Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Technology • Views: 11,743
The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error”: code trusts a length or index supplied in the input without confirming that it fits the data actually available. They’re depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”
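The kind of missed length validation described above, as an added example that is not the article's or OpenSSL's code: a minimal TLS heartbeat responder following the RFC 6520 record layout, where the peer-supplied payload length is checked against the number of bytes actually received before anything is copied. The record buffers are constructed samples, and the handler and constant names are assumptions for this illustration.

```c
/* Added example (not from the article or OpenSSL): heartbeat handler with
 * the bounds check in place. Layout per RFC 6520:
 *   type(1) | payload_length(2) | payload | padding(>=16) */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response into out (capacity out_cap).
 * Returns the number of bytes written, or -1 if the request is malformed
 * (including the case where the declared length exceeds the received data). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* cannot hold header + padding */
    if (rec[0] != HB_REQUEST) return -1;

    /* This field comes from the peer and must never be trusted on its own. */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The check the article says was missed: the declared payload, plus the
     * mandatory padding, must fit inside the record that actually arrived. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;                 /* respect our own buffer too */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* only bytes we really received */
    memset(out + 3 + payload_len, 0, HB_PADDING);     /* fresh padding, never old memory */
    return (int)resp_len;
}

/* Constructed sample records (not real captures). */
static const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };               /* declares 5, carries 5: 24 bytes */
static const uint8_t bad_req[]  = { HB_REQUEST, 0x40, 0x00, 'h','i',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };               /* declares 16384, carries 2: 21 bytes */
```

Without the length comparison, the second record would cause the handler to copy 16384 bytes starting from a 2-byte payload, which is exactly the over-read the article describes.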

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
