Developer who introduced 'Heartbleed' OpenSSL bug speaks
The Sydney Morning Herald conducted what was probably the first interview of the German software developer who was responsible for introducing the critical security flaw into the Heartbleed bug. Made more than two years ago in December 2011, the security vulnerability allows attackers to have unimpeded acccess into the memory contents of any server that makes use of the highly popular OpenSSL library.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," says Dr. Robin Seggelmann to The Herald. In the report, he explained that he had missed validating a variable containing a length; an error which he says was "quite trivial". The mistake was also missed by a reviewer before the code was committed into the development branch of the released version.
In response to conspiracy theories that the bug was actually orchestrated by the National Security Agency as a way to break into the SSL protected communications of targets, Seggelmann denied putting the bug into the code intentionally. He admitted, however, that it was entirely possible that intelligence agencies have been making use of it for the last two years, as reported on Bloomberg.
Ultimately, Seggelmann does not deny that the impact of the bug was "severe". In that vein, he called for more contribution to help keep an eye over the code in various open-source software. "It's unfortunate that it's used by millions of people, but only very few actually contribute to it," he said. For example, it was separately reported that there are some 420,000 lines of code in the OpenSSL software alone, most of it non-trivial to its function.
In other news, The Register notes that it may be illegal to actually test the security of third-party websites without permission under U.S. and U.K. laws, though it is unclear if action can be enforced against websites that offer the ability to test for the vulnerability.
Security vulnerability with its own logo and marketing: Did 'Heartbleed' backfire? [FierceEnterpriseCommunications]
Details on Heartbleed bug, what the enterprise can do