
Heartbleed no more: OpenSSL finally receives industry funding

The world’s largest internet companies have come together to create a $4m fund which will help to maintain open source software, with the aim of avoiding issues like the Heartbleed bug which hit the headlines a couple of weeks ago.

Big names including Cisco, Microsoft, Amazon, Dell, Facebook, Google, IBM and more will all be donating $100 000 (R1.1m) to the Core Infrastructure Initiative, which will be administered by the Linux Foundation. Other firms and individuals can donate via this page.

The role of the CII will be to fund the development and maintenance of software projects which are widely used but never paid for. It is a direct response to Heartbleed, because the internet as we know it almost ground to a halt thanks to a fatal flaw in a popular but relatively little-known encryption layer called OpenSSL. The bug, which was introduced into the software in 2011, meant that any server could be cajoled into revealing the current content of some of its active RAM – including usernames, passwords and cryptographic keys that might be stored there.

The OpenSSL foundation has been maintaining the critical piece of software used by 60% of servers, including Yahoo! mail, LastPass, several banks and more, on a budget of less than $2 000 (R21 000) a year. It will be the first recipient of cash from the new fund. As Heartbleed made clear, there are many small and little-known pockets of open source software which are vital to the continued functioning of the internet as we know it, but which receive little or no official support.

Many open source projects are sponsored directly by companies that benefit from them, but others are simply taken for granted. OpenSSL spokesperson Steve Marquess tried to explain the situation on his personal blog after the bug was discovered.

“These guys don’t work on OpenSSL for money,” Marquess wrote, “They don’t do it for fame (who outside of geek circles ever heard of them or OpenSSL until “heartbleed” hit the news?)…  It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smart phones, industry, government, everywhere. Knowing that you’ll be ignored and unappreciated until something goes wrong.

“There should be at least a half dozen full time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.”

Heartbleed was originally thought to affect 60% of servers on the net. That number has since been revised down (since older versions of OpenSSL weren’t affected), but the scope of the problem is wider than web servers alone, as John Miller – security research manager at Trustwave – explains:

“Web servers are only one class of target,” says Miller, “Email servers, file servers, and a host of other protocols rely on SSL and may also be impacted by this event. Heartbleed affects both servers and client software, so users may have applications on their devices that are vulnerable to leaking sensitive information if they connect to a malicious server. There will be a lot of work in the coming months to identify and remediate these issues.”

The Heartbleed bug was discovered by independent researchers and a team from Google, and Miller warns that it may not be unique.

“It is important to recognize that Heartbleed was not a flaw in the mathematical underpinnings of the SSL/TLS encryption, which still remains a strong foundation for security,” he says, “It does, however, showcase the danger of implementation bugs that can lead to bypass of encryption. Unfortunately, bugs are a common fact of life in software development and there is no reason to believe we’ve seen the last of them.”

Hopefully with new money more bugs can be uncovered before harm is done – and existing ones fixed.

[Via Ars Technica]
