The Problem of Heartbleed

by Binoy Kampmark

We truly live in fearful times. One utterance of a potentially dangerous virus – be it biological or structural – and a pall comes over the public conversation. The language used is that of climate catastrophe, ecological doom, or, in the case of the latest software flaw, by the name of Heartbleed, a destruction of trust in the structural integrity of how the Internet is used.

Pandemics are considered the satanic killers, able to strike globally, and cripple populations with inexorable ease. They lurk, waiting to strike with biblical fury. Similarly, the notion that the Internet will suffer structural damage terrifies users and pundits. Information, if not controlled, monitored, and encrypted, will invalidate norms of engagement on the world wide web.

Last week, Heartbleed, the handiwork of a German software developer by the name of Robin Seggelmann, made screaming headlines about affecting some two-thirds of the Internet’s websites. That figure counts web servers built on OpenSSL; only those running the affected versions, 1.0.1 through 1.0.1f, with the heartbeat extension enabled were actually exposed. It was uncovered independently by engineers at a Finnish company, Codenomicon, and researchers from Google. Seggelmann, who also co-authored the Internet Engineering Task Force (IETF) specification for that extension, seemed rather sanguine, even apologetic, about a bug in the OpenSSL library’s implementation of the TLS heartbeat feature. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.” The variable in question is the payload length that a heartbeat message declares for itself: the code trusted it without checking it against the size of the message actually received, and so could be coaxed into echoing back up to 64 kilobytes of whatever lay beyond the message in the server’s memory. The flaw was also missed by the designated code reviewer.

The fuss would not have been so great but for the fact that the encryption software is employed in numerous social networking websites, banks, online shopping sites, and search engines for purposes of keeping data safe. OpenSSL is an open-source implementation of the Transport Layer Security (TLS) protocol, heir to the Secure Sockets Layer (SSL) protocol, which shelters internet traffic from full view: data exchanged through such protocols is encrypted in transit. Little wonder, then, that both government and non-government entities make extensive use of it.

Jordan Robertson, writing in Bloomberg (Apr 12), claimed that, “Millions of smartphones and tablets running Google Inc. (GOOGS)’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.” Google, realising a financial calamity around the corner, attempted to douse the flames by claiming that all versions of Android were immune to the flaw – except the version dubbed 4.1.1, released in 2012. Google’s own statistics show that 34 per cent of Android users run some variant of the 4.1 software, a figure that lumps the vulnerable 4.1.1 together with the other 4.1 releases Google says are unaffected, and so gives only an upper bound on exposure. Hardly a figure to inspire confidence.

The largest U.S. mobile carrier, Verizon Wireless, similarly joined the calming offensive, suggesting that it was “aware of the OpenSSL security vulnerability referred to as ‘Heartbleed’, and we are working with our device manufacturers to test and deploy patches to any affected device on our network running Android 4.1.1.”

The bug’s discovery even led the Canadian government to suspend electronic tax filing. Federal departments running OpenSSL took affected online services down during the week while security patches were applied, and the Canada Revenue Agency expressed confidence in a statement that it was making “good progress” in getting matters back online. It even decided to go easy on taxpayers for the duration of the interruption.

The consequences, then, would be considerable if even a mildly capable attacker set about exploiting the flaw. Because the over-read returns whatever happens to sit in the server’s memory at that moment, credit card details, usernames, passwords, session cookies and the like could be harvested from a website’s server in plain text, up to 64 kilobytes per request and as often as the attacker cared to ask, without leaving a trace in ordinary server logs. With enough patience, a site might well leak its private key, the master secret that protects every session it serves.
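
To make the missing check and its consequences concrete, here is an added example written for this page; it is neither the article’s code nor OpenSSL’s. It models a TLS heartbeat handler twice: once trusting the declared payload length, as the affected OpenSSL versions did, and once with the bounds check the fix added. The record layout (type byte, two-byte big-endian length, payload, at least 16 bytes of padding) follows the heartbeat specification; the memory arena, the “SESSION-KEY-4242” secret placed just after the received record, and the probe that claims a 48-byte payload while sending 4 bytes are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   96

/* Constructed secret: stands in for keys or other clients' data that, in a
 * real process, happen to sit in memory just past the received record. */
static const char SECRET[] = "SESSION-KEY-4242";

/* Build a heartbeat request: type(1) | length(2, big-endian) | payload | padding.
 * The declared length is chosen independently of the real payload size,
 * which is exactly what a Heartbleed probe does. Returns bytes actually sent. */
static size_t build_heartbeat(unsigned char *out, uint16_t declared_len,
                              const unsigned char *payload, size_t real_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xff);
    memcpy(out + 3, payload, real_len);
    memset(out + 3 + real_len, 0, HB_PADDING);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler: the declared length is never compared with rec_len,
 * so memcpy reads past the end of the record into adjacent memory. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* the real length is ignored */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* over-read happens here */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Fixed handler: a record whose declared payload does not fit inside what
 * was actually received is silently discarded, as the OpenSSL patch does. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3 + HB_PADDING) return -1;          /* too short to carry a length */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > rec_len) return -1;   /* the missing check */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Send one heartbeat with a 4-byte real payload and the given declared length.
 * Returns 1 if the secret shows up in the response, 0 if not, -1 if dropped. */
static int probe(hb_handler handler, uint16_t declared_len)
{
    unsigned char arena[ARENA_SIZE];                 /* simulated process memory */
    unsigned char resp[ARENA_SIZE];
    memset(arena, 'A', sizeof arena);
    const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    size_t rec_len = build_heartbeat(arena, declared_len, payload, sizeof payload);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* secret sits just past the record */

    int n = handler(arena, rec_len, resp, sizeof resp);
    if (n < 0) return -1;
    return contains(resp, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %s\n", probe(heartbeat_vulnerable, 48) == 1 ? "yes" : "no");
    printf("fixed handler drops the probe:       %s\n", probe(heartbeat_fixed, 48) == -1 ? "yes" : "no");
    return 0;
}
```

An honest heartbeat (declared length equal to the real payload) passes both handlers and leaks nothing; only the mismatched one pulls the secret into the response, and only from the handler that skips the comparison against the received length. The real attack surface is the same one-line check, scaled up to 64 KB per request.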

With a certain automatic reflex, the National Security Agency and their band of merry peeping toms was blamed. It seemed to, at least on the surface, have their calling card – a flaw in an encryption protocol, a weakening of security, an opportunity to exploit. Keeping the fences up while also inflicting breaches are, after all, their twin operating principles.

A steadfast denial was issued, an unusual feat by the standards of the intelligence community. An emailed statement from the Office of the Director of National Intelligence explained that, “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

Seggelmann was also quick to scotch suggestions that signal spooks were meddling, calling the Heartbleed problem a “simple programming error in the new feature, which unfortunately occurred in a security relevant area.”

A side of the NSA often neglected is its Information Assurance Directorate, the section of the agency engaged in the business of keeping secrets and preserving the integrity of information. Heartbleed is a problem the NSA must combat – after all, several government branches rely on the OpenSSL library – yet it could also serve as a useful weapon. Critical observers of NSA activity such as Julian Sanchez (Guardian, Apr 13) argue that the NSA would have been keeping an eye out for just such a flaw, placing its offensive and defensive functions at loggerheads.

Little wonder, then, that accusations brewed that the NSA had not only known about Heartbleed for two years, but had also exploited it to the full. (This says nothing of other vulnerabilities the NSA may actually have uncovered and still not disclosed.)

Sanchez correctly notes that the President’s own Review Group on Intelligence and Communications Technologies argued that the NSA “is and should not be a foreign intelligence organization” rather than “an information assurance organization.” With “multiple missions and mandates”, the NSA’s functions had proven “blurred, inherently conflicting, or both”.

The predicament our ever more interconnected globe faces is collapse or corruption because of minor flaws that produce extraordinary consequences. But bodies, and hearts, need cleansing from time to time, which keeps those like Seggelmann busy in their efforts to avoid seizure and prevent a cardiac arrest. Flaws can be accidental, but also purposely engineered to test vulnerabilities. Acts of seeming triviality can doom a civilization to the chronicles, the murmur of a footnote. In Seggelmann’s own words, errors might themselves be “quite trivial”, but their impacts can be “severe”. Oscar Wilde would have chortled with approval.

Dr. Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: bkampmark@gmail.com
