How Heartbleed Broke the Internet — And Why It Can Happen Again
http://www.wired.com/2014/04/heartbleedslesson/

Some of its most important pieces are controlled by just a handful of people, many of whom aren't paid well or aren't paid at all.
By Robert McMillan
04.11.14 | 6:30 am
Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.
The key moment arrived at about 11 o'clock on New Year's Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who's an expert in internet protocols. Henson reviewed the code, an update for a critical internet security protocol called OpenSSL, and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.
Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it's bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.
It's no surprise that a small bug would cause such huge problems. What's amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson's situation isn't an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren't paid well or aren't paid at all. And that needs to change. Heartbleed has shown so very clearly that we must add more oversight to the internet's underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.
TM99 (8,352 posts)

And this is still why I support the open source software at the heart of the internet and the movement in general and am wary of too much oversight.
This bug was discovered because it is open source. Anyone could take the code and discover its vulnerabilities or issues. With proprietary code, only the actual company and team responsible for the software can do so. Security issues like we have seen with Apple and Microsoft can take much more time for a fix, and even then we must wait until update Tuesday for the roll-out.
Will the engineering task force be kept open and free from corporate and excessive government influence? If it is not, how can I trust that the internet is private or that the software running it does not have back-doors for spying? If Heartbleed was used by the NSA, then its discovery and fix will stop that vector of privacy invasion. Where is the community oversight then? A dialog on where oversight is needed and how much is worthy of discussion.