Programmer Who Introduced ‘Heartbleed’ Bug Speaks

“Quite trivial”

The Sydney Morning Herald has a piece on the man who made a lot of Internet system administrators’ lives miserable this week, the German programmer who introduced the Heartbleed bug into the OpenSSL code.

There’s been way too much embarrassing noobish speculation from some quarters of the journalistic arena that the NSA might have planted this bug deliberately, years ago, and has been spying on their emails and cat pictures ever since, but no — developer Robin Seggelmann says it was “a simple programming error,” as I had assumed.

The type of programming mistake he describes is known as a “bounds checking error”: the code took a length field straight from the message sent by the remote peer and copied that many bytes back, without first confirming that the message actually contained that much data. In Heartbleed’s case the result is a buffer over-read: the server answers a heartbeat request with whatever happened to sit in its memory beyond the end of the message it received. Mistakes of this kind are depressingly common and are often the cause of serious security problems.
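To make the mistake concrete, here is an added example (not OpenSSL’s code, and not from the article) that reconstructs the heartbeat handling in simplified form: the vulnerable shape that trusts the peer’s length field beside the fixed shape that rejects a length that does not fit the record, plus a constructed demo in which the record is followed in the same buffer by made-up “neighbour” data standing in for whatever sat next to it in the server’s heap. The message layout follows RFC 6520; the 16-byte minimum padding and the silent-discard rule come from that RFC. Function names, the demo record, and the neighbour string are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified reconstruction of TLS heartbeat handling (RFC 6520). This is an
 * added illustration, not OpenSSL's code. Wire format of a heartbeat message:
 *   uint8   type;            1 = request, 2 = response
 *   uint16  payload_length;  big-endian, chosen by the remote peer
 *   opaque  payload[payload_length];
 *   opaque  padding[>= 16];
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Builds the response; `payload` is whatever length the caller chose to trust. */
static size_t build_response(const unsigned char *rec, size_t payload,
                             unsigned char *resp, size_t resp_cap)
{
    size_t need = 3 + payload + HB_MIN_PADDING;
    if (need > resp_cap) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* Copies `payload` bytes from just after the 3-byte header. If `payload`
     * was never compared with the record length, this reads past the record. */
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_MIN_PADDING);
    return need;
}

/* Vulnerable shape: the peer-supplied length is used as-is. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t rec_len,
                                  unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Missing here: any comparison of `payload` against `rec_len`. */
    return build_response(rec, payload, resp, resp_cap);
}

/* Fixed shape: the declared length, plus header and minimum padding, must fit
 * inside the record that actually arrived; otherwise discard it silently. */
static size_t heartbeat_checked(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload + HB_MIN_PADDING > rec_len) return 0;
    return build_response(rec, payload, resp, resp_cap);
}

/* Constructed demo: a request that declares 32 payload bytes but carries 5,
 * placed in a buffer in front of unrelated data standing in for whatever sat
 * next to the record in the server's heap. Runs the unchecked handler and
 * copies to `out` the response bytes that came from beyond the real record;
 * returns how many there were. */
static size_t run_demo(unsigned char *out, size_t out_cap)
{
    static const unsigned char record[] = {
        HB_REQUEST, 0x00, 0x20,                          /* declared length 32 */
        'H', 'E', 'L', 'L', 'O',                         /* 5 bytes really sent */
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes padding   */
    };
    static const char neighbour[] = "SECRET-KEY-MATERIAL-NEXT-DOOR";
    unsigned char arena[64] = {0};
    unsigned char resp[128];
    size_t declared = 32, supplied = sizeof record - 3;  /* 21 bytes after header */

    memcpy(arena, record, sizeof record);
    memcpy(arena + sizeof record, neighbour, sizeof neighbour);

    if (heartbeat_unchecked(arena, sizeof record, resp, sizeof resp) == 0) return 0;
    size_t leaked = declared - supplied;                 /* 11 bytes over-read */
    if (leaked > out_cap) leaked = out_cap;
    memcpy(out, resp + 3 + supplied, leaked);
    return leaked;
}

int main(void)
{
    unsigned char leaked[64];
    size_t n = run_demo(leaked, sizeof leaked);
    printf("unchecked handler echoed %zu bytes from beyond the record: %.*s\n",
           n, (int)n, (const char *)leaked);
    return 0;
}
```

The demo keeps the over-read inside its own `arena` array so the program itself is well-defined; on a real server the same `memcpy` walks into whatever the allocator placed after the record. The fix is the single comparison in `heartbeat_checked`: a declared length larger than what arrived is not an error to report to the peer, it is a message to drop.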

Mr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

And about that noobish speculation:

A number of conspiracy theorists have speculated the bug was inserted maliciously.

Mr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Mr Seggelmann said.

Seggelmann is correct on that last point; the really awful part of Heartbleed is that it leaves almost no trace that it has been reading your web server’s memory. (And I only say “almost no trace” because at this point I don’t believe anyone has a system for detecting it, but it might be possible by analyzing server logs.)

Since the bug has been present in the OpenSSL library on countless web servers for more than two years, it’s not wild speculation to think it’s probably already been exploited, and national security services are usually among the first to find these things; but I’m less worried about the NSA than I am about criminal hacking gangs who operate with tacit approval from the Russian and Chinese governments.

And this is a great time to remind everyone that it would be an excellent idea to change your LGF password now (and don’t reuse a password you’ve used somewhere else!), because we have completed all the necessary steps to make sure our servers are no longer vulnerable to this exploit.
