So what's up with all this HeartBleed nonsense?
What could possibly be behind the greatest crisis in Internet security since the invention of phishing emails? How could this possibly happen? What could possibly jeopardize the security of thousands of websites and secure services we take for granted like Google, Tumblr and even banking sites?
I have an easy answer and it points right back to the Achilles heel of Open Source.
While proponents will argue the merits of solutions that don't come from commercial sources, the one inescapable fact of Open Source software is that it's developed under mob rule. Therein lies the problem.
While nobody questions the benefits of Open Source software like cost and ease of customization, proponents tend to gloss over the fact that some projects are better managed than others.
Take the case of OpenSSL. It's the foundation for thousands of web services like Google, Yahoo and even your bank. Except that somebody wasn't minding the store, and for two years the mechanism that was supposed to secure your communications... didn't.
The flaw was inadvertently discovered by Google's Neel Mehta during a routine security sweep, but it had been in existence for 2 years. Overlooked by one of OpenSSL's core developers, Stephen N. Henson, the vulnerability came as the result of additional but apparently untested new functionality known as a Heartbeat for OpenSSL. The functionality was supposed to be little more than an "I'm still here!" beacon to whatever service you're connected to.
The short of it is this...
The problem comes from not bothering to check that what was actually sent matches the size the request claims. A crafty hacker can take advantage by continually sending heartbeat requests that claim to be of a certain size but aren't actually that size. The server dutifully sends back a response of the claimed size, and in doing so inadvertently dumps the contents of its own memory to fill the otherwise empty space of the response. Those contents have been shown to contain user credentials, among other compromised information.
It's apparently a simple fix but it's taken two years for anyone to notice.
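To make that missing check concrete, here is an added illustration in C; it is not OpenSSL's code and not part of the original post. It models a heartbeat handler in the vulnerable shape beside one that applies the bounds check the fix introduced, and runs both against a constructed request whose header claims 40 bytes of payload while only 5 are really there. The memory arena, the "SECRET:" marker placed after the record, and the zero padding are all constructed for the example; a real server's heap holds whatever happens to be adjacent, and real OpenSSL fills padding with random bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of an RFC 6520 heartbeat message as it arrives inside a TLS record:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16 bytes)
 * rec_len is the true length of the record body the peer actually sent. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3
#define HB_MIN_PAD  16

/* Constructed "server memory": the record sits at the start of a small arena and
 * unrelated data follows it, standing in for whatever was adjacent in a real heap.
 * The arena is sized so the unchecked copy stays inside it (no undefined behaviour). */
#define ARENA_SIZE 96
static uint8_t arena[ARENA_SIZE];
static const char secret[] = "SECRET:constructed-credential";   /* constructed marker */

/* Fill the arena with a request that really carries 5 payload bytes ("hello") but
 * whose header claims claimed_len. Returns the true record length (3 + 5 + 16 = 24). */
size_t build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    size_t off = 0;
    arena[off++] = HB_REQUEST;
    arena[off++] = (uint8_t)(claimed_len >> 8);
    arena[off++] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + off, "hello", 5);
    off += 5;
    off += HB_MIN_PAD;                                /* zero padding */
    size_t rec_len = off;
    memcpy(arena + rec_len, secret, sizeof secret);   /* adjacent memory, not part of the record */
    return rec_len;
}

/* Vulnerable shape: trust the claimed length and copy that many bytes back. */
size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                    /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_MIN_PAD > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);  /* reads past the end of the record */
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PAD);
    return HB_HDR + payload_len + HB_MIN_PAD;
}

/* Fixed shape: header + claimed payload + minimum padding must fit inside the
 * bytes the peer actually sent; otherwise the message is silently dropped. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)HB_HDR + HB_MIN_PAD) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_MIN_PAD > rec_len) return 0;   /* the missing check */
    if ((size_t)HB_HDR + payload_len + HB_MIN_PAD > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PAD);
    return HB_HDR + payload_len + HB_MIN_PAD;
}

/* Does the response carry bytes of the adjacent secret? (memmem is not standard C.) */
int contains_secret(const uint8_t *buf, size_t n) {
    const size_t m = 7;                               /* length of "SECRET:" */
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, "SECRET:", m) == 0) return 1;
    return 0;
}

/* Scenario wrappers: the malformed request (claims 40, carries 5) against each
 * handler, and a well-formed request (claims 5) against the checked handler. */
int unchecked_leaks_secret(void) {
    uint8_t out[128];
    size_t rec_len = build_arena(40);
    size_t n = hb_respond_unchecked(arena, rec_len, out, sizeof out);
    return n > 0 && contains_secret(out, n);          /* 1: the secret is in the reply */
}
size_t checked_malformed_len(void) {
    uint8_t out[128];
    size_t rec_len = build_arena(40);
    return hb_respond_checked(arena, rec_len, out, sizeof out);   /* 0: dropped */
}
size_t checked_wellformed_len(void) {
    uint8_t out[128];
    size_t rec_len = build_arena(5);
    return hb_respond_checked(arena, rec_len, out, sizeof out);   /* 24: normal reply */
}
```

The two handlers differ by a single comparison of the claimed length against the record length, which is what makes the fix "simple"; the branch that drops an oversized claim is also the natural place to count malformed heartbeats, since a legitimate peer has no reason to send one.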
Meanwhile, nobody knows how long the bad guys have been aware of the flaw. How can something like this get by the supposed vigilance of security gurus and major corporations alike?
I can tell you how: it's endemic, it's cultural and it's arrogance...
It's a misguided belief that oversight of a product is best left to a community regardless of its qualifications to do so. A community that frequently finds itself more concerned with the technical wizardry of its products than the users who deploy them.
It's the same mindset that's kept other Open Source offerings like Linux in the shadows of Windows.
Let's be honest here. You can only stomach so many unintelligible whitepapers or narcissistic support forum posts before you just give up. The inmates are indeed running the asylum...
Heartbleed shines a light on the failure of the Open Source community in that it lays open the lack of even the most basic oversight of a critical and widely used service. It's not so much about the failure of OpenSSL but rather that nobody, including its chief stewards, noticed the problem for two years.
This is nothing less than a reality check on the entire Open Source community. One that should be raising questions in anyone that relies on their wares.