Heartbleed bug not a technical problem – it’s an awareness and support problem

by David Solomonoff

While free/open source software (FOSS) may be a better development model and, as Richard Stallman argues, an ethical one, it doesn’t guarantee good software by itself. Software development, like any other human endeavor, depends on the skills, resources and motivations of the people doing it.

FOSS advocates argue that the inner workings of technology should be open to inspection and modification by their users.

While the Heartbleed bug was a technical problem that is being fixed, the real problem is the lack of awareness of, or interest in, the back-end technologies that we rely on.

Encryption used on the Internet is now critical infrastructure, and unfortunately, in the case of OpenSSL, it has not been allocated the needed resources. That two thirds of websites relied on security tools developed and maintained by four people, only one of them a paid full-time employee, is clearly a formula for disaster.

However the prospect of having a government maintain this type of infrastructure in the wake of the NSA spying scandals (as well as allegations that they were aware of the bug and exploited it) is not likely to gain a lot of traction.

FOSS uses a variety of business models but the reliance on volunteers for critical infrastructure may have hit its limit.

In the end, the solution to security problems like Heartbleed may be one of funding and awareness rather than fixing a specific programming error.

All too often there has been confusion as to whether the “free” in FOSS refers to “free” speech or to “free beer”.

It looks like the bar tab has come due.
