As I’m sure everybody involved in the tech industry is aware by now, a rather important security vulnerability in OpenSSL was made public today, the so-called “Heartbleed Bug”. Two factors come together to make this a particularly nasty incident: the impact of the bug, which allows an attacker to read portions of the memory of a vulnerable machine, and the widespread nature of vulnerable systems. With numbers such as “500,000” websites and “millions of vulnerable systems” being thrown around, it’s easy for anybody to see how serious this is.
…or is it?
Have you heard anyone outside of the tech industry exhibit any concern? While it was mentioned on popular news outlets such as the BBC and The Guardian, it never featured in the most viewed articles of the day. Heck, it didn’t even make the top 3 technology articles on The Guardian.
For the general public the layout of Twitter is of more importance than the mysterious technobabble of “encryption” and “servers”. This is something that we as an industry need to address. How do we get users to engage with technology? How do we get users to engage with technological security? How could we have got the word out quickly and widely enough that a majority of people stopped logging into Yahoo, for example?
For a start, I believe the problem is terminology. Does the average person on the street know what a server is? Encryption? A bug? This is a genuine question; I don’t know. Perhaps we need to start out with some research into how far tech words have reached into the general population. We cannot make any assumptions on this front, as we all exist within the bubble. Assuming people do not understand those words, what would be a better headline? What gets people’s attention?
- “Global Website Security Compromised”
- “Internet Crisis – Your Passwords Are Not Safe”
- “INTERNET DISASTER – CRIMINALS VIEW ALL PASSWORDS AND BANK DETAILS GLOBALLY”
Is it worth being a little alarmist in such situations? I mean, all the advice this morning was to avoid critical systems online until websites were patched. Did anybody outside of tech circles follow that advice? Did anybody actually see that advice? Certainly all the people still logging into Yahoo didn’t.
Secondly, beyond terminology, there is the problem that those in prominent communication positions (news outlets, politicians etc.) largely do not seem to understand technology themselves. If somebody from the tech department were chief editor of a newspaper, then I’d be willing to bet this would have been their front page story of the day.
What can we do? As individuals, all we can do is continue to proselytise: keep your non-tech friends informed, and keep writing to your politicians about technology issues. The more voices we add to the mix, the more we will be listened to in future. A change in mindset will happen, not quickly but eventually.
But hold on a second… what if… maybe we’re looking at it from the wrong angle, maybe it isn’t about users not understanding technology.
Perhaps ultimately users shouldn’t have to care about technology.
Much of Apple’s success globally is down to the very principle that they shouldn’t. Are there technical measures that could have been implemented to safeguard customers without them needing to do anything? I realise this is drastic, but what would people have thought if an ISP had blocked access to Yahoo, for example, until their vulnerability was fixed? Initial anger at not being able to access their mail, followed by a warm realisation that their ISP had saved them from criminals stealing their passwords? As an industry we need to standardise on a single global voice for situations like this in future. If users do not understand enough to protect themselves, then we need to do it for them. Far too many sites kept running instead of taking everything down until the problem was resolved. The action and onus should be on us to ensure end users are protected at all costs. If that means a sysadmin taking a unilateral decision to take down their multimillion dollar global website for a few hours, then so be it. Explain it to the non-technical board/management afterwards. At the end of the day, user safety and the reputational benefit are worth more to a company than a day of profit.
If users don’t care about technology, that’s not a problem; we just have to make sure they don’t need to.