Showing 162 posts tagged security
OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.
To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.
This is really excellent news: the large companies and organizations that rely on open-source critical infrastructure projects need to (ideally) contribute back, through either code contributions or financial support. Hopefully we'll see not just money but sustained effort to improve and develop the code of these projects, which are often the hidden veins that enable contemporary Internet experiences.
Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs, said that there has been an increased call for outside security audits for OpenSSL, the security system affected by Heartbleed.
“Researchers have been grumbling that OpenSSL and other highly-relied upon security libraries need to be subject to more ‘forensic audits’ by professionals to identify and patch flaws before they are exploited in the wild,” he said.
Heartbleed was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
Missed this when it went up, but I'm posting it because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enabling such work?
Given how many web sites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.
This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.
The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.
"This is supposed to be the sort of thing that they’re supposed to find and ideally report," says Parsons.
"I think over the coming months, we need to figure out if they knew and if they didn’t, why didn’t they, because this is what we pay them to do. And if they did know, then why weren’t they protecting us?"
If you’re interested in why it’s so hard to patch a huge portion of the Internet in secret, and what forced the (relatively) early public disclosure of Heartbleed, then this is a good article to read.