Software is built in layers. First programmers get something simple working, test it, then build on top of it. More testing, then more building. Build, test, build, test, over and over. This process has been going on for a long time.
The “stack” that we use today was started in the late 1960s. We’re still running software, deep in the heart of the computers we use, that was written forty years ago.
The deeper in the stack you go, the more systems are affected, and the harder it is to fix any problems you come across.
OpenSSL is not the deepest technology we have, but it’s close. It’s built into a lot of things we use all the time. The most serious problems, the hardest ones to address, will be the places where it’s built-in where updates are either hard or impossible. But first we have to locate and patch all the easy places. That process began just yesterday, we hope! We don’t know much about what the companies that run our services are doing.
The worst-case scenario, the one we all have to plan for, is that the management of affected companies isn’t responding to the problem. This will certainly happen in some cases. If it happens at a bank, the results could be very bad.
That’s why the best thing you can do is to let the companies know that a quick, competent response is necessary. This is a time when we find out which vendors are prepared for the world we live in today, or whether they have to catch up, in real time, while their systems are vulnerable.
Along the way today I used a picture I had been holding on to. I thought it was interesting that you can now read Ted Nelson’s seminal Dream Machines and Computer Lib on an iPhone. Carl Sagan said: “We are the local embodiment of a Cosmos grown to self-awareness.” On a smaller, humbler, human scale, the iPhone is an imperfect representation of the visions documented in Nelson’s books. That it can present the work that led to itself is amazing evidence of how much we’ve gotten done in our generation. It’s all there and it fits in the palm of your hand! 🙂
It’s kind of hidden in his usually impersonal blog, PressThink, but there’s a great story buried in there, about the family he grew up in. Well worth reading, esp because it explains the mindset of a natural-born blogger. We’re the people who witness insanity, and wish to advise people on how not to be that way. It’s a pointless job, and Jay explains why, but I won’t spoil it.
I would like to type in a paragraph now and see what wordpress gives me back.
Another paragraph. More sentences in the same paragraph. Now a color: RED. And a state: NEW JERSEY.
I’m hoping this will actually be saved to the wordpress site.
I said on Twitter last night that Heartbleed is bigger than Watergate or the war in Iraq. I got a little pushback on that. Of course the numbers don’t match up yet, but long before there were hundreds of thousands dead in Iraq, we were on an inexorable path to that. Iraq is a relatively small and contained geography, and the war started before the explosion of networking. Today, the scope of the net, things we use it for, reach into every corner of civilization. Even a slight collapse at the core of the net could disrupt things, and not in the nice way that creates 20-something billionaires.
Look, sooner or later there will be a meltdown of the net. We were headed for that long before Heartbleed. I never said what I believed because I didn’t want to be the first to say it. But we have been building more complex systems and more life-sustaining dependencies on a fragile and insecure system. The ability to do harm increases with every new dependency. When the network equivalent of Katrina happens, it will be felt everywhere.
Imho the owners of tech are soon going to wish they didn’t own it. So far it’s been a very profitable thing. It’s been changing for a long time, but till now the changes haven’t been visible. It’s hard to understand, but when we all feel it, we won’t need analogies to explain it.