By Ed McLaughlin and Wyn Lydecker
The Internet is buzzing over Heartbleed this week. Heartbleed is a simple human error that has compromised millions of transactions people thought were secure because they were performed using SSL (Secure Sockets Layer) encryption. Users are encouraged to change passwords, accounts, and cards to foil hackers of affected sites. There is a recurring theme in the press coverage of Heartbleed’s discovery besides that advice to users: it’s amazing that it went so long undetected. What on earth happened?
The encryption being used by many of these transaction powerhouses was built on open-source code, which is where the error originated. In a Q&A with the Bits Blog by the New York Times, Zulfikar Ramzan, CTO for the cloud security startup Elastica, expressed some of the same surprise the rest of the industry seems to be feeling.
It’s amazing — when I looked at the flaw myself I said, “Obviously, this is a pretty simple error.” This comes down to the issue that there’s so much code out there right now, and there’s so much code people are writing. There was a particular protocol called Heartbeat that did not get as much scrutiny.
The corporations putting their trust in SSL built on open-source code were relying on the fact that open-source code is freely visible to thousands of coders. Statistically, this should mean a Heartbleed-level mistake is impossible. There are so many capable coders looking at the code every day that someone should have caught it. No one did. Scrutiny, as Ramzan points out, is not evenly distributed. This means that the faith in open-source is misplaced. Those thousands of eyes are not looking at everything, they’re looking at some things, and assuming someone else has already looked at the part they don’t care about.
What does this have to do with entrepreneurship? Two things, one tactical and one strategic: We need to understand the risks associated with the tools we choose, and we need to be incredibly vigilant when we build our own products and companies.
Tactically, we need to be careful with technology. We need to master sufficient understanding of security to protect customers and ourselves. We don’t all have to learn to code, but we do need to understand the consequences for our finances and those of our clients if that security levee fails. Technology is easy to un-see when it makes our lives convenient. Focus on your technology use, especially for transactions, and secure it. Unfortunately, this will not be the last time you have to do this. The web is getting so big and the codes so long that no one could possibly see it all. As the New York Times reports, “…As The Web Grows It Grows Less Secure,” rather than being too big to fail, the amount of data and code we have floating around is too big not to fail, security-wise. Take the time to understand the technology you use at least enough to do so safely.
Strategically, starting a business involves reams on reams of information that all have to be processed correctly, decision upon decision that have to be made exactly right to end in success. We cannot afford assumptions about all the pieces working right. We have to preempt the small mistakes that can grow into a Heartbleed-like problem.
Finding those mistakes means scrutinizing every element of your startup. It means reading things backwards to see everything your brain plasters over when reading forwards. It means taking a total novice and explaining every step of your plan to him so he understands and it makes sense. It means taking an expert and explaining every step of your plan to her so she understands it and it makes sense. That means taking yourself through your plan and making sure that every bit of it hangs together. All these checks need to happen before you get out there in the world, only to discover that you have a pinhole that is going to sink the ship.
Ed McLaughlin is currently co-writing the book “The Purpose Is Profit: Secrets of a Successful Entrepreneur from Startup to Exit” with Wyn Lydecker and Paul McLaughlin.
Copyright © 2014 by Ed McLaughlin All rights reserved.