Sunday, June 1, 2014

Heartbleed: Just Another Technobug Bump in the Road

This post was co-authored with author and former economist D.S. Kane

Heartbleed is the latest technobug to strike fear into the minds, and hearts, of Web users, but it most certainly won't be the last vulnerability in Internet security.

This flaw affects OpenSSL (Open Secure Sockets Layer), which websites use to verify the legitimacy of visitors (aka prospective customers), and it has the potential to "bleed" private data, such as passwords and credit card numbers, into the hands of hackers. OpenSSL is responsible for the secure handling of user identification and passwords, which are encrypted before they are transmitted to a website and decrypted once they arrive. The hard-to-notice Heartbleed vulnerability had been present for years before the threat was announced to the general public. Now that everyone knows it exists, companies are scrambling to fix it.
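As an added illustration (not code from the original post or from OpenSSL), this small C model shows the shape of the defect the paragraph describes: a heartbeat reply that trusts the sender's declared payload length, beside the length check that fixes it. The memory arena, the 'S' bytes standing in for secrets and the 20-byte received record are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of TLS heartbeat handling, not OpenSSL's code. A message is
 * type (1) | payload_length (2, big-endian) | payload | 16 bytes padding. The
 * 2014 bug trusted the declared payload_length instead of checking it against
 * the bytes actually received, so the reply echoed neighbouring memory. */
#define HB_OVERHEAD (1 + 2 + 16)
#define ARENA_LEN   64
#define RECV_LEN    20   /* bytes really received: 1 + 2 + 1 payload + 16 */
/* Simulated heap: record at offset 0, unrelated data ('S' = constructed secret) after it. */
static uint8_t arena[ARENA_LEN];

static void setup_arena(uint16_t declared_len) {
    memset(arena, 'S', sizeof arena);
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = (uint8_t)(declared_len >> 8);       /* sender-controlled length */
    arena[2] = (uint8_t)(declared_len & 0xff);
    arena[3] = 'P';                                /* the one real payload byte */
    memset(arena + 4, 0, 16);                      /* padding; record ends at 20 */
}
/* Vulnerable shape: copies the declared length and never consults rec_len. */
static size_t heartbeat_vuln(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                 /* ignored: this is the bug */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (payload > ARENA_LEN - 3) payload = ARENA_LEN - 3;  /* model-only clamp */
    memcpy(out, rec + 3, payload);                 /* runs past the record */
    return payload;
}
/* Fixed shape: discard if header + payload + padding exceeds what arrived (-1), else echo. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_OVERHEAD) return -1;          /* cannot hold a header */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_OVERHEAD + payload > rec_len) return -1; /* declared length lies */
    memcpy(out, rec + 3, payload);
    return (int)payload;
}
/* Adjacent-memory bytes the buggy reply exposes when only RECV_LEN bytes arrived. */
static size_t leaked_by_vuln(uint16_t declared) {
    uint8_t out[ARENA_LEN]; size_t leaked = 0;
    setup_arena(declared);
    size_t n = heartbeat_vuln(arena, RECV_LEN, out);
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}
/* Same record through the fixed handler: -1 means it was discarded. */
static int fixed_verdict(uint16_t declared) {
    uint8_t out[ARENA_LEN];
    setup_arena(declared);
    return heartbeat_fixed(arena, RECV_LEN, out);
}
```

With a header claiming 40 payload bytes but only one actually sent, the buggy handler returns 23 bytes of neighbouring memory while the fixed handler discards the record; a truthful header of 1 passes both.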

Following the history of tech yields a perspective on not just this security issue, but also many previous technobugs, and offers lessons on what we can expect in the future.

Let's start with Moore's Law. In 1965, Intel co-founder Gordon Moore (the law's namesake) predicted that the "number of transistors incorporated in a chip will approximately double every 24 months," which means that the complexity of computer processors doubles within a two-year cycle. Following this logic, the handmaidens of tech, the venture capitalists, realized that tech customers would come to expect significant product improvements in one- or two-year cycles and began incorporating planned obsolescence (designs with a limited lifespan) into tech products. Before old products were even obsolete, new ones were being introduced to consumers, providing a continuous upswing in sales for tech companies. Anyone who has ever discovered the need to replace a computer part or upgrade to a newer tech product within what seems a relatively short amount of time can most likely relate to this frustrating phenomenon.

This abbreviated product cycle requires additional support staff and tech developers, all of whom need continuous training in the rush to develop new product versions. The complexities can become overwhelming for some tech companies, and their ability to keep up with the constant advances in product design worsens. It's a cyclical function of time, with no end in sight.

The result is that often, in a rush to get a product to market, developers leave insufficiently tested functionality embedded in their code. This offers hackers, who are usually the brightest programmers, a chance to exploit the code's flaws. And in an open system like OpenSSL, where the code is public and anyone can study it, hackers can easily find opportunities for personal gain or notoriety. Misha Glenny wrote about the ease of criminal hacking in DarkMarket: How Hackers Became the New Mafia, and in Parmy Olson's book, We Are Anonymous, social radicals are the ones to fear.

As the public continues its demand for the next generation of high-tech products, even while the current model is being introduced, tech developers will continue to speed up production to generate greater sales. And so go the basic tendencies of supply and demand; only in this case, the two aren't equal: supply now supersedes demand. Don't believe it? Check out The Friction Free Economy, written by computer scientist Ted Lewis in 1997, to see how vastly the market has changed in the past 17 years, to the detriment of consumers.

The alarming truth is that every new generation of tech products will come to market before it can be fully tested, before all those technobugs can be squashed. With that said, Heartbleed is just another headline.

--

In 1984, on the topic of computer fraud and countermeasures, the co-author of this article (aka David Spiselman) was quoted in an international newspaper of money management, Pension & Investment Age, saying, "Nothing in the field of data security has really changed over the past seven years, only the prominence of the problem ... Banks are unwilling to publicly admit that networks are insecure, and this makes progress in the field very slow." It's safe to say that in the past 30 years, nothing good has changed in data security.

D.S. Kane is an author and former economist, intelligence service operative and university faculty member. The first novel in his techno-thriller series, Bloodridge, is set for release in summer 2014. He has also written articles on computer fraud and countermeasures, banking, economics and other finance topics. Sharing only some of his intelligence service knowledge with others, he has spoken at numerous writers' events, including the Pikes Peak Writers Conference on True Lies: Writing Covert Training and Missions into Fiction, and twice served as the keynote speaker at the Maui Writers Conference. He also teaches fiction writing.
