So, here’s a thing I don’t see many people posting about: how and when it’s best to share unpleasant technical information. It seems really relevant today, when most of the web (well, OK, all the stuff I bothered checking) seems to be patched up after Heartbleed (more on that below, if this term is new to you), and therefore everybody ought to be changing all of their passwords soon.
We had a discussion, in my department (Systems), about how best to share this information—and whether sharing it was the right call. There’s an argument that we should have waited for campus IT to do it, but 1) it felt a little unethical to keep this to ourselves, and 2) we were worried that a well-meaning but less-techy coworker would send out something panic-stricken in the meantime. There’s something to be said for—and forgive me if this sounds cynical, because that isn’t how I intend it—controlling the message. Put more positively, it helps build trust when the Systems (or IT) department tells people about issues of possible concern in a timely manner and a straightforward-but-not-too-jargony way.
While we don’t email the library about every exploit or vulnerability out there, when Bruce Schneier says “catastrophic”, um, it merits comment.
So, we picked a couple of good articles (one for “what the issue is” and another for “how to respond”), and I composed (with edits from others in the department) the following, which I am sharing in hopes that other tech/Systems/IT librarians will adapt to their own tastes and purposes and share with their colleagues who don’t live on Twitter. I think it was good to send today; other people are saying “on Friday.” Use your judgment.
You may have heard in the news about a security vulnerability, “Heartbleed.” It’s a flaw in OpenSSL, the encryption software many websites use to protect your connection, and it can let an attacker read data (including passwords) out of a website’s memory. The BBC wrote about it yesterday, if you’d like to better understand what it is.
Short version: an unknown number of sites were affected by this vulnerability for two years; it’s impossible to tell how many of them were hacked; and the “good guys” have only known about and been fixing this issue for a few days.
Logins on Facebook, Yahoo, Tumblr, Google, and a number of other popular sites are confirmed to have been vulnerable; those sites, and most things on the web, are confirmed to be patched at this point. But your usernames and passwords on any site that was vulnerable may already have been stolen, and patching the site afterwards does not undo that.
This is a good time to change all of your passwords on banking, finance, email, and social media sites. Change a password only once the site is patched; on a site that is still vulnerable, the new password can leak just like the old one. Avoid using the same password for multiple sites; that is the main way to limit the damage these kinds of hacks can cause. Here’s a good article about password security, written in response to the Heartbleed vulnerability: The 5 Things To Do About the New Heartbleed Bug.*
*This one was actually displayed as a bit.ly link, rather than a linked headline, because we wanted to know how many people would click on it. :)
Actually, this was the version that went out to the state library association mailing list. The version internal to my library had a slightly different second paragraph:
Short version: an unknown number of sites were affected by this vulnerability for two years; it’s impossible to tell how many of them were hacked; and the “good guys” have only known about and been fixing this issue for a few days. We believe the risk for [the universities’ and the library’s] services is minimal, and our web server is patched. I’m sending this out because logins on Facebook, Yahoo, Tumblr, Google, and a number of other sites …[same from there]
Because, if you can honestly say your site is patched, that will help with confidence and trust and, uh, actual security. (How many library websites are major hacker targets? I could believe we’ve been targeted, perhaps, but our university usernames are so long and obnoxious that I imagine the username/password combos any malicious entities would get are wildly different from the ones any of us use on other sites. Perhaps your institution uses similar security-through-absurdity tactics. Still, patching is good, and “patched” should mean the fixed library is actually in use: restart the web server after updating, and since this bug can expose a server’s private key, a complete fix also means reissuing the certificate and revoking the old one.) And if you can’t say that, you really should fix it, or lean on whoever’s job it is to fix it.
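If you want to back up “our web server is patched” with something more than a feeling, here is a small check I’m adding to this post (my own example, not something from the original email or from any vendor): it classifies the text printed by `openssl version -a`. The version range it uses is fact (Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g, released 7 April 2014, is the first fixed upstream release, and 0.9.8 and 1.0.0 never had the heartbeat code), but the sample outputs below are constructed, and the build-date rule is a heuristic for distributions that back-port the fix without bumping the version string.

```python
import re
from datetime import date

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2 betas.
# 1.0.1g, released 7 April 2014, is the first fixed upstream release; 0.9.8 and 1.0.0
# never had the TLS heartbeat code. Debian, Ubuntu and Red Hat back-ported the fix
# without changing the version string, so the "built on:" date is the second check.
FIX_DATE = date(2014, 4, 7)
FIRST_FIXED_LETTER = "g"

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?", re.M)
BUILT_RE = re.compile(r"^built on:.*?\b([A-Z][a-z]{2})\s+(\d{1,2})\b.*?\b(\d{4})\b", re.M)


def classify(version_output):
    """Return (status, reason) for the text printed by `openssl version -a`.

    status is one of:
      not-affected    branch predates the heartbeat extension (0.9.8, 1.0.0)
      patched         1.0.1g or later, or a later release branch
      vulnerable      affected version, built before the fix was published
      backport-check  affected version string, but the binary was built on or after
                      7 Apr 2014: probably a distro back-port; confirm in the changelog
    """
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no 'OpenSSL x.y.z' line found")
    base, letter, beta = m.group(1), m.group(2), m.group(3)
    numbers = tuple(int(x) for x in base.split("."))
    label = f"OpenSSL {base}{letter}{beta or ''}"

    if numbers < (1, 0, 1):
        return "not-affected", f"{label} predates the TLS heartbeat extension"

    affected = (numbers == (1, 0, 1) and letter < FIRST_FIXED_LETTER) or \
               (numbers == (1, 0, 2) and beta is not None)  # 1.0.2 betas were affected too
    if not affected:
        return "patched", f"{label} includes the upstream fix"

    b = BUILT_RE.search(version_output)
    if b:
        built = date(int(b.group(3)), MONTHS[b.group(1)], int(b.group(2)))
        if built >= FIX_DATE:
            return "backport-check", (f"{label} is an affected version but was built on "
                                      f"{built}, after the fix; confirm the distro back-port")
    return "vulnerable", f"{label} is an affected version built before the fix"


# Constructed sample outputs (not real captures), trimmed to the two lines that matter.
SAMPLES = {
    "stock 1.0.1e":     "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Feb 13 10:02:44 2013\n",
    "distro back-port": "OpenSSL 1.0.1 14 Mar 2012\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n",
    "upstream 1.0.1g":  "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Tue Apr  8 09:12:03 2014\n",
    "old 0.9.8 branch": "OpenSSL 0.9.8y 5 Feb 2013\nbuilt on: Thu Feb  7 12:00:00 2013\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, reason = classify(text)
        print(f"{name:18} {status:15} {reason}")
```

This only reads the binary on disk. A web server that was started before the update keeps the old library mapped until it is restarted, so check that separately; and a “backport-check” result means exactly that, go read the package changelog rather than trusting the date.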
Perhaps you got angry at me for my imprecision, oh geeky reader. (I was almost embarrassed, posting it.) But you have to look at what people’s tech tolerance is.
My coworkers are smart enough to understand the details about this vulnerability, about exactly how bad this situation is, etc., if they cared to do so. Which they don’t.
I could tell them all the gruesome details and then reassure them with the information about what version of OpenSSL we’re on, when we did our last patch, and when we did the patch before that one. But I know for a fact that several of them email their passwords to one another, despite knowing … well, they know we hate that, but maybe they don’t really remember why.
My point is, most of them have a very low technology tolerance. Tech isn’t an interest of theirs, nor is security. Their computers, email, the internet, and the protocols and procedures to keep all of it going: these things are just tools, tools they prefer not to have to notice.
So I simplify, in hopes that I’m using enough words to help them understand the importance and make good decisions, but not so many that they get bored or decide they’re too busy to deal with my email.
I may have struck the balance wrong, on this; while I can defend the choices I made, re: what to share and what to simplify, I won’t go so far as to claim they were the right choices, necessarily. The email’s probably a smidge too long. People might not have the presence of mind to think to themselves “Systems never sends out stuff about security unless it’s REALLY BAD, so this must be important!” or, worse, they might not remember my department head is out of town (making me the acting department head) and think “Eh, if it were important, Mike would have sent it”—so it’s possible the urgency of my tone should have been kicked up a notch. Or I could come in to panic and bedlam in the morning, in which case I’ll know it should have been kicked down a notch. ;) (This is unlikely.)
I will admit to one major mistake: instead of “Change your passwords,” my subject line read “Heartbleed – OpenSSL vulnerability.” Look, it was after 4pm, and I’d had a long day and cold medicine.
Anyway, I’m really interested in other Systems/IT folks’ opinion on this:
1) Are you going to send out an email to your less-techy coworkers? General library mailing lists?
2) How detailed do you think it’s worthwhile and productive to be?
3) What tone do you try to strike, when writing an email like this?
4) Any tips you want to share?