The Lesson of Heartbleed

Heartbleed started out as such a simple thing. It was a single error in a line of code meant to keep data transmitted on the Internet secure. The code was part of a 2011 update to OpenSSL and was written by German software developer Robin Seggelmann. As its name suggests, OpenSSL is code freely available to anyone who wants to encrypt communications. And, it was used by companies large and small; by cellphones; by tablets; by the "internet of things" and, by now about two thirds of all servers on the World Wide Web. And, in every copy, the little error was sitting there, fragile and vulnerable.

The error was a kind of heart arrhythmia. When two servers want to share data they open up a line of communication. To keep that line active, one server sends another a bit of data, and asks for it to be echoed back. In other words, it shares what's called a heartbeat - a way of making sure the other server is alive and listening. The heartbeat was sure and steady and pumped in unison millions of times a day. But, thanks to the little error, it could also be made to generate a murmur, a rhythm that could send not just a reassuring echo, but a string of data nearby the echo on a server, a string that could include passwords, encryption keys - a fatal haemorrhage of secure data.

The error, now called Heartbleed, was discovered independently by researchers at Google and Codenomicon. It was a catastrophic security breach that security analyst Bruce Schneier said "went to eleven". IT staff worldwide scrambled to suture the bleed on their servers, users changed their passwords and used hastily-cobbled tools to see if their favourite sites were vulnerable. Mainstream media brought a whole new meaning to "if it bleeds, it leads".

But, the story turned darker, then darker still. Two unnamed sourced told Bloomberg that the NSA had discovered the Heartbleed vulnerability two years ago and had been exploiting it to gather intelligence.

If so, they would have turned the error into what's known as a "Zero Day" exploit, a vulnerability that IT teams would have zero days to patch, since they would be unaware of it.

The U.S. government used just such an exploit, called the Stuxnet Worm, in 2010 to cause Iranian uranium-enriching centrifuges to spin too fast and explode.

Last week the NSA, uncharacteristically, denied it had known about or used Heartbleed. And, besides, observers said, there was no evidence that encryption keys could be extracted using the now-famous vulnerability. That reassuring notion lasted two days until node.js team members managed to do just that.

Then, on Friday, U.S. President Barack Obama said that the government leaned towards announcing vulnerabilities like Heartbleed, rather than using them for intelligence gathering. But, he gave the NSA the freedom to do just the opposite in cases of national security. That's license we have already seen the NSA use with all the self-control of a three-year-old alone with a cookie jar.

So, in one just one week a hapless programmer's little error has escalated to a cardiac arrest across the Web, has cost billions to fix and has potentially been used by a secretive and near-rogue government agency to circumvent security and shred privacy.

Of course, if the NSA were aware of the error two years ago and had announced its discovery, all of this could have been prevented.

Maybe it didn't know. Maybe its possibly $10 billion in funding, lack of oversight, its lying to Congress, its track record for interpreting its mandate broadly and its purchasing and development of zero day exploits mean nothing. Or, maybe last week's little error was just a  defibrillation to remind us we're just a heartbeat away from the death of security.