Meet Robin Seggelmann, the man who accidentally created Heartbleed
Believe it or not, one of the Web’s worst security flaws apparently started with one overtired tech worker.
While much of the world was out celebrating the new year of 2012, Robin Seggelmann was writing late-night code that would lead to one of the worst security disasters in recent Internet history.
Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic library, which secures an estimated two-thirds of the Web’s servers, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.
That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
Dr. Stephen Henson, who reviewed the code, missed the error as well.
By exploiting that small mistake, an attacker can ask the server to echo back a heartbeat payload while declaring a length far larger than the payload actually sent, and the server obligingly copies up to 64 kilobytes of whatever sits in its process memory into the reply. That memory can contain usernames, passwords, session cookies and, in the worst case, the server’s private key, endangering much of the Web’s most private content.
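The missing check Seggelmann describes, reduced to a toy model. This is an added example written for this article, not OpenSSL’s own heartbeat code: the two-byte record format, the simulated heap arena, the handler names and the `SECRET_NEIGHBOUR` string are all constructed here. The vulnerable handler bounds only its destination buffer; the fixed handler adds the one comparison that was missing, declared length against bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a heartbeat record, invented for this illustration:
 * a 2-byte big-endian declared payload length followed by the payload bytes.
 * This is NOT OpenSSL's code; the layout and names are assumptions. */

#define ARENA_SIZE 64

/* Constructed stand-in for whatever happens to sit next to the inbound
 * record on the heap: a session cookie in this example. */
static const char SECRET_NEIGHBOUR[] = "session-cookie=deadbeef; user=alice";

/* Lays out the simulated heap as [declared_len][payload][SECRET_NEIGHBOUR]
 * and returns the number of bytes that actually arrived from the network
 * (2 + strlen(payload)). The secret is never part of the record itself. */
static size_t build_arena(uint8_t *arena, uint16_t declared_len, const char *payload)
{
    size_t plen = strlen(payload);
    memset(arena, 0, ARENA_SIZE);
    arena[0] = (uint8_t)(declared_len >> 8);
    arena[1] = (uint8_t)(declared_len & 0xff);
    memcpy(arena + 2, payload, plen);
    memcpy(arena + 2 + plen, SECRET_NEIGHBOUR, strlen(SECRET_NEIGHBOUR));
    return 2 + plen;
}

/* Vulnerable handler: echoes back 'declared' bytes of payload without ever
 * asking whether 'declared' bytes were actually received. Returns the reply
 * length, or -1 if it rejects the record. */
static int heartbeat_reply_unchecked(const uint8_t *rec, size_t rec_len,
                                     uint8_t *out, size_t out_cap)
{
    if (rec_len < 2) return -1;
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    if (declared > out_cap) return -1;   /* only the destination is bounded */
    memcpy(out, rec + 2, declared);      /* over-reads when declared > rec_len - 2 */
    return (int)declared;
}

/* Fixed handler: the single comparison that was missing. */
static int heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < 2) return -1;
    size_t declared = ((size_t)rec[0] << 8) | rec[1];
    if (declared > rec_len - 2) return -1; /* declared length vs. bytes received */
    if (declared > out_cap) return -1;
    memcpy(out, rec + 2, declared);
    return (int)declared;
}

typedef int (*heartbeat_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Sends a 4-byte "ping" that claims to be 40 bytes long and reports:
 *  1  the reply carried SECRET_NEIGHBOUR (memory leaked),
 *  0  the reply was served but contained no secret,
 * -1  the handler rejected the record. */
static int leaks_secret(heartbeat_fn handler)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 40, "ping");
    int n = handler(arena, rec_len, out, sizeof out);
    if (n < 0) return -1;
    size_t slen = strlen(SECRET_NEIGHBOUR);
    if ((size_t)n >= 4 + slen && memcmp(out + 4, SECRET_NEIGHBOUR, slen) == 0)
        return 1;
    return 0;
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", leaks_secret(heartbeat_reply_unchecked));
    printf("checked handler leaks secret:   %d\n", leaks_secret(heartbeat_reply_checked));
    return 0;
}
```

The over-read stays inside one stack array here so the demonstration is well-defined; in a real server the bytes past the record are whatever the allocator placed next, which is exactly why the leaked content was so unpredictable and so valuable.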
In the wake of Edward Snowden’s revelations of massive NSA Internet surveillance, questions quickly arose about whether Seggelmann had done this on purpose, in an effort to build a backdoor into one of the Internet’s most important security tools.
Seggelmann has denied deliberately inserting the flaw, saying it could “be explained pretty easily.” He does, however, understand why it is “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all,” but concedes it is entirely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.
How many intel agencies are looking at connections to Robin Seggelmann right now? http://t.co/BW1uDquZmN
— Matt Brooks (@cmatthewbrooks) April 10, 2014
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Seggelmann said.
A year after writing the catastrophic bug, Seggelmann finished his PhD thesis, titled “Strategies to Secure End-to-End Communication,” at the University of Duisburg-Essen.
The OpenSSL team, including Seggelmann and Henson, is small and receives essentially no pay despite maintaining one of the world’s most popular and important pieces of open-source software. With this notable exception, the team has a strong security record, and OpenSSL has been ported to more than 80 platforms.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Edward Felten, a computer security expert at Princeton University, told the New York Times.
OpenSSL is open-source software, meaning that anyone can look at the code under the program’s hood. In theory, that also means that more eyeballs can check the code for errors.
It didn’t work that way this time, of course, in no small part because a tiny volunteer team of 13 individuals is maintaining one of the Internet’s most important technologies. Like many key open-source projects, OpenSSL needs more help in the form of eyeballs and even money.
“Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, recently wrote, “so they can keep doing their job.”
Illustration by Fernando Alfonso III
Patrick Howell O'Neill is a cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.