As the fears and realities of bugs, hacks and crashes of our global lifeblood – the internet – hang round us like flies attracted to filth, one commentator believes it’s all about money, rather than malicious thinking.
Robert McMillan wrote an exposé on Wired (11 April 2014) under the heading ‘How Heartbleed Broke the Internet – And Why It Can Happen Again.’
We’re going to paraphrase it as it makes such a powerful point in the discussion about the safety and security of our main communication system, especially at this time of real concern about Heartbleed.
For the purposes of this discussion, web and internet are treated as the same thing in common with most people’s understanding, though purists insist they are different from each other.
Heartbleed, It’s a Bad One
McMillan claimed that Stephen Henson is ‘responsible for the tiny piece of software code that rocked the internet this April.’
Just before 2012 began, Henson received a piece of code from Robin Seggelmann, an academic expert in internet protocols, adding the TLS heartbeat extension to OpenSSL, the open source library that implements the SSL/TLS security protocols. Henson committed it to OpenSSL’s code repository, from where it spread into software across the web.
That tiny code contained a bug ‘that would cause massive headaches for internet companies worldwide, give conspiracy theorists a field day, and, well, undermine our trust in the internet. The bug is called Heartbleed, and it’s bad.’
It can be used to steal usernames and passwords from sites such as Yahoo, and to let criminals slip into online bank accounts. ‘And in theory, it could even help the NSA or China with their surveillance efforts.’ It is so bad that BlackBerry was among the first to produce patches to protect its customers.
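To show what ‘tiny piece of code’ and ‘steal passwords’ mean in practice, here is an added example, written for this post rather than taken from OpenSSL or from McMillan’s article. It is a simulation in C: a heartbeat-style record carries a claimed payload length, the vulnerable handler copies that many bytes back without checking how many bytes actually arrived, so it reads past the record into neighbouring memory (here a constructed ‘secret’ placed right after it). The fixed handler adds the same kind of check OpenSSL’s patch for CVE-2014-0160 added: a claimed length that does not fit inside the record received is rejected. The arena layout, the secret string and the function names are all constructed for the demo; the real OpenSSL code is more involved, and on a real heap the over-read returns whatever happens to sit next to the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of process memory: the heartbeat record
 * arrives first, and unrelated data (our "secret") sits right after it, as
 * neighbouring heap allocations would.  Sizes are chosen so that every read in
 * this demo stays inside the arena; on a real heap the over-read runs into
 * whatever happens to be adjacent. */
enum { ARENA_SIZE = 64, HB_HEADER_LEN = 3 };   /* 1-byte type + 2-byte length */

/* Lay out a heartbeat request with a (possibly lying) claimed payload length,
 * followed by the secret.  Returns the number of bytes the record really has. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len,
                          const char *payload, const char *secret)
{
    size_t actual = strlen(payload);
    size_t record_len = HB_HEADER_LEN + actual;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = 1;                               /* heartbeat request type */
    arena[1] = (uint8_t)(claimed_len >> 8);     /* big-endian length field */
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, payload, actual);
    memcpy(arena + record_len, secret, strlen(secret));
    return record_len;
}

/* Vulnerable handler: echoes back as many bytes as the peer *claims* it sent.
 * Only the destination buffer is bounds-checked; the source is not. */
static size_t vulnerable_respond(const uint8_t *record, size_t record_len,
                                 uint8_t *out, size_t out_cap)
{
    (void)record_len;                           /* real length never consulted */
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    if (claimed > out_cap)
        return 0;
    memcpy(out, record + HB_HEADER_LEN, claimed);   /* over-read when claimed > actual */
    return claimed;
}

/* Fixed handler: the claimed payload must fit inside the record we received. */
static size_t fixed_respond(const uint8_t *record, size_t record_len,
                            uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN)
        return 0;
    uint16_t claimed = (uint16_t)((record[1] << 8) | record[2]);
    if ((size_t)HB_HEADER_LEN + claimed > record_len)   /* the missing check */
        return 0;                                       /* silently discard */
    if (claimed > out_cap)
        return 0;
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return claimed;
}

/* 1 if the secret's bytes appear anywhere in the response, else 0. */
static int leaks_secret(const uint8_t *out, size_t out_len, const char *secret)
{
    size_t n = strlen(secret);
    if (n == 0 || out_len < n)
        return 0;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Run one malicious heartbeat against either handler; returns 1 if it leaked. */
static int heartbleed_demo(int use_fixed)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    const char *payload = "hat";                /* 3 bytes actually sent */
    const char *secret  = "passwd=hunter2";     /* constructed neighbouring data */
    uint16_t claimed = 40;                      /* peer claims 40 bytes */
    size_t record_len = build_arena(arena, claimed, payload, secret);
    size_t n = use_fixed ? fixed_respond(arena, record_len, out, sizeof out)
                         : vulnerable_respond(arena, record_len, out, sizeof out);
    return leaks_secret(out, n, secret);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", heartbleed_demo(0) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n", heartbleed_demo(1) ? "yes" : "no");
    return 0;
}
```

The point worth noticing is how small the difference is: one comparison between a length the peer supplied and the length the receiver can actually vouch for. A peer can repeat the request as often as it likes and harvest a fresh slice of memory each time, which is why the bug leaked keys and credentials rather than one unlucky byte.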
We’ve been here before with bugs, but here’s McMillan’s chilling point: ‘Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all.’
Who’s Paid to Do What?
He said that the code containing this bug was ‘written by a team of four coders that has only one person contributing to it full-time. And yet Henson’s situation isn’t an unusual one. It points to a much larger problem with the design of the internet. Some of its most important pieces are controlled by just a handful of people, many of whom aren’t paid well — or aren’t paid at all. And that needs to change.’
He thought that we must add ‘more oversight to the internet’s underlying infrastructure. We need a dedicated and well-funded engineering task force overseeing not just online encryption but many other parts of the net.’
Open source software, which underpins so much of the net, has a ‘serious sustainability problem. Linux, Mozilla, and the Apache web server enjoy hundreds of millions of dollars of funding, but other important projects don’t have money or people behind them.’
According to McMillan, ‘Mozilla, maker of the Firefox browser, reported revenues of more than $300 million in 2012. But the OpenSSL Software Foundation, which raises money for the project’s software development, has never raised more than $1 million in a year; its developers have never all been in the same room. And it’s just one example.’
When a developer solves a problem and open sources the solution, it can spread widely and become popular almost overnight, yet many such projects are then left without proper maintenance. He cited Dnsmasq, started by British systems administrator Simon Kelley, which after 15 years and 30,000 lines of code has become ‘a critical piece of network software found in hundreds of millions of Android mobile phones and consumer routers.’
Kelley has sympathy with the OpenSSL team, who develop critical and widely used software with minimal resources, as his own situation is precarious: at present he is on just a nine-month contract with Comcast, with no long-term funding behind Dnsmasq. He is recorded as saying ‘with each release, I get more nervous.’
Money Buys Audits
Conceding that money doesn’t buy good code, McMillan argued it ‘pays for software audits and face-to-face meetings, and it can free up open-source coders from their day jobs.’ Most of OpenSSL’s money comes from companies asking for support or specific development work, which leaves the developers no time for ‘code audits, security reviews, refactoring.’
He felt that this problem is also ‘preventing some critical technologies from being added to the internet.’ As the net gets bigger and traffic increases, choke points and vulnerable stretches are inevitable. Individual developers may know, or be able to work out, how to fix these weaknesses, but without proper funding and systematic organisation they are not heard.
- So, does the world need an international regulatory body?
- A web domain policing equivalent?
- A UN of the web?
- A levy on every web user to pay for audits, security and expansion?
- A less open source attitude?
Consider these blogs, too:
New Web Domains Set to Flood the World With Cybersquatters, 11 March 2014
Three Seconds Is Too Long to Load a Website, 25 December 2013
Cybercriminals Should Keep Us All Alert, Looking Over Our Shoulders, 22 October 2013
The Digital Economy Is No Longer an Add-On, It IS The Economy, 27 August 2013
Lies, Half Truths and the Internet Are Not All True, 3 July 2013
Policing the Internet: Everybody Wants to Do It, Nobody Will, 10 October 2012
Image: NASA Apollo 17