Heartbleed Bug's 'Voluntary' Origins -- Update
By Danny Yadron
The encryption flaw that punctured the heart of the Internet this week underscores a weakness in Internet security: A good chunk of it is managed by four European coders and a former military consultant in Maryland.
Most of the 11-member team are volunteers; only one works full time. Their budget is less than $1 million a year. The Heartbleed bug, revealed Monday, was the product of a fluke introduced by a young German researcher.
"It's sort of shocking how few people are at the heart of it," said Kenneth White, an encryption expert at Social & Scientific Systems Inc. in North Carolina. "This is some of the most complex communication code that exists on the Internet."
The OpenSSL Project was founded in 1998 to create a free set of encryption tools that has since been adopted by two-thirds of Web servers. Websites, network-equipment companies and governments use OpenSSL tools to protect personal and other sensitive information online.
So when researchers at Google Inc. and Codenomicon on Monday stated that Heartbleed could allow hackers to steal such data, the Internet went into a panic.
The frenzy intensified Friday after Bloomberg News reported that the National Security Agency knew about the hole for two years but kept it secret to gather intelligence on foreign targets. The NSA, White House and Office of the Director of National Intelligence denied the report. "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House National Security Council spokeswoman Caitlin Hayden said.
Earlier in the day, a German volunteer coder admitted that he had unintentionally introduced the bug on New Year's Eve 2011 while working on bug fixes for OpenSSL. Robin Seggelmann, a 31-year-old who now works for T-Systems, a unit of Deutsche Telekom AG, said in a blog entry posted by the company that the error had been overlooked by multiple coders working on OpenSSL.
Errors in complex code are inevitable: Microsoft Corp., Apple Inc. and Google announce flaws monthly. But people close to OpenSSL, which relies in part on donations, say a lack of funding and manpower exacerbated the problem and allowed it to go unnoticed for two years.
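The article does not describe the defect itself, so the following is an added illustration and not code from OpenSSL or from this article. It is a constructed, self-contained model of the Heartbleed class of bug (CVE-2014-0160): a TLS heartbeat record carries a peer-supplied payload length, and the vulnerable handler echoed that many bytes back without checking that the record actually contained them, so the reply included whatever happened to sit after the record in process memory. The "heap" array, the secret string, and the handler names are assumptions made for the demo; the hardened handler shows the kind of bounds check the fix added.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a TLS heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The "heap" buffer stands in for process memory: the record is followed
 * by unrelated sensitive data that should never reach the wire. */

#define MEM_SIZE 256
#define PADDING 16

static uint8_t heap[MEM_SIZE];
static const char secret[] = "session-cookie=abc123"; /* constructed sample secret */

/* Lay out a heartbeat request with a 1-byte real payload but an attacker-chosen
 * claimed length, followed by the secret. Returns the number of bytes that
 * were actually received for the record. */
static size_t build_heap(uint16_t claimed_len) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                               /* heartbeat_request */
    heap[1] = (uint8_t)(claimed_len >> 8);
    heap[2] = (uint8_t)(claimed_len & 0xff);
    heap[3] = 'A';                             /* the only real payload byte */
    size_t record_len = 1 + 2 + 1 + PADDING;   /* 20 bytes on the wire */
    memcpy(heap + record_len, secret, sizeof secret);
    return record_len;
}

/* Vulnerable handler: trusts the peer's payload_length and never consults
 * rec_len, so the memcpy runs past the end of the 20-byte record. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *resp, size_t resp_cap) {
    (void)rec_len;                                    /* unused: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > resp_cap) return 0;             /* keep the demo inside its own buffers */
    memcpy(resp, rec + 3, payload_len);               /* over-read into adjacent memory */
    return payload_len;
}

/* Hardened handler: discard any record whose claimed payload, plus header and
 * minimum padding, exceeds what was actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *resp, size_t resp_cap) {
    if (rec_len < 1 + 2 + PADDING) return 0;          /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > rec_len) return 0; /* silently drop */
    if (payload_len > resp_cap) return 0;
    memcpy(resp, rec + 3, payload_len);
    return payload_len;
}

/* Run a handler on a request with the given claimed length and report
 * whether the response bytes contain the secret (1) or not (0). */
static int leaks_secret(size_t (*handler)(const uint8_t *, size_t, uint8_t *, size_t),
                        uint16_t claimed_len) {
    uint8_t resp[MEM_SIZE] = {0};
    size_t rec_len = build_heap(claimed_len);
    size_t n = handler(heap, rec_len, resp, sizeof resp);
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claimed 64 bytes: leaks=%d\n", leaks_secret(heartbeat_vulnerable, 64));
    printf("fixed, claimed 64 bytes:      leaks=%d\n", leaks_secret(heartbeat_fixed, 64));
    printf("fixed, honest 1-byte request: leaks=%d\n", leaks_secret(heartbeat_fixed, 1));
    return 0;
}
```

The point the check makes is that the length field and the received record length are two independent facts, and only the second one is trustworthy; the over-read is silent because memcpy has no idea where the record ends. Note that even the "fixed" variant here is a demonstration of the check, not a substitute for a real TLS implementation.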
Heartbleed also raises questions about whether so much of the Internet should rely on a single technology to keep secrets. "Anytime you have a monoculture, one bug is going to make everyone insecure," said Matthew Green, an encryption expert at Johns Hopkins University.
The OpenSSL Project counts a sole full-time developer: Stephen Henson, a 46-year-old British cryptographer with a Ph.D. in mathematics. Two other U.K. residents and a developer in Germany fill out the project's management team.
Associates describe Mr. Henson as brilliant but standoffish and overloaded with work. On his website, he lists encryption questions that are "welcome and not welcome" and compares his responsibilities to those of Bill Gates when he managed Microsoft. "Yes, oddly enough some people have actually met me," Mr. Henson writes.
Of companies asking for free advice on using OpenSSL, he asks, "Well, how would your company respond if I contacted them and demanded large amounts of free consultancy?"
Here's how the OpenSSL Project works: The team is constantly refining software that implements secure sockets layer (SSL) and its successor, transport layer security (TLS), the protocols that keep hackers from reading data that users send to websites. The basis for the now widely used software was developed in the 1990s by Eric Young, now an engineer in Australia for RSA, EMC Corp.'s security unit.
All members of the OpenSSL team are outside the U.S., to avoid arms export laws that apply to advanced encryption.
Geoffrey Thorpe, an OpenSSL volunteer on the development team, said he has little time to spend on the project because of his day job at a hardware technology company.
"You might say that it's like sewage processing in a way, messy, complicated and usually taken for granted right up until it goes wrong," said Mr. Thorpe, who lives in Quebec City.
Last decade, Steve Marquess, a former U.S. Defense Department consultant living in Maryland, started the OpenSSL Software Foundation to secure donations and consulting contracts for the group.
Mr. Marquess has helped garner sponsorships from the U.S. Department of Homeland Security and the Defense Department. He couldn't confirm the veracity of Friday's Bloomberg story.
The foundation has seen a slight uptick in donations since Heartbleed was disclosed, though most still come in $5 and $10 increments. More than anything, OpenSSL needs more manpower to audit code.
Qualys Inc., a California cybersecurity company, said it donated a small amount to the OpenSSL Software Foundation to work on security code. A company spokesman wouldn't disclose the amount, but said the fact OpenSSL lists Qualys as a "major contributor" indicates it is "woefully underfunded."
Corrections & Amplifications
The basis for the OpenSSL software was developed in the 1990s by Eric Young. An earlier version of this article incorrectly said Mr. Young invented the type of encryption.
Write to Danny Yadron at danny.yadron@wsj.com