Friday, 11 April 2014

Who is Robin Seggelmann and did his Heartbleed break the internet?

Heartbleed is a programming flaw in Heartbeat, an extension for OpenSSL, itself an encryption tool to help make websites and online communication more secure. Heartbleed is a programming flaw in Heartbeat, an extension for OpenSSL, itself an encryption tool to help make websites and online communication more secure.
German computer programmer Robin Seggelman has been outed as the man whose coding mistake, now known as Heartbleed, has left millions of internet users and thousands of websites vulnerable to hackers.
The discovery, by a Google engineer and Finnish security firm Codenomicon, has prompted experts to call on people to change their passwords to most, if not all, websites they subscribe to after site owners have fixed their vulnerabilities.
Dr Seggelman, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Munster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012. He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student.
Advertisement
His academic research influence index score of two, based on the number of scientific citations of his work, suggests an influential thinker at the early stages of his scientific career.
According to his Xing profile, Dr Seggelman has worked for Deutsche Telekom IT services subsidiary T-Systems, possibly the largest such consultancy in Germany, since 2012, as a solutions architect.
Is this a man who would purposefully leave a gaping hole in the internet, which the US National Security Agency could have been exploiting to spy on people's communications?
Dr Seggelman denied this in an interviewwith Fairfax Media on Thursday. He said: "It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he said.
OpenSSL is an open-source software project. Open-source projects are by their nature open to others to contribute. No one owns the code; no one is liable.
Willy Susilo, director of the Centre for Computer and Information Security Research at the University of Wollongong, said computer science students are encouraged to contribute to open source and are taught the ethics of the movement. They are taught to take their role responsibly, with the pressure to get it right looming higher depending on the project they are working on. But they also know that someone else in the community will review their work.
In the case of Heartbleed, the reviewer, Dr Stephen Henson, a UK consultant on OpenSSL, also missed the mistake.
Professor Susilo said that is not unusual. "It was just a development mistake when creating the algorithm. It's a serious mistake but a normal mistake."
He points to another encryption coding mistake discovered in 2004 on a version of GNU Privacy Guard, itself a version of Pretty Good Privacy, a popular email encryption tool.
Phong Q. Nguyen, Author of the GNUPG paper Phong Q. Nguyen noted that "bad cryptography is much more frequent than good cryptography", and the "fact that a source code can be read does not imply that it is actually read, especially by cryptography experts".
"A reviewer would only look at the way [the algorithm] works, not at the code of the program that was submitted. The same happened with GNUPG, the reviewer accepted the code."
Professor Dr Michael Tuexen who supervised Dr Seggelmann's PhD told Fairfax Media Heartbleed was a mistake, a "small bug with a huge impact. Nothing less, nothing more."
"Please note that he initially also fixed several bugs in the OpenSSL. Most of the submitted patches were finally accepted by the project. So adding the feature was not his first patch. Unfortunately, this patch contained the bug," Dr Tuexen said.
Meanwhile, Dr Seggelmann evaded questions on how he feels about being the author of such an infamous mistake and what it means for his current and future work. In an indication that he may fear the repercussions, he instead requested Fairfax Media not use any photos of him, although some are publicly available on the internet.
"It does not help anyone if this bug is associated with me personally," he said.
And he suggested that the more contributors to the open-source movement, the better the chance of mistakes being averted.
"I would prefer that you use the opportunity to make people aware that security is an important issue, and that incidents like this can best be prevented by more people participating in development and reviews of security-relevant software."
Professor Susilo said the open-source movement had already mobilised to fix the fault and it was now up to individual websites using the OpenSSL encryption to patch their systems.
"There is no one to blame. The code is always evolving," he said.
He reminded people to change passwords on all sites they subscribe to as it was just about impossible for individual users to tell which sites used OpenSSL.
Mashable has compiled a handy chart to guide users. Change passwords now for: Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Dropbox, Minecraft and Amazon Web Services.

No comments:

Post a Comment