5 New Developments Related to the Heartbleed Bug

With servers at giants like Google, Amazon, Twitter and Facebook affected, the Heartbleed Bug is one of the largest security mishaps ever to hit the Internet.

But as the story unfolds, there are a few details that may come as a surprise. Here is a list of Heartbleed's most recent developments.

1. One arrest has been made.  

Canadian police arrested 19-year-old Solis-Reyes in London, Ontario last week. He is accused of exploiting the Heartbleed vulnerability to steal social insurance numbers from servers of the Canada Revenue Agency, the country's tax collection agency, and is charged with one count of mischief in relation to data.

The charge came two days after the Canada Revenue Agency announced that the sensitive information of about 900 Canadians had been compromised, but law enforcement has not publicly drawn a direct connection between the arrest and that breach.

The teenager's lawyer tells a story of how, when Solis-Reyes was only 14, he proved that his high school's computer system was vulnerable after the administration didn't believe him. It is very possible that when the Heartbleed news hit the mainstream media, he became curious and tested it out for himself. On Tuesday, Solis-Reyes turned himself in.

2. The company responsible for the OpenSSL software has just 1 full-time employee.  

The breach was the result of a flaw in OpenSSL, the free, open-source library that implements the SSL/TLS encryption used to keep traffic between users and websites from being read by attackers. The Heartbleed flaw itself is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, which let a remote peer read up to 64 KB of the server's memory per request, including private keys, session cookies and passwords that happened to be nearby.

The irony is that although two-thirds of all websites use this software, the foundation's revenue is so small that it cannot afford a full security audit or a full staff. The foundation consists of one full-time employee and about ten volunteers.

Steve Marquess, founder of OpenSSL Software Foundation, released an open statement explaining:

“These guys don’t work on OpenSSL for money. They don’t do it for fame (who outside of geek circles ever heard of them or OpenSSL until “heartbleed” hit the news?). They do it out of pride in craftsmanship and the responsibility for something they believe in.”

3. One small error in one line of code can lead to something like Heartbleed. 

German developer Robin Seggelmann believes he accidentally introduced the coding error; it was overlooked by a reviewer and made its way into the released version of OpenSSL two years ago. He was submitting bug fixes at the time he made the mistake.

Because OpenSSL is open source, free and readable by everyone, in principle anyone could have spotted a vulnerability like Heartbleed. But few users review the code this way, leaving a small group of people essentially in charge of hundreds of thousands of lines of complex code used by banks, governments and social media sites everywhere.
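To make the "one line" concrete, here is an added example (written for this page, not OpenSSL's own code) of a cut-down heartbeat handler in the vulnerable and the fixed form. It models the heartbeat message as RFC 6520 lays it out (type byte, two-byte payload length, payload, padding) and simulates the server's memory with a constructed 512-byte buffer holding the request next to a made-up secret from another connection. The `check_bounds` flag, the function names and the secret are all assumptions of this example; the single comparison it adds is the same kind of check against the received record length that the real fix introduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified TLS heartbeat message (RFC 6520):
 *   byte 0     type (1 = request, 2 = response)
 *   bytes 1-2  payload_length, big endian
 *   payload_length bytes of payload, then at least 16 bytes of padding
 * The record length (bytes actually received) is tracked separately; that is
 * the quantity the vulnerable code never compared against. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a response for the request at `rec` (`rec_len` bytes received).
 * Returns the response length and stores a malloc'ed buffer in *out, or -1.
 * check_bounds == 0 reproduces the Heartbleed defect (peer's length field is
 * trusted); check_bounds == 1 applies the fix. */
static int hb_respond(const unsigned char *rec, size_t rec_len,
                      int check_bounds, unsigned char **out)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    const unsigned char *pl = rec + 3;

    /* The one-line fix: claimed payload plus header and padding must fit
     * inside the record that was actually received. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    unsigned char *resp = malloc(resp_len);
    if (resp == NULL)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    /* Without the check, this copies `payload` bytes from wherever the
     * request sits in memory, not just the bytes the peer sent. */
    memcpy(resp + 3, pl, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out = resp;
    return (int)resp_len;
}

/* Constructed "process memory": the record at offset 0, another connection's
 * data a little further along. Keeping the over-read inside this buffer
 * keeps the demo free of undefined behaviour. */
#define MEM_SIZE 512
static const char SECRET[] = "session=constructed-secret-cookie";

/* Request claiming `claimed_len` payload bytes but carrying only "ping".
 * Returns the true record length: 1 + 2 + 4 + 16 = 23 bytes. */
static size_t build_request(unsigned char *mem, unsigned int claimed_len)
{
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + 64, SECRET, sizeof SECRET);   /* neighbouring data */
    return 1 + 2 + 4 + HB_PADDING;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Claim 256 payload bytes while sending 4; 1 if the secret comes back. */
int leaks_secret(int check_bounds)
{
    unsigned char mem[MEM_SIZE];
    size_t rec_len = build_request(mem, 256);
    unsigned char *resp = NULL;
    int n = hb_respond(mem, rec_len, check_bounds, &resp);
    if (n < 0)
        return 0;                       /* rejected: nothing leaks */
    int found = contains(resp, (size_t)n, SECRET);
    free(resp);
    return found;
}

/* A well-formed request (claims 4, sends 4) must still be answered after
 * the fix; returns the response length or -1. */
int honest_response_len(int check_bounds)
{
    unsigned char mem[MEM_SIZE];
    size_t rec_len = build_request(mem, 4);
    unsigned char *resp = NULL;
    int n = hb_respond(mem, rec_len, check_bounds, &resp);
    free(resp);
    return n;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(1));
    printf("fixed handler honest response:   %d bytes\n", honest_response_len(1));
    return 0;
}
```

The point of the `honest_response_len` check is that the fix is purely a rejection of malformed requests: a peer whose length field matches what it sent still gets its heartbeat echoed, so the bounds check costs nothing for legitimate clients.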

4. OpenSSL had the flaw, but underfunding is to blame.  

The foundation's revenue relies heavily on donations, which amount to about $2,000 a year. It also sells annual commercial support contracts worth about $20,000 a year. Most of the volunteers make their living from work-for-hire consulting.

How does such a widely used resource end up so short-staffed and underfunded? In his statement, Marquess makes it clear that he believes OpenSSL is taken for granted and should be paid for by the Fortune 1000 companies and governments that use it extensively.

“I stand in awe of their talent and dedication, that of Stephen Henson in particular. It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smart phones, industry, government, everywhere. Knowing that you’ll be ignored and unappreciated until something goes wrong.”

5. High-priority websites have been fixed, but there are still affected websites.

Affected websites have patched OpenSSL and been issued new SSL certificates, because the private keys behind the old ones may have been exposed while the bug was live; reissuing a certificate on its own does not remove the vulnerability, and users of affected sites are being advised to change their passwords once the site is patched. Apple also issued a statement that its desktop and mobile operating systems were never affected. But it is reported that 500,000 or more certificates are still on servers that remain vulnerable.

********

Ed Felten, a computer scientist at Princeton University, makes a valid analogy: “OpenSSL is like public infrastructure without a tax base.” Do you feel corporations and government should help to fund OpenSSL and not be “free riders”? Let us know what you think in the comment section below.

Comments

  1. Jeff Henderson says

    I think that OpenSSL should take the initiative and provide special support to people who find this a critical aspect of their business. That support would clearly require funding. However, it would be a very flawed assumption that funding alone will make the ultimate difference as far as vulnerability is concerned. Clearly exploitation of weaknesses is not based upon how much money is thrown at the problem. There is a relationship that involves complexity of the code and operating system interactions and the like. Sometimes fixing a leak causes another type of leak. Personally, it is a good thing when open systems are not run by people with “vested interest”. The best employees are those who do it mainly for pride and not for gain or recognition. So as much as leaving only about 11 people in charge of something might be bad, I think the good outweighs it hands down. It is not like OpenSSL just started up before this problem appeared. That would be bad form indeed, but this is probably not an everyday event and not the only one of its kind throughout OpenSSL history.

    Clearly, buyer beware definitely applies to Corporations wanting to take advantage of open systems. If they want to just take the trust me card, then they can do that to their own peril. If I were making decisions like that for my organization, I would want a level of support and assurance that is appropriate for the things I am protecting.
