Elisberg Industries

Be Still My Heartbleed

4/15/2014

You probably have read about the Heartbleed Internet bug.  If you haven't, you should.  Seriously.  To be clear, Heartbleed is a bug, not a virus.  There's a huge difference.  It's a hole in coding for security certificates that websites need -- it's not an attack that others are making.  But it opens a vulnerability for attack. A huge vulnerability.

Friends have asked me my thoughts about it and what I think they should do.  The truth is -- I don't know.  It's outside of my paygrade.  I've read a bit and do have some thoughts, but I don't have a clue how valid they are.

(UPDATE:  After writing this article, I checked with my high-techie friend Ed Bott to see if I was way wrong or on the right track with what I write here.  Happily, I actually seem to have been pretty close.  Go figure.  I'll include his comments at the very end.  Okay, back to what I was saying...)

This article here, though, in the Washington Post is very good and well-worth reading.  "Well-worth" in this case means important.  Being in WaPo, rather than a tech journal, it's written in a reasonably accessible style for the general public, not for a techie crowd.


Just so you know, a lot of high-end tech sites are recommending that people change ALL their passwords.  While that's probably the best tech advice -- I'm not sure if it's the most feasible advice, or even necessarily worthwhile.  I could be very wrong on that, but here's my thinking:  what most people don't realize is that the vulnerability created by the Heartbleed bug has actually been around for two years.  So, there have been two years when you and everyone else have been vulnerable already.  (Yes, there have been big attacks on websites, but they haven't necessarily been because of Heartbleed.)

The additional issue to consider is that even if you change all your passwords -- but the websites in question don't upgrade their own security certificate -- it doesn't matter what you've done.  You'd still be vulnerable.  (And as the Washington Post article also notes -- "Changing your passwords won't protect you if you give them unwittingly to a hacker pretending to be your Web mail provider.")  On the other hand, if a website hasn't yet been hit, and they do change (or have already changed) their security certificate...then you're safe, whether or not you've changed your own password.

The thing to keep in mind, to repeat, is that this Heartbleed thing is about websites upgrading their security certificates to get the vulnerability fixed.  Not that there is a virus (there isn't) or an attack going on.  There isn't.

It's also important to keep in mind that the log-in sites to be most concerned about are the high-end ones that hold significant data, like banks and credit card information and such -- and those are the ones that studies have shown to have patched the hole already or (even better) didn't have a problem in the first place.  As that Washington Post article states --

"The good news is that many of the Web's most critical sites — those belonging to banks and governments — were not vulnerable to Heartbleed in the first place, and so they won't have to reissue their certificates. Other businesses, such as Facebook, Dropbox, OkCupid and Netflix, were affected by Heartbleed and are either in the process of reissuing their certificates or have already completed the process. But hundreds of thousands of other sites may still be exposed."

The biggest problem from those "hundreds of thousands" of sites, according to the article, doesn't seem to be that you'll have your password stolen (keep in mind, again, that you've been at risk for the past two years -- and also these "lesser" sites don't have any of your critical data) but that updating hundreds of thousands of websites at once could slow the Internet to a literal craaaaaaaaaaawl during the process.  (The article explains why.)

Now, it's likely that all these smaller sites that require log-ins won't upgrade at the same time.  That's a problem, of course, but these are lesser sites where little or even no data of any kind is at risk, just your sign-in.  Maybe some of these sites also required your address and phone number -- but that's already available on any phonebook site.

By the way, here's a very good site to check out periodically -- it's a continually-updated list from CNET of the top 100 sites and whether they've fixed their security certificate yet.  You can find it here.  As for all the "lesser" sites, if you're concerned you can always just contact them directly and ask.  Not a bad thing to consider.
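Since the CNET list above boils down to one question -- has the site put a new security certificate in place since the bug became public? -- here is the check behind it, as an added example that is not from the original post or from CNET.  A certificate carries the date its validity starts ("notBefore"); if that date is older than the day Heartbleed was publicly disclosed (April 7, 2014, a known date not stated in the post), the site cannot have reissued it since.  The two sample certificates are constructed in the shape Python's own `getpeercert()` returns and are not real; the `fetch_peer_cert` helper is only needed if you want to look at a live site.

```python
"""Check whether a site's TLS certificate was issued after Heartbleed went public.

Added example, not from the original post.  The sample certificate dicts are
constructed to mirror the shape returned by ssl.SSLSocket.getpeercert(); they
are not real certificates.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of the Heartbleed bug (known date, not from the post).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field of a getpeercert()-style dict into a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])  # e.g. 'Apr  9 12:00:00 2014 GMT'
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_since_disclosure(cert: dict, disclosed: datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True if the certificate's validity starts on or after the disclosure date.

    Limits of the check: a fresh issue date shows the operator replaced the
    certificate, but it does not prove the server software was patched first,
    and an old date only tells you that no reissue has happened yet.
    """
    return cert_not_before(cert) >= disclosed


def classify(cert: dict) -> str:
    """Short verdict of the kind a 'has this site fixed it yet' list would show."""
    if reissued_since_disclosure(cert):
        return "certificate reissued after disclosure"
    return "certificate predates disclosure; not yet reissued"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the live certificate for a host (needs network access; standard library only)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real), in the shape getpeercert() returns.
OLD_CERT = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "new.example"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",
    "notAfter": "Apr  9 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        name = cert["subject"][0][0][1]
        print(f"{name}: {classify(cert)}")
    # For a real site instead: print(classify(fetch_peer_cert("example.com")))
```

Keep in mind what this does and does not tell you: a new certificate is the visible sign that a site acted, but the order of operations matters (patch the server first, then reissue the certificate, then it is worth changing your password), and the date alone cannot show the first step was done.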

Probably the most important thing to do for the next while (a few weeks or months perhaps) is not to click on any links to a website that requires a log-in, since those can be spoofed, sending you to a fake site.  But if you manually type the URL address, you're guaranteed to go to the real site.  (To be clear, that real site still has to upgrade its security certificate -- and hopefully it already has by now.)
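The reason typing the address by hand is safer is that a link has two parts: the text you see and the address it really goes to, and the two need not agree.  As an added example (not from the original post), here is a small check that compares the two and flags a link whose visible text names one site while the real target is another.  The sample links are constructed and use placeholder ".example" names.

```python
"""Flag a link whose visible text does not match where it really points.

Added example, not from the original post.  Pulls the hostname out of the real
target (href) and out of the text shown to the reader, and reports whether
they agree.  Sample links below are constructed with placeholder names.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# A plausible hostname: dot-separated labels of letters, digits and hyphens.
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def host_of(text: str) -> Optional[str]:
    """Return the lowercase hostname if text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate  # bare 'bank.example/login' style text
    try:
        host = urlsplit(candidate).hostname  # already lowercased; ignores any user@ prefix
    except ValueError:
        return None
    if not host or not _HOST_RE.match(host):
        return None
    return host


def strip_www(host: str) -> str:
    """Treat 'www.bank.example' and 'bank.example' as the same site."""
    return host[4:] if host.startswith("www.") else host


def link_verdict(visible_text: str, href: str) -> str:
    """Compare what a link shows with where it goes.

    'match'              - shown text and real target name the same site
    'mismatch'           - they name different sites (the case the post warns about)
    'destination hidden' - text like 'Sign in' gives no destination to compare
    'unusable target'    - href has no hostname at all
    """
    target = host_of(href)
    shown = host_of(visible_text)
    if target is None:
        return "unusable target"
    if shown is None:
        return "destination hidden"
    if strip_www(shown) == strip_www(target):
        return "match"
    return "mismatch"


# Constructed sample links: (text the reader sees, real target).
SAMPLE_LINKS = [
    ("https://www.bank.example/login", "https://www.bank.example/login"),
    ("www.bank.example", "https://bank.example.login-check.example/"),
    ("Sign in to your account", "https://bank.example/"),
    ("https://bank.example/", "https://bank.example@evil.example/"),
]

if __name__ == "__main__":
    for shown, href in SAMPLE_LINKS:
        print(f"{link_verdict(shown, href):20} {shown!r} -> {href}")
```

The fourth sample shows why the comparison has to be done on the parsed hostname rather than by eye: the real site's name appears in the address, but only as a username in front of the "@", and the browser would go to the host after it.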

And if you feel most comfortable changing your passwords on the most high-end, visible sites you visit which require passwords (Facebook, Twitter, Dropbox, Netflix, and so on), that would be a good thing.  As long as they've already implemented the security fix.  It may not be necessary, but it certainly would add a layer of security, and in the end might indeed protect you.

Again -- I don't know if any of this is good advice or smart.  It might be horrible advice.  (UPDATE:  as I said above, according to the guru Ed Bott the advice is pretty reasonable.  See below for his addendum.)  But...I think it's the most "realistic" advice.  After all, I think it's a fantasy land to think that everyone in the world is going to change all their passwords.  I think it's a fantasy to think most people -- or even more than 5% of people (and that might be high) -- will.  To be clear, this isn't head-in-the-sand advice, trying to suggest there's no problem.  There is a very real, big problem.  But it's giving (I think...) the most real-world thoughts on what the problem appears to actually be, and how to most realistically deal with it in a way that people actually act on.

Telling everyone in the world to check all their engine settings and cords and fluid levels and test tire tread and manually adjust what's needed to factory conditions every time before they start their car might be the best way to drive safely, but it's not going to happen.  Ever.  So, figure out the best way that people actually use their cars and address that.  (And no, that's not a comparable example of what's at risk, but the overriding issue holds.)

The Y2K Problem was a real problem, as well, and dire calamity was predicted.  There were some issues that resulted, but overall things were addressed, and worked out.  Heartbleed is a very different problem, but it appears that it's being addressed by those who know how to do such things and are in a position to.  As long as you are aware of the issue and take care when you browse and click on your websites that require passwords, and change the few passwords of your most-critical sites when appropriate, it seems like your risks should be limited.

But read other, smarter articles, too.  And start with this one here on the Washington Post.  (Not to worry, no sign-in is necessary.)

Updates as they occur.  Or if I'm told smarter things to say...


UPDATE:  Okay, here's the note I got back from Ed Bott, a really smart tech guy who has written a column for many years on the tech site, ZDNet, and has his own blog here.  He wrote back to me --

"I think it's prudent for any user to go through his or her list of websites, focusing first on those that are most crucial: banks and any site with credit card or sensitive personal information stored. Confirm that the site is not currently vulnerable to Heartbleed and then change your password. If the site was never vulnerable, changing the password is optional. Everyone should use a password manager.

"BTW several of those lists are wrong in listing Microsoft as having patched the vulnerability. Microsoft services were never vulnerable."

Author

Robert J. Elisberg is a political commentator, screenwriter, novelist, tech writer and also some other things that I just tend to keep forgetting.

Elisberg is a two-time recipient of the Lucille Ball Award for comedy screenwriting. He's written for film, TV, the stage, and two best-selling novels, is a regular columnist for the Writers Guild of America and was for the Huffington Post.  Among his other writing, he has a long-time column on technology (which he sometimes understands), and co-wrote a book on world travel.  As a lyricist, he is a member of ASCAP, and has contributed to numerous publications.
© Copyright Robert J. Elisberg 2025