Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community.
The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community.
Heartbleed originated in this community, in which these volunteers, connected over the Internet, work together to build free software, to maintain and improve it and to look for bugs. Ideally, they check one another’s work in a peer review system similar to that found in science, or at least on the nonprofit Wikipedia, where motivated volunteers regularly add new information and fix others’ mistakes.
This process, advocates say, ensures trustworthy computer code.
But since the Heartbleed flaw got through, causing fears — as yet unproved — of widespread damage, members of that world are questioning whether the system is working the way it should.
“This bug was introduced two years ago, and yet nobody took the time to notice it,” said Steven M. Bellovin, a computer science professor at Columbia University. “Everybody’s job is not anybody’s job.”
Once Heartbleed was revealed, nearly two weeks ago, companies raced to put patches in place to fix it. But security researchers say more than one million web servers could still be vulnerable to attack. Mandiant, a cyberattack response firm, said on Friday that it had found evidence that attackers used Heartbleed to breach a major corporation’s computer system, although it was still assessing whether damage was done.
What makes Heartbleed so dangerous, security experts say, is the so-called OpenSSL code it compromised. That code is just one of many maintained by the open-source community. But it plays a critical role in making our computers and mobile devices safe to use.
OpenSSL code was developed by the OpenSSL Project, which has its roots in efforts in the 1990s to make the Internet safe from eavesdropping. “SSL” refers to “secure sockets layer,” a kind of encryption. Those who use this code do not have to pay for it as long as they credit the OpenSSL Project.
Over time, OpenSSL code has been picked up by companies like Amazon, Facebook, Netflix and Yahoo and used to secure the websites of government agencies like the F.B.I. and Canada’s tax agency. It is baked into Pentagon weapons systems, devices like Android smartphones, Cisco desktop phones and home Wi-Fi routers.
Companies and government agencies could have used proprietary schemes to secure their systems, but OpenSSL gave them a free and, at least in theory, more secure option.
Unlike proprietary software, which is built and maintained by only a few employees, open-source code like OpenSSL can be vetted by programmers the world over, advocates say.
“Given enough eyeballs, all bugs are shallow” is how Eric S. Raymond, one of the elders of the open-source movement, put it in his 1997 book, “The Cathedral & the Bazaar,” a kind of manifesto for open-source philosophy.
In the case of Heartbleed, though, “there weren’t any eyeballs,” Mr. Raymond said in an interview this week.
Although any programmer may work on OpenSSL code, only a few regularly do, said Ben Laurie, a Google engineer based in Britain who donates time to OpenSSL on nights and weekends. This is a problem, he said, adding that the companies and government agencies that use OpenSSL code have benefited from it but give back little in return.
The Latest on: Open-source community
[google_news title=”” keyword=”Open-source community” num_posts=”10″ blurb_length=”0″ show_thumb=”left”]
via Google News
The Latest on: Open-source community
- Top 5 Best Open Source LLMs in 2024on February 22, 2024 at 4:01 pm
Unlike proprietary LLMs, Open Source LLMs are not controlled by a single entity. Instead, they are developed and maintained by a community of developers and users. This decentralized nature ...
- Best open-source CRM of 2024on February 22, 2024 at 1:35 am
Open source technologies are those where the source code has been released for free to the wider community. Unlike proprietary solutions, open-source CRMs are free if you host it yourself ...
- Sylva Announces First Community Release: Open Source Cloud Stack Revolutionizing Telco and Edge Solutionson February 21, 2024 at 11:31 pm
Linux Foundation Europe (LF Europe) and its Sylva project are excited to announce the official release of Sylva V1, a groundbreaking open source cloud stack specifically designed for Telco and Edge ...
- First Gemini, now Gemma: Google introduces new open-source AI modelson February 21, 2024 at 8:17 am
Google announced it launched a family of open-source AI models built off the same technical and infrastructure components as Gemini.
- Jim Zemlin and the Linux Foundation share not-so-secret open-source sauceon February 21, 2024 at 3:51 am
Collaborative innovation has been the group's driving force for a quarter of a century. Or, to paraphrase Lao Tzu, the journey of a thousand open-source programs starts with a single project.
- Ajay Lotan Thakur, a Technology Leader, is leading the charge to revolutionize Open-Source Cloud Native Private 5Gon February 14, 2024 at 12:36 am
Ajay Lotan Thakur’s contributions demonstrate that 5G, AI/ML, cloud computing, and open-source technologies are transforming the telecommunication sector.
- How to Navigate Open-Source Security Without Stifling Innovationon February 7, 2024 at 4:00 pm
noted that conversations between the open-source community, the cybersecurity industry and governments simply did not take place three years ago. Now, they are happening on a regular basis. However, ...
- Open source ‘headless commerce’ builder Saleor closes $8M round led by Target Global and Zalandoon February 6, 2024 at 12:02 am
In a statement, Lina Chong, partner at Target Global, said the firm was attracted to “Saleor’s thriving open source community” and “robust SaaS offering.” Founded in 2020 but existing as ...
- Mistral CEO confirms ‘leak’ of new open source AI model nearing GPT-4 performanceon January 31, 2024 at 2:44 am
The past few days have been a wild ride for the growing open source AI community — even by its fast-moving and freewheeling standards. Here’s the quick chronology: on or about January 28 ...
via Bing News