As Web grows, it grows less secure

It was the computer programming equivalent of misspelling Mississippi — an error at once careless, inevitable and hard for most human eyes to spot.

The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers' online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today's digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.

"Heartbleed is further evidence that we don't have our house in order when it comes to Internet security," said Edward Felten, a computer security expert at Princeton University.

In some ways, the tech world today resembles the chaotic, unruly days of other essential industries, including the meatpacking industry depicted in Upton Sinclair's The Jungle and the automobile business portrayed in Ralph Nader's Unsafe at Any Speed. While those industries were made safe by a combination of regulation and industrywide cooperation, progress took time, and it came through trial and error.

But it's not clear that the same solutions will work with technology. We have decided, as a society, to rush headlong into a world ruled by digital devices, continually weighing convenience versus safety. We're constantly storing more of our important information on more new kinds of hardware run by more complicated software. All of it is increasingly interdependent, which makes the whole ecosystem more vulnerable.

Even though security is an increasing area of concern for large technology companies, it is often considered an afterthought rather than an essential part of building all the goodies we use. Experts say that while instituting a more secure tech culture is possible, it will require a long-term investment in educating software engineers and improving core technologies.

"There's a level of care in designing systems and sweating the details of their operations that's missing in the culture of software development," Felten said. "We don't have the kind of safety culture that is common in fields such as aviation."

That's because enhanced safety will surely cost consumers in speed, novelty and convenience.

"We have standards for coding in mission-critical systems like the airline industry, but I'm not sure we would want those standards applied everywhere," said Matthew Green, a cryptographer and research professor at Johns Hopkins University. Such strict standards require programmers to spend significantly more time testing their work — and neither technology companies nor consumers can stomach such delays. "I don't think we want to wait 20 years for the next Google and Facebook," Green said.

Like other similar bugs found recently, including one in Apple's mobile and desktop devices, the Heartbleed flaw had gone unnoticed for years. As far as researchers can tell, the problem was introduced by a programmer making a routine coding change on New Year's Eve in 2011.

OpenSSL, the system in which the error was found, is an open-source program, which means its code resides online and can be amended by anyone. In theory, such code is supposed to be more secure from bugs than a closed system; with enough programmers checking the code, the flaw should have been quickly detected.

But apparently that did not happen. "There just weren't enough eyeballs on this, and that's very bad," Green said.

One problem might be basic economics. Many huge Internet companies depend on free technologies like OpenSSL to run their systems, but they don't always return resources to the small teams that create the code. "If we could get $500,000 kicked back to OpenSSL and teams like it, maybe this kind of thing won't happen again," Green said.

Unlike other potentially dangerous corners of modern life, like aviation or health care, the tech industry is unusually volatile. The companies that run the show today will inevitably be usurped by newer ones that offer supposedly better ways of doing things. Such constant upheaval makes industrywide coordination on security more difficult.

"I'm not sure there's any other industry that handles as much change and as much usage in such a short amount of time," said Kurt Baumgartner, a researcher at Kaspersky Lab, a digital security firm. Still, Baumgartner contends that the field is getting better. Compared with the slow, haphazard way that companies once responded to security threats, the industry's response to Heartbleed was "pretty responsibly coordinated," he said. Many large companies fixed their services before the problem was disclosed. "On the whole, things have been improving."

But is it improving enough to keep up with an increasingly determined set of attackers? According to a recent study by Risk Based Security, a threat research firm, there were more than 2,000 data security breaches in 2013. The good news is that the number of intrusions was down from 2012, when more than 3,000 episodes were reported. The bad news is that the smaller number of attacks in 2013 resulted in more damage — about 814 million data records were exposed during the year (including the credit card you used at Target), about twice as many as in any previous year on record.

The numbers point to another factor that adds to the difficulty in addressing digital threats: Attackers are intelligent, so, frequently, advances in security are matched by advances in attacks. This makes online security a more complicated problem than, say, improving the safety of automobiles.

If you fix one Internet security bug, you can be sure that attackers will just find another, potentially more dangerous one. "Over all, attackers have the competitive advantage," said Jen Weedon, who works on the threat intelligence team at the security company Mandiant. "Defenders need to defend everything. All attackers need to find is one vulnerability."

If you aren't worried enough yet, there's one more reason to expect digital technology to remain prone to errors.

"There's an underlying process here, which says that as devices get more memory or power, people add more complexity to a product — until it becomes so complicated that it's too difficult to understand," Felten said.

That "smart" watch you're wearing today might not be very complex, but in a few years' time, smartwatches might run processors that are as powerful as those in today's laptops.

Companies will create hundreds of apps to take advantage of that power, and you'll probably install them, because they'll make your life more convenient or more fun. You'll pour all your most precious data into your watch. Suddenly, without your noticing it, your watch will have become a target. And among those apps will be some threat that no one had anticipated.

"As our engineering methods get better, our products get more complicated, so we're always out at the edge of complexity that our engineering processes can handle," Felten said.

Does this mean we're doomed? Not necessarily; researchers are gratified that large hacks and vulnerabilities are receiving more attention, which might push the industry and consumers to take security more seriously.

"Within the past year or so, it's interesting to see how high-profile these threats have become," Weedon said. "Now average people are talking about how to patch their systems. And that's the best we can hope for, for now."

As Web grows, it grows less secure (04/11/14) [Last modified: Friday, April 11, 2014 5:05pm]

Copyright: For copyright information, please check with the distributor of this item, New York Times.
