Heartbleed Hotel: The biggest Internet f*ckup of all time

The heartbleed bug is the single biggest f*ckup in the history of the Internet.

For anyone that doubts the veracity of this claim let me state the plain and simple facts:

Since December of 2011 any individual with an Internet connection could read the memory of maybe half of the “secure” Web servers on the Internet.

For the layman, reading the memory of a Web server often means being able to read usernames, passwords, credit card numbers and basically anything else that the server is doing.

Shocking.

For over two years we’ve all had our pants down and no one even noticed.

Open Source Failed

For most developers, myself included, open source has been a mythical paradigm shift in software development that should be embraced without question.

What of bugs?  There’s a famous adage about bugs in open source:

Given enough eyeballs, all bugs are shallow

Applied to this case, the buffer overflow in the heartbeat protocol should have been easily found by someone.  But it wasn’t.
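The defect itself, in miniature. This is an added example, not code from the post or from OpenSSL: a heartbeat echo handler following the RFC 6520 layout (type, 16-bit payload_length, payload, at least 16 bytes of padding), run once without and once with the bounds check the fix introduced, against a constructed 64-byte "memory" region so the over-read stays well defined for the demo. The function names, the `patched` flag and the `SECRET` value are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16
#define MEM_SIZE    64

/* Builds the echo reply for a heartbeat request. With patched == 0 it behaves like the
   vulnerable code: the peer-supplied payload_length is trusted and never compared with
   rec_len, so memcpy reads past the end of the record. With patched == 1 it applies the
   length check the fix added and discards oversized claims. Returns reply length or -1. */
static long hb_reply(const unsigned char *rec, size_t rec_len, unsigned char *out, int patched)
{
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (patched && 3 + (size_t)payload + HB_MIN_PAD > rec_len) return -1;  /* the fix */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* unpatched: over-reads when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_MIN_PAD);
    return 3 + payload + HB_MIN_PAD;
}

/* Constructed "process memory": a 23-byte request (payload "ping" + 16 bytes padding)
   that claims a 61-byte payload, followed by data the server must never echo. The
   over-read stays inside this array, so the demo itself is well defined. */
static const char SECRET[] = "user=alice&pass=hunter2";              /* constructed value */
static size_t build_mem(unsigned char mem[MEM_SIZE])
{
    size_t rec_len = 3 + 4 + HB_MIN_PAD;
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST; mem[1] = 0; mem[2] = MEM_SIZE - 3;          /* claims 61 bytes */
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Returns the number of SECRET bytes found in the reply: 24 unpatched, 0 when patched
   (the record is rejected and nothing is sent). */
long demo_leaked_bytes(int patched)
{
    unsigned char mem[MEM_SIZE], reply[3 + 65535 + HB_MIN_PAD];
    size_t rec_len = build_mem(mem);
    long n = hb_reply(mem, rec_len, reply, patched);
    if (n < 0) return 0;
    /* rec_len - 3 payload bytes were legitimately ours; everything after is leaked memory */
    return memcmp(reply + 3 + (rec_len - 3), SECRET, sizeof SECRET) == 0 ? (long)sizeof SECRET : 0;
}
```

The check is the whole fix: the claimed payload plus header and minimum padding must fit inside the bytes that actually arrived, otherwise the record is dropped.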

After the heartbleed bug, can this supposed statement of open source fact still be considered valid?  What does it actually mean to have eyes on code?

If I wanted to look at the code for OpenSSL, I could have.  Guess what?  I never did, and I would bet that most of the people reading this article didn’t either.

The Ultimate Humiliation for Public Key Infrastructure

It’s long been known that our current public key infrastructure is horribly broken, proven mostly by numerous compromises of the supposed “sources of trust”, the certificate authorities.

Broken and run roughshod over by the likes of the NSA, hackers and other government agencies across the globe.

This latest episode is really just icing on the cake.  Not only are the private keys of “secured” servers up for grabs, but so is their most sensitive and personal data.

I think it’s time we as an industry take a good hard look in the mirror, and reevaluate… everything.


About Brad Carleton

Brad is a rockin' fun JavaScript coder who enjoys building cool stuff and long walks on the beach. As the Founder/CTO at TechPines, he has worked with large companies and startups to build cutting-edge applications based on HTML5 and Node.js. He is the creator of Bone.io, a realtime HTML5 framework, and is the author of Embracing Disruption: A Cloud Revolution Manifesto.
  • Tommy P

    Maybe in the future, open source software can/should start bragging about the number and quality of the peers who reviewed their code?

    • techpines

      That’s an interesting idea.

    • Rob Lang

      A good idea and one that academia has been doing for more than 200 years.

  • drhowarddrfine

    I can hardly wait till someone finds a mistake in your code. It took Google, and other security professionals, two years to find the problem and you act like it was right in front of their faces.

    • techpines

      1. You don’t have to wait, I write code that has mistakes and will continue to do so.

      2. Technically, it’s open source so it was in front of people’s faces.

      I’m not blaming any one person, but it is certainly an industry failure, a major one. This isn’t some theoretical exploit that affects some small portion of the Internet. This is a massive security bug.

    • Dustin Brown

      Everybody’s code has mistakes – that’s not the point. The point is that this was a *huge* bug, and the fact that it was right in front of everyone’s face (being open source) and still took years to discover means you can’t just trust the “given enough eyeballs, all bugs are shallow” argument of OSS.

  • gilligan_MH

    I feel like this blog post, if pointing out problems in the industry, should also at least point to potential solutions or avenues to solutions.

    • techpines

      You’re right. This article is certainly on the negative side, maybe the next one I’ll look into ways this could have been prevented or mitigated.

  • http://blog.decayingcode.com/ Maxime Rouiller

    I agree with the general sentiment that “This article is negative and doesn’t offer a solution”. The fact is, there is no real solution here. It’s a big fuck up. We patch and we move on.

    The solution won’t be picked by the author of this blog. It will be by the industry who are using the software. Sometimes, we do need to say that as an industry “We messed up”. I think that this blog post is one of those. We’ll come up with long-term solutions, but we all needed to grasp the size of the mistake.

  • http://bitlucid.com/ Roy

    All pretty much makes sense to me, I just keep thinking: How can I try to build anything secure considering that so much out there is potentially compromised and will likely echo back to compromise me, and well, the fact that this happened at all? Very discouraging in general.

  • Daniel Marbach

    Ever thought about the possibility that it is not a coincidence that this bug was not found earlier? It is an art to hide hard-to-find bugs in code to be able to get access to information you need. Guess who is behind that ;) no matter whether it is OSS or closed source…


  • pso1

    Brad, where can I report problems with the search box on lostechies.com? The search is not working, and browsing posts by categories sometimes is also not working …