The Heartbleed bug revealed limitations with the software protecting banks and other key websites.
Last week’s Heartbleed Internet bug revealed a startling fact. The software protecting banks, email, social media and government is maintained by only a few people.
They’re all volunteers. And only one does it as a full-time job.
Their labor of love is OpenSSL, a free program that secures a lot of online communication. And it was a tiny coding slip-up two years ago that caused the Heartbleed bug, a hole that allows attackers to peer into computers. The bug forced emergency changes last week at major websites like Facebook, Google and Yahoo.
But security experts say OpenSSL is severely underfunded, understaffed and largely ignored.
The bug wasn’t caught until recently, because the OpenSSL Software Foundation doesn’t have the resources to properly check every change to the software, which is now nearly half a million lines of code long. And yet that program guards a vast portion of our commerce and government — including weapon systems and smartphones, the foundation claims.
“The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Steve Marquess, the foundation’s president, said in an open letter.
When weighed against its critical importance to Internet security, OpenSSL has a shoestring budget. It has never received more than $1 million a year, Marquess said. The only federal support listed online was a single $20,000 renewal contract from the Department of Defense.
While the foundation receives money from the Department of Homeland Security, Citrix and others, the vast majority of its funding is from specific work-for-hire contracts. A company wants a certain feature added here, a specific function there. It keeps developers busy. But Marquess said there’s no money going toward reviewing the code or performing audits.
In fact, the only person working on this full-time is Stephen Henson, an extremely private mathematician living in England who referred to Marquess for comment. Only a handful of other developers pitch in with any consistency, and Marquess told CNN their total labor amounts to maybe two full-time workers.
Even in the aftermath of Heartbleed, the foundation has received only $9,000 — sparking Marquess to publicly call out companies that use OpenSSL for free.
“I’m looking at you, Fortune 1000 companies,” he wrote.
In the wake of Heartbleed, this lack of funding for OpenSSL may prove a wake-up call.
Startups and major corporations frequently use open-source software because it’s freely distributed and costs nothing. But they rarely contribute back in dollars or donated time. Without significant outside help — donating dedicated staff and money without strings attached — open-source projects like this are at risk of fizzling out or blowing up in our faces, said Azorian Cyber Security founder Charles Tendell.
“If you bought your car and knew it was put together by volunteers, how would you feel about that?” Tendell asked.
A select few firms provide some help. Facebook and Microsoft sponsor bug bounties via the HackerOne program — essentially paying hackers to find mistakes that need fixing. And it was a Google security researcher, Neel Mehta, who discovered the Heartbleed bug.
Others are convinced it’s time to chip in. The initial response by Marc Gaffan, cofounder of cloud-security provider Incapsula, was: “What do you expect? You got this for free. You get what you pay for.” But it turns out his company relies on OpenSSL too. When asked if he would lead by example, Gaffan promised his firm would make its first donation.
This recent scare has gotten the White House’s attention. The Obama administration is now “taking a hard look at widely used tools such as OpenSSL to see if there is more that the federal government needs to do — including supporting research and development,” said National Security Council spokeswoman Laura Lucas Magnuson.
There’s a catch, however. The government can only get so close without triggering fears that it’s actually undermining the security of online communications, especially after Edward Snowden’s disclosures about the National Security Agency’s extensive surveillance programs. Former NSA crypto engineer Randy Sabett, now a tech privacy attorney at the Cooley law firm, expects the open-source community will be apprehensive.
“The public does not want the government involved in the design of the commercial Internet,” he said. “They don’t want back doors put in.”