Linux Foundation and major tech cos finally committing money to stop next Heartbleed
Attempts to prevent another Heartbleed, the bug that left two-thirds of the Internet insecure for two years, received a significant boost today. The Linux Foundation has announced that it has allocated funds from many supporters -- including Google, Facebook, and Microsoft -- to perform annual security audits on critical infrastructure and hire two full-time developers who will work on one of the Internet's most widely-used technologies for pay instead of for passion.
The announcement follows months of worry about the Internet's reliance on technologies made and cared for by people working in their spare time with little or no compensation. Heartbleed was caused by a small problem in a few lines of code in OpenSSL – the software affected by the bug – introduced by someone who had worked on the project for years without previously introducing other such dramatic vulnerabilities. (One would hope that something so shockingly catastrophic wouldn't happen often.)
The problem, as described by Quartz and the Washington Post, is that many people assume that open source projects are more secure than their proprietary counterparts because anyone can view and edit the code. I wrote about the effect this assumption has on security while discussing what technology companies can do to prevent the next Heartbleed from happening:
Consider it the digital version of the bystander effect, whereby an entire crowd will ignore a cry for help because everyone assumes that someone else will take care of the problem. The effect becomes more pronounced as the number of people witnessing the problem grows. This is like that, except it threatens the foundation of online security, and the crowd is so massive that it’s amazing that anyone even bothered to look for the Heartbleed bug in the first place.
The Linux Foundation's announcement shows that technology companies are starting to take this seriously. Besides the OpenSSL Foundation, which oversees the technology after which it's named, funding has also been granted to the Open Crypto Audit Project, and will be allocated to other groups looking after the Network Time Protocol and OpenSSH. The group isn't just patching a weak spot in OpenSSL's infrastructure -- it's trying to secure other tools as well.
When I wrote about efforts to prevent the next Heartbleed from happening, I ended with a simple question: "We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?" It seems that the Linux Foundation agrees, and given its latest announcement, the future of the Internet now seems a little less bleak than before.
[illustration by Brad Jonas for Pando]