Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The mistake he describes, using a length value without first validating it, is known as a “bounds checking error.” Such errors are depressingly common and are often the cause of serious security problems.
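As an added illustration (not OpenSSL’s code, and not from the article), here is a simplified heartbeat-style echo handler in its vulnerable and corrected forms; the record layout, function names and the “SECRET” bytes standing in for neighbouring memory are all constructed for this demo:

```c
#include <stdio.h>
#include <string.h>
/* Illustrative heartbeat-style record (a model, NOT OpenSSL's code): byte 0 = type,
 * bytes 1-2 = claimed payload length (big-endian), then payload. record_len = bytes received. */
/* Vulnerable: echoes `claimed` bytes without checking that they were received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *resp, size_t resp_cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)record_len;                   /* the bug: the real length is never consulted */
    if (claimed > resp_cap) return -1;  /* guards the write, not the read */
    memcpy(resp, rec + 3, claimed);     /* reads past the record when claimed is too big */
    return (int)claimed;
}
/* Fixed: the claimed length must fit inside the bytes actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *resp, size_t resp_cap) {
    if (record_len < 3) return -1;             /* header incomplete */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed + 3 > record_len) return -1;   /* the missing bounds check */
    if (claimed > resp_cap) return -1;
    memcpy(resp, rec + 3, claimed);
    return (int)claimed;
}
/* Constructed data: a heartbeat with a 1-byte payload ('A') whose length field
 * claims 20, followed by bytes standing in for adjacent server memory. Keeping
 * both in one array keeps the over-read within defined behaviour for the demo. */
static const unsigned char mem[] = { 0x01, 0x00, 0x14, 'A',
    'S','E','C','R','E','T',':','h','u','n','t','e','r','2','!','!','!','!','!' };
#define RECEIVED 4   /* only these bytes came over the wire */
/* Bytes the vulnerable handler echoes back for the malformed record (20, not 1). */
int leaked_byte_count(void) {
    unsigned char resp[64];
    return heartbeat_vulnerable(mem, RECEIVED, resp, sizeof resp);
}
/* 1 if the echoed bytes include the neighbouring "SECRET" marker. */
int leaks_secret(void) {
    unsigned char resp[64];
    int n = heartbeat_vulnerable(mem, RECEIVED, resp, sizeof resp);
    return n > 6 && memcmp(resp + 1, "SECRET", 6) == 0;
}
/* The fixed handler's verdict on the same record: -1 (rejected), nothing copied. */
int fixed_verdict(void) {
    unsigned char resp[64];
    return heartbeat_fixed(mem, RECEIVED, resp, sizeof resp);
}
int main(void) {
    printf("%d bytes echoed, marker leaked=%d, fixed=%d\n", leaked_byte_count(), leaks_secret(), fixed_verdict());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against the number of bytes actually received, which is exactly the check the developer says he missed.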

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the vulnerable OpenSSL code has been deployed on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
