Tuesday, April 22, 2014

Tech Talk / By Martha Knight

One good thing about the NSA spying on our communications is that if there are any bugs out there, NSA will notice them and will warn us. Or warn somebody. Or stop the hackers. Right?

Wrong. Turns out the NSA did know about the Heartbleed bug two years ago, maybe longer. When NSA found Heartbleed, the agency said, “Oh, goody! We can exploit this and use it to gather intelligence,” or words to that effect. And it didn’t tell us.

A number of popular sites have used a system called OpenSSL (for secure sockets layer) for encryption of our sensitive data. Companies have relied on it to keep their trade secrets, to comply with privacy laws, and for security of various kinds.

But there was this itty-bitty coding error in OpenSSL nicknamed Heartbleed, that enables hackers to snitch data from vulnerable sites.

FireEye, a network security company, says so far we do not know that crackers have exploited the bug.

Still, Tor Project, which helps people browse anonymously, says those with a serious need for privacy might want to stay mostly offline for a few days.

Oh, but we want to go online to see how they are doing, getting rid of the danger of being on the net! What to do, what to do?

But maybe it isn’t quite that bad. Dare we hope?

Well, not all sites on the internet use OpenSSL. Yahoo, Flickr, Eventbrite and OKCupid do, and here is a site that lets you check whether specific sites are vulnerable: http://filippo.io/Heartbleed/#www.motherjones.com

Google and Facebook have stated they are not at risk because of Heartbleed.

So should all sites using SSL get rid of it? No way. Not all SSL is OpenSSL, and not every site running OpenSSL has been breached.

When is SSL used, in the main? When there is sensitive stuff being transmitted, such as bank information, identity items like social security numbers, credit card numbers, passwords. Lots of the information doesn’t have strategic value of military and diplomatic importance, no state secrets, usually, but hey, some of our spies could have been caught earlier if their spending and saving had been known, or if their conspicuous consumption had been noticed.

Not using SSL at all would be risky. Empty the bathinet, but hang on to the baby.

Not all of our communications are all that sensitive. In fact, some of them are downright crude. Some of the comments we read… well, let’s just say a good number of our emails and tweets and posts are trivial. If people were concerned about the content being intercepted, they wouldn’t be chattering away on their cells, in the store or the restaurant or wherever, where we overhear them without even trying.

An SSL breach wouldn’t necessarily give a cracker access to all the information on a site. But if a flaw allows access to passwords that were used recently, that’s serious enough for me.

In Canada taxpayers are expected to file their taxes a few weeks from now, but even so, the Canada Revenue Agency decided to close its online center for now so it can get its Heartbleed problems sorted out. Meanwhile, our very own IRS assures us it has no Heartbleed difficulties. And all this time we thought they just had no heart.

I hope that is true, about no Heartbleed, because I filed online yesterday. No, not my tax return—my 4868, the reprieve form, the one that gives me more time to file. But I had to set up a password and provide my SSN, so I wouldn’t want the IRS leaking those. Although I can’t imagine why crackers would bother with me while there are so many people with more money. Almost everyone, actually.

Trend Micro, a security outfit based in Japan, says the disclosure of the Heartbleed bug has set off a race between security experts and hackers, the former trying to keep the latter from exploiting the vulnerability. That would be the good being blown by the ill wind, for the security companies. Or the silver lining behind the cloud. Oh, that’s right! Cloud storage! Not so safe as we thought. Meanwhile, the bad guys are sharing their tips and tricks, helping each other find ways of using the Heartbleed bug.

You might wonder what to do if you see hackers have been snooping around. But a better question might be, how will you know? Some bugs and backdoors reveal when they have been used. Heartbleed doesn’t. It isn’t as if you will look around and see that thieves have made off with your copy, your patents, your bank records, your love letters, passwords and encryption keys. You still have those. They just aren’t private anymore. If others have them too, that is not apparent to you. Of course if someone starts posting those love letters on Facebook, or draining your CheckFree or online bank accounts, it’s like when you find a minnow in the milk: you are entitled to be suspicious.

They’ll fix it, right? Well, actually OpenSSL has a new, fixed version that can be downloaded, but it is not that easy to apply. And what if there is a new coding error while the IT folks are putting this new OpenSSL in place and getting a new SSL certificate? Hmm.

Meanwhile, should you change all your passwords? If there is still treacherous SSL on a site you access with that new password, it can be captured too, so why bother until you know, or at least hope to heck, the site is squeaky clean?

So what can you do?

Simple. Just stay off the net!
