This is like a slow motion 9/11 — it really is that serious.
No one is alarmed. The companies that should be securing their servers are moving too slowly.
This is very much like the buildup to the war in Iraq when the media didn’t carry the real story.
Only this time there is a lot that we should be doing that we aren’t doing.
What we should be doing
- Locating and updating the vulnerable servers.
There is no number 2.
Changing passwords is security theater. It doesn't fix anything: if hackers have access to your passwords, they have access to the new ones too. Until the server itself is fixed, a new password is exposed the same way the old one was.
What we should be doing: Specifics
In a comment below, I outlined a plan. I thought it should be in the post itself.
First, I think we need leadership. Then we need a surefire way to discover vulnerable servers. You have to figure the hacking community is working quickly to figure out how to do this, if they haven't already done so.
Then we have to enlist the help of users in discovering those servers.
A simple feature, added quickly to all the major browsers, that lights up when you're on a server that's not secure. Each such event goes into a database, and that information is quickly shared with the owner of the system, when the owner can be located (some are not going to be easy to locate).
Then again, if we had some leadership we could just isolate those systems. Cut them off the net, so that they can still be damaged themselves, but can't be used to cause damage to others. Again, I'm sure we're falling behind the bad guys as we speak. Of course they aren't running press releases. That's probably the major reason the press isn't carrying any of the urgent messages that need to get out there.
A Kickstarter project that was immediately funded to do this work would be a good sign. Then we have to get the Netcraft people involved, and Schneier, and maybe a few other organizations that are good at communicating with programmers: O'Reilly, the developer programs at the big tech companies (Google, Apple, Facebook, Amazon, Microsoft, Twitter, Oracle, IBM, Salesforce, etc.), Stack Exchange, Hacker News, Slashdot.
The goal is to develop a communication system, quickly, to help locate and fix the vulnerable systems. And then brace for what comes next.