Meet Robin Seggelmann, the man who accidentally created Heartbleed
Believe it or not, the Web’s worst security flaw apparently started with one overtired tech worker.
While much of the world was out celebrating the new year of 2012, Robin Seggelmann was writing late-night code that would lead to the worst disaster in recent Internet history.
Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic library, software that secured roughly two-thirds of the Web’s servers, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old programmer based in Münster, Germany.
That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.
Photo source: Linuxtag
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
The man who reviewed his code, Dr. Stephen Henson, managed to miss the error completely as well.
By exploiting that small mistake, an attacker can make a server hand back a big slice of its main memory. A heartbeat request states how many bytes of payload it carries, and the code copied that many bytes into the reply without checking that the request actually contained them, so a short request claiming the maximum length returns up to 64 kilobytes of whatever happened to sit next to it in memory. That memory can hold usernames, passwords, session cookies and even the server’s private keys, endangering much of the Web’s most private content.
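To make the missing check concrete, here is a small C model of the bug and of the fix. It is added here as an illustration and is not code from OpenSSL or from the article. The record layout follows the TLS heartbeat extension (one type byte, a two-byte length, the payload, then at least 16 bytes of padding); process memory is modelled as a single flat array so the over-read stays within it, and the planted secret, buffer sizes and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Simulated process memory: the received record sits just in front of
 * unrelated secret data, as it might on a real heap. (Constructed.) */
static unsigned char memory[256];

/* Write a heartbeat record at the start of memory[] whose 2-byte length
 * field claims claimed_len payload bytes regardless of how many are
 * really present, then plant a secret after it. Returns the record's
 * true length, i.e. what the TLS record layer would report. */
static size_t build_record(uint16_t claimed_len, const char *payload) {
    const char *secret = "session=7f3a;password=hunter2"; /* constructed */
    size_t real_len = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&memory[3], payload, real_len);
    memcpy(&memory[3 + real_len + HB_PADDING], secret, strlen(secret));
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler, in the shape of OpenSSL 1.0.1 to 1.0.1f: trusts the
 * peer-supplied length and copies that many bytes from the payload
 * pointer, reading past the end of the record. Returns bytes produced. */
static size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len,
                                   unsigned char *out, size_t out_cap) {
    const unsigned char *p = record + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    (void)record_len;                 /* never consulted: the bug */
    p += 2;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);      /* over-read: payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler, in the shape of OpenSSL 1.0.1g: header, claimed payload
 * and padding must all fit inside the record actually received, else
 * the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *record, size_t record_len,
                              unsigned char *out, size_t out_cap) {
    if ((size_t)1 + 2 + HB_PADDING > record_len) return 0;
    const unsigned char *p = record + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > record_len) return 0;
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* 1 if the response carries the planted secret, else 0. */
static int response_leaks(const unsigned char *out, size_t n) {
    const char *needle = "hunter2";
    size_t k = strlen(needle), i;
    for (i = 0; i + k <= n; i++)
        if (memcmp(out + i, needle, k) == 0) return 1;
    return 0;
}

/* Peer sends 5 real payload bytes but claims 100. */
static int vulnerable_leaks_secret(void) {
    unsigned char out[256];
    size_t rl = build_record(100, "hello");
    size_t n = heartbeat_vulnerable(memory, rl, out, sizeof out);
    return response_leaks(out, n);
}

/* Response length from the fixed handler for a given claimed length. */
static size_t fixed_response_len(uint16_t claimed) {
    unsigned char out[256];
    size_t rl = build_record(claimed, "hello");
    return heartbeat_fixed(memory, rl, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler, claimed 100: %zu bytes (0 = dropped)\n",
           fixed_response_len(100));
    printf("fixed handler, claimed 5: %zu bytes\n", fixed_response_len(5));
    return 0;
}
```

The vulnerable handler answers the 5-byte request with a 119-byte reply that carries the secret planted after the record; the fixed handler drops the same request because 1 + 2 + 100 + 16 exceeds the 24 bytes actually received, and still answers an honest request whose claimed length matches. The single comparison against the real record length is the line Seggelmann describes as missing.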
In the wake of Edward Snowden’s revelations of massive NSA Internet surveillance, questions quickly popped up, asking if Seggelmann had done this on purpose in an effort to build a backdoor into one of the Internet’s most important security tools.
Seggelmann has denied deliberately inserting the flaw, saying it could “be explained pretty easily.” He does, however, understand why it is “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all,” but says it is entirely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.
How many intel agencies are looking at connections to Robin Seggelmann right now? http://t.co/BW1uDquZmN
— Matt Brooks (@cmatthewbrooks) April 10, 2014
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Seggelmann said.
A year after writing the catastrophic bug, Seggelmann completed his PhD thesis, titled “Strategies to Secure End-to-End Communication,” at the University of Duisburg-Essen.
The OpenSSL team, including Seggelmann and Henson, is small and receives essentially no pay despite maintaining one of the world’s most popular and important pieces of open-source software. Aside from this notable exception, the team’s security record has been strong, and it has kept OpenSSL running on more than 80 platforms.
“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Edward Felten, a computer security expert at Princeton University, told the New York Times.
OpenSSL is open-source software, meaning that anyone can look at the code under the program’s hood. In theory, that also means that more eyeballs can check the code for errors.
It didn’t work that way this time, of course, in no small part because a tiny volunteer team of 13 individuals is maintaining one of the Internet’s most important technologies. Like many key open-source projects, OpenSSL needs more help in the form of eyeballs and even money.
“Maybe in the midst of patching their servers, some of the big companies that use OpenSSL will think of tossing them some real no-strings-attached funding,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, recently wrote, “so they can keep doing their job.”
Illustration by Fernando Alfonso III
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016.