2014 · breach · Public

Heartbleed — The Internet's Open Wound

A missing bounds check in OpenSSL's heartbeat extension allowed attackers to read up to 64KB of server memory per request — private keys, passwords, session data. Approximately 17% of all secure web servers were vulnerable.

Root Cause

The TLS heartbeat message includes a payload length field. OpenSSL read that many bytes from memory without checking whether the actual payload was that long. The bug existed for over two years before discovery. OpenSSL was maintained by a handful of underfunded volunteers.

Aftermath

Heartbleed led to the creation of the Core Infrastructure Initiative (later the Open Source Security Foundation) to fund critical open-source projects. It accelerated adoption of perfect forward secrecy. The Heartbleed logo made it the first 'branded vulnerability', changing how the industry communicates about security flaws.

The Incident

On April 7, 2014, a vulnerability in OpenSSL's implementation of the TLS heartbeat extension was publicly disclosed. Designated CVE-2014-0160, it was given a name — Heartbleed — and a logo, making it the first "branded" vulnerability. Approximately 17% of all secure web servers on the internet were affected.

The Root Cause

The TLS heartbeat protocol allows one side of a connection to send a payload and request the other side to echo it back — a keepalive mechanism. The message includes a field declaring the payload length. OpenSSL's implementation read the declared length and returned that many bytes from memory — without checking whether the actual payload was that long.

An attacker could send a heartbeat message claiming a payload of 64KB while sending only a single byte. The server would return 64KB of whatever happened to be in memory adjacent to the actual message — potentially including private keys, session cookies, passwords, and other users' data. The attack left no trace in server logs.

The vulnerable code had been in OpenSSL since December 31, 2011. It was introduced in a commit that added heartbeat support and went unnoticed for over two years.
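The check described in both Root Cause sections, as an added example that is not OpenSSL's code: a heartbeat record is parsed, the declared payload length is compared against the bytes actually received, and only a request whose claim is backed by real data is echoed. The function and sample records are constructed for illustration; the 16-byte minimum padding follows RFC 6520.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding per message */

/* Parse a heartbeat record and build the echo response.
 * Returns the response length, or -1 when the record is malformed or the
 * declared payload length is not backed by received bytes (the missing check). */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* 16-bit big-endian length */
    /* The bounds check Heartbleed lacked: declared length must fit the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);                /* echo only real bytes */
    memset(out + 3 + payload, 0, HB_PADDING);         /* padding (random in TLS) */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request declaring and carrying 5 bytes. */
int demo_well_formed(void) {
    uint8_t rec[1 + 2 + 5 + HB_PADDING] = {HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    return (n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0) ? n : -1;
}

/* Constructed sample: declares 65535 bytes of payload but carries only one. */
int demo_oversized_claim(void) {
    uint8_t rec[1 + 2 + 1 + HB_PADDING] = {HB_REQUEST, 0xff, 0xff, 'x'};
    uint8_t out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void) {
    printf("well-formed: %d bytes\n", demo_well_formed());      /* 24 */
    printf("oversized claim: %d\n", demo_oversized_claim());   /* -1, rejected */
    return 0;
}
```

The rejected record is exactly the shape the text describes: a large declared length with almost no data behind it, which the unpatched code answered from adjacent memory.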

The Broader Failure

Heartbleed exposed a systemic problem: the most critical piece of security infrastructure on the internet — the library that encrypted traffic for banks, governments, healthcare systems, and millions of websites — was maintained by two developers, one of whom was working on it full-time, funded by donations that averaged less than $2,000 per year.

Why It Matters

A single missing bounds check exposed the private keys of millions of servers. The vulnerability existed for 27 months before discovery. The internet's encryption infrastructure was maintained by underfunded volunteers. Heartbleed proved that open-source security is not guaranteed by the "many eyes" theory — if the eyes aren't funded to look carefully, they don't see.

Techniques
buffer overread · missing bounds check