No, Heartbleed isn’t likely to have been purposely introduced by the NSA/FBI/Mossad/Moon Nazis

As a rule, stupidity is more likely than malice. The simple proof of this is that it’s easier to be incompetent than it is to be some grand chessmaster who sees all the pieces and manipulates them at a high level. So it is with Heartbleed.

Consider what had to go wrong for this bug to be introduced:

  • Automatic checks in memory allocators were slow on a handful of platforms
  • OpenSSL devs decide to put in a compile flag for using their own allocator, which is fast on all platforms
  • OpenSSL devs stop testing builds compiled without the custom allocator
  • OpenSSL's code is a general mess, which makes it difficult to verify and lets bugs go unnoticed for a long time
  • The actual bug is introduced

A group that wanted to deliberately subvert OpenSSL would need all of that to go wrong. If OpenSSL had tested builds for all combinations of compile flags, Heartbleed wouldn’t have happened. If they hadn’t built a custom allocator in the first place, Heartbleed wouldn’t have happened.
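For reference on what the last item in that list actually was, here is an added example (not code from this post or from OpenSSL) of a heartbeat-request parser that performs the length check Heartbleed omitted. The record layout follows RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding); the function names, buffer sizes and sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 sec. 4: HeartbeatMessage = type(1) | payload_length(2) | payload
 * | padding(>= 16). A message whose payload_length does not fit in the
 * received record MUST be silently discarded. */
#define HB_REQUEST 1
#define HB_MIN_PADDING 16

/* Returns the payload length (bytes copied into out) on success, or -1 if
 * the message must be discarded. out_cap is the capacity of out. */
int parse_heartbeat_request(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)   /* header plus minimum padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check Heartbleed lacked: the claimed payload plus 16 bytes of
     * padding must lie inside the record actually received. Without it, the
     * response was built from payload_len bytes starting at rec + 3 no matter
     * how short rec_len was, copying whatever followed in process memory. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed records for a quick self-check. */
int well_formed_is_accepted(void)
{
    /* type=1, payload_length=4, payload "ping", 16 bytes of zero padding */
    uint8_t rec[1 + 2 + 4 + 16] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return parse_heartbeat_request(rec, sizeof rec, out, sizeof out) == 4
           && memcmp(out, "ping", 4) == 0;
}

int oversized_claim_is_discarded(void)
{
    /* Same 23-byte record, but payload_length now claims 0xFFFF bytes. */
    uint8_t rec[1 + 2 + 4 + 16] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return parse_heartbeat_request(rec, sizeof rec, out, sizeof out) == -1;
}
```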


One Response to No, Heartbleed isn’t likely to have been purposely introduced by the NSA/FBI/Mossad/Moon Nazis

  1. Marc says:

    In my opinion a third party could have taken the chance that the first 4 points were already set up and made it extremely easy to introduce such a “bug”.
    But if those conditions were not met there would have been other ways for NSA and co.
    Nonetheless I don't believe either that Heartbleed was actively introduced.
    But I am sure that there is an NSA program to find new severe exploits in security software. Which means it is very likely that they knew about and used Heartbleed.
