A major flaw revealed this week in widely used encryption software has highlighted one of the enduring and terrifying realities of the Internet: It is inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all.
The Heartbleed bug, which security experts first publicly revealed on Monday, was a product of the online world's makeshift nature. While users see the logos of big, multibillion-dollar companies when they shop, bank and communicate over the Internet, nearly all of those companies rely on free software, often built and maintained by volunteers, to help make those services secure.
Heartbleed, security experts say, was lodged in a section of code that had been approved two years ago by a developer who helps maintain OpenSSL, a piece of free software created in the mid-1990s and still used by companies and government agencies almost everywhere.
While the extent of the damage caused by the bug may never be known, the possibilities for data theft are enormous. At the very least, many companies and government agencies will have to replace their encryption keys, and millions of users will have to create new passwords on sites where they are accustomed to seeing the small lock icon that symbolizes online encryption.
"This was old code. Everyone depends on it. And I think that just everyone assumed that somebody else was dealing with it," said Christopher Soghoian, principal technologist for the American Civil Liberties Union.
The group that was actually dealing with it consisted of fewer than a dozen encryption enthusiasts sprawled across four continents. Many have never met each other in person. Their headquarters, to the extent one exists at all, is a sprawling home office outside Frederick, Md., on the shoulders of Sugarloaf Mountain, where a single employee lives and works amid racks of servers and an industrial-grade Internet connection.
The total donations to the group last year, in support of work that keeps billions of dollars of commerce and countless personal secrets flowing safely across the Internet: less than $2,000. The group also makes money from consulting work.
"When you consider how complicated and significant a piece of software it is, and how critical a piece of infrastructure it is, it is kind of mind-boggling," said Steve Marquess, president of the OpenSSL Software Foundation and a former federal technology contractor who works out of his Frederick-area house. "It's such a thin thread."
The Internet grew from research by the Defense Department in the late 1960s, but there has never been a master plan. One group built the Web browser, another search technology, another payment networks. Still others made the encryption technology that is increasingly demanded and scrutinized in the aftermath of revelations by former National Security Agency contractor Edward Snowden about the power and pervasiveness of Internet surveillance.
Heartbleed, named for an OpenSSL feature called Heartbeat, was discovered by a Google researcher and, separately, by a Finland-based security company, Codenomicon. The Heartbeat extension lets one side of an encrypted connection send a short message and have it echoed back; the flaw was that OpenSSL trusted the length the sender claimed for that message without checking it against what had actually arrived, so a malformed request could pull back tens of kilobytes of whatever happened to sit in the server's memory, including keys and passwords.
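The following is an added illustration, not part of the original article and not OpenSSL's code: a simplified model in C of the heartbeat exchange the bug lived in (the message layout follows RFC 6520: a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding). The vulnerable handler trusts the sender's stated payload length and copies that many bytes out of memory starting at the received record, so a small request that claims a large payload gets back whatever sits next to it. The fixed handler adds the one comparison the original code lacked, rejecting any request whose claimed length does not fit inside the record that actually arrived. The flat memory layout, the constructed "secret" planted after the record, and all function names here are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of TLS heartbeat handling (RFC 6520 layout).
 * Not OpenSSL's code; the memory layout below is an assumption. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding a heartbeat must carry */
#define SECRET_OFFSET 64        /* where "other" data sits after the record */

/* Simulated process memory: the received record at offset 0, followed by
 * unrelated data that an over-read would expose. */
typedef struct {
    uint8_t heap[128];
    size_t  record_len;          /* bytes of heap[] actually received */
} hb_memory;

static uint16_t read_u16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Build the scenario: a request with a 5-byte payload that CLAIMS
 * claimed_len bytes, and a constructed secret planted after the record. */
void hb_setup(hb_memory *mem, uint16_t claimed_len, const char *secret) {
    const char *payload = "hello";
    size_t n = strlen(payload);
    size_t slen = strlen(secret);
    memset(mem->heap, 0, sizeof mem->heap);
    mem->heap[0] = HB_REQUEST;
    mem->heap[1] = (uint8_t)(claimed_len >> 8);
    mem->heap[2] = (uint8_t)(claimed_len & 0xFF);
    memcpy(&mem->heap[3], payload, n);
    mem->record_len = 3 + n + HB_PADDING;        /* padding left as zeros */
    if (SECRET_OFFSET + slen < sizeof mem->heap)  /* keep the secret in-bounds */
        memcpy(&mem->heap[SECRET_OFFSET], secret, slen);
}

/* Vulnerable handler: uses the sender's payload length as the copy length.
 * Returns the response length, or -1 if the request is rejected. */
int hb_reply_vulnerable(const hb_memory *mem, uint8_t *out, size_t out_cap) {
    if (mem->record_len < 3 + HB_PADDING || mem->heap[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = read_u16(&mem->heap[1]);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    /* These two checks only keep the simulation inside its own buffers;
     * they are not the check that was missing. */
    if (resp_len > out_cap || 3 + (size_t)payload_len > sizeof mem->heap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = mem->heap[1];
    out[2] = mem->heap[2];
    /* Copies payload_len bytes past the end of the received record. */
    memcpy(out + 3, &mem->heap[3], payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the claimed payload, plus header and minimum padding,
 * must fit within the record that was actually received. */
int hb_reply_fixed(const hb_memory *mem, uint8_t *out, size_t out_cap) {
    if (mem->record_len < 3 + HB_PADDING || mem->heap[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = read_u16(&mem->heap[1]);
    if (3 + (size_t)payload_len + HB_PADDING > mem->record_len)
        return -1;                               /* the missing bounds check */
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = mem->heap[1];
    out[2] = mem->heap[2];
    memcpy(out + 3, &mem->heap[3], payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Runs one request through a handler. Returns 1 if the response contains
 * the planted secret, 0 if it does not, -1 if the request was rejected. */
int hb_leaks_secret(int (*handler)(const hb_memory *, uint8_t *, size_t),
                    uint16_t claimed_len, const char *secret) {
    hb_memory mem;
    uint8_t out[256];
    hb_setup(&mem, claimed_len, secret);
    int n = handler(&mem, out, sizeof out);
    if (n < 0) return -1;
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    const char *secret = "server-private-key";   /* constructed sample value */
    printf("vulnerable handler, claimed length 100: leak=%d\n",
           hb_leaks_secret(hb_reply_vulnerable, 100, secret));
    printf("fixed handler, claimed length 100: leak=%d\n",
           hb_leaks_secret(hb_reply_fixed, 100, secret));
    printf("fixed handler, honest length 5: leak=%d\n",
           hb_leaks_secret(hb_reply_fixed, 5, secret));
    return 0;
}
```

The request that triggers the leak is well-formed at the transport layer, which is why the bug is silent: nothing on the wire looks broken, the server simply answers with more than it was given. The fix is a single comparison of the claimed length against the received record length, which is the whole of the "thin thread" the article describes.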
Original article: With a Web built on free code, Heartbleed bug magnifies online world's messy nature