Tag Archives: heartbleed

Heartbeat, complexity, and common-mode failure

“The Heartbleed problem can be blamed on complexity; all Internet standards become festooned with complicating option sets that no one person can know in their entirety. The Heartbleed problem can be blamed on insufficient investment; safety review for open source code is rarely funded, nor sustainable when it is. The Heartbleed problem can be blamed on poor planning; wide deployment within critical functions but without any repair regime.”

The quote is from Dr. Dan Geer’s must-read “Heartbleed as Metaphor” article on Lawfare, a brilliant examination of the true lessons we need to learn from this software exploit’s ‘success’ in order to best prepare for the next common-mode failure. Another quote worth sharing (but I still recommend reading the article in its entirety):

The critical infrastructure’s monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them. As the monocultures build, they do so in ever more pervasive, ever smaller packages, in ever less noticeable roles. The avenues to common mode failure proliferate.

Thanks to common-mode proliferation, we don’t have the luxury of worrying about If something will happen any longer – it’s now just a matter of When.

Time 2 ch@ng3 y0ur p@55w0rd5

The “Heartbleed” security exploit in OpenSSL is causing heartache for millions of internet users. Major websites affected include Yahoo and GitHub, among others. According to the UK Daily Mail:

Heartbleed, so called because it creates a ‘bleeding’ leak of security, is a flaw in OpenSSL, the software used by the majority of websites to keep data secure.