Of course, if you've read my books or sat at the bar with me for an evening, you will know that I'm reasonably receptive to the odd conspiracy theory. I've also been around long enough to realise that people goof up often enough to make it normal behaviour to be ready to apply Occam's razor too. Here's my take: I don't believe the Heartbleed code to be the work of criminal activity unless this is a very specialised criminal with very specific goals. Because many of us change passwords relatively frequently, but not as frequently perhaps as industry suggests, there remains a sizeable proportion of people who rarely change theirs. "The longer you leave a password, the greater the chance it will be compromised" would appear to be an intuitive rule, but of course it's wrong. It's how often you use it and what it protects that forms a greater rule regarding its potential to be hacked. Nonetheless, Heartbleed has been around for two years with no major uptick in cyber crime reported. There's been an increase in attempts, sure, but these are from players who were clearly unaware that they simply had to take the key off the hook.
So it's probable that the fault has lain dormant and unnoticed all along. The criminals attempting to break into our bank accounts have been using the equivalent of bricks, crowbars and TNT when the key was under the plant pot. The biggest risk was the period between the news breaking and the patches being applied, when the criminal fraternity would be scrabbling to take advantage of the problem. There remains a residual problem that the security certificates may have been copied, in that virtual bar of soap, so servers need new certificates to be sure. My take is that a lot of organisations are going to incur some cost over the next few months (although this precaution should be done now for high risk servers) and some certificate salespeople are going to get a really good bonus this year.
So much for the rational side of the brain; what about the conspiracy theory? Well, the NSA and GCHQ agencies have come under a lot of stick lately for reading our emails etc. As I've said before, they can read mine anytime they like, I'll bcc them if it helps, but wouldn't something like Heartbleed be a cheaper and easier way of getting around encryption than developing super-powerful computers to decrypt our last minute shopping lists (milk, coffee, C4, timer, bread)? And maybe leaking a security breach before Snowden reveals it anyway, but after a more secure and harder to find backdoor has been developed, is a convenient way of diverting attention?
But don't mind me, I've just finished writing a book, Assassin, that deals with a future British government so paranoid about terrorism that it would do anything from curtailing civil liberties to reading every email of its subjects just to try and control events. I didn't put Heartbleed in - that story broke after I finalised the book and set it up for pre-order, but it would have fitted like a glove. If governments gone wrong is your bag, be sure to check out Assassin.
Follow me on Twitter - @RayASullivan