Is the Heartbleed bug panic over now?
Now that they had six weeks, were the system administrators able to update their OpenSSL software and fix their computers?
The security researchers have done their job. Some of them found the bug and immediately reported it in a responsible manner. Some others analyzed it, and warned the Internet community about its seriousness.
Almost the same day, the OpenSSL team created a new version of their software, and millions of servers updated their software within a few days.
About a week ago, a researcher reported that his scan shows that of the 1.5 million servers he detected about a month ago, more than 300,000 still remain vulnerable. It is difficult to draw more detailed conclusions from these numbers: more than half of the servers in the world do not use OpenSSL, and many of those that do did not support the feature that was discovered to be buggy. However, it is safe to say that about a month ago more than five percent of servers were vulnerable, and that percentage has since been more than halved.
What does this teach us? There are several lessons. The biggest lesson I would argue is that our system works.
Perhaps I should explain what this system is; the lessons from my teaching of it could be useful for other aspects of human organizations. I do believe that even a company that makes chocolate chip cookies can benefit from seeing how our system deals with software bugs.
The first and foremost observation is that the system has an openness about it that functions remarkably well. Almost every aspect of the system I summarize below is accessible to anyone to view, inspect, investigate and contribute to. Everyone working in my field knows everything I report here; nothing is kept, or can be kept, secret. There are no nondisclosure agreements or lawsuits to speak of.
Every one of us has dozens of software packages and applications on our laptops or company servers, and we use them constantly. Many others are accessible via the web, and we use them without even being aware of it. These pieces of software are developed, maintained and sold, or made available free of charge, by the software teams in charge of (or owning) them.
Apache, Adobe Acrobat, Microsoft Office, Open Office, Apple iTunes, Firefox and Thunderbird are some names to clarify what I am talking about. Some of them are proprietary software owned by their respective companies (Apple, Microsoft, Adobe, Oracle, et cetera), while others are managed by open source software teams (Mozilla, Apache, and many other names you will not recognize).
Who finds the bug, who reports it and who fixes it?
You can imagine that all these software packages are used out in the field by people just like us, daily or even by the minute.
Whenever there is a problem (for example, the application crashes while it is running), it has a built-in provision that reports the problem automatically to the team. Humans can also do this reporting; some companies have testing and verification teams that test their own software, or the related software on which their software depends.
Bugs are continually being found. Some of them are innocuous, and there is no hurry to correct them. Others are serious for the application and need to be fixed more promptly.
Some of them are beyond serious: the Heartbleed bug made us all panic, and we could not wait a day to fix it.
Reporting is in the open. There are websites at several organizations (for example, NIST) funded by public money to report software bugs and vulnerabilities. Why not report directly to the team (or the company)? Because, during the fixing process, which could take hours to days, the public needs to know. If you are a serious user, or if your organization's IT team knows its job well, they will be continuously monitoring the reported bugs in the software your organization is using. They need to assess the gravity of each bug with respect to their operations and your company's mission.
Once a bug is reported, the team or the company owning the software can start working on fixing the problem, coming up with a new version of the software, and publishing it for everyone to update. That is why software updates are important and you should never ignore them!
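The monitoring and assessment step described above is routinely automated: an IT team keeps an inventory of which package versions run on which hosts and matches it against the published advisories to decide what must be updated first. The following Python example is added here to illustrate that matching; it is not code from the original article or from the OpenSSL project. The advisory version ranges, the host inventory and the severity scale are all constructed sample data and are not taken from any real advisory.

```python
import re
from dataclasses import dataclass

# OpenSSL-style version strings look like "1.0.2k": major.minor.fix plus an
# optional single patch letter. A bare "1.0.2" sorts before "1.0.2a".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple:
    """Turn an OpenSSL-style version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


@dataclass(frozen=True)
class Advisory:
    """One published bug report: which package, which versions, how bad."""
    package: str
    first_affected: str  # inclusive
    first_fixed: str     # exclusive: the release that carries the fix
    severity: str        # "critical", "high", "medium" or "low"

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.first_fixed)


# Constructed sample advisory feed. These version ranges are placeholders for
# illustration only; they are not taken from any real advisory.
ADVISORIES = [
    Advisory("openssl", "1.0.9", "1.0.9c", "critical"),
    Advisory("openssl", "0.9.7", "0.9.7f", "low"),
]

# Constructed inventory: host -> (package, installed version). In practice this
# would come from configuration management or the hosts' package databases.
INVENTORY = {
    "web-1": ("openssl", "1.0.9b"),
    "web-2": ("openssl", "1.0.9c"),   # already on the fixed release
    "mail-1": ("openssl", "0.9.7a"),
    "db-1": ("openssl", "1.0.8z"),    # earlier series, outside the range
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def assess(inventory: dict, advisories: list) -> list:
    """Return (host, package, version, severity) for every affected host,
    most severe first, so the team can decide what to update today."""
    findings = []
    for host, (package, version) in inventory.items():
        for adv in advisories:
            if adv.package == package and adv.affects(version):
                findings.append((host, package, version, adv.severity))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[3]], f[0]))
    return findings


def hosts_needing_update(inventory: dict, advisories: list, at_least: str = "critical") -> list:
    """Hosts that have at least one finding at or above the given severity."""
    limit = SEVERITY_RANK[at_least]
    return [h for h, _, _, sev in assess(inventory, advisories) if SEVERITY_RANK[sev] <= limit]


if __name__ == "__main__":
    for host, package, version, severity in assess(INVENTORY, ADVISORIES):
        print(f"{severity:8s} {host:8s} {package} {version}")
```

The comparison deliberately treats the first fixed release as the exclusive upper bound, so a host that has already applied the update (web-2 above) drops out of the findings, and a host on an earlier release series (db-1) is never flagged by an advisory for a later one.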
I trust the completely open nature of this system that we have established over 40 years. I trust our open system more than I would trust any organization or any company, regardless of how competent they claim to be or how many resources they seem to have.