The man responsible for Heartbleed has been identified as Robin Seggelmann. Here’s what we know about the man who caused one of the biggest Internet security problems of all time.
1. Robin Seggelmann Caused Heartbleed, a Security Flaw in OpenSSL
Robin Seggelmann is the programmer responsible for the Heartbleed security flaw in OpenSSL.
The Sydney Morning Herald writes:
“Dr. Seggelmann…said the bug which introduced the flaw was ‘unfortunately’ missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
‘I was working on improving OpenSSL and submitted numerous bug fixes and added new features,’ he said.
‘In one of the new features, unfortunately, I missed validating a variable containing a length.’
After he submitted the code, a reviewer ‘apparently also didn’t notice the missing validation’, Dr Seggelmann said, ‘so the error made its way from the development branch into the released version.’ Logs show that reviewer was Dr. Stephen Henson.”
2. Robin Seggelmann is a German Programmer
Seggelmann is a German programmer who has written a number of papers. His website indicates that he wrote his doctoral thesis on “Strategies to Secure End-to-End Communication” in 2012. He earned his Ph.D. from the University of Duisburg-Essen.
Business Insider notes “Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but isn’t involved with the project any more.”
3. Robin Seggelmann Claims Heartbleed Was an Accident, Not a Malicious Plot
How many intel agencies are looking at connections to Robin Seggelmann right now? http://t.co/BW1uDquZmN
— Matt Brooks (@cmatthewbrooks) April 10, 2014
While some media outlets have reported that Seggelmann may have introduced Heartbleed maliciously, Seggelmann denies these allegations. The Daily Dot reports that Seggelmann’s Heartbleed programming error was “not intended at all.”
4. Robin Seggelmann Says Alcohol Was Not a Factor in Heartbleed Flaw
This #Seggelmann thing is turning into a witch hunt. Anyone thinking the patch reviewer might be as responsible? Bugs happen, people.
— Fabian A. Scherschel (@fabsh) April 11, 2014
According to MarketWatch, the Heartbleed flaw went live just before midnight on December 31, 2011. Since the flaw happened on New Year’s Eve, many have assumed that alcohol was a factor in the bug’s creation, or at the very least, a factor that explains why the bug went undiscovered by other members of the OpenSSL team. MarketWatch quotes Seggelmann, who says, “It’s only a coincidence that it [Heartbleed] was submitted during the holiday season.”
5. Robin Seggelmann Takes Responsibility, Regrets Oversight That Caused Heartbleed
In an interview with the Guardian, Seggelmann stated:
“I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version…
I can only assume that it took so long [to notice Heartbleed] because it’s in a new feature which is not widely used and not a conceptual, but a simple programming error.
OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project.”
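Both the Sydney Morning Herald quote in point 1 and the Guardian quote above come down to the same thing: a length field supplied by the peer was used without checking it against the size of the message that actually arrived. The illustration below is added here to make that concrete; it is not code from the article, from Seggelmann or from the OpenSSL project. It uses the heartbeat message layout from RFC 6520 and two hand-built sample records (one honest, one that declares far more payload than it carries), and the function and variable names are this example's own. It deliberately never performs the over-read: it only shows which length an unchecked handler would have trusted, and how the bounds check that the fixed release added rejects the bad record.

```c
#include <stddef.h>
#include <stdio.h>

/* Byte layout of a TLS heartbeat message body (RFC 6520):
 *   1 byte   type
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding
 * The sender chooses payload_length; the receiver must not trust it. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* What an unchecked handler trusts: the length field as the peer sent it.
 * If this value alone sized the reply copy, a short record declaring a large
 * payload would make the copy read beyond the record into adjacent memory. */
size_t declared_payload_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened handling: accept the declared length only if the record is long
 * enough to hold header + payload + minimum padding. Returns 1 and sets
 * *payload_len on success, 0 on rejection. This is the shape of the bounds
 * check the fixed OpenSSL release added; a rejected message is discarded. */
int parse_heartbeat(const unsigned char *rec, size_t rec_len, size_t *payload_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                                   /* cannot even hold padding */
    size_t payload = declared_payload_len(rec, rec_len);
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;                                   /* the missing validation */
    *payload_len = payload;
    return 1;
}

/* Constructed sample records (hand-built for this illustration, not captured
 * traffic). Both carry 16 bytes of zero padding. */
static const unsigned char honest_record[] = {
    0x01, 0x00, 0x04, 't', 'e', 's', 't',           /* declares 4, carries 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const unsigned char lying_record[] = {
    0x01, 0xFF, 0xFF, 'a', 'b', 'c',                /* declares 65535, carries 3 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Returns the accepted payload length, or -1 if the hardened parser rejects
 * the record. which == 0 selects honest_record, anything else lying_record. */
long sample_parse(int which) {
    const unsigned char *rec = which ? lying_record : honest_record;
    size_t rec_len = which ? sizeof lying_record : sizeof honest_record;
    size_t n = 0;
    return parse_heartbeat(rec, rec_len, &n) ? (long)n : -1L;
}

/* Returns the length an unchecked handler would have trusted. */
size_t sample_declared(int which) {
    return which ? declared_payload_len(lying_record, sizeof lying_record)
                 : declared_payload_len(honest_record, sizeof honest_record);
}

int main(void) {
    printf("honest record: declared %zu, parser result %ld\n",
           sample_declared(0), sample_parse(0));
    printf("lying record:  declared %zu, parser result %ld\n",
           sample_declared(1), sample_parse(1));
    return 0;
}
```

Run as written, the honest record is accepted with a 4-byte payload, while the lying record is rejected even though an unchecked handler would have trusted its declared 65535 bytes. The whole difference between the flawed and the fixed code is the single comparison against the real record length, which is why a reviewer reading the patch could miss it.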