There is a big hole in the Internet and it’s bleeding passwords. Or at least that is what one would understand from following various media reports about “Heartbleed”, the flaw in OpenSSL, the library that implements the Internet’s basic encryption protocol (SSL/TLS) on a large share of web servers. (Strictly speaking, it was an implementation bug in OpenSSL’s handling of the TLS heartbeat extension, not a flaw in the design of SSL/TLS itself, a distinction the reports rarely made.) Just by reading (and listening to and watching) the media, one could be excused for thinking that the Internet as we know it has come to an end. Slogans like “Internet safety is gone” and “Replace all your passwords now!” were shouted repeatedly (didn’t they tell us that passwords were useless anyway? And didn’t they say that 99.9% of passwords are 123456 anyway?)
Regardless of the actual severity of this flaw, two things come to mind when analyzing the public’s and the media’s behavior regarding Heartbleed. The first is that the media is thirsty for cyber-related stories and is willing to blow any story out of proportion just to make the headlines, especially if it can be said to be “relevant to everyone” and to “put us all in danger.” This is not surprising: there is a very unhealthy relationship between the media, the cybersecurity industry and the public, each doing its share to evoke panic and misinformation.
What I find more disconcerting is that some people and organizations use such incidents to increase awareness of cyber threats and turn this into a call for action. While there is nothing wrong with raising awareness, I do believe that overdoing it, i.e. scaring people, achieves the opposite effect. Want an easy way of verifying this? Just ask the people around you (normal folk, not industry techies) whether they have heard of Heartbleed. Many of them (especially in the U.S.) will probably say yes. Then ask how many of them have changed their passwords as a result of this being made public. I can almost guarantee that the answer will be zero. The explanation for this is simple: when people are presented with a catastrophe, they tend to do absolutely nothing. If nothing is safe anymore, then why bother doing anything?
And that is exactly the problem. By creating panic, we also create apathy, when we should evoke emotion and move people to act: seek professional advice, check their systems for breaches, whatever. We should be stating very clearly the REAL threats and the REAL remedies, even if they make less appealing headlines. In the Heartbleed case, the real remedy was for server operators to patch OpenSSL and reissue their private keys and certificates; for users, changing a password only made sense once the affected site had actually patched, since a new password sent to a still-vulnerable server could leak just as the old one could. Only when the message is that specific do we stand the slightest chance that the “Average Joe” will stop, listen and act differently than before. “Make them aware, not scared” should be our motto.