All your password are belong to us, or my heart bleeds

Change all your passwords. Now. And then do it again in a week. Of course, there’s no evidence that any passwords have been exploited, but isn’t the lack of substantive evidence a suspicious fact in and of itself? It can be if you want it to be.

My favorite presentation at the RSA Conference was from Nawaf Bitar who introduced the immediately popular hashtag #firstworldoutrage.  It neatly captures the idea that when a people are relatively comfortable and secure, they will start inventing things to be vocally outraged about.

As a case in outrageous point, I was disappointed with much of the recent media commentary on the GM ignition switch issue that misleadingly characterizes the fix as a simple matter of replacing a $.50 component.  In a recent article, “In Defense of GM: No one is asking the right question: Was the company’s risk assessment about the faulty ignition switch reasonable?”  I actually had asked that question, and the article provides a compelling explanation that it wasn’t worth the money to fix what is a statistically insignificant source of fatality.

So I ask the same ‘acceptable risk’ question about Heartbleed. Is this truly a Spinal Tap moment in the infosec world in which every single Internet citizen needs to take heroic measures to change the majority of their passwords?   While it has been demonstrated that the vulnerability can be used to collect random chunks of data from Internet servers, including password and username pairs, it has not been shown as a practical mechanism to capture large amounts of  passwords.

Now that everybody knows about this bug, the race is on to close the SSL holes before they are significantly exploited.  There’s no question that the code needs to be fixed, but it is going to cost the collected IT world a lot of time and money to identify all the vulnerable systems, and patch them.

The urgency of password change for the millions of Internet citizens is less obvious. What will be the net social cost of every Internet citizen changing a dozen passwords?  I have over 250 myself, most of which probably haven’t even been used during the 2 year vulnerability window (Neustar told Gartner this week that the average is c. 50 passwords/user)  I wonder how much the overall support cost will be to recover from the inevitable password change failures?  Will it all have been worth it?

One cost will be the cultural impact of one of the Internet’s biggest incidents of ‘crying wolf’.  Most people assume that a wolf was sighted just outside the doors of Facebook.  When the digital dust finally clears, my expectation is that very few password exploit incidents will be documented, but that will be old news for a world looking for new forms of outrage on a daily basis. But if we do experience more incidents like this,  people will start asking questions about whether or not these ignition switches always need to be changed, and over time, they will lose whatever appetite they have for the fun of warning their Facebook friends that they better change all their passwords

What this incident has turned into is yet another example of the inherently flawed nature of passwords.  A more unusual lesson to derive from this incident is that the global Internet rests upon widely shared code that represents the potential for more single points of failure.  Major public cloud service providers, financial service firms, social networking services, hardware devices, and countless other Internet-enabled technologies not only turned out to be dependent upon the same SSL source code, but like much of the open source code that defines our digital world, it was developed by a small group of part-time volunteers.  That seems an insufficiently substantial foundation to support the global expectations of privacy, confidentiality, and reliability.  Perhaps that’s why they call it the cloud.