“How I Explained Heartbleed To My Therapist”

This is an important post by Meredith L. Patterson:

“Remember back around April or May, when you had to change your passwords on all the websites you use? Facebook, Yahoo, LinkedIn, everywhere?” He nods, vigorously. “Do you remember hearing the word ‘Heartbleed’ back around then?” A blank look. Maybe I should have worn the T-shirt. Too late. I have to press on.

“That part’s not important. It doesn’t matter what the problem was called. What matters is, there’s one piece of software that nearly all those websites use to make sure that all the messages that go between your browser and their site are private. And nobody pays for it.”

“Nobody at all?”

“Nobody. The people who write it have been working on it for like fifteen years now, and they’re basically all working for free, the same way I’m doing on the work I’d rather be doing, even though Google and Facebook and practically every company with a website relies on that software these guys make. ‘Relies’ as in without this software, all their business evaporates.” I leave out the part where half of “these guys” are my dead husband’s friends and they’re not all guys; there will be time to talk about that at a later appointment. “And back around New Year’s in 2011, one of those guys made a little mistake with a really big consequence. The upshot of it was that any jerkoff could just ask whatever websites they wanted for whatever private information they had on hand at the time — your passwords, your calendar, whatever.

“And nobody in a position to fix it noticed until April of this year. Which is why you and everybody else had to change all your passwords. And in the meantime, who knows how many credit card numbers and god knows what else got snatched.” My e-cigarette is nearly empty but I fidget with it anyway, calculating on the back of the envelope in my head whether I can dredge just one more hit of nicotine without burning the coil to an ashy, taste-ruining wreck. Everything has become a cost-benefit analysis on the edge of a razor in this New New Economy that has become my life: how far can I stretch the resources I have before physics or information theory dictate they snap? “And even after a disaster like this, these poor fuckers are still running on handfuls of donations. They’re still overstretched and understaffed. It’s a tragedy of the commons problem.”

That’s a catchphrase you hear sometimes in sociology, a cousin dialect to the language of psychoanalysis he speaks. He leans forward. “In what way?” he asks. I hope it means I’ve given him firmer footing than all this computery shit he doesn’t speak.

“These bugs that happen, these mistakes in software that lead to vulnerabilities, they aren’t one-off problems. They’re systemic. There are patterns to them and patterns to how people take advantage of them. But it isn’t in any one particular company’s interest to dump a pile of their own resources into fixing even one of the problems, much less dump a pile of resources into an engineering effort to fight the pattern. Google could easily throw a pile of engineers at fixing OpenSSL, but it’d never be in their interest to do it, because they’d be handing Facebook and LinkedIn and Amazon a pile of free money in unspent remediation costs. They’ve got even less incentive to fix entire classes of vulnerabilities across the board. Same goes for everybody else in the game.

See also, “Your Consent Is Not Being Violated By Accident” and “Predator Alert Tool as a Game Theoretic Simulation of Countermeasures to Rape Culture,” two posts further describing the intentional abuse by the Silicon Valley for-profits against individuals and organizations who explicitly declare a “people over profit” motive. Also relevant is this short post about the so-called “sharing economy,” bluntly titled, “Get on your knees and thank the Silicon Valley elites for your chance to serve them.