Major tech companies back 'Heartbleed' prevention measure
After the OpenSSL flaw nicknamed 'Heartbleed' potentially exposed over two-thirds of websites to hackers, a group of major tech companies, including Amazon, Google, and Facebook, is donating funds to improve the security of open-source software.
Boston — The world's biggest technology companies are donating millions of dollars to fund improvements in open source programs like OpenSSL, the software whose "Heartbleed" bug has sent the computer industry into turmoil.
Amazon.com Inc, Cisco Systems Inc, Facebook Inc, Google Inc, IBM, Intel Corp and Microsoft Corp are among a dozen companies that have agreed to be founding members of a group known as Core Infrastructure Initiative. Each will donate $300,000 to the venture, which is recruiting more backers among technology companies as well as the financial services sector.
Other early supporters are Dell, Fujitsu Ltd, NetApp Inc, Rackspace Hosting Inc and VMware Inc.
The industry is stepping up after the group of developers who volunteer to maintain OpenSSL revealed that they received donations averaging about $2,000 a year to support the project, whose code is used to secure two-thirds of the world's websites and is incorporated into products from many of the world's most profitable technology companies.
"I think we get complacent as an industry when we see something as working well or working 'well enough.' We sort of see it as a 'maintenance job,'" said Chris DiBona, director of open source and engineering with Google. "We have to be a bit more vigilant."
The Heartbleed bug has likely cost businesses tens of millions of dollars in lost productivity as they have had to update systems with safe versions of OpenSSL, according to security experts. Also, it has already resulted in at least one major cyber attack: the theft of data from Canada's tax authority.
The non-profit Linux Foundation, which promotes development of the open source Linux operating system, organized the group, whose formation it announced on Thursday.
It will support development of OpenSSL as well as other pieces of open source software that make up critical parts of the world's technology infrastructure, but whose programmers do not necessarily have adequate funding to support their work, said Jim Zemlin, executive director of the Linux Foundation.
Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.
Open source software refers to programs developed by groups of developers spread across the globe, who seek community involvement to improve the code. Companies are typically free to incorporate such code in their products without paying any fees to volunteer developers who maintain the code.
Some types of open-source software, such as Linux and the MySQL database, have versions that are sold by companies such as Red Hat Inc and Oracle Corp, which offer premium services such as updates and help-desk support.
The Core Infrastructure Initiative expects to offer one or more of the small crew of OpenSSL developers full-time jobs working on the project through fellowships, Zemlin said in an interview.
It will also identify other projects like OpenSSL that it believes are equally critical to the infrastructure of the Internet and merit support.
Eben Moglen, a Columbia Law School professor and attorney who represents many open-source software projects, said he believes there are six to 10 such open-source projects that are critical to the Internet's infrastructure.
"The process of keeping software secure is constant. It never stops," said Moglen, whose clients include the group of OpenSSL developers.