I have been thinking about recent news about recently discovered problem with open SSL that left many sites vulnerable for a couple years. This problem has been dubbed the HeartBleed vulnerability.
My first reaction was discouragement at finding out that something specifically promising to be secure is not secure after all. This is not the first time something like this was discovered where something supposedly secure has some other way to be vulnerable. It is folly to expect any kind of protection on the Internet.
My second reaction concerned some reports, later denied, that the government knew about this problem but chose to leave it vulnerable. Although it was denied, I still want a firm commitment that the government would immediately take steps to report to the developers any vulnerabilities the government finds. I doubt I’ll ever get that.
My last reaction was about the poor individuals who put so much effort into developing and maintaining open source software for no compensation and yet are criticized severely for allowing such a problem to slip through. I wonder why anyone would want to commit to that kind of project. Not only is there no compensation, but there is no protection at all.
In this particular case, the software is so widely used that if it were commercially distributed it could have brought in sufficient revenues to support larger team and with more protections of a corporate entity. It seems ridiculous that so many for-profit companies have made fortunes in large part enabled by this particular piece of software that they paid nothing for.
It seems even more ridiculous that the government itself takes advantage of this free software extensively for its own internal projects. People are paid very well to work on these projects and they end up using free open source software that the paid workers don’t even bother to read the code. When something happens, everyone looks at this one volunteer developer as if he were to blame. He is not to blame. The community as a whole is to blame for not doing their fair share in the project.
There are commercial providers of competing software and they have fairly significant costs. A justification for that cost is that they are making a commitment to be sure the developers are well funded.
In practice, open source software fares pretty well with commercial products in terms of software errors and speed of fixing problems. A simple cost analysis would recommend free open source software because it is reasonably competitive.
However, the choice of using open source software should come with a commitment to give back. There were thousands of users of this software, most of whom were paid very well, and yet no one could be bothered to check the code for possible weaknesses. They instead blissfully expected magical beings to take care of things.
This is the biggest travesty. The vulnerability was not hard to detect if some of these paid developers who used the code actually spent some time actually giving back by checking over the source code.
This gets back to the second reaction above where there was a rumor that the government staff had checked the code, found a problem, and didn’t report it so that the government can exploit it. They denied this rumor. But that very denial is an admission that all of their highly paid developer staff who use this particular software for many projects have not spent any of their compensated time actually checking the open source to help the community keep the code safe. I think that is equally as bad as admitting they found it and kept their mouths shut.
Using open source software to support well-compensated projects ought to obligate those developers to participate in the open source project. They should be spending time improving that code base with code review, testing, refactoring, or where ever else they can help out. At the very least they can donate some money to the developers.
The government has a large initiative to adopt open source software into government projects with the goal of saving a lot of money. That initiative ought to include a commitment to contribute to those projects through the funded projects that benefit from the open source free stuff. There should be a commitment to give as much as they take. That would mean it wouldn’t be such a big money saver.
I doubt this is happening. This particular event is good evidence that it isn’t happening.
I’ve been watching the open source phenomena for a long time, and I have been a reluctant user of some of the fruits of these efforts. I mention reluctance because of recognizing that I would not be able to hold up my end of the bargain by contributing back in some form.
I much prefer a licensed product because it is a clean transaction. The company accepts my license fees as a fair trade for access to their software. Although I will hold them to fix any errors or deficiencies, I’m not obliged to participate in their software project. This is a honest transaction.
The alternative of using open source has an implicit obligation to give something back. The point of open source is that the source code is available. I have always interpreted that to mean that I have no excuse to not notice any bugs. In other words, the choice to use open source software is the choice to accept full responsibility of what that source compiles into. If something does go wrong, the first in line to blame is the one who chose to use the software, the last person to blame is the one who introduced the bug.
As I watch the HeartBleed fiasco unfold, it doesn’t look like many others think that way. These are paid software developers who couldn’t be bothered to check the source code that was open to them. They believed it was not their job.
It should have been part of their job description. Using open source should mean the user is responsible for what is inside it. After all the source is open and readily available. This should be especially true for government users whose alternative is far more rigorous and expensive software development that adheres to very strict government-imposed development standards.
They shouldn’t be a using open source as a way to avoid doing their job.
The government used the libraries that had this problem. Either they did their job and found the problem early and didn’t report it, or they didn’t do their job and never bothered to check if there were any problems. Either way, they failed.