The Heartbleed “bug”, which has affected millions of computer systems and countless hardware devices ranging from telephones to video conferencing systems to routers and firewalls, was the result of work done by a German software developer named Robin Seggelmann. Seggelmann says it was a coding error that caused Heartbleed, and the error was not “caught” by an auditor inside the OpenSSL Project. OpenSSL is the cryptographic software library widely used by industry to support encrypted connections on the Web, and to manage encryption on everything from wireless telephones to Cisco routers.
At the time of this writing, we do not know the full “team” that produces the OpenSSL software.
The OpenSSL Project works on a voluntary basis. Its headquarters is in Maryland but, according to its own description, the participants are on three continents and cover 15 time zones. If there are “rules” regarding membership in the OpenSSL Project, they are not transparent to the outsider.
The theory behind OpenSSL is that if you gather together the “best” community of programmers to tackle a hard problem, you will get the best result, one that benefits everyone. Underlying this is a sort of philosophical notion that people in the “community” join together out of good will, and that everything they contribute will be based on pure altruism. The OpenSSL Project is by far not the only community-based programming project.
In his interview with the London-based Telegraph newspaper, Seggelmann admits “it was possible that the US National Security Agency (NSA) and other intelligence agencies had used the flaw over the past two years to spy on citizens.”
There is no reason to suppose that intelligence organizations would not have discovered the bug in their routine scanning of the Internet.*** Today the Internet carries much more than data traffic; it is increasingly how telecommunications are managed. The fact that we now know that some of the top VOIP (Voice Over Internet Protocol) telephone systems made by Cisco are vulnerable to the “Bug” makes this crystal clear. You can add to this a large number of Cisco routers (the world’s most popular router system), video conferencing systems, multiple servers used to manage communications traffic, and even the firewalls that protect internal networks.
While a good deal of focus has been put on the NSA, thanks mainly to the leaks and revelations coming from Edward Snowden, the truth is that intelligence agencies around the world try to spy on just about everything they can. The British, French, Germans, Italians, Russians, Chinese, Israelis, Iranians and many others have built massive capabilities. It would be foolish to think they are not taking advantage of damaged encryption systems such as Open SSL.
In short, there is a real possibility that, aside from causing untold computer damage, people may have lost their lives because of the OpenSSL “Bug.” Say you were an Iranian dissident and you sent what you thought was a secret message to your compatriots. The knock on the door comes, and the Iranian government arrests you and accuses you of being an Israeli spy. You know the rest.
There is also clearly a link between some foreign intelligence organizations and general criminal activity. Any time money is involved in spying, as is the case with the OpenSSL flaw (which affects credit card transactions, banking and other forms of trading information), some intelligence agencies and their criminal colleagues exploit the opening to make money, lots of money. For years we have been watching the Russian mafia carry out these exploits and attack banks in the U.S. and elsewhere in the world. How much they have stolen is anyone’s guess, because banks don’t like to let on about their security failures.
A critical question is why anyone would rely on a misty group of international volunteers for security. Keep in mind that one of the sponsors of OpenSSL is the U.S. Department of Homeland Security! (Whoever in DHS supported this endeavor ought to find work elsewhere.)
An additional problem today is that the agencies we rely on domestically for security, NSA and NIST (the National Institute of Standards and Technology), have themselves been caught bugging security codes so they could exploit computers and communications globally, including the PCs, tablets and phones of Americans. NSA’s and NIST’s bugging activity has compromised them fatally.
Today in the United States we lack an independent security agency that can provide guidance on security for Americans, public and private. Thanks to NSA and NIST the U.S. government has thoroughly bugged itself, as well as everyone else. A critical task for Congress, aside from investigating the various NSA escapades, is to come up with a new, independent government organization that supports security for Americans. The Agency should have nothing to do with spying and should be prevented by law from cooperating with spy agencies.
***Bloomberg is now reporting that NSA exploited the OpenSSL bug for two years.