Heartbleed
Each week, Educating Modern Learners will pick one interesting current event – whether it’s news about education, technology, politics, business, science, or culture – and help put it in context for school leaders, explaining why the news matters and how it might affect teaching and learning (in the short or in the long run). We’re not always going to pick the biggest headline of the week to discuss; the application to education might not be immediately apparent. But hopefully we can provide a unique lens through which to look at news stories and to consider how our world is changing (and how schools need to change as well). This week (April 14), Audrey Watters looks at the Heartbleed bug and why we should be concerned about the ed-tech industry’s response.
What you should know about this week is something that you probably heard about first last week: the Heartbleed bug, a major vulnerability in one of the technologies that is supposed to encrypt data transmitted online. News of the vulnerability was made public at the same time that a patch was released, but “the fix” is still ongoing as many, many sites have yet to address the problem.
What is the problem?
From Heartbleed.com, one of the best technical “explainers” on the bug:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
About 17% of secure web servers are believed to have been vulnerable to the bug. While that might sound like a small proportion (it’s roughly half a million sites), the vulnerability, which has apparently been in existence for over 2 years, has been called “catastrophic.” Since the news broke, there have been reports that the US National Security Agency has been using the bug to gather intelligence. With Heartbleed exploited rather than fixed, the security of all Internet users has been compromised.
How does this impact Internet users?
Many in the media have urged Internet users to change all their passwords in light of the Heartbleed bug. But wait! It’s important to make sure that sites have actually been fixed first. The tech blog Mashable has published a list of “the passwords you need to change right now,” and LastPass, a password management tool, created a site that lets you see if websites you use were affected by Heartbleed and/or have addressed the issue.
And then yes, eventually (and regularly, of course), you should change all your passwords.
How does this impact schools?
“Change all your passwords” is a huge undertaking for all of us, but particularly burdensome for those who manage students’ accounts. For those looking for guidance, Jessy Irwin has written a great post on KQED’s education blog Mindshift detailing how educators can help protect their students’ data from this and other security breaches.
Irwin also penned an article for the ed-tech industry site Edsurge, urging entrepreneurs to be more forthright with their users about Heartbleed. Indeed, that seems to be one of the major frustrations in the wake of Heartbleed (second to changing all your passwords, of course): there just hasn’t been very good communication from many companies or IT departments about which systems, if any, were affected and what steps need to be taken as a result. A handful of companies have issued statements, assuring users that they didn’t ever use OpenSSL, for example, or indicating that they’ve addressed the problem. If in doubt, check with vendors to confirm whether security patches have been or need to be applied.
As Irwin writes, “While this flaw in OpenSSL is one of the most serious and widespread security vulnerabilities that the web has ever seen, it presents an excellent opportunity to be open, proactive, and transparent about how your company protects the grades, content, learning analytics and other precious student information in 21st century classrooms everywhere.” That same advice applies to school leaders who also need to address the privacy of student data and be increasingly vigilant about computer security.