Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Why Doesn’t Anybody Fire Those Responsible for Heartbleed Getting by OpenSSL? Because Nobody Hired Them! Just a Few Volunteers Maintain This Critical Software.

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

When the Heartbleed bug (CVE-2014-0160) opened a hole in OpenSSL, the library that protects banks, email, social media, government and just about everything else online, it even got the attention of people who were still using Windows 95. The flaw was not a back door in the usual sense but a missing bounds check in OpenSSL's TLS heartbeat handler: a client could send a heartbeat request whose length field claimed a far larger payload than the request actually carried, and the server would answer with up to 64 KB of whatever happened to sit in its memory next to that request, which in practice included private keys, session cookies and passwords.
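As an added illustration (written for this post; it is not OpenSSL's source code), the following C program models the heartbeat handler in simplified form. The vulnerable version trusts the payload length written inside the request; the fixed version checks that length against the size of the record that was actually received. The message layout follows RFC 6520; the buffer contents, function names and the "secret" placed next to the request are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Simplified model of a TLS heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * Illustration only; this is not OpenSSL's code.
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Vulnerable pattern: believe the length field inside the message and copy
 * that many bytes back, never asking how long the received record really is. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len)
{
    (void)rec_len;                               /* the real length is never consulted */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* over-reads when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Hardened pattern: header, claimed payload and padding must all fit inside
 * the record that was actually received; otherwise silently drop it. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                               /* the check Heartbleed lacked */
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Constructed demo memory: a 21-byte request (type, length, "hi", padding)
 * whose length field claims 48 bytes, followed by data that merely happens to
 * sit next to it in the same buffer, standing in for the keys, cookies and
 * passwords Heartbleed exposed. One array keeps the over-read inside defined
 * behaviour for the demo. */
#define DEMO_REC_LEN (1 + 2 + 2 + HB_PADDING)
#define DEMO_CLAIMED 48
static unsigned char demo_memory[64];
static unsigned char demo_out[256];
static const char demo_secret[] = "SECRET-SESSION-COOKIE";

static void demo_setup(void)
{
    memset(demo_memory, 0, sizeof demo_memory);
    demo_memory[0] = HB_REQUEST;
    demo_memory[1] = 0;
    demo_memory[2] = DEMO_CLAIMED;               /* claims 48 bytes, carries 2 */
    demo_memory[3] = 'h';
    demo_memory[4] = 'i';
    memcpy(demo_memory + DEMO_REC_LEN, demo_secret, sizeof demo_secret - 1);
}

/* Runs one handler over the demo record; returns the response length,
 * or 0 if the handler dropped the request. */
static size_t demo_run(int use_fixed)
{
    size_t out_len = 0;
    demo_setup();
    int rc = use_fixed
        ? heartbeat_fixed(demo_memory, DEMO_REC_LEN, demo_out, &out_len)
        : heartbeat_vulnerable(demo_memory, DEMO_REC_LEN, demo_out, &out_len);
    return rc == 0 ? out_len : 0;
}

/* Does a response of out_len bytes contain the neighbouring "secret"? */
static int demo_response_leaks_secret(size_t out_len)
{
    size_t n = sizeof demo_secret - 1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(demo_out + i, demo_secret, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t n = demo_run(0);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           n, demo_response_leaks_secret(n) ? "yes" : "no");
    n = demo_run(1);
    printf("fixed: request %s\n", n ? "answered" : "dropped");
    return 0;
}
```

The one-line length comparison in the hardened handler is the substance of the OpenSSL 1.0.1g fix: a request that claims more payload than the record holds is discarded without any response, so an attacker gets nothing back rather than the neighbouring memory. The attack leaves no entry in ordinary server logs, which is why the damage has been so hard to estimate.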

No one has a handle on how much damage may have been caused, not least because a Heartbleed request leaves nothing unusual in ordinary server logs, or whether most cybercriminals were as unaware of the flaw as the rest of us until it was disclosed. One thing is certain: Heartbleed put virtually the entire online world into crisis mode. And when an event of this magnitude occurs, there is always a call to find out who is responsible and make them pay. So why hasn't this happened?

Writing for CNN, Jose Pagliery explains who was holding their fingers in the dike and why holding them (the people, not their fingers) responsible would be like blaming a friend who was house-sitting for a burglary that took place while he was at work. (Note: the following has been modified to fit our format.)

They’re all volunteers. And only one does it as a full-time job.

Their labor of love is OpenSSL, a free program that secures a lot of online communication. And it was a tiny coding slip-up two years ago that caused the Heartbleed bug, a hole that allows attackers to peer into computers. The bug forced emergency changes last week at major websites like Facebook, Google and Yahoo.

But security experts say OpenSSL is severely underfunded, understaffed and largely ignored.

The bug wasn’t caught until recently, because the OpenSSL Software Foundation doesn’t have the resources to properly check every change to the software, which is now nearly half a million lines of code long. And yet that program guards a vast portion of our commerce and government — including weapon systems and smartphones, the foundation claims.

“The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Steve Marquess, the foundation’s president, said in an open letter.

When weighed against its critical importance to Internet security, OpenSSL has a shoestring budget. It has never received more than $1 million a year, Marquess said. The only federal support listed online was a single $20,000 renewal contract from the Department of Defense.

While the foundation receives money from the Department of Homeland Security, Citrix and others, the vast majority of its funding is from specific work-for-hire contracts. A company wants a certain feature added here, a specific function there. It keeps developers busy. But Marquess said there’s no money going toward reviewing the code or performing audits.

In fact, the only person working on this full-time is Stephen Henson, an extremely private mathematician living in England who referred requests for comment to Marquess. Only a handful of other developers pitch in with any consistency, and Marquess told CNN their total labor amounts to maybe two full-time workers.

Even in the aftermath of Heartbleed, the foundation has received only $9,000 — sparking Marquess to publicly call out companies that use OpenSSL for free.

“I’m looking at you, Fortune 1000 companies,” he wrote.

In the wake of Heartbleed, this lack of funding for OpenSSL may prove a wake-up call.

Startups and major corporations frequently use open-source software because it’s freely distributed and costs nothing. But they rarely contribute back in dollars or donated time. Without significant outside help — donating dedicated staff and money without strings attached — open-source projects like this are at risk of fizzling out or blowing up in our faces, said Azorian Cyber Security founder Charles Tendell.

“If you bought your car and knew it was put together by volunteers, how would you feel about that?” Tendell asked.

A select few firms provide some help. Facebook and Microsoft sponsor bug bounties via the HackerOne program — essentially paying hackers to find mistakes that need fixing. And it was a Google security researcher, Neel Mehta, who discovered the Heartbleed bug.

Others are convinced it’s time to chip in. The initial response by Marc Gaffan, cofounder of cloud-security provider Incapsula, was: “What do you expect? You got this for free. You get what you pay for.” But it turns out his company relies on OpenSSL too. When asked if he would lead by example, Gaffan promised his firm would make its first donation.

This recent scare has gotten the White House’s attention. The Obama administration is now “taking a hard look at widely used tools such as OpenSSL to see if there is more that the federal government needs to do — including supporting research and development,” said National Security Council spokeswoman Laura Lucas Magnuson.

There’s a catch, however. The government can only get so close without triggering fears that it’s actually undermining the security of online communications, especially after Edward Snowden’s disclosures about the National Security Agency’s extensive surveillance programs. Former NSA crypto engineer Randy Sabett, now a tech privacy attorney at the Cooley law firm, expects the open-source community will be apprehensive.

“The public does not want the government involved in the design of the commercial Internet,” he said. “They don’t want back doors put in.”
