Internet giants unite to fight against a second Heartbleed
The discovery of that major glitch last month revealed that the open-source program used to encrypt and protect sensitive data across roughly two-thirds of the web was exploitable for nearly two years, theoretically compromising an immeasurable amount of credit card information, passwords and just about everything else meant to be secured by the OpenSSL protocol.
On Thursday this week, the Linux Foundation announced the creation of the Core Infrastructure Initiative, or CII — a multi-million dollar endeavor intended to fund and support critical elements of the global information infrastructure, according to a statement on the non-profit’s website.
“After the Heartbleed crisis we asked ourselves: How did this happen and what role can The Linux Foundation play to be sure it doesn’t happen again?” Amanda McPherson, the chief marketing officer of The Linux Foundation, told Klint Finley at Wired this week. “We decided to do what we always do: work with the industry to raise money and fund developers directly so they can do what they do best, develop, while we give them the assistance the way we do Linus Torvalds.”
Torvalds — the Finnish-American software engineer credited with developing the open-source Linux kernel used to power the operating system of the same name — has for years been hailed by many in the tech community for the contributions he’s made by opening up his projects for other developers to improve upon. The CII now hopes that with the help of a dozen backers, other open-source engineers working on endeavors critical to the future of the web will be able to receive sufficient funding and support to help perfect those projects.
OpenSSL, Finley wrote for Wired, is run by a team of just four programmers, essentially putting one of the internet’s most important tools in the hands of a team with “limited time to test and audit and perfect the project’s code.”
Countless other projects have it even worse, however, and the inability to conduct those audits may once again allow for another Heartbleed to silently emerge and stay undetected for two years. On Wednesday, Linux Foundation Executive Director Jim Zemlin told the New York Times that the CII will work to not only help make sure programmers have the resources to keep their projects afloat, but that they’ll also be able to efficiently collaborate in a post-Heartbleed environment.
“This is not just about the money, but the forum,” Zemlin told Nicole Perlroth at the Times. “Instead of responding to a crisis retroactively, this is an opportunity to identify crucial open-source projects in advance. Right now, nobody is having that conversation, and it’s an important conversation to have.”
In addition to the aforementioned Silicon Valley giants, Amazon, Dell, Facebook, Fujitsu, NetApp, RackSpace and VMware have all signed on to support the CII and agreed to each pledge $100,000 annually over the next three years. Combined, the 12 companies that are currently members of the consortium have pledged, at a minimum, a total of $3.6 million.
But after reports emerged in the aftermath of the Heartbleed scandal accusing the United States National Security Agency of knowing about the bug since nearly the beginning, the millions of dollars amassed by the CII might not be enough to outmatch the US government. Earlier this month, Bloomberg News reported that the NSA knew about the massive vulnerability for years but failed to alert Silicon Valley, and instead used the exploit to attack foreign targets. The NSA has since dismissed those allegations as false but, nevertheless, proper testing and auditing — backed with a few million dollars — are likely to ensure that at least a couple important web projects receive enough funding to keep from falling victim to an exploit like OpenSSL did.
"Maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone's interest," Professor Eben Moglen of Columbia Law School said in a statement released by the CII on Thursday. "The Linux Foundation, and the companies joining this Initiative, are enabling these dedicated programmers to continue maintaining and improving the free and open source software that makes the net work safely for us all."