The newly discovered “Heartbleed Bug” exposed millions of usernames, passwords and credit card numbers to hackers. But there’s a subtler, secondary reason the security flaw is on so many minds today: Its name.
What’s in a name? Think about it! Does “RFC6520 vulnerability” have quite the same resonance? Does “a missing bounds check in the handling of the TLS heartbeat extension” make a good hashtag? Part of Heartbleed’s scariness, and its shareability, springs from the weird poetry of its assumed name. And while the shorthand names of news events often evolve organically — think Snowmageddon or 9/11 — the Heartbleed bug was branded on purpose.
So first things first: What does heartbleed mean? The bug, as my colleague Lindsey Bever explained Tuesday night, is in a type of software called OpenSSL, which is used to encrypt sensitive information on Web servers. OpenSSL, in turn, contains something called a “heartbeat extension,” or RFC6520, which essentially checks that a connection between two servers or devices is live. (This is getting a little in the weeds, but it’s called heartbeat because it’s a type of “keepalive” connection, and we’ve talked about machines as “live” or “dead” for quite some time.) Unfortunately, there’s a glitch in the heartbeat code that lets one device grab bits of memory from the other. So in its initial security alert about the flaw, OpenSSL refers to the bug as a “TLS heartbeat read overrun.”
Not very sexy.
But a computer security firm called Codenomicon, which claims its engineers found the bug at the same time, quickly swooped in and rebranded it. They christened the bug “Heartbleed” and launched the domain name Heartbleed.com only an hour after the OpenSSL alert. They wrote a long FAQ that explained the vulnerability to both tech administrators and the slightly-less-savvy. They even — and this is weird, when you think about it — made a logo for the bug, which has since appeared on an untold number of media Web sites (… including this one).
We rarely conceptualize news events in terms of “branding,” but that’s exactly what Codenomicon has done with Heartbleed. That’s not a criticism of the firm or a question of its motives — on the contrary, if the bug didn’t have such an evocative, fantasy-novel-esque name, it might not have attracted quite so much attention, so quickly. This is, in fact, the very reason the Weather Channel began naming winter storms: “naming a storm raises awareness,” the channel wrote of the decision in 2012, and “in today’s social media world, a name makes it much easier to reference in communication.”
As if to prove that point, #heartbleed has been tweeted some 79,000 times. RFC6520? A mere 98.