Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”
Image via Shutterstock

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error.” They’re depressingly common and are often the cause of serious security problems.

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace it grabbed everything in your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the bug has been deployed in the OpenSSL service on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.

Jump to top

Create a PageThis is the LGF Pages posting bookmarklet. To use it, drag this button to your browser's bookmark bar, and title it 'LGF Pages' (or whatever you like). Then browse to a site you want to post, select some text on the page to use for a quote, click the bookmarklet, and the Pages posting window will appear with the title, text, and any embedded video or audio files already filled in, ready to go.
Or... you can just click this button to open the Pages posting window right away.
Last updated: 2016-01-01 10:29 am PST
LGF User's Guide RSS Feeds Tweet

Help support Little Green Footballs!

Subscribe now for ad-free access!Register and sign in to a free LGF account before subscribing, and your ad-free access will be automatically enabled.

Donate with
PayPal
Square Cash Shop at amazon
as an LGF Associate!
Recent PagesClick to refresh
‘I Begged Them for Help’ — Wells Fargo Foreclosure Nightmare Corporate greed writ large. I can not imagine the impact on the families. Facts don't tell the story of stress, sleepless nights, the deep dread a family feels when their home is threatened. New York (CNN Business)Foreclosures can be ...
Unshaken Defiance
17 hours, 13 minutes ago
Views: 133 • Comments: 0 • Rating: 1
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Avenatti: “Cohen Just Got 3 Years. Donald Trump Is next.” Michael Avenatti is taking no prisoners: "Michael Cohen was sentenced today," said attorney Michael Avenatti, who noted Cohen will report to prison on the same day a lawsuit was filed on behalf of adult film star Stormy Daniels. "Donald ...
Khal Wimpo (the extinguisher of tiki torches)
20 hours, 43 minutes ago
Views: 95 • Comments: 0 • Rating: 0
Tweets: 0 • Share to Facebook
Shares: 0
Comments: 0
: 0
Day After Neo-Nazi Is Convicted of Murder, Associates of a Violent Skinhead Group Charged With Hate Crimes Travis David Condor, a member of the band Birthrite and head of hate-music record label American Defense Records, was among nine people arrested at a bar in Lynwood, Washington, early Saturday morning. The Snohomish County Sheriff's Office said in ...
Thanos
3 days, 21 hours ago
Views: 312 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
Embattled Washington Rep. Matt Shea Is Skirting State Law to Funnel Campaign Funds to Far-Right Groups Shea uses his office and campaign funds to spearhead a partitionist effort to split Washington into two states, and may have violated state laws by using surplus campaign funds to make at least $5,500 in contributions to far-right nonprofit ...
Thanos
3 days, 23 hours ago
Views: 206 • Comments: 0 • Rating: 1
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
The Outer Worlds - Official Announcement Trailer Watch the official announcement trailer for The Outer Worlds, a new single-player first-person sci-fi RPG from Obsidian Entertainment and Private Division. In The Outer Worlds, you awake from hibernation on a colonist ship that was lost in transit to ...
Thanos
4 days, 12 hours ago
Views: 186 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
The Umbrella Academy When it rains, it pours. Here's your first look at The Umbrella Academy. Coming to Netflix February 15. A dysfunctional family of superheroes comes together to solve the mystery of their father's death, the threat of the apocalypse and ...
Thanos
4 days, 12 hours ago
Views: 173 • Comments: 0 • Rating: 0
Tweets: 2 • Share to Facebook
Shares: 0
Comments: 0
: 0
Elvis Costello & the Imposters - Suspect My Tears The new deluxe album ‘Look Now’ out now, order here: elviscostello.lnk.to Explore more music from Elvis Costello: lnk.to Follow Elvis Costello:Facebook: facebook.comInstagram: instagram.comTwitter: twitter.comWebsite: elviscostello.com Director & Original Story - MustashrikExecutive Production - Whitney JacksonProduced by Partizan VFX Supervisor ...
Thanos
4 days, 13 hours ago
Views: 224 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
VULFPECK /// Half of the Way (Feat. Theo Katzman) VULFPECK /// Half of the Waybuy on bandcamp → vuuulf.com Theo Katzman — vocalsLarry Goldings — piano, composerRyan Lerman — guitar, composer, engineerJoey Dosik — saxWoody Goss — tambourineJack Stratton — drums, mixingJoe Dart — fender bassCory Wong — ...
Thanos
4 days, 13 hours ago
Views: 142 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
Storyhill - Blazing Out of Sight (Live at Radio Heartland)Storyhill perform "Blazing Out of Sight," from their 2007 self-titled album as well from the 2018 compilation, "Stages," live at Radio Heartland.
Thanos
4 days, 13 hours ago
Views: 163 • Comments: 0 • Rating: 0
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0
How Smooth Jazz Took Over the ’90s You should give smooth jazz a chance. Subscribe to our channel! goo.gl Smooth jazz has gotten a bad rap for decades. It’s often associated with background music for elevators or the soundtrack at the dentist office. Smooth jazz is ...
Thanos
5 days, 23 hours ago
Views: 191 • Comments: 1 • Rating: 1
Tweets: 1 • Share to Facebook
Shares: 0
Comments: 0
: 0