Heartbleed Bug Prompts Tech Juggernauts to Increase Open Source Funds
Tech juggernauts are joining forces in light of the recent Heartbleed scare in order to prevent such open source catastrophes in the future.
Google, Facebook, Intel, Microsoft, Amazon, and IBM have all signed on to a Linux Foundation effort called the "Core Infrastructure Initiative," aimed at better funding critical open source projects such as OpenSSL.
"The Core Infrastructure Initiative is a multi-million dollar project housed at The Linux Foundation to fund open source projects that are in the critical path for core computing functions. Inspired by the Heartbleed OpenSSL crisis, The Initiative's funds will be administered by the Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders," the Linux Foundation says.
As currently structured, each company involved in the Core Infrastructure Initiative will donate $100,000 per year over the next three years, for a total of $4 million.
OpenSSL, the widely used cryptographic library vulnerable to Heartbleed, is the new poster child for open source funding. The OpenSSL Software Foundation (OSF) receives an average of $2,000 a year in donations, with annual revenues never exceeding $1 million, and employs only one full-time developer to work on the code. All this for encryption software used by two-thirds of the world's websites.
Companies like Google and Facebook announced they were vulnerable to Heartbleed, and even though they have since patched the bug, the incident highlights how little attention is paid to a critical part of the Internet. The Core Infrastructure Initiative is the first major proactive public step by major tech players in the wake of the Heartbleed disclosure.
Heartbleed is a recently discovered vulnerability affecting websites that rely on certain versions of OpenSSL for security. In essence, Heartbleed allows an attacker to steal data that should be protected by encryption and to eavesdrop on communications.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon, the Finland-based security firm that discovered Heartbleed, wrote on Heartbleed.com.
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," Codenomicon describes.
Heartbleed has been part of the OpenSSL code for over two years, but most experts agree that few attackers knew about it until it was revealed a couple of weeks ago. It is still unclear how much damage has been done through Heartbleed. Major websites, including Google, Facebook, and Yahoo, were all found to be vulnerable, and many prompted users to change their passwords.