Jackass Presents: Goofy Heartbleed Guy

Posted by Pete Apr.17, 2014 in Passwords & Security

We know better than to underestimate the stupidity of our fellow man, but we think the guy who made fun of the Heartbleed Bug in the comments section of a recent The Switch blog (Washington Post) was either pulling our leg or trying to get new followers on social media.

Let’s check out what happened, and see if there’s a lesson in his exhibitionism.

In the comments section of an article about the Heartbleed vulnerability slowing down Internet traffic, this guy goes on a rant about how much he doesn’t care about Heartbleed. Just in case you didn’t hear him the first time, he goes on and on to make sure that you know that he DOESN’T CARE!! (The guy doth protest too much, methinks!)

To prove it, he reveals 2 favorite passwords that he uses for his accounts and invites anyone to:

Sneak into my WaPo, NYT or CNN accounts and go crazy making comments in my name. Break-into my Facebook or Twitter profiles and change my hometown to Gas City Indiana, swap-out my avatar with a picture of your nads, make friends with people I don’t know.

The result was to be expected. Someone took him up on his offer and messed around with his accounts. As far as we can tell, whoever it was turned out to be a practical joker and not very malicious.

The thing is that this whole thing feels a lot more like a scene from a Jackass movie than real life.

Here’s what didn’t happen: he didn’t say that Heartbleed isn’t a problem and so he doesn’t think there’s any additional risk to him, and that to prove his point he wasn’t going to change any of the passwords he used for the past two years.

If he had said that, he could then have challenged bad guys to use the Heartbleed vulnerability to hack his accounts.

Bad guys, if you’re so bad, then use Heartbleed to find my login info on a site that I visit and prove to me and the world that this is a real threat.

That might have made sense – at least in terms of proving his point. (No, we’re not suggesting that you should do that. Don’t do that!)

Instead, here’s what he did do: he did say that he doesn’t believe in the Heartbleed Bug and to prove it, he did give out his passwords on a public site and ask people to show him that they can log in and do whatever they want.

But that’s not the problem with Heartbleed – is it?

Heartbleed is about anyone being able to surreptitiously siphon off data from affected servers: data that might include login credentials. Bad guys that go out of their way to get your data tend to have bad intentions.

All this guy did was to show that those really were the credentials to his accounts.

It’s like someone from the Jackass movies wearing a bike helmet and doing a swan dive off the roof onto a paved driveway as proof that wearing a helmet while riding your bike won’t help you if you fall. Goofy.

So, is there a lesson in this?

We think the lesson is in the limited imagination of this guy in terms of what can happen when someone hacks one or several of your accounts. Is it really only about changing avatars on social accounts and tweeting ‘I’m a jerk’ and a photoshopped pic to your 132 followers?

When people get past your password defense, there’s a lot more at stake: your money, your identity, your reputation, your job, health records, personal information, …

Make sure you change your password on sites that have been affected by Heartbleed. Check to see the status of the sites you visit here.

Oh, just in case you missed the obvious lesson, it looks like exhibitionism does pay after all.