Transparency and Heartbleed



Dear Internet,

I was having conversations recently on Twitter about vendors and institutional responses, or lack thereof, to Heartbleed. To wit: MPOW’s response to my inquiry as to how they were handling it was the following (from two separate emails): 

I.T. does not have an official statement concerning the heartbleed bug. […]  I know my team and the ISO have addressed the OpenSSL issues and I’m sure they have it handled.

My original inquiry was via the I.T. ticketing system, which the first line of the quote comes from, and was immediately closed. I received a follow-up email from the head of Infrastructure within minutes that included the second line of the quote and a request to direct questions to him and his team directly rather than open up a ticket. So I did.

No response.

TheHusband, when I reported this back to him that same evening, just shrugged and said some I.T. departments handle things differently. I, obviously, disagree. When you have a bug that has so permeated everything we do and affects, directly or indirectly, damn near everyone who gets online, you would think transparency would be of the utmost importance.

In the conversations that I alluded to at the beginning of this, many also agreed with me. We discussed who should be reporting to whom and in what situations, because there seemed to be no best practices in place. I am the contact for the library’s SSL certs, and that vendor notified us immediately, but others, like database and other product vendors? Not even a mention.

On the personal side, random emails were appearing from various sites I belong to, some forcing password resets to enhance security, but overall the responses being sent to users seem to be thin on the ground.

As I was working this out over Twitters, I realized I never made an update to my own blog about our patching of Heartbleed, which was done near instantaneously after its discovery. EPBaB and my professional site both have SSL integration, something TheHusband was insistent on when we migrated to our new host in the spring of 2013. While we may not be allowing accounts other than our own, and thus are not storing passwords or other personal data of others, having SSL does help protect against other forms of attacks. The only hiccup we ever found was the inability to add my sites to Feedburner, as they do not support HTTPS sites.

In the upcoming week, I’m going to be moving through the lists I’ve started of vendors I use for personal AND professional spaces to see who is reporting (or not) on Heartbleed and how. I am extremely curious as to what the results will be, and right now, from the cursory research I’ve done: it will not be pretty. And what is worse is what it really says about the state of tech transparency today.

This Day in Lisa-Universe: 2013