
Heartbleed coder: bug in OpenSSL was an honest mistake

nk497 (1345219) writes | about 6 months ago


nk497 (1345219) writes "The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Seggelmann told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length." His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."

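The "variable containing a length" in the story is the payload length a peer declares in a TLS heartbeat request. The following is an added example written for this page, not OpenSSL's code: a simplified heartbeat parser (record layout per RFC 6520) with the unchecked read beside the bounds check the fix adds, plus two constructed sample requests.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520), used only to illustrate the
 * missing length check; not OpenSSL's code.  Wire layout:
 *   1 byte type | 2 bytes payload_length (big-endian) | payload | >=16 bytes padding */
#define HB_HEADER  3
#define HB_PADDING 16

/* Unchecked parse: returns the length the peer *declares*, trusting it blindly.
 * Copying that many bytes out of a shorter record reads past its end. */
static int hb_declared_length(const uint8_t *rec, size_t record_len) {
    if (record_len < HB_HEADER) return -1;
    return (rec[1] << 8) | rec[2];
}

/* Hardened parse: accept the declared length only if header, payload and
 * minimum padding fit in the bytes actually received; -1 tells the caller
 * to discard the record silently, as RFC 6520 section 4 requires. */
static int hb_validated_length(const uint8_t *rec, size_t record_len) {
    if (record_len < HB_HEADER + HB_PADDING) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return -1;
    return (int)payload_len;
}

/* Echo the payload back as heartbeat_response (type 2).  Returns bytes written,
 * or 0 when the request is rejected; only validated lengths reach memcpy(). */
static size_t hb_build_response(const uint8_t *rec, size_t record_len,
                                uint8_t *out, size_t out_cap) {
    int n = hb_validated_length(rec, record_len);
    if (n < 0 || HB_HEADER + (size_t)n + HB_PADDING > out_cap) return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, (size_t)n);
    memset(out + HB_HEADER + n, 0, HB_PADDING);   /* real padding is random */
    return HB_HEADER + (size_t)n + HB_PADDING;
}

/* Constructed samples: a well-formed 4-byte request, and one whose length
 * field claims 16384 bytes although only 4 payload bytes were sent. */
static const uint8_t good_req[] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t bad_req[]  = { 1, 0x40, 0x00, 'p', 'i', 'n', 'g',
                                    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
```

The unchecked parser happily reports 16384 for the second sample; the validated one rejects it, so the copy never runs.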


An honest mistake? - Even better (1)

formfeed (703859) | about 6 months ago | (#46718245)

The linked Sydney Morning Herald goes on:
"Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years."

One can assume said intelligence agencies would run their own software review and routinely check the source code of critical security software for obvious flaws. And if some agency even states Internet security as one of their goals, one can be certain they audit new patches.

It is very, very likely that they knew about this bug and used it to access servers outside their jurisdiction, where they couldn't simply access it with a letter in their hand. It being just an honest mistake makes it an even sweeter deal: perfect deniability.

(And no, open source doesn't make a difference: if you wear the right-colored tie, you can get any source code.)
