Die Flagge des Marasek

Dekostreifen

Deutsch

Current Texts Comic Imprint Calendar Search PHP-Classes Container-Wizard main.s21

Categories

Class Library
Computers
Gaming
Global Politics
Programming
Society
Weblog
World Outlook
{{login}}

The worst bug ever

Permalink
Previous: The Debian SSL IssueNext: Die erste Klimakatastrophe
Assigned keywords: Computer

As mentioned before, I deem the Debian/OpenSSL-Bug to be the worst software bug in history (of software, obviously). Let me sum up why:

  • There is an evil cause/effect ratio. The maintainer commented two lines out in order to get rid of warning messages in a debugging tool, which is an aesthetic change, and broke the program entirely.
  • it went officially unnoticed for about two years. "officially" because you really don't know who knew about it and probably you don't want to. But I'm sure that quite some black hat and secret service guys suffer from Priapism right now.
  • it affects not only the present, but the past. Having a buffer overflow in some software means that you install the patch and be done with it, or set up the system anew if you have to fear that it has been compromised. But with the Debian bug, encrypted communication worth two years becomes compromised.
  • it strikes at one of the most sensitive areas of information technology: encryption. The damage done by compromised ranges from embarassment when your collection of SM poetry is revealed to economic damage when internal data is revealed up do mortal danger if content is revealed that some dictatorial regime considers illegal.
  • it is difficult to estimate the expenses that are necessary to repair the damage, even if the problem of the compromised encryption is left out. The resulting effort may be as small as to patch your home server and generate a new key to reissuing all of your certificates - think of an university that has Wireless LAN secured by OpenVPN and SSL certificates.
    The situation is even worsened by having up to date no entirely reliable tools for checking keys, since the tools available do not cover all possibilities yet.
  • it is the first massive failure of the Open Source principle, as OS did not live up to one of it's key promises: that flaws will be discovered more quickly as more people can read the source. Proponents of CS have always countered that argument that this is only valid if people actually read the source and be competent enough to do it, and obviously, there are not many people who do that when it comes to more complicated subjects such as encryption. So guess that makes another Priapism for Ballmer and friends.
  • it just showed how invincible everyone is. Especially High Nerds often display a terrible level of arrogance, likening security issues to stereotype secretaries working with Windows, that deserve to be reminded by High Nerd Hackers of their incompetence. Linux users often stress that they are in full control of their system, but the bug clearly showed that this control is in reality just an illusion. And a false sense of security can be worse than no security at all.
  • With Debian being a typical server distribution, we have a small but high profile "target audience" of higher strategic value.

Given these points, I find it absolutely reasonable to name this bug the worst bug ever.

Comments

Please note: comments posted won't be visible immediately, as they will be checked for harmful content.

* Title  
* Nickname  
* Comment