The "Goto Fail" and "Heartbleed" Bugs

Final Words

There is a bright side. First, while these bugs were certainly enormous, they were not proven to be "catastrophic", as some well-known industry pundits have called them. If this were "catastrophic", then there would be no word to describe something that, say, shut down the entire Internet.

Second, the prompt industry response, and the ability of site managers to immediately generate new private keys to eliminate further Heartbleed threats, validates the overall administrative and technological capability of the system to recover from problems. Of course, conspiracy theorists will surmise that some nefarious groups, like foreign spy rings or our own NSA, deliberately inserted Goto Fail into Apple software, or planted Heartbleed into OpenSSL for their own use to decrypt all our e-mails. That is unlikely for these two bugs, since their origins are pretty indisputable. Either way, no one can say there are no more such bugs yet to be discovered. So, we should use these episodes as a learning experience both in a negative sense (to consider whether we might want to stop sharing certain types of information with ordinary secure websites), and in a positive one (by understanding that the system is resilient, and that even the most terrible bugs are unlikely to be exploited significantly by criminals before the industry can fix them).

The proximity and similarity of these two bugs sheds light on the fact that there is no clear winner in the debate over the quality of big-company proprietary software vs. free software made by small, scrappy groups. Apple is worth hundreds of billions of dollars, while the OpenSSL Project was a volunteer group of eleven people. Both produced a grievous security hole in software installed on computers and devices worldwide.

Notice also that neither of these bugs is a "virus". If you read an article referring to them as such, you should gravely question the author's expertise. A virus is unwanted software that gets installed on the victim's computer to do its wicked deeds. Both Goto Fail and Heartbleed are faults in legitimate software. If you want to describe these bugs with a term that better emphasizes their effects, you could more appropriately say "security flaws" or "security holes", but not "viruses".
