Open Source Heartbleed Bug Sends Internet “into a Panic”

Opponents of patents often point to the open source movement as an alternative. The Heartbleed bug illustrates a big downside to open source:

(p. B1) The encryption flaw that punctured the heart of the Internet this week underscores a weakness in Internet security: A good chunk of it is managed by four European coders and a former military consultant in Maryland.

Most of the 11-member team are volunteers; only one works full time. Their budget is less than $1 million a year. The Heartbleed bug, revealed Monday, was the product of a fluke introduced by a young German researcher.
. . .
The OpenSSL Project was founded in 1998 to create a free set of encryption tools that has since been adopted by two-thirds of Web servers. Websites, network-equipment companies and governments use OpenSSL tools to protect personal and other sensitive information online.
So when researchers at Google Inc. and Codenomicon on Monday stated that Heartbleed could allow hackers to steal such data, the Internet went into a panic.
. . .
(p. B3) Earlier in the day, a German volunteer coder admitted that he had unintentionally introduced the bug on New Year’s Eve 2011 while working on bug fixes for OpenSSL. . . .
Errors in complex code are inevitable–Microsoft Corp., Apple Inc. and Google announce flaws monthly. But people close to OpenSSL, which relies in part on donations, say a lack of funding and manpower exacerbated the problem and allowed it to go unnoticed for two years.
. . .
The OpenSSL Project counts a sole full-time developer: Stephen Henson, a 46-year-old British cryptographer with a Ph.D. in mathematics. Two other U.K. residents and a developer in Germany fill out the project’s management team.
Associates describe Mr. Henson as brilliant but standoffish and overloaded with work.
. . .
Geoffrey Thorpe, an OpenSSL volunteer on the development team, said he has little time to spend on the project because of his day job at a hardware technology company.

For the full story, see:
DANNY YADRON. “Internet Security Relies on Very Few.” The Wall Street Journal (Sat., April 12, 2014): B1 & B3.
(Note: ellipses added.)
(Note: the online version of the story was updated April 11, 2014, and has the title “TECHNOLOGY; Heartbleed Bug’s ‘Voluntary’ Origins; Internet Security Relies on a Small Team of Coders, Most of Them Volunteers; Flaw Was a Fluke.”)
