The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community.
Heartbleed originated in this community, in which these volunteers, connected over the Internet, work together to build free software, to maintain and improve it and to look for bugs. Ideally, they check one another’s work in a peer review system similar to that found in science, or at least on the nonprofit Wikipedia, where motivated volunteers regularly add new information and fix others’ mistakes.
This process, advocates say, ensures trustworthy computer code.
But since the Heartbleed flaw got through, causing fears — as yet unproved — of widespread damage, members of that world are questioning whether the system is working the way it should.
“This bug was introduced two years ago, and yet nobody took the time to notice it,” said Steven M. Bellovin, a computer science professor at Columbia University. “Everybody’s job is not anybody’s job.”
Once Heartbleed was revealed, nearly two weeks ago, companies raced to put patches in place to fix it. But security researchers say more than one million web servers could still be vulnerable to attack. Mandiant, a cyberattack response firm, said on Friday that it had found evidence that attackers used Heartbleed to breach a major corporation’s computer system, although it was still assessing whether damage was done.
What makes Heartbleed so dangerous, security experts say, is the software it compromised: OpenSSL. That code is just one of many projects maintained by the open-source community, but it plays a critical role in making our computers and mobile devices safe to use.
OpenSSL code was developed by the OpenSSL Project, which has its roots in efforts in the 1990s to make the Internet safe from eavesdropping. “SSL” refers to “secure sockets layer,” an encryption protocol. Those who use this code do not have to pay for it as long as they credit the OpenSSL Project.
Over time, OpenSSL code has been picked up by companies like Amazon, Facebook, Netflix and Yahoo and used to secure the websites of government agencies like the F.B.I. and Canada’s tax agency. It is baked into Pentagon weapons systems, devices like Android smartphones, Cisco desktop phones and home Wi-Fi routers.
Companies and government agencies could have used proprietary schemes to secure their systems, but OpenSSL gave them a free and, at least in theory, more secure option.
Unlike proprietary software, which is built and maintained by only a few employees, open-source code like OpenSSL can be vetted by programmers the world over, advocates say.
“Given enough eyeballs, all bugs are shallow” is how Eric S. Raymond, one of the elders of the open-source movement, put it in his 1997 book, “The Cathedral & the Bazaar,” a kind of manifesto for open-source philosophy.
In the case of Heartbleed, though, “there weren’t any eyeballs,” Mr. Raymond said in an interview this week.
Although any programmer may work on OpenSSL code, only a few regularly do, said Ben Laurie, a Google engineer based in Britain who donates time to OpenSSL on nights and weekends. This is a problem, he said, adding that the companies and government agencies that use OpenSSL code have benefited from it but give back little in return.