Nowadays, it’s unusual for someone to step up and take responsibility, But Seggelmann, a German developer, did just that.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features…In one of the new features, unfortunately, I missed validating a variable containing a length.”After he submitted the code, a reviewer “apparently also didn’t notice the missing validation,” Seggelmann said, “so the error made its way from the development branch into the released version.”Dr Seggelmann said the error he introduced was “quite trivial,” but acknowledged that its impact was “severe.”
Seggelmann, who lives in Münster, Germany, told the Herald he didn’t insert the error on purpose, as some conspiracy theorists have suggested.
“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Codenomicon, a Finnish security firm, discovered the bug now known as “Heartbleed” last week. But for the past several years, users’ passwords, credit card numbers, e-mails and other personal data have been available to anyone who knew how to exploit the weakness, like hackers or the National Security Agency.
Seggelmann told the Herald that intelligence agencies could have exploited the flaw to spy on people.
“It is a possibility,” Seggelmann said, “and it’s always better to assume the worst than best case in security matters.”
Who is Segglemann? According to Australia’s The Age:
Seggelman, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Munster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012. He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student.
Apparently, mistakes such as Seggelmann’s aren’t rare. Programmers on Reddit sympathized with him and swapped stories of their own coding errors.
“Really, the only reason that most of us haven’t caused such a massive f—up is that we’ve never been given the opportunity,” one wrote.
So if errors like these are easy to make and have potentially disastrous consequences, why isn’t something being done?
“It would be better if more people helped improving [OpenSSL],” Seggelmann told Mashable via e-mail. “The more people look at it, the less likely errors like this occur.”
Farhood Manjoo, writing in the New York Times, called the error “the computer programming equivalent of misspelling Mississippi — an error at once careless, inevitable and hard for most human eyes to spot.”
The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers’ online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.