Major tech companies back 'Heartbleed' prevention measure

After the OpenSSL flaw, nicknamed 'Heartbleed,' potentially exposed over two-thirds of websites to hackers, a group of major tech companies such as Amazon, Google, and Facebook is donating funds to improve open-source security systems.

Security experts warn there is little Internet users can do to protect themselves from the recently uncovered 'Heartbleed' bug that exposes data to hackers, at least not until vulnerable Web sites upgrade their software.

The world's biggest technology companies are donating millions of dollars to fund improvements in open source programs like OpenSSL, the software whose "Heartbleed" bug has sent the computer industry into turmoil.

Amazon.com Inc, Cisco Systems Inc, Facebook Inc, Google Inc, IBM, Intel Corp and Microsoft Corp are among a dozen companies that have agreed to be founding members of a group known as Core Infrastructure Initiative. Each will donate $300,000 to the venture, which is recruiting more backers among technology companies as well as the financial services sector.

Other early supporters are Dell, Fujitsu Ltd, NetApp Inc, Rackspace Hosting Inc and VMware Inc.

The industry is stepping up after the group of developers who volunteer to maintain OpenSSL revealed that they received donations averaging about $2,000 a year to support the project, whose code is used to secure two-thirds of the world's websites and is incorporated into products from many of the world's most profitable technology companies.

"I think we get complacent as an industry when we see something as working well or working 'well enough.' We sort of see it as a 'maintenance job,'" said Chris DiBona, director of open source and engineering with Google. "We have to be a bit more vigilant."

The Heartbleed bug has likely cost businesses tens of millions of dollars in lost productivity as they have had to update systems with safe versions of OpenSSL, according to security experts. Also, it has already resulted in at least one major cyber attack: the theft of data from Canada's tax authority.

The non-profit Linux Foundation, which promotes development of the open source Linux operating system, organized the group, whose formation it announced on Thursday.

It will support development of OpenSSL as well as other pieces of open source software that make up critical parts of the world's technology infrastructure, but whose programmers do not necessarily have adequate funding to support their work, said Jim Zemlin, executive director of the Linux Foundation.

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.

Open source software refers to programs developed by groups of developers spread across the globe, who seek community involvement to improve the code. Companies are typically free to incorporate such code in their products without paying any fees to volunteer developers who maintain the code.

Some types of open-source software, such as Linux and the MySQL database, have versions that are sold by companies such as Red Hat Inc and Oracle Corp, which offer premium services such as updates and help-desk support.

The Core Infrastructure Initiative expects to offer one or more of the small crew of OpenSSL developers full-time jobs working on the project through fellowships, Zemlin said in an interview.

It will also identify other projects like OpenSSL that it believes are equally critical to the infrastructure of the Internet and merit support.

Eben Moglen, a Columbia Law School professor and attorney who represents many open-source software projects, said he believes there are six to 10 such open-source software projects.

"The process of keeping software secure is constant. It never stops," said Moglen, whose clients include the group of OpenSSL developers.
