Friday, April 11, 2014

So much for open source, crowd source, and all other sources

The programming mistake that resulted in Heartbleed:
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features…In one of the new features, unfortunately, I missed validating a variable containing a length.”
After he submitted the code, a reviewer “apparently also didn’t notice the missing validation,” Seggelmann said, “so the error made its way from the development branch into the released version.”
Dr Seggelmann said the error he introduced was “quite trivial,” but acknowledged that its impact was “severe.”
The open-source model relies on crowds, except that crowds are sometimes sparse (an oxymoron?), and on quick reaction. This model applies to Wikipedia and financial markets as well. It relies even more strongly on so-called "self-correcting" mechanisms, since crowds can also act like herds.
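The mistake Seggelmann describes, a length field that is trusted without being compared against the bytes actually received, is easier to see in code than in prose. The following C example is added here and is not OpenSSL's code or its record format: it uses a constructed three-byte header (type, 16-bit big-endian declared payload length) and two echo routines, one without the check and one with it. The record and a constructed "SECRET" marker sit inside one array, so the unchecked copy only reads memory the program itself owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (not OpenSSL's wire format):
 *   byte 0     : message type
 *   bytes 1..2 : declared payload length, big-endian
 *   bytes 3..  : payload
 */
#define HDR_LEN 3

static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Unchecked echo: trusts the declared length and never compares it with
 * the number of bytes actually received, so the copy runs past the end of
 * the record into whatever follows it in memory. */
static size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    (void)rec_len;                      /* the received length is ignored */
    size_t n = declared_len(rec);
    if (n > out_cap) n = out_cap;       /* protects only the destination */
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Checked echo: the validation the quoted text says was missing. A record
 * that claims more payload than it carries is rejected and nothing is copied. */
static size_t echo_checked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return 0;
    size_t n = declared_len(rec);
    if (n > rec_len - HDR_LEN) return 0; /* declared length exceeds received bytes */
    if (n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Arena: a 7-byte record ("ping" with a declared length of 10) followed by
 * constructed bytes standing in for unrelated data that happens to sit next
 * to it in memory. Keeping everything inside one array means the unchecked
 * copy stays within memory this program owns. */
#define ARENA_LEN 64
#define RECORD_LEN 7

static void build_arena(uint8_t *arena) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                                 /* type */
    arena[1] = 0; arena[2] = 10;                  /* declares 10 payload bytes */
    memcpy(arena + HDR_LEN, "ping", 4);           /* only 4 are present */
    memcpy(arena + RECORD_LEN, "SECRET", 6);      /* constructed neighbouring data */
}

/* Returns 1 if the unchecked echo of the malformed record includes bytes
 * from beyond the record (here, the constructed "SECRET" marker). */
int unchecked_leaks_neighbour(void) {
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    size_t n = echo_unchecked(arena, RECORD_LEN, out, sizeof out);
    return n == 10 && memcmp(out + 4, "SECRET", 6) == 0;
}

/* Returns the number of bytes the checked echo copies for the malformed
 * record: expected 0. */
size_t checked_echo_len_malformed(void) {
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    return echo_checked(arena, RECORD_LEN, out, sizeof out);
}

/* Returns the number of bytes the checked echo copies for a well-formed
 * record whose declared length matches its payload: expected 4. */
size_t checked_echo_len_wellformed(void) {
    uint8_t rec[RECORD_LEN] = {1, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[ARENA_LEN];
    size_t n = echo_checked(rec, sizeof rec, out, sizeof out);
    return (n == 4 && memcmp(out, "ping", 4) == 0) ? n : 0;
}

int main(void) {
    printf("unchecked echo leaks neighbouring bytes: %d\n", unchecked_leaks_neighbour());
    printf("checked echo, malformed record: %zu bytes\n", checked_echo_len_malformed());
    printf("checked echo, well-formed record: %zu bytes\n", checked_echo_len_wellformed());
    return 0;
}
```

The single comparison `n > rec_len - HDR_LEN` is the whole difference between the two routines: the unchecked version happily returns ten bytes of which six never belonged to the record, while the checked version returns nothing for the same input and still echoes a well-formed record normally. A reviewer looking for this class of defect checks that every length read from the wire is bounded by the length the code was actually handed.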

Apparently, mistakes such as Seggelmann’s aren’t rare. Programmers on Reddit sympathized with him and swapped stories of their own coding errors.
“Really, the only reason that most of us haven’t caused such a massive f—up is that we’ve never been given the opportunity,” one wrote.
So if errors like these are easy to make and have potentially disastrous consequences, why isn’t something being done?
“It would be better if more people helped improving [OpenSSL],” Seggelmann told Mashable via e-mail. “The more people look at it, the less likely errors like this occur.”

Apparently not a conspiracy either:

Seggelmann, who lives in Münster, Germany, told the Herald he didn’t insert the error on purpose, as some conspiracy theorists have suggested.
“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

But what if some agency hypnotized him to make the mistake? Conspiracies can never die - they just take on a different form.
