
unhappycamper

(60,364 posts)
Sun Apr 13, 2014, 09:34 AM

How Heartbleed Broke the Internet — And Why It Can Happen Again

http://www.wired.com/2014/04/heartbleedslesson/



Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all.

How Heartbleed Broke the Internet — And Why It Can Happen Again
By Robert McMillan
04.11.14 | 6:30 am

Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week.

The key moment arrived at about 11 o’clock on New Year’s Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who’s an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web.

Two years would pass until the rest of the world discovered this, but this tiny piece of code contained a bug that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it’s bad. People have used it to steal passwords and usernames from Yahoo. It could let a criminal slip into your online bank account. And in theory, it could even help the NSA or China with their surveillance efforts.

It’s no surprise that a small bug would cause such huge problems. What’s amazing, however, is that the code that contained this bug was written by a team of four coders that has only one person contributing to it full-time. And yet Henson’s situation isn’t an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. And that needs to change. Heartbleed has shown — so very clearly — that we must add more oversight to the internet’s underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.

TM99

(8,352 posts)
1. Yes, Heartbleed has been a big issue.
Sun Apr 13, 2014, 10:42 AM

And this is still why I support the open source software at the heart of the internet and the movement in general and am wary of too much oversight.

This bug was discovered because it is open source. Anyone could take the code and discover its vulnerabilities or issues. With proprietary code, only the actual company and team responsible for the software can do so. Security issues like we have seen with Apple and Microsoft can take much more time for a fix, and even then we must wait until update Tuesday for the roll-out.

Will the engineering task force be kept open and free from corporate and excessive government influence? If it is not, how can I trust that the internet is private or that the software running it does not have back-doors for spying? If Heartbleed was used by the NSA, then its discovery and fix will stop that vector of privacy invasion. Where is the community oversight then? A dialog on where oversight is needed and how much is worthy of discussion.
