Menu
Clone of Alibaba (BABA) IPO Shares Jump 36%

Alibaba (BABA) IPO Shares Jump 36%

The Sexiest Halloween Costumes of 2014

The Sexiest Halloween Costumes of 2014

Mazda Miata 2016 model revealed

Mazda Miata 2016 model revealed

Miley Cyrus New Butt Gets in Trouble with Law

Miley Cyrus New Butt Gets in Trouble with Law

Larry Ellison Steps Down as CEO of Oracle

Larry Ellison Steps Down as CEO of Oracle

The Really Scary Aspect About Heartbleed

Apr 10 2014, 1:45pm CDT | by , in News | Technology News

The Really Scary Aspect About Heartbleed
 
 

YouTube Videos Comments

Full Story

The Really Scary Aspect About Heartbleed

Another day, another Internet security crisis. This time it’s a problem with the encryption protocol that many Internet sites use to protect their data. Yet again, users for whom the basics of Internet security are as obscure as the functioning of car engines are being told there are lots of “site lemons” out there and that they need to be careful.

For those who want the nitty-gritty on what the Heartbleed bug is and what went wrong with the “code library” it snuck into, read Rusty Foster in the New Yorker. As for whether it affects you and the sites you use, check out this tool from password service LastPass. (Yes, Netflix and HBOGo, for example, were vulnerable to the Heartbleed bug, meaning someone may have been able to ping those websites for people’s usernames and passwords, and you should change your credentials there when their sites are fixed.)

It will be fixed, just like Apple's GoToFail encryption bug was fixed, and this will blow over, and people will change their passwords, and everything will be fine…. unless, as Bruce Schneier points out, the flaw is in an embedded system that can’t be updated. Regardless, something like this will happen again. The bigger problem illuminated by this latest security crisis was spelled out in a report from the Wall Street Journal’s Danny Yadron. The OpenSSL code library on which so many companies rely for their Web security only has one dude working on the project full-time.

OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job.

And it is strapped for cash:

Writing encryption code is complex, so many website operators tap OpenSSL, which is free. It was created in the late 1990s by developers who wanted an easy-to-use encryption scheme for Internet traffic. Its website is bare bones, as are its finances. Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.

That’s despite the fact that up to two-thirds of the Web relies on it. The German developer Robin Seggelman responsible for Heartbleed, who introduced the coding version of a typo, did so an hour from New Year’s Eve in 2011, according to reports. Because it is an open-source project, anyone can review it, and the hope — one deeply rooted in the philosophy of the Internet age — is that through crowd-sourcing, mistakes will be inevitably by caught and scourged.

But it wasn’t spotted until two years later by Google security engineer Neel Mehta, who is not talking to the press, according to a Google spokesperson, who would only provide a statement from Google. “The security of our users’ information is a top priority,” she writes. “We fixed this bug early and Google users do not need to change their passwords.”

But what about the larger problem? Internet users big and small, from billion-dollar corporations like Google and Yahoo to little non-profits offering secure websites, relying on a volunteer project to provide the skeleton for their security.

“Heartbleed is further evidence that we don’t have our house in order when it comes to Internet security,” Princeton computer security expert Edward Felten tells Farjad Manjoo in the New York Times. He went on to compare the “culture of software development” with that of the “safety culture that is common in fields such as aviation” and finds the former lacking. That makes sense in a way: the Internet doesn’t usually kill you when it fails, but it can certainly be expensive for companies and troublesome for Internet users when something like Heartbleed happens.

So what’s the solution? Obviously, those tending to the security protocols that support the rest of the Web need better infrastructure and more funding. “Large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails,” writes Foster in the New Yorker.

He sees some change thanks to venture capital funding in open source code-infrastructure projects, like GitHub and the Node Package Manager. “But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts,” he writes. “It’s easy to take open-source software for granted, and to forget that the Internet we use every day depends in part on the freely donated work of thousands of programmers.”

We need to find ways to pay for work that is currently essentially donated freely. One promising project is Bithub, from Whisper Systems, where people who make valuable contributions to open source projects are rewarded (with Bitcoin of course). But the pool of Bitcoin is still donation based. The Internet has helped create a culture of free, but what we may need to recognize is that we get what we pay for. Well-funded companies pulling critical code from open source projects for their sites should have formal fee arrangements, rather than the volunteer group simply hoping these users will pony up some Benjamins for “prominent logo placement” on a website most people had never heard of before Heartbleed.

Anyone who gave OpenSSL $20,000 or more got its logo on their website according to their donation page.  There are no logos on their website.

 

You Might Also Like

Updates


Sponsored Update


Advertisement


More From the Web

Shopping Deals

 
 
 

<a href="/latest_stories/all/all/31" rel="author">Forbes</a>
Forbes is among the most trusted resources for the world's business and investment leaders, providing them the uncompromising commentary, concise analysis, relevant tools and real-time reporting they need to succeed at work, profit from investing and have fun with the rewards of winning.

 

 

Comments

blog comments powered by Disqus

Latest stories

Facebook&#039;s out to copy Twitter news feeds
Facebook's out to copy Twitter news feeds
Facebook faced an oops when the site belatedly joined in the Ferguson coverage. Now the site's looking to compete with microblogging site Twitter.
 
 
Queen Latifah on community and domestic violence
Queen Latifah on community and domestic violence
Queen Latifah's active in community outreach and involvement. At the start of The Queen Latifah Show's second season, the host is opening up on how to be a better member of society.
 
 
Sophia Loren&#039;s stunning at 80
Sophia Loren's stunning at 80
Today, screen legend Sophia Loren turned 80 and she never looked more beautiful while putting her life on display in Mexico City.
 
 
Apple details out-of-warranty repair costs for the iPhone 6 family
Apple details out-of-warranty repair costs for the iPhone 6 family
The charges are separated into three categories – screen damage, battery and power, and other repairs.
 
 
 

About the Geek Mind

The “geek mind” is concerned with more than just the latest iPhone rumors, or which company will win the gaming console wars. I4U is concerned with more than just the latest photo shoot or other celebrity gossip.

The “geek mind” is concerned with life, in all its different forms and facets. The geek mind wants to know about societal and financial issues, both abroad and at home. If a Fortune 500 decides to raise their minimum wage, or any high priority news, the geek mind wants to know. The geek mind wants to know the top teams in the National Football League, or who’s likely to win the NBA Finals this coming year. The geek mind wants to know who the hottest new models are, or whether the newest blockbuster movie is worth seeing. The geek mind wants to know. The geek mind wants—needs—knowledge.

Read more about The Geek Mind.