Heartbleed. To most of us, it’s that mysterious annoyance that has caused us to change passwords for many of our on-line accounts. But can Heartbleed be explained in a way that it’s not seen as a fatal hole in the “magic” of the Internet?
While many sites have explained Heartbleed’s literal failures through code and even comics, I felt an explanation with some everyday analogies and metaphors was still lacking, until I stumbled across Eric Limer’s article on Heartbleed over at Gizmodo. Not only has Eric saved me the time of crafting an explanation, he’s done an admirable job of making the magic of computer code and Internet communication simple through his real-world examples.
First, Eric explains how Heartbleed derives its name: from “heartbeat,” a standard operation that two computers use to make sure they’re still talking to each other in sync. Since a personal computer and a Web server are disconnected until they have a reason to talk to each other (over the Internet), they must have some way to check that they both stay connected during their conversation. Like calling your bank via telephone, you don’t want your phone call disconnected until your business transaction is finished. This “heartbeat” operation is a way to ensure nothing has gone wrong at either end during the computers’ conversation. Eric uses a clever reference to old audio cassette tapes to illustrate this:
It’s like making sure that both spindles in a cassette tape are moving when you’re playing it. If one spindle stops and the other keeps going, something will break.
Heartbleed was named as such because the recently uncovered flaw is in this “heartbeat” operation, or more specifically, in the coded instructions for the “heartbeat” procedure that the Web server follows. As I’ve explained in my book, computers don’t have common sense. They follow only the instructions provided (in the form of code), literally. Like a robot/zombie chef, they follow the recipe exactly as written. So the problem of Heartbleed is actually an oversight in the written recipe for the “heartbeat” function: the server takes the sender’s word for how much data to send back instead of checking how much actually arrived. And while a human might recognize this type of sloppy instruction in a recipe and compensate, computers cannot.
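To make the “missing line in the recipe” concrete, here is an added example (not code from Eric’s article, from OpenSSL, or from this post) of a simplified heartbeat handler in C with the check the flawed version omitted. The record layout follows the TLS heartbeat extension; the function name and the two sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message body:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian, chosen by the peer
 *   N bytes  payload
 *   >=16 bytes padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Build a heartbeat response into out. Returns bytes written, or -1 if the
 * request is rejected. record/record_len is what really arrived from the peer.
 * The flawed "recipe" trusted the peer's claimed payload_length and copied that
 * many bytes from memory; the check below insists the claim fits inside the
 * bytes actually received, so nothing beyond the request can be echoed. */
int heartbeat_reply(const uint8_t *record, size_t record_len,
                    uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER + HB_PADDING) return -1;   /* too short to parse */
    if (record[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];   /* peer's claim */
    /* The bounds check that was missing: claimed length vs. bytes received. */
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return -1;
    size_t reply_len = HB_HEADER + payload_len + HB_PADDING;
    if (reply_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, record + HB_HEADER, payload_len);  /* echo only what arrived */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);       /* padding: zeros, never leftover memory */
    return (int)reply_len;
}

/* Constructed sample records: an honest request with a 3-byte payload, and one
 * that claims 65535 bytes while carrying the same 3 bytes. */
static const uint8_t honest_record[] = { 1, 0x00, 0x03, 'h','i','!', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t lying_record[]  = { 1, 0xff, 0xff, 'h','i','!', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };

int demo_honest(void) { uint8_t out[64]; return heartbeat_reply(honest_record, sizeof honest_record, out, sizeof out); }
int demo_lying(void)  { uint8_t out[64]; return heartbeat_reply(lying_record,  sizeof lying_record,  out, sizeof out); }
int demo_honest_echoes_payload(void) {
    uint8_t out[64];
    int n = heartbeat_reply(honest_record, sizeof honest_record, out, sizeof out);
    return n == 22 && out[0] == HB_RESPONSE && memcmp(out + HB_HEADER, "hi!", 3) == 0;
}

int main(void) { printf("honest: %d, lying: %d\n", demo_honest(), demo_lying()); return 0; }
```

The honest request gets a 22-byte reply; the request that overstates its length is refused instead of being answered with whatever happened to sit in memory.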
So what’s the problem? The problem is that once a person with ill intent understands the glitch, the glitch can be exploited, since the computer (the Web server) has no idea it is being taken advantage of. Again, Eric weaves a story to help us understand. Scroll down and read the section “A Clumsy Metaphor” in Eric’s article right now if you haven’t yet. It’s not clumsy at all. It’s a brilliant example of a “Heartbleed glitch” in the real world, and it begins:
Imagine you have a whole bunch of photos, and you’re going to a store for a box to keep them in. The guy who runs the store is very stupid, and can’t count at all.
The guy behind the counter, whom we might call “robot guy,” represents the Web server, of course. But the nefarious “customer” is a human, potentially anyone. And when a human finds a weakness in a robot, it’s really no contest. As Eric says, there’s more than just photos to be uncovered by Heartbleed. It’s not like someone peering over your shoulder while you’re writing down your bank account number. It’s more like someone discovering the pattern for a master key to all the safety deposit boxes at the bank. Not only does it allow them to go exploring in other people’s secret stuff; until the oversight is fixed, they can continue to do so completely undetected.
I hope this explanation is helpful, and again, I’d like to thank Eric for the time he took to craft his clever open-heart explanation of Heartbleed.