FacebookTwitterGoogle+RedditEmail

The Problem of Heartbleed

by

We truly live in fearful times. One utterance of a potentially dangerous virus – be it biological or structural – and a pall comes over the public conversation. The language used is that of climate catastrophe, ecological doom, or, in the case of the latest computer virus by the name of Heartbleed, a destruction of trust in the structural integrity of how the Internet is used.

Pandemics are considered the satanic killers, able to strike globally, and cripple populations with inexorable ease. They lurk, waiting to strike with biblical fury. Similarly, the notion that the Internet will suffer structural damage terrifies users and pundits. Information, if not controlled, monitored, and encrypted, will invalidate norms of engagement on the world wide web.

Last week, Heartbleed, the handiwork of a German software developer by the name of Robin Seggelmann, made screaming headlines about affecting some two-thirds of the Internet’s websites. It was uncovered by employees at a Finnish company, Codemonicon, and researchers from Google. Segglemann, of the Internet Engineering Task Force (IETF) seemed rather sanguine, even apologetic about a bug that introduced a flaw in the OpenSSL protocol. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.” The feature was also overlooked by the designated code reviewer.

The fuss would not have been so great but for the fact that the encryption software is employed in numerous social networking websites, banks, online shopping sites, and search engines for purposes of keeping data safe. It is a version of the Transport Layer Security (TLS) protocol, heir to the Secore Sockets Layer (SSL) protocol that shelters internet traffic from full view. Data exchanged through such protocols is scrambled. Little wonder, then, that both government and non-government entities make extensive use of it.

Jordan Robertson, writing in Bloomberg (Apr 12), claimed that, “Millions of smartphones and tablets running Google Inc. (GOOGS)’s Android operation system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.” Google, realising a financial calamity around the corner, attempted to douse the flames by claiming that all versions of Android were immune to the flaw – except the version dubbed 4.1.1, released in 2012. Google’s own statistics show that 34 per cent of Android users use variations of the 4.1 software. Hardly a figure to inspire confidence.

The largest U.S.-mobile-phone based company, Verizon Wireless, similarly got the calming offensive, suggesting that it was “aware of the Open SSL security vulnerability referred to as ‘Heartbleed’, and we are working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1.”

The bug’s discovery even made the Canadian government suspend electronic tax filing. All federal departments employing Open SSL were shut down during the week while security patches were run, while the Canada Review Agency expressed confidence in a statement that it was making “good progress” in getting matters back online. It even decided to go easy on tax payers for the duration of the interruption.

A host of consequences, then, if a mildly capable hacker was to get down to exploit the flaw. Credit card details, intercept usernames, passwords and the like could be gathered by those familiar with the fault from a website’s server in plain text. With a degree of dissimulation, sites might well leak the information, including master encryption keys.

With a certain automatic reflex, the National Security Agency and their band of merry peeping toms was blamed. It seemed to, at least on the surface, have their calling card – a flaw in an encryption protocol, a weakening of security, an opportunity to exploit. Keeping the fences up while also inflicting breaches are, after all, their twin operating principles.

A steadfast denial was issued, an unusual feat by the standards of the intelligence community. An emailed statement from the Office of the Director of National Intelligence explained that, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

Seggelmann was also quick to scotch suggestions that signal spooks were meddling, calling the Heartbleed problem a “simple programming error in the new feature, which unfortunately occurred in a security relevant area.”

A side of the NSA often neglected is its Information Assurance Directorate, the section of the agency engaged in the business of keeping secrets and preserving the integrity of information. Heartbleed, while a problem that the NSA must combat – after all, several government branches employ the OpenSS protocol – can serve as a useful future weapon. Critical observers of NSA activity such as Julian Sanchez (Guardian, Apr 13) argue that the NSA would have been keeping an eye out for such a flaw, placing its offensive and defensive functions at loggerheads.

Little wonder, then, that accusations brewed the NSA not only knew about Heartbleed two years prior, but also exploited it to the full. (This says nothing of other vulnerabilities the NSA may have actually uncovered, and remain undisclosed.)

Sanchez correctly notes that the President’s own Review Group on Intelligence and Communications Technologies argued that the NSA “is and should not be a foreign intelligence organization” rather than “an information assurance organization.” With “multiple missions and mandates”, the NSA’s functions had proven “blurred, inherently conflicting, or both”.

The predicament our ever interconnected globe faces is collapse or corruption because of minor flaws that produce extraordinary consequences. But bodies, and hearts, need cleansing from time to time, which keeps those like Seggelmann busy in their efforts to avoid seizure and prevent a cardiac arrest. Viruses can be accidental, but also purposely engineered to test vulnerabilities. Acts of seeming triviality can doom a civilization to the chronicles, the murmur of a footnote. In Seggelmann’s own words, errors might themselves be “quite trivial”, but their impacts can be “severe”. Oscar Wilde would have chortled with approval.

Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge.  He lectures at RMIT University, Melbourne.  Email: bkampmark@gmail.com

Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com

More articles by:
June 30, 2016
Richard Moser
Clinton and Trump, Fear and Fascism
Pepe Escobar
The Three Harpies are Back!
Ramzy Baroud
Searching for a ‘Responsible Adult’: ‘Is Brexit Good for Israel?’
Dave Lindorff
What is Bernie Up To?
Thomas Barker
Saving Labour From Blairism: the Dangers of Confining the Debate to Existing Members
Jan Oberg
Why is NATO So Irrational Today?
John Stauber
The Debate We Need: Gary Johnson vs Jill Stein
Steve Horn
Obama Administration Approved Over 1,500 Offshore Fracking Permits
Rob Hager
Supreme Court Legalizes Influence Peddling: McDonnell v. United States
Norman Pollack
Economic Nationalism vs. Globalization: Janus-Faced Monopoly Capital
Binoy Kampmark
Railroaded by the Supreme Court: the US Problem with Immigration
Howard Lisnoff
Of Kiddie Crusades and Disregarding the First Amendment in a Public Space
Vijay Prashad
Economic Liberalization Ignores India’s Rural Misery
Caroline Hurley
We Are All Syrians
June 29, 2016
Diana Johnstone
European Unification Divides Europeans: How Forcing People Together Tears Them Apart
Andrew Smolski
To My Less-Evilism Haters: A Rejoinder to Halle and Chomsky
Jeffrey St. Clair
Noam Chomsky, John Halle and a Confederacy of Lampreys: a Note on Lesser Evil Voting
David Rosen
Birth-Control Wars: Two Centuries of Struggle
Sheldon Richman
Brexit: What Kind of Dependence Now?
Yves Engler
“Canadian” Corporate Capitalism
Lawrence Davidson
Return to the Gilded Age: Paul Ryan’s Deregulated Dystopia
Priti Gulati Cox
All That Glitters is Feardom: Whatever Happens, Don’t Blame Jill Stein
Franklin Lamb
About the Accusation that Syrian and Russian Troops are Looting Palmyra
Binoy Kampmark
Texas, Abortion and the US Supreme Court
Anhvinh Doanvo
Justice Thomas’s Abortion Dissent Tolerates Discrimination
Victor Grossman
Brexit Pro and Con: the View From Germany
Manuel E. Yepe
Brazil: the Southern Giant Will Have to Fight
Rivera Sun
The Nonviolent History of American Independence
Adjoa Agyeiwaa
Is Western Aid Destroying Nigeria’s Future?
Jesse Jackson
What Clinton Should Learn From Brexit
Mel Gurtov
Is Brexit the End of the World?
June 28, 2016
Jonathan Cook
The Neoliberal Prison: Brexit Hysteria and the Liberal Mind
Paul Street
Bernie, Bakken, and Electoral Delusion: Letting Rich Guys Ruin Iowa and the World
Anthony DiMaggio
Fatally Flawed: the Bi-Partisan Travesty of American Health Care Reform
Mike King
The “Free State of Jones” in Trump’s America: Freedom Beyond White Imagination
Antonis Vradis
Stop Shedding Tears for the EU Monster: Brexit, the View From the Peloponnese
Omar Kassem
The End of the Atlantic Project: Slamming the Brakes on the Neoliberal Order
Binoy Kampmark
Brexit and the Neoliberal Revolt Against Jeremy Corbyn
Doug Johnson Hatlem
Alabama Democratic Primary Proves New York Times’ Nate Cohn Wrong about Exit Polling
Ruth Hopkins
Save Bear Butte: Mecca of the Lakota
Celestino Gusmao
Time to End Impunity for Suharto’’s Crimes in Indonesia and Timor-Leste
Thomas Knapp
SCOTUS: Amply Serving Law Enforcement’s Interests versus Society’s
Manuel E. Yepe
Capitalism is the Opposite of Democracy
Winslow Myers
Up Against the Wall
Chris Ernesto
Bernie’s “Political Revolution” = Vote for Clinton and the Neocons
FacebookTwitterGoogle+RedditEmail