‘Heartbleed’ bug can’t be simply blamed on coders

The Guardian:

Were you a thriller writer seeking a name for an apocalyptic software security flaw that threatened the future of civilisation as we know it, then “Heartbleed” would be hard to beat. Last week saw the discovery of such a flaw, and Heartbleed was the name assigned to it.

Most security flaws are of interest only to specialists, but this one was different. Why? Because it’s been around for something like three years, during which time it could have exposed the passwords and credit card numbers that countless millions of people had provided to online stores and other services. Heartbleed would enable attackers to eavesdrop on online communications, steal data directly from services and users, and impersonate both services and users. It could have affected up to two-thirds of the world’s internet servers. And unlike some earlier such problems, the solution isn’t as simple as immediately changing one’s password. It was, said Bruce Schneier, a security expert not much given to hyperbole, a “catastrophic” flaw. “On the scale of one to 10,” he wrote, “this is an 11.”

Most open-source software – and Open SSL is no exception – is produced voluntarily by people who are not paid for creating it. They do it for love, professional pride or as a way of demonstrating technical virtuosity. And mostly they do it in their spare time. Responsible corporate use of open-source software should therefore involve some measure of reciprocity: a corporation that benefits hugely from such software ought to put something back, either in the form of financial support for a particular open-source project, or – better still – by encouraging its own software people to contribute to the project.

If the giant internet companies had taken the latter approach to OpenSSL, then they might have spotted the Heartbleed vulnerability earlier. In which case we wouldn’t be in the mess that we are in now. Sometimes the ethical thing to do turns out also to be the prudent thing to do.

Let’s see the big companies using OpenSSL paying a voluntary contribution to ensure the code is fully maintained.  I’ve just watched Mumsnet site’s founder Justine Roberts on the BBC News explain how she was let down by OpenSSL   Instead of free-riding on other people’s efforts, I hope she’ll contribute something back.