The Linux Foundation joins forces with Google, Facebook, and others to prevent the next Heartbleed

By Nathaniel Mott, written on April 24, 2014

Some of the world's largest technology companies are finally addressing the problems that led to the Heartbleed bug, a small coding error that made two-thirds of the Internet insecure. A new group called the Core Infrastructure Initiative is meant to "fund open source projects that are in the critical path for core computing functions" and has support from Google, Facebook, Microsoft, Intel, Cisco, and other large technology companies affected by the Heartbleed bug.

The Core Infrastructure Initiative plans to fund open source projects so that they can obtain independent security audits, hold face-to-face meetings of key developers, and employ full-time some developers who previously worked on the projects on the side. The group's funds will be handled by the Linux Foundation, prominent developers, and its backers.

If this group is successful, it could solve one of the biggest problems the modern Internet faces: relying on software written by talented developers working in their spare time and, often, for no compensation. It will also ensure that these large companies are made aware of problems before they become as bad as Heartbleed, and focus more attention on Internet infrastructure.

I described this problem after the president of the OpenSSL Software Foundation asked for the funds to hire some developers full-time after Heartbleed was revealed earlier this month. In the post, I argued that the ability to see what's happening with an open source project actually helped the Heartbleed bug -- and other problems -- go undetected for the last two years:

Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it’s amazing that anyone even bothered to look for the Heartbleed bug in the first place.

The OpenSSL Software Foundation is a group of “someone elses” looking to fix the problems that all of the “someones” relying on OpenSSL can’t be bothered to fix themselves. But the foundation is unable to employ anyone full-time, which means that its members are working on a critical aspect of online security in their spare time, or without reward commensurate to their work’s importance. The Core Infrastructure Initiative could change that. If it's able to attract the funds that it requires -- and with the backing of multiple companies that have spent billions of dollars on messaging apps and smart thermometers, it should -- it can help solve the biggest problem with the modern Internet: the fact that the people keeping it safe need to eat.

As I concluded in my post about what tech companies can do to avoid the next Heartbleed:

It’s time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry 'an enormous burden' that affects basically anyone who uses the Internet. We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?