I was going to write a nice, calm post today when I came across Ralph Losey’s piece on the Heartbleed bug. It is a long piece and you can tell it was written by a lawyer. I have nothing against lawyers, as two of my oldest and closest friends are lawyers. I’ve met and talked to Ralph before. He is a smart guy and generally understands how technology can change the world. Ralph simply misses the point on Open Source.
Completely misses it.
This was a bug that was not caught before release, the same as happens in proprietary software. I know as I’ve released a few bugs in my day.
Open Source Security
This is the part of the post that really annoyed me (underline added),
It was a small oversight. Seggelmann forgot to add a single line of code limiting the size of memory access to a feature called heartbeat (thus the nickname for the bug, heartbleed). Oops. These things can happen. Easy to understand. Hey, it was, after all, one minute before midnight on New Year’s Eve 2011 when he submitted his work. I kid you not. Seggelmann knew that another expert was going to check his work anyway, so why should he be too concerned? Too bad the supervising expert missed the error too. Oops again. Oh well, that’s open source for you.
The review process is better than on many proprietary systems I worked on. The code would be written and submitted. If it passed testing, it was in the product. There was no code review unless we were ahead of schedule.
As for the midnight reference, speaking as a former programming geek in college, I wrote some great code late at night. In fact, I wrote most of my code late at night. I can also state without hesitation that, being that geeky, having good plans on New Year’s was unlikely. It is just another night, except that the neighbors are louder.
Let’s talk about the Open Source process though. The code is not just reviewed by an “expert”, it is available for review by everyone. Any organization that wants to take the time can perform a full audit of the code to check security. Many organizations do that, though they are less likely to do it for every patch.
The part that Ralph does not mention is that every large organization that deployed the vulnerable OpenSSL release likely performed a lot of tests before deployment. You don’t roll out a new security framework without testing. OpenSSL passed those tests. The catch is that those tests send well-formed traffic; a heartbeat whose length field lies about the payload is exactly the case a functional test never exercises.
For two years.
This is a bug, and a bad one. It is not bad because it is Open Source. Bugs happen in all software packages. Bugs like Heartbleed are even more likely to go unnoticed because they create a flaw that has to be found and deliberately exploited. Nothing visibly broke.
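To make the quoted description of the bug concrete, here is an added example in C. It is not OpenSSL’s code and not from the original post; it models the heartbeat handling that Heartbleed broke. The record layout is the real one (a one-byte type, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding). The `arena` standing in for process memory, the session secret placed after the record, and all function names are assumptions made for this demonstration. It also shows why ordinary testing passed: a well-formed request gets the same answer from the vulnerable and the fixed handler, and only a request whose length field lies tells them apart.

```c
/* Added example, not OpenSSL's code: a model of TLS heartbeat handling.
 * Record layout (real): [type:1][payload_length:2, big-endian][payload][padding:>=16]
 * The arena, the secret and the function names are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_PAYLOAD 65535

/* Stand-in for the server's process memory: the received record is followed
 * by other live data, here a made-up session secret. Sized so that even a
 * 65535-byte over-read stays inside the arena and the demo itself has no UB. */
#define ARENA_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING + 64)
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SESSION-KEY-0123456789abcdef";   /* constructed */

/* Write a heartbeat request into the arena. claimed_len goes into the length
 * field; actual_payload bytes are really sent. Returns the record length as
 * it arrived on the wire, which is all the server truly knows. */
size_t build_request(uint16_t claimed_len, size_t actual_payload)
{
    if (actual_payload > HB_MAX_PAYLOAD) actual_payload = HB_MAX_PAYLOAD;
    memset(arena, 0, sizeof arena);
    uint8_t *p = arena;
    *p++ = HB_REQUEST;
    *p++ = (uint8_t)(claimed_len >> 8);
    *p++ = (uint8_t)(claimed_len & 0xff);
    memset(p, 'A', actual_payload);
    p += actual_payload + HB_PADDING;               /* padding already zeroed */
    size_t record_len = (size_t)(p - arena);
    memcpy(arena + record_len, secret, sizeof secret);  /* adjacent live memory */
    return record_len;
}

/* Shared body: echo `payload` bytes of the request back in a response. */
static void echo(const uint8_t *rec, uint16_t payload, uint8_t *out, size_t *out_len)
{
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);     /* reads past the record if payload lies */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
}

/* The shape of the bug: the length field from the peer is trusted and never
 * compared against how many bytes actually arrived. */
int handle_heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                                uint8_t *out, size_t *out_len)
{
    (void)record_len;                      /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    echo(rec, payload, out, out_len);
    return 0;
}

/* The fix, in the same spirit as the 2014 patch: one bounds check that
 * silently drops any request whose claimed payload (plus header and padding)
 * does not fit in what was actually received. */
int handle_heartbeat_fixed(const uint8_t *rec, size_t record_len,
                           uint8_t *out, size_t *out_len)
{
    if (record_len < 1 + 2 + HB_PADDING) return -1;     /* too short to parse */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;
    echo(rec, payload, out, out_len);
    return 0;
}

static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Run one request through a handler: -1 rejected, 0 echoed only what the
 * client sent, 1 the response also carries the secret from adjacent memory. */
int run_heartbeat(int use_fix, uint16_t claimed_len, size_t actual_payload)
{
    static uint8_t out[ARENA_SIZE];
    size_t out_len = 0, record_len = build_request(claimed_len, actual_payload);
    int rc = use_fix ? handle_heartbeat_fixed(arena, record_len, out, &out_len)
                     : handle_heartbeat_vulnerable(arena, record_len, out, &out_len);
    if (rc != 0) return -1;
    return contains(out, out_len, (const uint8_t *)secret, sizeof secret - 1);
}

int main(void)
{
    printf("well-formed:  vulnerable=%d fixed=%d\n", run_heartbeat(0, 4, 4), run_heartbeat(1, 4, 4));
    printf("lying length: vulnerable=%d fixed=%d\n", run_heartbeat(0, 64, 4), run_heartbeat(1, 64, 4));
    return 0;
}
```

The well-formed request returns 0 from both handlers, which is why a test suite built from valid traffic saw nothing wrong. With a lying length field the vulnerable handler returns 1 (the secret that happened to sit after the record comes back to the client) while the fixed handler returns -1 and drops the request. Nothing crashes in either case, which is the "nothing visibly broke" property that let the bug sit unnoticed.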
Bugs from the Past
I want to take a moment to refresh our minds about some bugs from the past few years in other software. Two are from Microsoft, since its products present the widest target for attackers.
- RDP Allowed Remote Code Execution: This was a big one. If your server had Remote Desktop Protocol (RDP) enabled, and many people had turned it on for administration purposes, then someone could send traffic to that server and get their code executed on it. How widespread? SharePoint, Outlook Web Access, and Internet Information Server (IIS) are three Windows server roles that are routinely exposed to the Internet, and administrators often enable RDP on those same machines.
- Java Issues Patch for 50 Security Bugs: A year ago, a single patch fixed 50 bugs, 26 of which carried the maximum severity score of 10 out of 10. They could let someone take over your computer. Given how rarely people update Java, a large number of vulnerable systems are likely still out there.
- Internet Explorer Allows Remote Code Execution: This was only seven months ago, in September 2013. When it was announced there was no fix available yet. While many people I know no longer use IE, almost 60% of users were still on IE in 2014.
- Google Chrome Stored Password Bug: Do you let the browser store your passwords? From my talks with tech-savvy people, I am one of the few who never saves a password; I forget passwords that way. It turns out that keeps me safer, as Google Chrome had a bug that let people access those stored passwords.
Java is Open Source now, but the other products are not. All have had security issues. While few have the same impact as Heartbleed, all are critical and can lead to massive compromise of your information.
I am happy that Heartbleed is gaining such publicity. People need to know about these issues and learn to take action. Education is important. Wrong conclusions are starting to be drawn from the publicity and that is a problem.
- The Internet is not any more insecure than it was before. There are likely bigger, undiscovered bugs out there.
- Most corporate systems can likely be hacked by paying a hacker a few hundred dollars.
- The real problem is people. Phishing and other scams that fall under social engineering are still huge problems. No technology bugs required.
- Bugs happen in all software. The difference is that in Open Source there is a larger community that can work to find the bugs. If a bug survives years, it isn’t an obvious one.
Like most bugs, it is not the result of negligence. It is simply human error. The subtlety of the bug allowed it to survive for years unnoticed, and likely unexploited. Open Source had nothing to do with the bug’s creation or its survival.
If this were a bug in Microsoft’s server, odds are it would still be undiscovered.
Note: XKCD published the best description of what the Heartbleed bug does.