It’s been fascinating to watch news of heartbleed, the massive OpenSSL exploit, spread on the web. After years of quietly putting us at risk, the general web user became aware of the exploit only a few days ago, and probably via heartbleed.com.
The site, which appeared almost overnight, was full of interesting info on the exploit, had a handsome minimalist design and included a nice logo. Someone had taken a bit of time to build an attractive and usable site.
But I was curious: how did heartbleed.com happen? When major exploits appear they are usually proliferated through wonky pages on security researcher sites. These “old-fashioned” exploit pages included a brief description, some references, and mention of the researchers involved. No images, just text.
But this exploit now had its own logo, its own website, and had taken on a life of its own. In short, Heartbleed was one of the first “branded” exploits, a computer bug that has been professionally packaged for easy mass consumption.
Not everyone was happy about this. One Twitter user writes:
☑ register http://t.co/ZGfyHkwhcr domain
☑ get custom graphic designed
☐ disclose to distros in advance
☑ disclose to public
Priorities— keyist (@keyist) April 8, 2014
While it’s fun to think that someone is profiting from exposing this exploit, the facts are much more mundane. With a bit of not particularly difficult sleuthing, I found the registrar listing for the site. It belonged to a company in Finland, Codenomicon who registered it a mere four days ago, a day or so after the exploit became “popular.”
The company was happy to answer questions about the site and stated emphatically that they were just trying to help the community.
“The content started as an internal Q&A which we wrote when trying to understand this bug and its impact,” said Miia Vuontisjärvi of Codenomicon. “Within hours of discovery we contacted NCSC-FI to handle the vulnerability coordination. When we tried the attack against ourselves and saw the disclosure of secret keys we understood that the Internet community has a new kind of vulnerability remediation challenge to solve.”
“Experiencing the pain of the bug first hand we got a nagging feeling that this calls for a ‘Bugs 2.0’ approach in getting the message out in an emergency. Ossi, one of our experts came up with Heartbleed as an internal codeame and from there on thing lead to the other. The domain was available and our artist Leena Snidate did a an excellent job in putting our pain into the logo. It all went much faster than expected.
“When the vulnerability became public we realized that this is going to be a crisis communication. We said what we had to say in the Q&A with as little litter as possible. We put it available on a low latency and high bandwidth content delivery network so that it is very accessible for anyone in the need. Based on initial reactions we did some minor edits but we quickly saw the Internet community picked the issue up in an astonishing way.”
The idea of a branded exploit – one that is carefully curated for easy consumption – is a new one. Historically obfuscation, either real or inadvertent, has been the watchword in computer security mostly because not everyone cared about major exploits. Heartbleed, in a way, was different. It was worldwide, very dangerous, and oddly photogenic. Whereas a Java exploit or Adobe Reader problem is “invisible” to the average user, the idea of a hacker watching your passwords scroll, Matrix-like without security systems setting off alarm bells is compelling and frightening. By creating a “bugs 2.0” page for the exploit, Codenomicon inadvertently allowed the average user to understand and potentially react to the problem.
It worked.
“It is amazing to see such a community reaction to address this: internet wide scans, detection tools, pressure on passive service providers, top-notch reactions from progressive service providers (including re-keying and password changes), users advising each other and useful analysis by the media worldwide,” said Vuontisjärvi. “All this is making security more democratic, this issue was too big for the security community to handle alone. Seeing almost one tweet per second at its peak on normal users reacting to this has been reassuring and is restoring our trust into the Internet.”
Comment