
Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Technology • Views: 11,863

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.
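As an added illustration (not code from the post, from the Sydney Morning Herald, or from OpenSSL itself), here is a simplified heartbeat-style record parser in C that shows the kind of bounds-checking error the post describes: a length field sent by the peer is trusted without being compared against the number of bytes actually received. The record layout, the sample bytes, and all function names here are constructed for this example. The vulnerable pattern is shown as a function that reports how far past the record a copy sized from the declared length would reach, rather than performing that read; the hardened function beside it adds the missing comparison and rejects the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for this example:
 *   byte 0      : message type
 *   bytes 1..2  : payload length, big-endian (supplied by the peer)
 *   bytes 3..   : payload
 *   last 16     : padding
 */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Constructed sample: a well-formed 23-byte record carrying the payload "ping". */
const uint8_t HB_OK[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};
/* The same 23 bytes on the wire, but the length field claims 65535 payload bytes. */
const uint8_t HB_BAD[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
};

static uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: the reply is sized from the length field alone and never
 * compared with rec_len. Instead of performing the out-of-bounds read, this
 * reports how many bytes beyond the end of the record such a copy would reach
 * (0 for a well-formed record). */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t needed = HB_HEADER_LEN + (size_t)hb_declared_len(rec) + HB_PADDING_LEN;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Hardened pattern: the declared length must fit inside the bytes actually
 * received before anything is copied. Returns 1 and fills out/out_len on
 * success, 0 if the record is rejected. */
int hb_parse_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return 0; /* too short to be valid */
    size_t payload = hb_declared_len(rec);
    /* The check the vulnerable pattern lacks: header + declared payload + padding
     * must not exceed what was received. */
    if (HB_HEADER_LEN + payload + HB_PADDING_LEN > rec_len) return 0;
    if (payload > out_cap) return 0;                          /* respect the caller's buffer too */
    memcpy(out, rec + HB_HEADER_LEN, payload);
    *out_len = payload;
    return 1;
}

/* Convenience wrapper: accepted payload length, or -1 if the record is rejected. */
long hb_checked_len(const uint8_t *rec, size_t rec_len) {
    uint8_t buf[65535];
    size_t n = 0;
    return hb_parse_checked(rec, rec_len, buf, sizeof buf, &n) ? (long)n : -1;
}

int main(void) {
    printf("well-formed: overread=%zu accepted_len=%ld\n",
           hb_overread_bytes(HB_OK, sizeof HB_OK), hb_checked_len(HB_OK, sizeof HB_OK));
    printf("bad length : overread=%zu accepted_len=%ld\n",
           hb_overread_bytes(HB_BAD, sizeof HB_BAD), hb_checked_len(HB_BAD, sizeof HB_BAD));
    return 0;
}
```

The point of the comparison is that both records are byte-for-byte identical except for two bytes of the length field; only the parser that measures the declared length against `rec_len` notices the difference, which is why a single missed validation in a length-handling path is enough to turn a benign message handler into a memory-disclosure bug.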

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it was used to grab everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, though it might be possible by analyzing server logs.)

Since the bug has been deployed in the OpenSSL library on countless web servers for more than two years, it’s not wild speculation to think it has probably already been exploited, and national security services are usually among the first to find these things. But I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
