
Inside Story, Al Jazeera, April 15, 2014, 5:00pm-5:31pm EDT

5:00 pm
run the 2014 version of the boston marathon. and everyone is -- fingers crossed for that. maria, thank you, appreciate it. that's all the time for this news hour. i am tony harris in new york city. "inside story" is next on al jazeera america. >> hello, i'm ray suarez. in the past several days millions of you heard the bad guys, the vandals, the thieves
5:01 pm
may have burrowed into the world of online commerce, intruding on the back and forth conversations between your computer and your e-mail servers, between you and the places you buy things online. it's not completely clear what happened as a result, but are you as confident about logging on to a sales site to see your packages as you were a couple of weeks ago? and the web is full of conflicting information over the past few days. change your password? no, not until the site has fixed its security settings. change your password? yes, any website worth its salt has already fixed this thing. what are you to do? i don't know, how are we going to find out? first, how we got here. >> heartbleed is a potentially critical flaw in widely used
5:02 pm
encryption software that is supposed to protect online users' personal information. the heartbleed bug has existed for two years but was only learned about by consumers and tech giants alike. it means that your personal information can be compromised and there is nothing that can be done about it until websites upgrade their software. what is at risk? 500,000, two-thirds of the sites that use ssl, the encryption software. >> this ssl layer. >> in basic terms, computers using openssl check to see if there is a website server at the other end of a secure connection. the server and the computer exchange data to verify they are still connected. it's called heartbeats. that's where the bug comes in. a would-be hacker or criminal
5:03 pm
can trick the server into providing much more data, revealing user names, passwords, credit card or other account information. all the while consumers are getting varying advice on how to act when online. one suggestion is to go to an internet security site like mcafee, and type in the website you want to visit to see if they have fixed the heartbleed bug. it proves that hackers can steal encryption keys using the bug and plan attacks. google has updated its customers on its blog announcing patches to its progress. google confirmed some android phones with software from 2012 are vulnerable. that could compromise up to
5:04 pm
4 million phones in the united states and 50 million worldwide according to an analytics firm. there will be major disruptions as companies scramble to repair encryption software. >> definitely make sure that you're keeping up with their website, on their blog, to see whether they were infected at all. >> the heartbeat bug is right in the middle of the ongoing debate over security practices. reports that the nsa knew about the bug and websites' vulnerability right from the beginning. the office of the director of national intelligence issued a forceful denial saying no one in
5:05 pm
government knew about heartbleed prior to this april. >> joining us to help us understand this latest way to pick your pocket, we're joined by a staff technologist; she writes code with a focus on encryption and privacy for internet users. she joins us from san francisco. and with us from boston, robert, who works with products that protect online communications. and from new york, christina warren, senior tech analyst. should we take comfort in the fact that this slumbered away as a flaw in this widely used program for years until people
5:06 pm
realized that it was there? >> well, we don't know whether anyone knew about this bug before it was publicly announced. there is no way to know that some hackers haven't found it. the openssl software, its code is open, anyone can read it and look for this bug. it's not hard to find it. it's hard to tell if anybody knew about it. >> i don't write code. if you're surveying an open source program, and looking for flaws in it, is it a needle in a haystack? or is it something that when you're looking for a flaw it's easy to find? >> well, with openssl, the code, there is a lot of it, and it's kind of messy. you know, many people don't have the patience to just look through it. but if you--i would say if you're reasonably skilled you could have found the bug. >> robert, how was this problem detected in the first place?
5:07 pm
>> so researchers were able to detect it by looking at it. they found it. it was a eureka moment, and then they quickly disclosed it, and here we are in the midst of what would be one of the largest security crises with the internet thus far. >> disclosed it, but disclosed it to the users and potential criminals at the same time. >> well, that's kind of how these things go. when you make the public aware of it, of course, you're going to make the bad guys aware of it, too. but with most flaws, most vulnerabilities, if the researchers had had an opportunity to contact an individual company, then they will, depending on the nature of the hacker, whether they're black hat, gray hat, white hat, they may disclose it publicly. they may go right to the
5:08 pm
company. in this case they didn't have a choice. they had to go public because of how many were affected by it. >> christina warren, the very idea that the method a computer would use to talk to a server is a place where an opportunistic infection might be happening, that's stunning, that no one realized that this was a flaw in the first place when this was put into widespread operation as a security device. >> well, absolutely. but to his point the code is sort of messy. and even if the project is used very widely, it actually has only a few committers. there aren't that many people actively contributing to the project. if you're looking at it closely you could find a flaw. but you've got a ton of code
5:09 pm
there. it makes it so that it could go unseen. that's a testament in part to how good openssl had been in the past, and how reliant people have become on it. but at the same time it does say we're going to be using these tools, and if it's important we should be doing a better job of auditing the code, and making sure that things are the way they need to be. >> so the alarm goes out. the flare gets shot up into the sky. why does every individual site have to take care of this on their own? why isn't there software that can then be distributed to all users in much the same way the code was distributed in the first place? christina? >> yes, that's kind of the problem. i think for regular users that's what makes it such a difficult bug to deal with, because we don't have a lot of control over
5:10 pm
it. the bottom line is that every server has to update itself on its end to be safe. every application, every web server, every device, talking about a smart phone, router, has to be updated. unfortunately there is just not a way to push those updates out because they are being maintained by various companies. because various companies maintain them, when the disclosure happened some companies were given advance warning and were able to patch things. some were able to do what they could to patch things before the vulnerability became public. but when you talk about code that is used on 66% of the web, unfortunately, we don't have the mechanism to push an update. it would be great if we did, but we don't. >> what does this mean to me? are there different systems in place for different kinds of
5:11 pm
vendors? are banks using the same kind of secure software protections as a potter, who runs a business out of their own home, and sells ceramics by mail? is this all the same business, or are they using different kinds of items in this case? >> from google to a tiny website, they run openssl. because the spot connected in opening up a cell, a few temperatures might claim to have protection on top of that, but that would be foolish in this case. i think what people. have updated their software. and there is an encryption
5:12 pm
layer. so when the site loses its encryption key it's still vulnerable. someone who has that encryption key could direct traffic or even impersonate that website. >> what can people with bad intent do in that little window of time? >> so they go to whatever sites they determine are not properly protected. they'll begin to sniff in and they will extract the data. in canada they were able to get a thousand social numbers from
5:13 pm
canadian taxpayers, then they used that data to commit fraud. they'll open new lines of credit. they'll take over existing accounts with the new names and passwords. the name behind the "s" is security. encryption is essential to protect that information. when the doors are not locked it allows the bad guy to get in. in this case, more than likely it has occurred multiple times, and those infected may not find out for days, weeks, months, years. and it's possible that they have been affected in the past, and they'll only realize it in the future. >> now you know what the vulnerability looks like. we'll take a break and we'll
5:14 pm
look at what consumers have to do. this is inside story.
5:16 pm
>> welcome back to "inside story." i'm ray suarez. on this edition of our program we're talking about the heartbleed bug. it's been out there for two years, and raises the possibility that a hacker could get your information on a website that you and your company thought was secure. christina, when news first came out that this was out there, my wife, who does all the banking and pays all the bills, said forget it. that's it. i'm going to let it go for a while until the dust settles. she also pays her mother's bills, and some of those bills had to be paid right away, and it felt like a risky thing to enter personal information into the computer. what is your best advice today? how should they proceed if
5:17 pm
they've been conducting business online? >> you need to know if the site you're using has updated its software and security. we've been making a list of the banks, financial institutions, social networks, and there are utilities to see if there has been a patch and they have been updated. >> that means not necessarily going to the place itself, but going to some other source of the information? or should i go to the place itself, and they say, hey, we fixed it, don't worry? >> some sites will. some have been forthcoming, some haven't. the next step, if you used a password on a site that has been
5:18 pm
impacted by the heartbleed bug, regardless of whether it's been updated or not, you need to change that password on every service that uses that password. you need to change the password on the services, especially if it's a password that you have used multiple times. it needs to be unique to each service. there is not much more we can do. change your password. check with the places that you use the most. if it's a bank, if there is another way to make a payment, maybe go in in person or do it by phone. changing your password, and especially changing any passwords that you've used multiple times, is really the best course of action that regular users can take right now. >> robert, why do you have to change them all? and why do you have to go to places that you don't use as often or go to places where you
5:19 pm
haven't signed on for a long time, and change the passwords even there? >> so the idea behind changing a password has been around for quite some time, aside from this particular issue. you should change your passwords periodically, at least semi-annually if not annually. most corporations that have sensitive data require their employees to change them quarterly. that's a good practice to get into. upper case, lower case, numbers, so forth. by changing your passwords you make it more difficult for a criminal to access your accounts, as long as they are considered what is a strong password. you should be changing your passwords quarterly,
5:20 pm
semi-annually. for those websites that you don't really visit and there isn't much data on them. an e-mail is a critical account. for a bad guy to own the e-mail, the bad guy owns the person. change that, social. the reason why these accounts are considered critical, they are access to information, access to contacts. having different passwords, like it was already said, is essential as well. having the same password across accounts makes it very easy for hackers to get into additional accounts. >> now take us into the mind of the people who are trying to break through these systems, and corrupt them, and work around these new passwords. the university of michigan put out data purposely as a kind of
5:21 pm
honey pot operation, and found that they were attacked several times just since the word came out that heartbleed was out there. what is the state of the art for people? >> heartbleed is different from a lot of security vulnerabilities. so when it came out it was an hour where people were very curious and they would try it out on various sites. it was found very quickly that by using one of these scripts you could sometimes get passwords and log into people's accounts. >> once you do that, what do you do with that information? you got a cookie.
5:22 pm
you got information from a security certificate. you got a password. what does that allow you to do? if they are keys, what doors do they open? >> there are two different questions in there. one is if you get a security certificate. if that happens you basically have the keys to the kingdom. you can pretend to be a website. you can basically say i'm google.com or i'm yahoo or bank of america, give me all your data. but that actually hasn't--we haven't seen evidence of people who have done that successfully. we have seen people get passwords and such. if you're a spammer and you get a password to a twitter account, you could say follow this family. or if you log into someone's e-mail you could e-mail their contacts with spam.
5:23 pm
you could change their passwords on other websites. >> we're going to take a short break. when we come back we'll talk about what stories like this, and this is only the latest one in a long series, do to the future of internet commerce. this is "inside story."
5:25 pm
>> the heartbleed bug left websites vulnerable to attack. it affects the ssl that affects the security of the transaction. we're talking about the scathing impacts of the heartbeat bug and what it will cost companies to fix it. when we talk about the cost of everyone fixing this, is there a good rough guess on what it is
5:26 pm
going to cost to fix? >> no, i really don't know. i think it's too soon to tell. the long-term costs will end up being much larger. for smaller companies that maybe don't patch the software as quickly, and those vulnerabilities lead to major breaches, that's where we'll see the costs. governments such as canada having to shut down its tax process, and having to do emergency updates, this all costs money. there is definitely a very real cost right now, but i think it will be some time before we know how much it's going to cost. >> are we talking about millions with an "m" or billions with a "b"? >> right now we're talking about millions, but it could be billions depending on what happens in the future. i think it's very likely that
5:27 pm
smaller companies that don't patch things internally, some of that software will be breached, and it could be billion dollar breaches. right now i think it's definitely in the millions range. >> this is only the latest of a long line of stories where information is stolen, sensitive, valuable, important information is stolen. does this have the possible consequence of hurting the advancement of online commerce? >> i think it will give the government and the security community a heads up that we need to take things a bit more seriously. certainly open source has been a great way to get things done, but there needs to be more oversight by this administration to make sure that something like this doesn't happen again.
5:28 pm
certainly a battle has ensued between good and evil, good guys and bad guys, white hats and black hats. that is never going to stop. when you have vulnerabilities like this, it definitely makes the entire internet community pause, and reevaluate and say what do we have to do in the future so this does not have to happen again. >> we're in a world where people are still using the word "password" as their password, and we're depending on them to do something to make the whole system safer?
5:29 pm
>> yes, human nature will choose "password" if you let them choose any password. if you need your phone or a finger scan to access it, consumers are going to stay the way they are, and we have to do the best we can as engineers. >> people should take this seriously and make changes right away. >> that's right, always use security warnings as soon as they come out. >> thank you for joining us on this edition. that brings us to the end of "inside story." the program may be over but the conversation continues. we want to hear what you think about this or any day's show. log on to our facebook page, where you have changed your password, or twitter. or reach me directly at ray suarez news. see you for the next "inside story."
5:30 pm
in washington, i'm ray suarez.
