Who Should Pay To Keep The Internet's Locks Secure? | WAMU 88.5 - American University Radio

The encryption code that the Heartbleed bug exposed last week provides vital security for some of the most widely used websites on the Internet. Fortune 1000 companies rely on this open source code for their core business. But it turns out no one is paying for it.

The software that carried the bug, since fixed, is OpenSSL. It's supposed to be the really safe, secure road on the Internet superhighway, where messages get encrypted and sent between users and servers. But the recent bug was like a gaping pothole.

The volunteer team at the OpenSSL Foundation couldn't catch it because there aren't enough of them to look. The group's founder, Steve Marquess, says only one person works solely on the software. "Everyone else has outside obligations," he says.

The group gets some money in corporate contracts. "Rather quite a bit — under $1 million," he says. But that's for company-specific work. In 2013, the group got just $2,000 for upkeep.

After news of the bug broke, one person on a popular tech forum joked the software could raise more money panhandling in a big city than it's gotten online.

Ed Felten, a computer scientist at Princeton University, says OpenSSL is like public infrastructure without a tax base. It's open source, meaning anyone can use it for free, but it's so poorly funded that it has never had a complete security audit.

Two-thirds of websites rely on OpenSSL. In economics, these users are called free riders.

"A free rider problem means that someone can benefit from a project or a technology without contributing back to it," Felten says.

High-tech companies are keeping quiet about the software's financial woes. Facebook and OKCupid did not respond to NPR's inquiry. Yahoo, Amazon and Google declined to comment. Cisco did disclose that it does not give checks to OpenSSL, but the company's employees do actively help with code.

Many cybersecurity experts, including Felten, say that's not enough.

"Somebody needs to be paying and putting in the work to ensure that components like OpenSSL are secure. It's a job that some of the large companies could do individually and get together and do," Felten says.

David Chartier, CEO of Codenomicon, the company that found the Heartbleed bug, says the crisis is not a cautionary tale about free riders and corporate accountability. Software, public or private, will always have bugs, and people have to come together as a team to deal with them.

"Never before have we seen the security community, and the general public together along with media move so quickly to get the word out," Chartier says.

There is another silver lining. Marquess says since the bug was revealed, his group has gotten about $10,000 in checks.

"What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts," Marquess says.

But given all the traffic on OpenSSL, that still doesn't cover the cost of maintenance, he says.

Copyright 2014 KQED Public Media. To see more, visit http://www.kqed.org.
