Slashdot Mirror


Heartbleed Disclosure Timeline Revealed

bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

20 of 62 comments

  1. "Independent" discovery? by Red+Herring · · Score: 5, Interesting

    > Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2.

    Doesn't it seem strange that the flaw has existed for a long, long time (years?) but Codenomicon happens to find it less than a day after Google notified OpenSSL, and, per the article, "some infrastructure providers under embargo"? That just seems... unlikely. Not impossible, but it kind of makes you wonder who is leaking information...

    --
    #include "standard_disclaimer.h"

    1. Re:"Independent" discovery? by Albanach · · Score: 5, Interesting

      Not necessarily. It may be that the bug was known to others and that Google and Codenomicon were both monitoring channels used by more nefarious types. Both organizations may have independently 'discovered' the bug after each becoming aware that an exploit existed without having full details of the exploit.

    2. Re:"Independent" discovery? by AdhSeidh · · Score: 5, Interesting

      Perhaps you have already forgotten about CVE-2014-1266, the Apple SSL/TLS bug from February; this is why every security group on the planet was looking for other encryption-related loopholes.

    3. Re:"Independent" discovery? by rmdingler · · Score: 4, Interesting

      In all likelihood, there was a "discovery" by Google that led to a sharing of information with Codenomicon... someone told an old college buddy or former co-worker.

      There were almost certainly folks who were aware of the vulnerability before Google.

      Were these folks criminals or government employees? And yes, there's a small difference... generally found in the probability for prosecution.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re:"Independent" discovery? by briancox2 · · Score: 4, Funny

      That's what Newton said to Leibniz.

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.

    5. Re:"Independent" discovery? by JustOK · · Score: 4, Funny

      Or NCC-1701-D

      --
      rewriting history since 2109

    6. Re:"Independent" discovery? by icebike · · Score: 2

      Not necessarily. It may be that the bug was known to others and that Google and Codenomicon were both monitoring channels used by more nefarious types. Both organizations may have independently 'discovered' the bug after each becoming aware that an exploit existed without having full details of the exploit.

      And the story should have been about WHEN those nefarious types first started mentioning it, not about when the white-hats actually found it.
      Did those blackhats find it by reading the code, or accidentally stumbling upon it in some way?

      I suspect it was the former, but I think that discussion is more important than when Google detected it. After all, the implication is that Google discovered nothing, but simply heard about it in the hallway or something.

      --
      Sig Battery depleted. Reverting to safe mode.

    7. Re:"Independent" discovery? by ameen.ross · · Score: 2

      Thank you. I've been saying this from the beginning and am very annoyed that every time people write about Heartbleed, it links to Codenomicon's site. Even if it was an independent discovery (which it wasn't) then it's still too much credit. People should just link to the official CVE...

      --
      $(echo cm0gLXJmIC8= | base64 --decode)
  2. Negligence by Daniel+Ellard · · Score: 3, Interesting

    Why did Google wait ten days before notifying OpenSSL? (even if they didn't trust OpenSSL to handle it responsibly, it couldn't have taken ten days for Google to patch their systems)

    --
    Disclaimer: I work for a company, but I don't speak for them.

    1. Re:Negligence by batrick · · Score: 3, Insightful

      Negligence? They don't owe you a fucking thing.

      Also, the flaw has also existed for over two years. What does one more week hurt?

    2. Re:Negligence by Anonymous Coward · · Score: 5, Insightful

      Simple: to fully test and develop the patch (see: https://bugzilla.redhat.com/at... ). It's much better if someone who knows of a problem and has the ability to fix it sits on the announcement to keep from wider exposure. This helps keep the common-knowledge exploitation period to a minimum.

    3. Re:Negligence by freeze128 · · Score: 5, Insightful

      Also, April 1st is the *WORST* day to notify ANYONE that there is a severe security flaw.

    4. Re:Negligence by Anonymous Coward · · Score: 2, Insightful

      10 days to figure out a patch that was: 1) secure 2) stable 3) well tested??? 4) passed legal?

      I mean... 10 days isn't a 'long' time for a big company like this to 'find' and then 'report' a bug, especially of THIS magnitude.

    5. Re:Negligence by pedantic+bore · · Score: 2

      Yeah, if that's what happened. But that's not what the article says.

      It says that on March 21st, Google had already fixed the flaw and rolled out the patches internally. Fine; they get to cover their own asses first. No argument.

      Then a week went by.

      --
      Am I part of the core demographic for Swedish Fish?

  3. Damn sleep... by Anonymous Coward · · Score: 3, Interesting

    Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed.

    I don't know why, but this reminded me of Cyril Evans. Never go to bed.

  4. Re:End result: mass panic by Anonymous Coward · · Score: 2, Insightful

    And you also see this same type of thing in proprietary software, where tons of losers are hired to work on the code, with predictably terrible results. The thing about open source is that anyone can see the source code, and people not part of the group that wrote the code can check it, so you at least have some chance of understanding what's going on.

    Anyone who claims that open source advocates claim that open source is 100% immune from all flaws is just spewing forth straw men.

  5. But when/if has it been exploited? by queazocotal · · Score: 2

    There are out there honeypot machines, which log all inbound and outbound packets.
    They can run retrospective analysis of these packets to work out if undetected exploit probes have occurred.

    Is anyone aware of this being done for heartbleed?

    It would be interesting if - for example - it went from no exploits to most honeypots probed 3 months ago.

    1. Re:But when/if has it been exploited? by rainer_d · · Score: 2

      There are various reports that efforts to exploit this vulnerability go back almost as far as the introduction of the bug to various distributions.

      I wonder if someone discovered the bug and sold it to the "vulnerability assessment" industry (which in turn supplies spooks and other government agencies with their exploits so they can perform "lawful interception").
      Such a bug would probably sell for a million these days. Or even more.

      --
      Windows 2000 - from the guys who brought us edlin
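
queazocotal's question above, whether honeypot operators have run retrospective analysis over their packet logs for Heartbleed probes, is concrete enough to show in code. The block below is an added example written for this page, not code from the thread or from any honeypot project: it walks a reassembled TLS byte stream, picks out heartbeat records, and flags any whose declared payload length exceeds what the record actually carries, which is the length mismatch that Heartbleed turns into an over-read. It assumes TCP reassembly has already been done so the input is contiguous TLS record-layer bytes; the sample records are constructed inside the block rather than captured, and the `build_heartbeat` helper exists only to produce that test input.

```python
"""Retrospective scan of captured TLS records for Heartbleed-style heartbeat
requests. Added example for this page; assumes the capture has already been
reassembled into a contiguous TLS record-layer byte stream."""
import struct
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 0x18   # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST = 1         # heartbeat_request message type
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of padding


def iter_tls_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (content_type, version, body) for each TLS record in the stream.
    A truncated trailing record ends the scan quietly instead of raising,
    which is the behaviour you want on partial packet captures."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:          # record cut off by the end of capture
            break
        yield ctype, version, body
        off += 5 + length


def classify_heartbeat(body: bytes) -> Tuple[str, int, int]:
    """Compare the declared payload_length of one heartbeat record body with
    the bytes actually present. Returns (verdict, declared, actual) where
    verdict is 'short' (no complete header), 'oversized' (the peer would
    have to read past the record to answer it) or 'ok'."""
    if len(body) < 3:
        return "short", -1, len(body)
    _hb_type, declared = struct.unpack("!BH", body[:3])
    actual = len(body) - 3                 # payload + padding actually carried
    if declared + MIN_PADDING > actual:    # header claims more than is there
        return "oversized", declared, actual
    return "ok", declared, actual


def scan_stream(stream: bytes) -> List[dict]:
    """Return one finding per heartbeat record, tagged with its record index;
    handshake and application-data records are skipped."""
    findings = []
    for idx, (ctype, _version, body) in enumerate(iter_tls_records(stream)):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, declared, actual = classify_heartbeat(body)
        findings.append({"record": idx, "verdict": verdict,
                         "declared": declared, "actual": actual})
    return findings


def build_heartbeat(payload: bytes, declared_len: int, version: int = 0x0302) -> bytes:
    """Build a heartbeat request record as constructed test input (not captured
    traffic). declared_len is written into the header as given, so a mismatch
    with len(payload) can be produced on purpose for the detector."""
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


# Constructed sample stream: one application-data record, one well-formed
# heartbeat, and one heartbeat whose header claims 16384 payload bytes while
# carrying none.
SAMPLE_STREAM = (
    struct.pack("!BHH", 0x17, 0x0302, 5) + b"hello"
    + build_heartbeat(b"ping", 4)
    + build_heartbeat(b"", 0x4000)
)

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_STREAM):
        print(f"record {f['record']}: {f['verdict']} "
              f"(declared={f['declared']}, actual={f['actual']})")
```

Run against the constructed stream it reports the second heartbeat as oversized and the first as fine. On a real honeypot log the interesting output is the timestamp of the earliest `oversized` finding, which is exactly the "when did probes start" question the post asks; the detector only inspects lengths, so it works on plaintext-visible record headers even when the heartbeat is sent inside an established session.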

  6. Re:http://www.linuxadvocates.com by symbolset · · Score: 2

    He knows we are going to talk about how Microsoftie Howard Schmidt is chairman of the board of codenomicon.

    --
    Help stamp out iliturcy.

  7. Re:Is OpenSSL by [prev'ly DoD-funded] OpenBSD folk by kevin+lyda · · Score: 2

    OpenSSL did not come from OpenBSD. So right from the start your theory is broken.

    --
    US Citizen living abroad? Register to vote!