Wednesday, April 16, 2014

HeartBleed

It is hard not to hear about HeartBleed and its logo. Everywhere you look: news, company bulletins, emails... it is everywhere.

This is a bug with a catchy name and a somewhat scary logo... Strictly speaking it is not a bug in SSL the protocol, but in OpenSSL, the library that most of the internet's SSL/TLS traffic runs through, and specifically in its implementation of the TLS heartbeat extension. That library is the very foundation of security on the internet. Most people will have no idea what this is. Yikes, it has been out for so long (the vulnerable code has shipped in OpenSSL since version 1.0.1, in March 2012); just how many passwords have been taken? OK, even if it does not get fixed, how many people actually know how to steal data? Fortunately, not many. There are just so many not-so-sophisticated people out there. But unfortunately it doesn't take too many sophisticated hackers to steal your data and do some damage.

Great coverage of this in Wikipedia: http://en.wikipedia.org/wiki/Heartbleed.

Oh this is... C!

Oh, these OpenSSL guys write their own malloc and free? (OpenSSL keeps its own freelist of buffers in front of the system allocator, so the allocator's own hardening never gets a chance to catch an over-read like this one.) And oh, this is a bounds checking issue.

It is entertaining to read these code changes (the fix went into OpenSSL 1.0.1g): See here.

Now there is some 1 + 2 thing in the fix. It is bytes, not bits: a heartbeat record starts with a 1-byte message type and a 2-byte payload length, followed by the payload and at least 16 bytes of padding. The new checks, 1 + 2 + 16 > length and 1 + 2 + payload + 16 > length, make sure the header, the payload length the peer claims, and the padding all actually fit inside the record that was received. Before the fix, the code trusted the length field the peer sent and copied that many bytes back, no matter how many had really arrived, so the extra bytes came from whatever was next to the record in memory. Then there is the pointer madness. I am glad I am not assigned to fix this.
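To make the bounds check concrete, here is an added example: a simplified model of the heartbeat handler in C, written for this page and not taken from OpenSSL. It keeps the record layout from RFC 6520 (type, 2-byte length, payload, 16 bytes of minimum padding), reproduces the missing check beside the fixed one, and runs the request against a constructed "heap" where a secret sits right after the record. The names `heartbeat_respond`, `heartbeat_outcome`, the secret string and the buffer sizes are all assumptions of the example.

```c
/* Added example: a simplified model of the OpenSSL heartbeat handler, not
 * OpenSSL's code. Record layout per RFC 6520: 1-byte type, 2-byte big-endian
 * payload length, payload, then at least 16 bytes of padding. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Build the response to the heartbeat record rec[0..rec_len).
 * Returns the response length and sets *out (caller frees), or returns 0 and
 * discards the record. checked=0 reproduces the vulnerable logic, checked=1
 * the fixed logic. The vulnerable path reads past rec_len, so this model must
 * only be fed records that sit inside a larger buffer the caller owns. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, int checked,
                         uint8_t **out)
{
    const uint8_t *p = rec;
    *out = NULL;

    /* Fix, part 1: type (1) + length (2) + padding (16) must be present. */
    if (checked && 1 + 2 + HB_PADDING > rec_len)
        return 0;                                   /* silently discard */

    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]); /* n2s(p, payload) */
    p += 2;

    /* Fix, part 2: the claimed payload must fit inside the record too. */
    if (checked && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;

    if (hbtype != HB_REQUEST)
        return 0;

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    uint8_t *buffer = malloc(resp_len);
    if (!buffer)
        return 0;
    uint8_t *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    /* The bug: copy `payload` bytes from p, trusting the peer's length field
     * instead of rec_len, so an oversized claim reads adjacent memory. */
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);                      /* real code: random bytes */
    *out = buffer;
    return resp_len;
}

/* Byte-string search (memmem is not portable). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= hay_len && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed scenario: a 128-byte "heap" holding a 21-byte heartbeat request
 * (type, claimed length, real payload "hi", 16 bytes padding) followed by a
 * secret. Returns -1 if the request is discarded, 0 if it is echoed without
 * the secret, 1 if the response leaks the secret, -2 if `claimed` would push
 * the model itself outside `heap`. */
int heartbeat_outcome(int checked, uint16_t claimed)
{
    static const char secret[] = "session-cookie=4242";   /* constructed */
    uint8_t heap[128] = {0};
    size_t rec_len = 0;

    if ((size_t)claimed > sizeof heap - 3)
        return -2;

    heap[rec_len++] = HB_REQUEST;
    heap[rec_len++] = (uint8_t)(claimed >> 8);
    heap[rec_len++] = (uint8_t)(claimed & 0xff);
    heap[rec_len++] = 'h';
    heap[rec_len++] = 'i';
    rec_len += HB_PADDING;                          /* zero padding */
    memcpy(heap + rec_len, secret, sizeof secret);  /* adjacent heap data */

    uint8_t *resp;
    size_t n = heartbeat_respond(heap, rec_len, checked, &resp);
    int result = (n == 0) ? -1 : contains(resp, n, secret);
    free(resp);
    return result;
}

int main(void)
{
    printf("vulnerable, claims 40: %d\n", heartbeat_outcome(0, 40)); /* 1 */
    printf("fixed, claims 40:      %d\n", heartbeat_outcome(1, 40)); /* -1 */
    printf("fixed, claims 2:       %d\n", heartbeat_outcome(1, 2));  /* 0 */
    return 0;
}
```

With the check off, a request that claims 40 bytes but sends 2 gets 40 bytes echoed back, and the response carries the secret that happened to sit after the record. With the check on, the same request is silently discarded, while an honest request that claims exactly what it sent is still echoed normally.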

Such important code... is it properly tested? Alas, if they work with the typical QA I have seen, they will probably be asked: "How do you test this?" For the record: no bus driver asks me how to drive a bus. Some will even ask, "Did you test this? Where is your unit test plan?" I hope you work with better ones.

Now, are there more vulnerabilities in this code? I hope there are ethical experts out there who have really tested it (and not turned a bug into hacking profit).
