Heartbleed is NOT an Open Source Issue


I was going to write a nice, calm post today when I came across Ralph Losey’s piece on the Heartbleed bug. It is a long piece and you can tell it was written by a lawyer. I have nothing against lawyers as two of my oldest and closest friends are lawyers. I’ve met and talked to Ralph before. He is a smart guy and general understands how technology can change the world. Ralph simply misses the point on Open Source.

Completely misses it.

This was a bug that was not caught before release, the same as happens in proprietary software. I know as I’ve released a few bugs in my day.

Open Source Security

This is the part of the post that really annoyed me (underline added),

It was small oversight. Segglemann forgot to add a single line of code limiting the size of memory access to a feature called heartbeat (thus the nickname for the bug, heartbleed). Oops. These things can happen. Easy to understand. Hey, it was, after all, one minute before midnight on New Years eve 2011 when he submitted his work. I kid you not. Segglemann knew that another expert was going to check his work anyway, so why should  he be too concerned? Too bad the supervising expert missed the error too. Oops again. Oh well, that’s open source for you.

The review process is better than many systems I worked on that were proprietary. The code would be written and submitted. If it passed testing, it was in the product. There was no code review unless we were ahead of schedule.

As for the midnight reference, speaking as a former programming geek in college, I wrote some great code late at night. In fact, I wrote most of my code late at night. I can also state without hesitation that being that geeky, having good plans on New Years was unlikely. It is just another night except that the neighbors are louder.

Let’s talk about the Open Source process though. The code is not just reviewed by an “expert”, it is available for review by everyone. Any organization that wants to take the time can perform a full audit of the code to check security. Many organizations do that, though they are less likely to do it for every patch.

The part that Ralph does not mention is the fact that every large organization that deployed the Heartbleed bug likely performed a lot of tests before deployment. You don’t release a new security framework without testing. OpenSSL passed those tests.

For two years.

This is a bug, and a bad one. It is not because it is Open Source. Bugs happen in all software packages. Bugs like Heartbleed are even more common because they create a flaw that has to be identified and exploited. Things did’t simply break.

Bugs from the Past

I want to take a moment to refresh our minds about some bugs from the past few years in other software. Two are from Microsoft as they represent the widest target for malicious hackers to target.

  • RDP Allowed Remote Code Execution: This was a big one. If your server had Remote Desktop Protocol (RDP) enabled, and many people had turned it on for administration purposes, then someone could send code to that server that would be executed. How widespread? SharePoint, Outlook Web Access, and Internet Information Server (IIS) are three systems that routinely expose themselves to the Internet.
  • Java Issues Patch for 50 Security Bugs: One year ago, a patch for 50 bugs was issued, 26 of which were at a level 10 in severity, out of 10. They could lead to someone taking over your computer. Given how often people don’t update Java, a large number of vulnerable systems are likely still out there.
  • Internet Explorer Allows Remote Code Execution: This was only seven months ago in September 2013. When announced, there wasn’t a fix out yet. While many people I know don’t use IE anymore, almost 60% were still using IE in 2014.
  • Google Chrome Stored Password Bug: Do you store your passwords automatically? From my talks with tech-savvy people, I am one of the few who never does saves a password. I forget passwords that way. Turns out, it keeps me safe as Google Chrome developed a bug that let people access those passwords.

Java is Open Source now but the other software solutions are not. All have security issues. While few have the same impact as the Heartbleed bug, all are critical and can lead to massive violations of your information.

Big But…

I am happy that Heartbleed is gaining such publicity. People need to know about these issues and learn to take action. Education is important. Wrong conclusions are starting to be drawn from the publicity and that is a problem.

  • The Internet is not anymore insecure than it was before. There are likely bigger, undiscovered bugs out there.
  • Most corporate systems can likely be hacked by paying a hacker a few hundred dollars.
  • The real problem is people. Phishing and other scams falling under human engineering are still huge problems. No technology bugs required.
  • Bugs happen in all software. The difference is that in Open Source there is a larger community that can work to find the bugs. If a bug survives years, it isn’t an obvious one.

Like most bugs, it is not the result of negligence. It is simply human error. The subtlety of the bug allowed it to survive for years unnoticed, and likely unexploited. Open Source had nothing to do with the bugs creation or perpetuation.

If this was a bug in Microsoft’s server, odds are it would still be undiscovered.

Note: XKCD published the best description of what the Heartbleed bug does.

6 thoughts on “Heartbleed is NOT an Open Source Issue

  1. Overall I agree with you – but I will quibble on one thing. You say that the strength of open source is that the code is available for “everyone” to review. That may be a theoretical strength.

    BUT, the fact that the bad code was not reviewed before release and that nobody saw the issue in the 2+ years that it was out there says to me that this process isn’t working as designed / evolved.

    I agree 100% that these breakdowns can and do happen in proprietary code, but the fact that the existing review process completely missed this on a very widely used package is problematic. We will never know if bad actors found the issue and used it to their own ends by reviewing the code but the takeaway from this (for me) is that the code review process needs to be much stronger. Also, large, wealthy, multinational companies who are going to deploy FOSS need to take on the responsibility themselves too (which would require hiring people with the requisite skills and abilities)

    Like

    • Your points are valid. I will say that for pretty much any proprietary software package that I worked with for 2+ years, there was a major security bug.

      Even if it was reviewed, if people don’t see it and it isn’t discovered in testing, is the whole business model at fault? My key point is that Open Source is not less secure. It has the potential to be more secure if people review and contribute back. How much that happens varies greatly from project to project.

      Like

  2. This is not just a simple programming error. It is the biggest in history, in terms of impact. Do you disagree with that distinct point? Can you name a software error with a bigger input. Yes, I remember very well the Y2K bug, and that was not one single error.

    I am urging dialogue and reconsideration of open source as sacrosanct. I am not calling for elimination of open source, but I am calling for reform. Even then I am focusing my criticism at using open source for security, especially something as important as security of 2/3 of the Internet. I like wordpress as much as the next blogger.

    Do you really believe that two people reviewing the code add-on is what was intended by crowd sourcing, which is the theory behind open source? That fact that in theory others “could” have looked at it, does not matter much. Potential and theory is trumped by hard realities. Two is never a crowd. Think of the harm done already. How many million people have wasted an hour or more changing passwords? What about the time and expense for host cos to fix things. How many hackers used the flaw before Google finally caught it, or after they caught it and before it was fixed?

    Just throwing some money at the problem does not seem like a smart fix to me. It seems to me that the Internet is way too dependent on OpenSSL. This was never intended that so few people (four people run it) would have so much power.

    This is bigger than any one group, and like it or not, lawyers are everywhere and concerned with people rights, including the right to restitution when harmed by another’s negligence. All types of people should be heard and empowered to have input on the Internet, yes even lawyers. Oh and, to paraphrase your own remarks about lawyers, some of my best friends are programmers 🙂

    By the way, Mr. Hart, I do find you name somewhat ironic.

    Like

    • Ralph, thanks for the reply.

      I do not believe that Open Source is sacrosanct. Neither for that matter, is any proprietary software. Some Open Source projects are not very mature while others are very solid. It is not entirely unlike what you see in closed-source software. My primary reaction to your piece was the dismissal of Open Source and the implication that this came about because it WAS Open Source.

      Let us keep in mind that proprietary software may not even be reviewed by two people. Code is often submitted and not reviewed, just tested. The fact that we even know anything about the review process for OpenSSL is more than we will get from most proprietary vendors (marketing spin aside). This bug is not because of Open Source, it is just a bug that happens in all software. Yes, it is bigger and has broader impact than most bugs, but that is random distribution. Bugs occur everywhere. All applications, all components. Apple had an SSL bug earlier this year that caused a lot of problems for people with iPads and Macs and those users had to change their passwords. I even had to break down and get iOS7 on my old iPad that was much happier before the upgrade.

      I am not trying to downplay the bug, just the allegation that Open Source played a part.

      The Internet is dependent on many technologies but some will always be more common than others. It is the nature of innovation in technology. Why try and solve the same problem 50 times when someone already has solved it? At every level of the technology stack, there are components that are widely used and could have as wide of an impact if a major exploit was introduced. The OpenSSL bug was inevitable given the scope of the Internet and more bugs will occur in the future that as as wide, if not bigger, impact.

      I have not addressed the bit about restitution because I’d rather not. In my non-legal opinion, it would seem to be hard to prove negligence on many parties. I would be more interested in any party that knew about the bug but didn’t report/fix it. When you use Open Source, you should “pay it forward” and contribute it back. Open Source is not supposed to be truly free. You are supposed to give back and apply your own due diligence.

      My name is ironic? How about the fact that I once had, no joke, a boss with the last name “Hartless”. We did not get along.

      Like

Comments are closed.