Someone would have to be pretty dense not to blame open-source for the global catastrophe that is the Heartbleed bug. But that hasn’t stopped InfoWorld from trying.
“Stop laying the blame for Heartbleed on open source,” blared the headline on its Monday PM email newsletter. Followed by: “Security experts acknowledge that open source is the best model for crypto, so how do we drive improvements to the model for creating security-critical infrastructure?”
Interestingly, the headline says open source isn’t to blame, but the text admits it needs to be fixed. Headline giveth, story taketh away. Let’s agree that the open source process failed. Can it be fixed?
You’d think so, but I wonder. Maybe some things — say, the security of essentially the whole Internet — are too important to be trusted to a process we obviously cannot count upon?
The Heartbleed blame game
I don’t blame the coder who inserted the bad code. I’d fire him, but I don’t blame him. First, I’d fire his bosses in the OpenSSL group. It was charged with preventing essentially everyone from having to change all their passwords, including those on accounts they didn’t even remember having. Every password must change to deal with the problem of bad guys grabbing a password used in more than one place.
This is about as big a security disaster as can be imagined, with the single silver lining that maybe, just maybe, not too much damage was done before fixes started being applied. Of course, it’s likely to be years before all unpatched servers and devices go away. So change your passwords.
InfoWorld seems to miss the minor point that open source is supposed to rely on openness, not secrecy, to protect it from hacking. Open source, I’d always been told, was secure because so many people looked at it that a problem would be quickly discovered and fixed.
That the process failed in OpenSSL’s case is an indictment to the core concept of open software. If InfoWorld’s “security experts” say open source security is so wonderful, why didn’t they care enough to prevent this from happening?
It’s not like we aren’t talking about the whole world’s Internet security or anything, right? Rather than setting up a mechanism to protect critical infrastructure, like OpenSSL, the open source community marveled at how wonderful their “free” software was, rather than investing in the testing necessary to prove it secure.
Wanna bet that whatever money was saved with “free” software has been many times spent in the past couple of weeks solving the problem that free software created? As a user, is it really too much to expect that the Internet geeks who make security decisions on my behalf will actually be good at their jobs?
I agree that, theoretically, open source security is probably the best model. Except that provably it failed. And because free software is so popular (What, me worry?) it’s a bit like what has happened to food crops with the loss of genetic diversity.
We have become so reliant that if a few varieties of rice die all at once, significant parts of the world might starve. Closer to home, take out some corn or wheat strains and Americans will suffer what NGOs like to call “food pressure.”
That makes me think putting all our “security eggs” into the OpenSSL basket was a pretty dumb thing to do.
Could the for-profit sector have done better?
Perhaps, the for-profit sector could do better. Maybe we need a real consortium to create this critical infrastructure that then charges to develop and manage it. Perhaps, this could be accomplished with some sort of a fee attached to domain names or some other way to spread the cost evenly.
Alternately, we could simply support multiple open source security projects. Having a single OpenSSL was convenient, but seems a convenience we maybe can no longer afford. Suppose we had 10 different implementations and only one had Heartbleed?
Clearly, something has to change. Open source needs some sort of an overseer to make sure the software is tested and works as promised, at least for the critical pieces. That requires money and commitment.
Some software really is “too big to fail” and we must prevent that. Open source is not the problem, per se, but for the important pieces it needs to be run less like a coder commune and more like the critical infrastructure business that it is.