Heartbleed’s Password Heartbreak

 Now that you’ve changed all your passwords (I did) in the wake of the discovery of a coding error in OpenSSL, the widely-used software for the secure transmission of data, it’s time to think about why the “Heartbleed bug” made it into the code and sat there undetected for two years. The problem can be fixed with a wake-up call and a bit of money.

The bug, which allowed hackers to capture passwords and other personal information, was the handiwork of German programmer Robin Seggelmann, who says it was an honest, “trivial” mistake. The reviewer, Englishman Stephen Henson, one of a “core team” of enthusiasts supporting the OpenSSL library, missed it. And that was it: We don’t know whether anyone exploited the vulnerability the two men created, but then hackers certainly wouldn’t tell us if they did.


Seggelmann has this to say to The Sydney Morning Herald by way of explanation: “It’s unfortunate that [open source software] is used by millions of people, but only very few actually contribute to it.”

That is not how the best-known open source evangelist, Linux creator Linus Torvalds, saw the future when he wrote in his 1999 book, “The Story of an Accidental Revolution”:

“Imagine: Instead of a tiny cloistered development team working in secret, you have a monster on your side. Potentially millions of the brightest minds are contributing to a project, and are supported by a peer review process that has no, er, peer.”

The open source ideology is still attractive to millions of engineers who work on it just for fun, and the challenge of producing beautiful things. As Torvalds wrote, “in a society where survival is more or less assured, money is not the greatest of motivators. It’s been well-established that folks do their best work when they are driven by a passion.”

Two conclusions follow. First, where there are people passionate enough about a product to work for free, others will claim their work and use it for profit because they are equally passionate about money. Second, open-source software will never be painstakingly debugged: No one is passionate about that kind of drudgery. This does not mean commercially-produced software is free from bugs, but at least paid developers bear responsibility for the products. In the case of OpenSSL, all the developer will do if something goes wrong is shrug and say he was doing it for free – more or less as Seggelmann did.

The reason so many big companies – Google, Facebook, Cisco, Juniper Networks, Yahoo!, Amazon and others – were using OpenSSL was that using the free libraries speeds up the development process and makes it cheaper. Even companies that initially frowned on open source, such as Microsoft, now talk of “a mixed-source” world. “Pragmatism from customers drove commercial vendors of all stripes toward interoperability,” the company wrote in a paper titled Microsoft and Open Source Software. “Today, the state of IT in virtually every sector is one of ‘mixed source’.”

The fact that for-profit companies have embraced open source does not mean, however, that they are willing to spend serious money to fund it. Why would they want to when it’s fueled by passion, as Torvalds explained? As Johns Hopkins University cryptography expert Matthew Green tweeted recently, “Hey companies that use OpenSSL: How many $$ have you spent recovering from Heartbleed? Why not fund OpenSSL so it doesn’t happen again?”

You won’t see any household names on this web page, where the OpenSSL Software Foundation lists its biggest sponsors. Compare it to the corresponding page for Apache Foundation, which supports the development of eponymous software powering web servers.

Open source is increasingly becoming a business, but there will always be a selfless, anarchic core to it. It is extremely valuable, and it deserves every form of support. Commercial vendors who use a lot of open source software should be more involved in funding and testing it. Passion is great, but it’s an imperfect replacement for money and the human resources necessary for boring technical work.

Those of us who don’t like changing passwords too often should also consider making a few personal donations to software foundations that are behind products we use every day, often without being aware of it. It’s easy to find out what they are: A simple Google search will work.