TechSpot

German programmer who inadvertently introduced the Heartbleed bug admits 'oversight'

  1. The programmer who inadvertently introduced the critical Heartbleed vulnerability to OpenSSL has spoken up. Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open...

  2. Why did it take 2 years to discover?
     
    Darth Shiv likes this.
  3. Lionvibez

    Lionvibez TS Evangelist Posts: 1,101   +345

    Because the NSA only stopped paying him recently to keep it quiet :p
     
    Raoul Duke likes this.
  4. hahahanoobs

    hahahanoobs TS Evangelist Posts: 1,630   +431

    "Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open source code."

    What power is he talking about?
     
  5. Camikazi

    Camikazi TS Maniac Posts: 816   +231

    That it only took 2 years as opposed to 3 years for a closed-source program? I have no idea really.
     
  6. dms96960

    dms96960 TS Addict Posts: 258   +28

    Amazing in this day and age to see an individual actually admitting an error and taking responsibility! I think, now, I would be more likely than not to hire him as a programmer, despite the admitted mistake.
     
    spectrenad likes this.
  7. spectrenad

    spectrenad TS Rookie Posts: 97   +18

    After all, you can't learn without making mistakes.
     
    Darth Shiv likes this.
  8. Heihachi1337

    Heihachi1337 TS Rookie Posts: 49   +11

    Um, pretty much yes. If you break it, you learn how you broke it and how to fix it. Much better to learn by that means than to follow something that holds your hand and then you forget and never really figure out how it works.
    Best teachers I've had encouraged us to break our programs or other people's programs so we learn how they were broken and how to fix them. The teachers that gave us instructions in an online course that led us by the nose, I never learned a damn thing from them. ^^
     
  9. yukka

    yukka TechSpot Paladin Posts: 828   +54

    Anyone could look and see from the change logs anyway. As open source code it's been there for anyone to look through and find. If anyone found it to use for evil purposes, they wouldn't publish their findings, would they? Double-edged sword, this power of open source. He's right about the funding, or lack of it, though.
     
  10. I guess it's typical for our time that everybody uses the code but no one wants to make it really safe by paying enough for a review process that would be as long and thorough as it takes to find a mistake.
    Perhaps the reviewer wasn't a PhD student but only a trainee or something?
     
  11. tonylukac

    tonylukac TS Evangelist Posts: 1,309   +56

    Why aren't people proclaiming that Microsoft servers don't have open source and aren't vulnerable? My web site was hosted on Microsoft servers. Just like I said 2 weeks ago, so much for open source.
     
  12. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,620   +376

    Source code availability does help find and fix bugs. The problem with OS is if hackers devote resources to finding these bugs more than white hats.

    Closed source still has a similar problem in that hackers can reverse engineer the code anyway which isn't as good as source code but still, you now only have the closed source code vendor vetting their own code rather than a community.

    Security through obscurity is not great. We have to look at this bug in perspective. The spec was fine. The architecture of the protocol is not in question here in OS. The bugfix was trivial.

    For closed source, you simply don't know if the architecture of their implementation is even ball-park solid. It could be trivial to break once someone reverse engineers it (which they can whenever they like given time).

    Take for example the original Philips Mifare implementation. Contactless smart cards used for transport systems (and probably other things). Closed source. The crack takes a couple of seconds on a netbook, once they found it because the architecture of the security was that bad. No patch was possible. The only solution was to create a whole new card spec and dump the entire inventory of old cards.
     
  13. sergeybelsky2

    sergeybelsky2 TS Rookie

    Who contributes to open source? Right, unemployed coders whom no serious company would hire. I looked at the OpenSSL code. It's a hopeless mess written in archaic language. Use pointers to process a ping?? Come on.
     
