Heartbleed Exploit Catch 22 - Shame on Codenomicon
Posted by Sean Dempsey
OK, first of all some context – anyone with an eye on IT or security has recently heard of the ‘Heartbleed’ vulnerability — one of the “scariest web exploits in the last half century.” It has unilaterally turned the web infrastructure world on its head because of the need to stop everything you’re doing and rush to secure your servers.
But am I the only one here thinking and saying to myself – “Screw Codenomicon!” I mean, come on – this is more than partially their fault! Almost everything I read on this topic praises their ingenuity and dedication for helping to find and explain this serious issue to the public. But to quote Will Ferrell from Zoolander “I feel like I’m taking crazy pills!!!”
I say the opposite – SHAME on them! Codenomicon, for those who don’t know, is the company/’heroes’ responsible for uncovering this bug.
However, they couldn’t have gone about this in a worse way. Instead of quietly making the vulnerability known to OpenSSL folks and a select few in the security circles, they SHOUTED it from the rooftops to everyone they could. They actually rushed to make almost a marketing campaign out of this exploit (see http://heartbleed.com/). If I didn’t know any better, I would say they were trying to tell every single hacker, even those living under a rock, that this problem exists and exactly how to exploit it.
Let’s look at the sequence of events and their own description of what happened:
- These are security geeks looking to explore holes in systems; it’s what they do for a living (unlike a hacker – who typically uses known exploits to circumvent infrastructure, not create their own)
- They explain that the exploit was extremely obscure. It was like accidentally finding a needle in a stack of needles (my words, not theirs).
- They explain even they just stumbled upon the bug – “We were in the right place with the right tool”
- They discover that this is a wide-reaching problem, “impacting 66% of all known websites”
- They share the bug with the OpenSSL team (this is good!)
- They then [and this is speculation] share with their management who ask themselves “hmmm, how can we make this about us and turn this into a huge media circus to add a spotlight on our company??”
- They then purchase a web domain, explain the exploit, CREATE A FREAKIN’ LOGO, and launch a giant advertising campaign to push out knowledge about this exploit to everyone and their mother
And we (IT administrators) are now supposed to thank them like this is a huge favor to the security community. I don’t think so. I was perfectly happy letting a sleeping giant lie. Odds are no one would ever have found out about this bug if they didn’t decide to spread the message like wildfire.
Now, instead of having a contained situation that a few ‘inside’ people know about and can work to devise a plan to silently fix, we have raging pandemonium which may not fully sort itself out for many years to come. For example, there may be networking devices or systems out there which may not ever be patched.
This is exactly why in aliens-attacking-the-earth movies when the President finds out they’re coming, the first thing he DOES NOT say is “Let’s go tell the press! We should cause an immediate riot with this information.” Because we all know knowledge of this kind, in a rampant and undigested form, is often destructive. In this case, the people who really shouldn’t find out about the issue are the first to know and probably the first to exploit people’s systems.
So in conclusion – while many continue to herald Codenomicon as pioneers and innovators in their space — I will say: curse them and the way they went about this sticky mess. They should have let sleeping dogs lie, quietly communicated the vulnerability, and the standard OpenSSL release management process would have fixed the problem over time. Instead, they decided to try to capitalize on this find and make a name for themselves.
Because at the end of the day, this is a true Catch 22. Since this is a highly-used open source protocol, if the security community DOESN’T tell everyone about the bug, it’s considered being non-transparent and unethical.
However, if they DO tell everyone about the bug, then nay-sayers like me say they have awoken The Kraken – who would have lain dormant and/or unknown to the world. And Codenomicon is like Eric Cartman riding on its shoulder, capitalizing on the destruction of the Internet. Praise to them for their “innovation.” Bah!
Poorly executed, Codenomicon! I have nothing but disdain for how you handled this situation.