On April 1, Google notified workers at OpenSSL that they had discovered Heartbleed, an online bug that caused a fatal flaw in OpenSSL that left many users’ data vulnerable. OpenSSL is a tool used for data encryption by major websites such as Google, Yahoo, and Amazon. While bugs are commonplace on the web, Heartbleed leaves the backdoor to your private information wide open.
Unlike a coding mistake that may mess up how a website is displayed or not loading a website properly, this bug gives hackers the ability to literally eavesdrop and monitor all information between users and web services. This creates a giant liability for many users, who use these services on a daily, almost constant basis. Although smaller bugs may be easier to dismiss, OpenSSL is prominently used throughout the web; the compromise of OpenSSL has left almost no user untouched.
In response, the Office of Information Technology, on Friday, sent an email “strongly encourag[ing]” students to change their passwords. Although sent to all Princeton email users, it appears that the email was not enough. Many students asked either ignored the email, keeping their password the same, or at most, changed their login information on a few other major websites that were supposedly affected.
Granted, something is better than nothing. Nonetheless, this is a flawed and irresponsible approach. In an age where we blindly trust technology to be impervious and our data to be secure, many students will not be self-motivated to change their passwords themselves, especially when they truly do not appreciate the depth of this breach.
While one obviously hopes that students would be responsible and take the initiative themselves, we must face the fact that many will not. Despite the surprising extent of technology in our everyday lives, the majority of users are tech-illiterate. Many do not realize that behind its appearance as a flawless monolith, the Internet is comprised of millions of lines of code, where one faulty line written by an inattentive programmer can have huge consequences.
Only by forcing students to change their passwords will the importance of changing our passwords be signified to the student body. This is especially pertinent, seeing as the majority of Princeton students access their mail through Gmail, one of the compromised web services, which became the school’s default mail client two years ago.
Additionally, users might not change their passwords to every other site where the username or password is the same, which is also problematic. While certain sites may have been protected, hackers, if they acquired your information from a compromised site and if you use that same password/username on the protected site, will be able to access your accounts there as well.
I, and I am certain many of my fellow students, am guilty of using the same password for multiple sites. Passwords obtained could be used to compromise people’s banking, tax or insurance accounts, creating room for a wide range of headaches and financial woe.
And this is a real problem. It only took 24 hours after disclosure for hackers to try to use the exploit against a major company, successfully using the flaw, and this is just out of the cases known. There are potentially many other compromises still unknown on companies that contain the user information of millions.
Princeton had the perfect opportunity to fix this with the recent process of class registration for the upcoming term. By requiring students to change their passwords to register for classes, a required activity for all students who will be attending in the fall, each student will be able to, at the very least, protect their Princeton account, which has access to finances, email, and other important services.
The lack of response reflects a larger flaw, not only among our student body, but societally, as we have formed a technological apathy to the plethora of problems that exist. While we constantly hear about these bugs and flaws in all of the technology that surrounds, we rarely are ever plagued by the consequences of it. When credit card information is obtained through a phishing scam or because the user information was compromised, the first reactions of many are to cancel the card, and while they may understand that something went wrong they have little idea of the exact details or even worse, how to prevent it in the future.
Regardless of the University’s response, this should be an opportunity for students to educate themselves, given how important our user information is and living in an age where we keep so much on the web. By learning of the potential magnitude of the problem and the ability to take easy, yet very strong, preventative steps, we can all go a great way to making our information safer.
On that note, I stress each student to change their password as soon as possible. Mashable recently posted a list of known sites where information may have been compromised, showing whether your password should be changed. With so much on the line, it is simply not worth the risk to stand by and hope for the best.
Benjamin Dinovelli is a sophomore from Mystic, Conn. He can be reached at firstname.lastname@example.org.