Who Should Pay To Keep The Internet's Locks Secure? | WAMU 88.5 - American University Radio
The encryption code unlocked by the Heartbleed bug last week provided vital security for some of the most widely used websites on the Internet. Fortune 1000 companies rely on the open source code for their core business. But it turns out no one is paying for it.

The software that contained the bug — and has since been fixed — is OpenSSL. It's supposed to be the really safe, secure road on the Internet superhighway, where messages get encrypted and sent between users and servers. But the recent bug was like a gaping pothole.

The volunteer team at the OpenSSL Foundation couldn't catch it because there aren't enough of them to look. The group's founder, Steve Marquess, says only one person works solely on the software. "Everyone else has outside obligations," he says.

The group gets some money in corporate contracts. "Rather quite a bit — under $1 million," he says. But that's for company-specific work. In 2013, the group got just $2,000 for upkeep.

After news of the bug broke, one person on a popular tech forum joked the software could raise more money panhandling in a big city than it's gotten online.

Ed Felten, a computer scientist at Princeton University, says OpenSSL is like public infrastructure without a tax base. It's open source — meaning anyone can use it for free — but it's so poor, it's never had a complete security audit.

Two-thirds of websites rely on OpenSSL. In economics, these users are called free riders.

"A free rider problem means that someone can benefit from a project or a technology without contributing back to it," Felten says.

High-tech companies are keeping quiet about the software's financial woes. Facebook and OKCupid did not respond to NPR's inquiry. Yahoo, Amazon and Google declined to comment. Cisco did disclose that it does not give checks to OpenSSL, but the company's employees do actively help with code.

Many cybersecurity experts, including Felten, say that's not enough.

"Somebody needs to be paying and putting in the work to ensure that components like OpenSSL are secure. It's a job that some of the large companies could do individually and get together and do," Felten says.

David Chartier, CEO of Codenomicon, the company that found the Heartbleed bug, says the crisis is not a cautionary tale about free riders and corporate accountability. Software — public or private — will always have bugs, and people have to come together as a team to deal with them.

"Never before have we seen the security community, and the general public together along with media move so quickly to get the word out," Chartier says.

There is another silver lining. Marquess says since the bug was revealed, his group has gotten about $10,000 in checks.

"What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts," Marquess says.

But given all the traffic on OpenSSL, that still doesn't cover the cost of maintenance, he says.

Copyright 2014 KQED Public Media. To see more, visit http://www.kqed.org.