CVE-2017-5638, the Heartbleed Virus and Quality at CBC

admin Sunday March 26, 2017

Taxes are very important. So much so that I learned about 2 critical security vulnerabilities in important free software components, namely CVE-2014-0160 (Heartbleed) and more recently CVE-2017-5638, by watching CBC, because both affected the CRA's website during the income tax returns filing period.

I confess that learning about Heartbleed on The National was exciting in a sense - because I was learning of free software usage by the federal government on TV, because I was learning about free software in a national broadcast, because I had never heard about a free software bug on TV before, and because I was discovering the first named free software bug (it is after watching the report that I discovered Heartbleed had its Wikipedia article).

Unfortunately, I was less excited when a similar scenario repeated with CVE-2017-5638 and The National broadcast this report. In part because CVE-2017-5638 is much less interesting than Heartbleed, in part because I do not use Apache Struts, and in part because the report did not mention the vulnerability anyway. But mostly because the report refers to what is possibly the world's most known bug as "the Heartbleed virus".

My ears are almost done bleeding from hearing the report. It was broadcast nearly 2 weeks ago, and still features uncorrected. How can Canada's public broadcaster make such a flagrant error and fail to correct it for weeks? A 2014 article from CBC itself asks "What is Heartbleed?" and describes it as a bug or software vulnerability, obviously never as a virus.

Margo McDiarmid is a parliamentary reporter, and surely cannot be expected to know each field deeply. For the first part of the question, one could think that having to publish each news story first, CBC put the story out quickly, before having the time to have it reviewed by someone knowledgeable about information security. This hypothesis breaks down when we see that the report was broadcast on 2017-03-13, more than 2 days after a story with no major error was written by the CBC, and even after private media had published articles identifying the vulnerability more specifically (the Globe and Mail and MoneySense, the latter specifically mentioning Apache Struts). Less than 12 hours later, even the CBC had written a quality story with all the necessary details. That story was written by CBC's Matthew Braga, Senior Technology Reporter, who should have been able to catch such an error. The rush hypothesis seems even invalidated by the fact that the CBC could have requested the report to be reviewed by the very expert interviewed in the report.

As for the second part, the webpage which contains the report has a "Report Typo or Error" link. Should I feel guilty for not having reported the error instead of complaining? Not a chance; click on it, and you find a simple form, without any indication of previous reports. Does the CBC really expect me to send a benevolent report without even being sure that the problem has not been reported already?!

There is probably no simple answer. The conservative government's 2012 cuts may still mean CBC's information sector is unable to guarantee a minimal level of quality. I sincerely hope that budget restoration will make the CBC a source of information which can be trusted.

I do not frequently notice gross errors from our public broadcaster, but then I am ignorant about the vast majority of the world. Most of the serious errors I hear from the CBC and from the media in general are about computer science, my own field of "expertise". At these times, I ask myself how such a lack of rigor is possible, but also how bad the problem is. How specific to computer science are errors in media coverage? Is health coverage also unreliable? If our public broadcaster can't tell software viruses and vulnerabilities apart, can it distinguish biological viruses from genetic diseases? Looking at the efforts (or lack thereof) it makes to fix errors post-publication, I doubt it; the issue with quality is systemic. If this has to do with budget, here is one more confirmation that taxes are very important.