Why is Heartbleed like bananas and did the NSA know?


I love free open source software. There are literally thousands of FOSS projects that are unbelievably creative, beautifully engineered, and incredibly useful, but as compelling as they might be, when they become enormously popular you wind up with a potentially huge problem.

When some code in the FOSS world has that special voodoo that addresses a well-defined and mission critical need, is easy to implement, easy to manage, and robust, it's likely to become a market standard. Great examples include Linux, Apache, Sendmail ... there's a long list of FOSS projects that have become dominant in their niche.


But dominance in the software world has a parallel in the natural history of biological ecosystems. When a biological monoculture becomes dominant, it's guaranteed that a pest or disease that exceeds some level of virulence can threaten the entire biome. That is exactly what's happening with bananas, because the bananas you buy at the supermarket are overwhelmingly of one variety: Cavendish.

The Cavendish, which originally came from Vietnam, is the result of centuries of selective breeding of a mutant, a cross between Musa acuminata and Musa balbisiana, two wild South Asian species. Unfortunately because the Cavendish is a hybrid, it is sterile (just like the mule which is a cross between a donkey stallion and a horse mare).

So, because the Cavendish is sterile it has to be propagated by suckers, with the result that all Cavendish banana plants have the same genome. This, in turn, means that a virus or fungus that is aggressive and destructive and relies on a specific target biology has, in the case of Cavendish bananas, a huge population to exploit ... which is exactly what's happening today.

Currently there's an outbreak of a new strain of a disease called Black Sigatoka, which destroys Cavendish bananas and which originally appeared in a less virulent form in the 1970s. This has re-emerged along with another contagion, Panama Disease. These two contagions are successful simply because there are so many identical hosts so close together.

Experts say that it's only a matter of time before these two diseases decimate or, most likely, obliterate the single most cultivated and valuable banana variety in the world today. This, in turn, will have economic consequences on a biblical scale. But enough of bananas; let's talk about contagions in computer ecologies ...

The most commonly recognized computer contagions are computer viruses and malware, but we also have to include hackers. Like biological contagions, all of these computer contagions attack specific hosts, which are the targets they are adapted for or can adapt to. And when there's a large population of identical targets, these computer contagions, like their biological counterparts, have more opportunity to propagate and thereby become harder to eradicate.

In the case of OpenSSL, its adoption by a huge market meant that the bug du jour, the Heartbleed bug, became the entry point for computer contagions, much as the specific biology of Cavendish bananas is exploited by Black Sigatoka and Panama Disease.

What I find so interesting about this vulnerability is that government agencies such as the NSA must have known about the flaw and said nothing to the world at large. You doubt this? Just think: if you're in signals intelligence and you find out about a way to extract information from supposedly secure systems in a way that is undetectable, aren't you going to use it and keep quiet about it?! And if the NSA didn't know about Heartbleed, then they should all be fired for incompetence.

So, the takeaways from all of this are simple. First, if you elect to use the most popular product in the market, whether it's FOSS or proprietary, be warned: one flaw in what you've deployed can expose you to a much greater level of risk than using less well-known products.

Second? Take a short position on banana futures. 

Copyright © 2014 IDG Communications, Inc.