German programmer who inadvertently introduced the Heartbleed bug admits 'oversight'

Himanshu Arora


The programmer who inadvertently introduced the critical Heartbleed vulnerability to OpenSSL has spoken up. Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open source code.

"I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version", Seggelmann said.

Part of the OpenSSL project, the code in question implements a simple function called Heartbeat: the client sends a packet of random data, together with its length, to the server, which sends the same data back to the client (the sender). The exchange confirms that the server is still listening.

But due to a programming bug, a client can lie about how much data is in the packet. For example, the client may send an 8-byte data packet but falsely claim to have sent 128 bytes. Unaware of this, the server may try to send back 128 bytes, filling the rest of the packet with whatever other information is in its memory at the time.
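To make the mechanism in the two paragraphs above concrete, here is an added C example, written for this page rather than taken from OpenSSL, showing a simplified heartbeat handler in its unvalidated form beside the validated one. It assumes the RFC 6520 record layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding). The 64-byte "memory" region, the PINGPONG payload and the secret string placed after the record are constructed inputs; the demo deliberately stays inside its own buffer instead of reading adjacent heap as the real bug did, so it runs safely while still showing what the echoed response carries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   byte 0    : message type (1 = request, 2 = response)
 *   bytes 1-2 : payload_length, big-endian
 *   bytes 3.. : payload, then at least 16 bytes of padding
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Constructed demo environment: one 64-byte region standing in for process
 * memory. The received record sits at the front; a constructed "secret"
 * follows it, playing the role of whatever else was in memory at the time. */
#define MEM_SIZE      64
#define DEMO_PAYLOAD  "PINGPONG"                    /* the 8 bytes really sent */
#define DEMO_SECRET   "user=alice&pass=hunter2"     /* constructed, not real */
#define DEMO_REC_LEN  (HB_HEADER + 8 + HB_PADDING)  /* 27 bytes actually received */

/* Lay out a record whose header claims `claimed_len` payload bytes. */
void build_memory(unsigned char *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, DEMO_PAYLOAD, 8);
    memcpy(mem + DEMO_REC_LEN, DEMO_SECRET, sizeof DEMO_SECRET - 1);
}

/* Shared response builder: echoes `payload` bytes starting at rec + HB_HEADER. */
static int build_response(const unsigned char *rec, uint16_t payload,
                          unsigned char *out, size_t out_cap) {
    size_t n = (size_t)HB_HEADER + payload + HB_PADDING;
    if (n > out_cap) return -1;                 /* keeps the demo's own write in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* the over-read happens here */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)n;
}

/* Unvalidated handler: the claimed length is trusted and rec_len is never
 * consulted, which is the missing validation the article describes. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec, payload, out, out_cap);
}

/* Validated handler: header + claimed payload + padding must fit inside the
 * record actually received; otherwise the message is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;   /* no room for any payload */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return -1;
    return build_response(rec, payload, out, out_cap);
}

/* Run one handler against a record that claims `claimed_len` bytes but really
 * carries 8. Returns the response length, or -1 if the record was rejected. */
int run_demo(int use_fixed, uint16_t claimed_len, unsigned char *out, size_t out_cap) {
    unsigned char mem[MEM_SIZE];
    build_memory(mem, claimed_len);
    return use_fixed ? heartbeat_fixed(mem, DEMO_REC_LEN, out, out_cap)
                     : heartbeat_vulnerable(mem, DEMO_REC_LEN, out, out_cap);
}

/* How many leading bytes of DEMO_SECRET does the unvalidated handler echo
 * back for a given claimed length? 0 when the client is honest. */
int leaked_secret_bytes(uint16_t claimed_len) {
    unsigned char out[128];
    int n = run_demo(0, claimed_len, out, sizeof out);
    if (n < 0) return 0;
    size_t echoed_end = (size_t)HB_HEADER + claimed_len;  /* end of echoed payload */
    size_t leaked = 0;
    while (leaked < sizeof DEMO_SECRET - 1 && DEMO_REC_LEN + leaked < echoed_end &&
           out[DEMO_REC_LEN + leaked] == (unsigned char)DEMO_SECRET[leaked])
        leaked++;
    return (int)leaked;
}

/* Response length from the validated handler for a given claimed length. */
int fixed_response_len(uint16_t claimed_len) {
    unsigned char out[128];
    return run_demo(1, claimed_len, out, sizeof out);
}

int main(void) {
    printf("claimed 8  (honest): leaked %d secret bytes, fixed handler returns %d\n",
           leaked_secret_bytes(8), fixed_response_len(8));
    printf("claimed 40 (lie):    leaked %d secret bytes, fixed handler returns %d\n",
           leaked_secret_bytes(40), fixed_response_len(40));
    return 0;
}
```

The check in `heartbeat_fixed` is the whole fix: one comparison of the claimed length against the length the record layer actually delivered. Everything else is identical between the two handlers, which is why the article can call the bug an oversight and the comments below can call the bugfix trivial.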

At Yahoo, this 'other' information included usernames and passwords of users logging in at the same time, while at DuckDuckGo, it was the full text of search queries, the report notes.

Seggelmann, who worked on the OpenSSL project during his PhD studies from 2008 to 2012, said that he submitted the code at 11:59 pm on New Year's Eve 2011, but denied that the mistake had anything to do with the festive season. He also said that the OpenSSL project is under-resourced, having millions of users but only a few contributors.


 
"Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open source code."

What power is he talking about?
 
"Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open source code."

What power is he talking about?
That it only took 2 years as opposed to 3 years for a closed-source program? I have no idea really.
 
Amazing in this day and age to see an individual actually admitting an error and taking responsibility! I think, now, I would be more likely than not to hire him as a programmer, despite the admitted mistake.
 
Amazing in this day and age to see an individual actually admitting an error and taking responsibility! I think, now, I would be more likely than not to hire him as a programmer, despite the admitted mistake.
After all, you can't learn without making mistakes.

Um, pretty much yes. If you break it, you learn how you broke it and how to fix it. Much better to learn by that means than to follow something that holds your hand and then you forget and never really figure out how it works.
The best teachers I've had encouraged us to break our programs or other people's programs so we learn how they were broken and how to fix them. The teachers that gave us instructions in an online course that led us by the nose, I never learned a damn thing from them. ^^
 
Anyone could look and see from the change logs anyway. As open source code it's been there for anyone to look through and find. If anyone found it to use for evil purpose, they wouldn't publish their findings would they. Double edged sword, this power of open source. He's right about the funding or lack of it though.
 
I guess it's typical for our time that everybody uses the code but no one wants to make it really safe by paying enough for a review process that would be as long and thorough as it takes to find a mistake.
Perhaps the reviewer wasn't a PhD-student but only trainee or sth.?
 
Why aren't people proclaiming that Microsoft servers don't have open source and aren't vulnerable? My web site was hosted on Microsoft servers. Just like I said 2 weeks ago, so much for open source.
 
Why aren't people proclaiming that Microsoft servers don't have open source and aren't vulnerable? My web site was hosted on Microsoft servers. Just like I said 2 weeks ago, so much for open source.
Source code availability does help find and fix bugs. The problem with OS is if hackers devote resources to finding these bugs more than white hats.

Closed source still has a similar problem in that hackers can reverse engineer the code anyway which isn't as good as source code but still, you now only have the closed source code vendor vetting their own code rather than a community.

Security through obscurity is not great. We have to look at this bug in perspective. The spec was fine. The architecture of the protocol is not in question here in OS. The bugfix was trivial.

For closed source, you simply don't know if the architecture of their implementation is even ball-park solid. It could be trivial to break once someone reverse engineers it (which they can whenever they like given time).

Take for example the original Philips Mifare implementation. Contactless smart cards used for transport systems (and probably other things). Closed source. The crack takes a couple of seconds on a netbook, once they found it because the architecture of the security was that bad. No patch was possible. The only solution was to create a whole new card spec and dump the entire inventory of old cards.
 
Who contributes to open source? Right, unemployed coders whom no serious company would hire. I looked at the OpenSSL code. It's a hopeless mess written in archaic language. Use pointers to process a ping?? Come on.
 