The Heartbleed Bug, for the rest of us

This morning while getting reading for work I heard Fox 5 news talk about the Heartbleed Bug. Fox business correspondent Lauren Simonetti referred to it as the “Heartbleed bug virus.” Since it’s a live segment, I figured it was just a verbal gaffe, so I double checked against the recorded segment she does daily for Fox Business:

“Today is the day to refrain from online banking and plugging other sensitive information into the web. That’s because security experts have found a virus called the “Heartbleed bug.” It attacks the software used to provide encryption of 2/3rds of all servers on the Public Internet.” (emphasis mine)

It’s easy to make light of non-techie explanations of software problems, but the blame really is on us. We don’t do a great job of non-technical explanations. If you’re looking for a technical explanation of Heartbleed, here’s one.

For the non-techies among us (especially news anchors), I’ll try to provide a good non-technical metaphor for what the Heartbleed bug is.

The Heartbleed bug is a software bug, *just like any other software bug*. The term ‘bug’ may be confusing here, but we mean a bug to mean a defect in a line of code somewhere, causing the software to behave in a manner that wasn’t intended by its author. They’re named ‘bugs’ because the first computer software error *was literally caused by a bug in the computer*.

It’s called “Heartbleed” because programmers love cute names. I haven’t actually found a credible source for its naming, so I default to the ‘cute’ reasoning. It’s accurate in general, if nothing else.

In human terms, viruses are referred to as ‘bugs’. They’re often used interchangeably, as in “Thanks for giving me that bug that’s going around.”

In software terms, they mean completely different things.

A virus is a piece of software *intentionally* written to infect computers. They can do many different things, from turning on your web cam without you knowing to just being really annoying.

Bugs are *unintentional* defects in software.

In the case of the Heartbleed bug, the defect is the digital equivalent of you leaving your house unlocked for two years in plain view of everyone in the world, and them able to get into your house, listen to your conversations, watch everything you do and record absolutely everything you’ve looked at on the internet for the past two years, while you were looking at it2. Any website, any financial transaction, anything. All without you knowing.

Normally you’d just change your locks, but that wouldn’t help you here. They have the digital equivalent of a skeleton key to 2/3rds of the locks in the world1. Until the company that makes the lock revoke the skeleton key and issues a new one, there’s nothing you can do. Changing your locks won’t help until then.

That’s how serious this software bug is. In your daily travels on the internet, I can guarantee at least one site you use is affected by it.

So what can you do?

– Don’t log into your bank or any sensitive site until they’ve confirmed that they’re not affected by this bug, or they’ve issued new SSL certificates for their site.
– Change your password for each site *after* it has revoked its security certificate.
– Never use the same password on two sites. If you do, at least make sure your bank and other sensitive sites have their own passwords that aren’t used by any other site (or used on each other).
– Follow these helpful instructions to make sure Chrome looks for certificate revocations:

To leave you with a bit of levity and to put this gaffe in context,
It’s not as if this is the first time a news anchor has made a technical gaffe. It’s even pretty low on the scale: The king of all tech gaffes would have to be Katie Couric and Bryant Gumbel’s hilarious description of what an email address and the internet is.


1: Techies will note that I’m conflating terms here between the skeleton key (SSL certificates) and your house lock (your password). Sometimes there just aren’t non-digital equivalents, so we make do.

2: Heartbleed allows the attacker to see 64K of what’s in memory at the given moment of attack. This is trivial to automate.

Leave a Reply