Does the Internet security disaster known as “Heartbleed” mean we need regulation of Internet security software, so that our passwords won’t be leaked and our personal information compromised?
Heartbleed is a vulnerability in OpenSSL. OpenSSL is an open-source security program used by a wide variety of websites—including Facebook, Netflix, the Washington Post’s site, and some Google services—to protect data traveling between them and their users. Those sites and many others have now eliminated the vulnerability, but while it was there, Heartbleed made it possible for hackers to get your username and password for those sites. Here are Wikipedia’s explanation and, if you want the simplest version, geeky webcomic xkcd’s.
James Lyne, security research chief for the security software firm Sophos, suggests that governments can help protect us from future Internet security disasters. “This should be stuff that’s taken seriously—regulated even—given the serious role that it plays in the internet,” he said. And there is an argument that the open-source movement as we know it, which produces a lot of key Internet software, has a fundamental weakness that contributed to Heartbleed. Still, anyone who wants to run to government to solve the problem should remember what the last great Internet security disaster was. It’s known as “the United States Government.”
The full scope of the government’s monitoring of Internet users’ communications is still unknown—because the government works hard to keep it unknown. But we do know that the government tries to get a great deal of information about people’s online communications, both through ostensibly lawful demands with which Internet companies comply and through hacking. We know that in at least one case, it demanded security keys that completely obliterated an email provider’s ability to keep users’ information—including their passwords—private. And we know that one of the most important technology companies, Microsoft, has labeled government surveillance an “advanced persistent threat.”
So the proposal is to rely on an advanced persistent threat to keep your information secure. But the U.S. government’s policies and actions make clear that its goal for your information is to devour it, not to keep it safe. And other governments, most notably Britain’s, have been right alongside it.
Heartbleed itself may give us a preview of what government regulation of Internet security would be like. According to two Bloomberg sources, the National Security Agency actually knew about Heartbleed and deliberately left it in place so that it could exploit it to spy on people. The NSA denies this. But the NSA has actively worked to make encryption less secure. Would a separate agency, accountable to the same president who supervises the NSA, have done differently?
Now, people do argue that the government needs access to our information in order to keep us safe from other threats. That’s a debate worth having. In the offline world, the police have the technological ability to bust down our doors and ransack our homes—and with proper warrants, they have the legal right to do it. And sometimes that’s justified, to solve real crimes.
But whether or not it should be, the fact is the government is trying to get a lot of access to our private information. That means it values having our information be accessible to at least some people—its spies and investigators—against our will. That means it can’t focus uncompromisingly on keeping our information secure.
If we want better security, we’d better look elsewhere.