Forgot your password?
typodupeerror
Security

Heartbleed Disclosure Timeline Revealed 62

Posted by samzenpus
from the when-did-you-know dept.
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."
This discussion has been archived. No new comments can be posted.

Heartbleed Disclosure Timeline Revealed

Comments Filter:
  • by Red Herring (47817) on Monday April 14, 2014 @06:18PM (#46751463)

    > Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 2.

    Doesn't it seem strange that the flaw has existed for a long, long time (years?) but Codenomicon happens to find it less than a day after Google notified OpenSSL, and, per the article, "some infrastructure providers under embargo"? That just seems... unlikely. Not impossible, but it kind of makes you wonder who is leaking information...

    • by Albanach (527650) on Monday April 14, 2014 @06:25PM (#46751519) Homepage

      Not necessarily. It may be that the bug was known to others and that Google and Codenomicon were both monitoring channels used by more nefarious types. Both organizations may have independently 'discovered' the bug after each becoming aware that an exploit existed without having full details of the exploit.

      • by icebike (68054)

        Not necessarily. It may be that the bug was known to others and that Google and Codenomicon were both monitoring channels used by more nefarious types. Both organizations may have independently 'discovered' the bug after each becoming aware that an exploit existed without having full details of the exploit.

        And the story should have been about WHEN those nefarious types first started mentioning it, not about when the white-hats actually found it.
        Did those blackhats find it by reading the code, or accidentally stumbling upon it in some way?

        I suspect it was the former, but I think that discussion is more important than when Google detected it. After all, the implication is that
        google discovered nothing, but simply heard about it in the hallway or something.

    • by AdhSeidh (193409) on Monday April 14, 2014 @06:28PM (#46751559)

      perhaps you have already forgotten about CVE-2014-1266 the Apple SSL/TLS bug from Februrary this is why every security group on the planet was looking for other encryption related loopholes

    • by rmdingler (1955220) on Monday April 14, 2014 @06:36PM (#46751607)
      In all likelihood, there was a "discovery" by Google that led to a sharing of information with Codenomicon... someone told an old college buddy or former co-worker.

      There were almost certainly folks who were aware of the vulnerability before Google.

      Were these folks criminals or government employees? And yes, there's a small difference... generally found in the probability for prosecution.

      • by BVis (267028)

        Were these folks criminals or government employees? And yes, there's a small difference... generally found in the probability for prosecution.

        There's always one, isn't there.

    • by briancox2 (2417470) on Monday April 14, 2014 @06:47PM (#46751685) Homepage Journal
      That's what Newton said to Leibniz.
    • by Anonymous Coward

      No, this is not uncommon at all in research. The idea that two groups are both looking into how [X] works, and how [Y] responds to [X] is quite common. Being a security researcher myself (slightly different sub-field, but still reason for anon posting) I can say that it is quite an easy possibility that both teams were checking the ENTIRE ISO~TCP/IP stack from lvl 0 up to lvl (whatever 'top' is in your outlook/naming scheme) And that they both found it around the same time.

      Until I see _any_ evidence to poin

    • Thank you. I've been saying this from the beginning and am very annoyed that every time people write about Heartbleed, it links to Codenomicon's site. Even if it was an independent discovery (which it wasn't) then it's still too much credit. People should just link to the official CVE...

  • Negligence (Score:4, Interesting)

    by Daniel Ellard (799842) on Monday April 14, 2014 @06:24PM (#46751507)
    Why did Google wait ten days before notifying OpenSSL? (even if they didn't trust OpenSSL to handle it responsibly, it couldn't have taken ten days for Google to patch their systems)
    • Re:Negligence (Score:4, Insightful)

      by batrick (1274632) on Monday April 14, 2014 @06:30PM (#46751569)

      Negligence? They don't owe you a fucking thing.

      Also, the flaw has also existed for over two years. What does one more week hurt?

    • Re:Negligence (Score:5, Insightful)

      by Anonymous Coward on Monday April 14, 2014 @06:32PM (#46751585)
      Simple, to fully test and develop the patch (see: https://bugzilla.redhat.com/at... [redhat.com] ). It's much better if someone who knows of both a problem and has the ability to fix it to sit on the announcement to keep from wider exposure. This helps keep the common knowledge exploitation period to a minimum.
      • by rahvin112 (446269)

        The problem is that we don't know how the discovery was made.

        The NSA has apparently known about heartbleed since the start. And I would be surprised if Google and other major corps aren't monitoring criminal forums where these exploits are sold. Which makes me wonder if Google discovered it though monitoring the criminal channels or it's own audits.

        • by swillden (191260)

          And I would be surprised if Google and other major corps aren't monitoring criminal forums where these exploits are sold.

          I think you would be surprised. I also think that the process one would have to go through to get vetted and get access to those forums probably requires actions that a major corp wouldn't take. FWIW, I work in security at Google and have never heard of any sort of monitoring of criminal forums.

          • by GryMor (88799)

            If it happens at all, it's using independent contractors.

            • by swillden (191260)

              If it happens at all, it's using independent contractors.

              Which would amount to hiring criminals. Seems unlikely to me.

        • The NSA has apparently known about heartbleed since the start

          Source?

    • Re:Negligence (Score:5, Insightful)

      by freeze128 (544774) on Monday April 14, 2014 @06:46PM (#46751675)
      Also, April 1st is the *WORST* day to notify ANYONE that there is a severe security flaw..
      • by dkf (304284)

        Also, April 1st is the *WORST* day to notify ANYONE that there is a severe security flaw..

        Major public holidays (e.g., Christmas) are much worse, as there's a really good chance nobody will even look at the warning, and may decide that their family time trumps fixing security problems.

        April 1 is just the worst day to announce a major breakthrough or groundbreaking new product.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      10 days to figure out a patch that was: 1) secure 2) stable 3) well tested??? 4) passed legal?

      I mean... 10 days isn't a 'long' time for a big company like this to 'find' and then 'report' a big, especially of THIS magnitude

    • You don't think it could take 10 days to find a flaw, fix it, make sure you've fixed it, and roll the fixes out to prod? And then "notif[y] some infrastructure providers under embargo" and let them fix it and roll it out to prod?

      You may disagree with Google looking out for themselves first here, but the fact is they'd be negligent (and foolish) to spread this more widely until they'd ensured it was fixed for themselves and (by extension) their customers/users.

      • Yeah, if that's what happened. But that's not what the article says.

        It says that on March 21st, Google had already fixed the flaw and rolled out the patches internally. Fine; they get to cover their own asses first. No argument.

        Then a week went by.

        • You must be reading a different article than I am. I see "The patch is then progressively applied to Google services/servers across the globe." which implies to me that the 21st was the start of the clock. I could easily imagine that it would take several days to update everything.

          Then the clock starts ticking for whoever the "infrastructure providers under embargo" are. I emphasized "then" in my original post - presumably they wouldn't share the flaw even with trusted partners until they'd fixed it themsel

    • by Anonymous Coward

      Why did Google wait ten days before notifying OpenSSL? (even if they didn't trust OpenSSL to handle it responsibly, it couldn't have taken ten days for Google to patch their systems)
      Are you serious? They can see that there is a problem, but a patch or fix is not necessarily readily available. It would take a small team --very well versed in cryptography and networking-- several days to wade through all of the code. OpenSSL might sound like a nice little library, but is over 370,000 lines of source code,

  • Damn sleep... (Score:3, Interesting)

    by Anonymous Coward on Monday April 14, 2014 @06:27PM (#46751545)

    Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed.

    I don't know why, but this reminded me of Cyril Evans [wikipedia.org]. Never go to bed.

  • by queazocotal (915608) on Monday April 14, 2014 @06:57PM (#46751733)

    There are out there honeypot machines, which log all inbound and outbound packets.
    They can run retrospective analysis of these packets to work out if undetected exploit probes have occurred.

    Is anyone aware of this being done for heartbleed?

    It would be interesting if - for example - it went from no exploits to most honeypots probed 3 months ago.

    • by rainer_d (115765)
      There are various reports that efforts to exploit this vulnerability go back almost as far as the introduction of the bug to various distributions.

      I wonder if someone discovered the bug and sold it to the "vulnerability assessment" industry (which in turn supplies spooks and other government agencies with their exploits so they can perform "lawful interception").
      Such a bug would probably sell for a million these days. Or even more.

      • I don't know what the information about such a vulnerability would sell for.

        Personally, I would recommend turning it into a multi-year deal as opposed a single large bonus check, but I'm old, boring, and practical.

        We just don't know if it was discovered by a TLA or sold to a TLA, but because they would bid the highest at any auction you can conceive, they undoubtedly had it way, way before Google.

  • I don't understand why Sidhpurwala didn't have a back up contact in another time zone that could have been contacted when he was asleep.

  • There's the trouble. Google's disclosure came on a day when nobody believes what they read on the Internet.

Anyone can do any amount of work provided it isn't the work he is supposed to be doing at the moment. -- Robert Benchley

Working...