up to 64 KB of whatever happened to sit next to it in the server’s memory: other people’s session cookies and passwords, or even the server’s private key. An attacker can repeat that as often as they like, and it leaves no trace in ordinary web-server logs.
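To make the mechanism concrete, here is an added example of my own (it is not OpenSSL’s code and not part of the original post) that models the heartbeat handler in C: a vulnerable version that trusts the declared payload length, beside the fixed version that checks that length against the record actually received. The wire layout (type byte, 2-byte big-endian length, payload, 16 bytes of padding) follows the real heartbeat message format; the `memory` array, the planted `session_cookie` string and the function names are constructed for the demonstration and stand in for whatever a real server has sitting next to the record.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * The handler must echo the payload back to the peer. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Simulated process memory (constructed for the demo): the received record sits at
 * the start and a secret the peer must never see is planted right after it. */
static unsigned char memory[MEM_SIZE];
static const char SECRET[] = "session_cookie=s3cr3t"; /* constructed sample */

static unsigned int read_u16(const unsigned char *p) {
    return ((unsigned int)p[0] << 8) | p[1];
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the declared
 * payload length and never asks how many bytes really arrived. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    unsigned int payload = read_u16(rec + 1);  /* attacker-controlled */
    (void)rec_len;                             /* ignored: that is the bug */
    if (out_cap < 3 + payload + HB_PADDING) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);         /* reads past the end of the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: the declared length, plus header and padding, must fit inside the
 * record that was actually received; otherwise the message is silently dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    unsigned int payload;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;              /* no room for a length */
    payload = read_u16(rec + 1);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the missing check */
    if (out_cap < 3 + payload + HB_PADDING) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Place a request in `memory` that claims `claimed` payload bytes but carries only
 * `actual`, then plant the secret right after it. Returns the bytes really received. */
static size_t stage_request(unsigned int claimed, const char *actual) {
    size_t plen = strlen(actual), rec_len = 3 + plen + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + 3, actual, plen);
    memset(memory + 3 + plen, 0, HB_PADDING);
    memcpy(memory + rec_len, SECRET, strlen(SECRET)); /* "adjacent" memory */
    return rec_len;
}

/* Does `needle` occur anywhere in the first `n` bytes of `hay`? */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(hay + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if a request claiming 64 bytes while sending 4 pulls the secret out. */
int vulnerable_leaks_secret(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_request(64, "ping");
    int n = heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* Fixed handler on the same malicious request: -1, nothing is sent back. */
int fixed_response_to_oversized(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_request(64, "ping");
    return heartbeat_fixed(memory, rec_len, out, sizeof out);
}

/* Fixed handler on an honest request: 3 + 4 + 16 = 23 bytes echoed, no secret. */
int fixed_response_to_honest(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = stage_request(4, "ping");
    int n = heartbeat_fixed(memory, rec_len, out, sizeof out);
    if (n > 0 && contains(out, (size_t)n, SECRET)) return -2; /* must never happen */
    return n;
}

int main(void) {
    printf("vulnerable handler leaked the secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, oversized request: %d\n", fixed_response_to_oversized());
    printf("fixed handler, honest request: %d bytes\n", fixed_response_to_honest());
    return 0;
}
```

The single added comparison in `heartbeat_fixed` is the whole fix; everything else is identical. Note that the vulnerable handler does not crash or log anything, which is why the leak is invisible from the server side and why patching is the only way to be sure it has stopped.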
There is a patch for it (OpenSSL 1.0.1g), so we all have to wait patiently until the sites we use have patched and, ideally, replaced their certificates, and only then change our passwords. Changing a password on a site that is still vulnerable just hands the new one to the same leak.
The first thing you need to know is that the majority of sites you visit (the funny meme blogs, and this one) don’t sell anything and don’t use encryption at all. Heartbleed lives in the TLS heartbeat handling, so a plain HTTP site has nothing for the bug to leak, and “taking the memory” of such a server is an exercise in futility (though of course any password you type into a plain HTTP site travels in the clear, Heartbleed or not). Even on an affected server, the bug reads process memory, not the database: what it exposes is whatever is passing through OpenSSL at that moment, which can include logins and session cookies that then give an attacker a way in, but it is not a direct dump of stored data. The server itself… that’s a different matter, and one that I’ve addressed and am continuing to address. Not because I believe the server is a target, but because it’s the responsible thing to do.
My hosting payment system is locked down until I know how to proceed, and I don’t hold anything else myself – I use a lot of third-party processing sites. In my case, it’s not passing the buck, it’s compliance. I don’t have the time, or the manpower, to do compliance, so I use third-party sales and processing systems. Like PayPal, KDP, Smashwords….
But, I did want to say that those hosted by me, right now, have the best protection I can offer. I’ve patched everything that I can, and tonight, the server is telling *everyone* to change their passwords, and to be aware that if I discover that the patch wasn’t complete, to do it again when we do find the complete solution.
Sites like Yahoo and Facebook, though… they’re targets. And while it’s true the underlying server is vulnerable, it’s important to keep a perspective on this. Mine isn’t though – I ran patches today, so the blogs, as far as I know, are safe. I’m not assuming anything though, until I’ve had the all clear from
Sites, however, that store lots of user information, or hold your debit or credit card details, are the ones to worry about, if they were running an affected OpenSSL version. In the coming days, expect to see lots of emails and blog posts from responsible site owners and server management teams, like this one from Mojang (the people behind Minecraft).
And while I’m fairly eloquent in private and do understand a bit (a very little bit) about hacking and how it works, instead of taking up your time and talking to you about what it is and isn’t, I thought I’d increase the signal on this article.
Don’t panic. While this is a serious, egregious hole in the security of the net at large, it’s being dealt with and is being patched. And OK, we all have to change our passwords. Maybe now’s the time to shake up how we view passwords in the first place. But it’s maybe not the time, RIGHT NOW, to change them either: a password changed on a site that hasn’t patched yet can leak exactly like the old one, so wait for each site to confirm it’s fixed, then change.
I leave you with two XKCDs. Both are perfectly appropriate for this situation and might bring a smile to a few faces.