Tech titans join forces to stop the next Heartbleed
The Linux Foundation's new Core Infrastructure Initiative creates a virtual Justice League of the biggest tech firms to ensure that open-source code gets the cryptographic scrutiny that it desperately needs.
In between hurriedly snapping 1,250 pieces of a Lego Millennium Falcon set together in time for his daughter's sixth birthday last Sunday, Jim Zemlin, executive director of the Linux Foundation, was just as frantically making calls to tech's biggest firms. The future of Internet security could be at stake.
Google, which he called first, said yes. Facebook said yes. Intel said yes. And by 11 p.m. in New York City last night, with Amazon Web Services and Rackspace on board, Zemlin had lined up a dozen companies and millions of dollars to support his latest project, the Core Infrastructure Initiative.
The initiative, a new open-source security evaluation group that the Linux Foundation announced on Thursday morning, has founding members that stretch from Silicon Valley around the world. In addition to the aforementioned companies, Microsoft, Cisco, Dell, Fujitsu, IBM, NetApp, and VMware have all signed on, and each will contribute $100,000 annually over the next three years to support the project and sit on its guiding board, although anyone can donate.
Conceived by Zemlin just over a week ago, the group is tasked with building a framework to permanently support the myriad of critical yet often under-funded open-source projects that most of the Internet has come to rely on.
"I thought, Where did we go wrong?" Zemlin told CNET when asked to describe the origins of the initiative. "There are numerous open-source projects that are not in line with the same kind of support that supports Linux."
OpenSSL is used by so many website owners and hardware makers that it has become the de facto spine of Internet encryption. Announced two weeks ago with a coordinated campaign to educate Internet users and tech firms about its severity, Heartbleed allowed an attacker to pluck critical personal data such as usernames, passwords, and credit card numbers out of ostensibly secure transmissions. Many, but not all, of the servers that deliver the most popular sites on the Web have been patched; Internet-connected devices that use OpenSSL, however, may still be exposed.
Zemlin said that he expects the Core Infrastructure Initiative to financially support cryptographic experts who devote their time to open-source code, the same way that the Linux Foundation was created to support Linux's creator Linus Torvalds so that he could work solely on the open-source operating system.
That may not be the best analogy, as there have been kernel bugs in Linux for 20 years. Still, Zemlin was enthusiastic.
"The concept that 'more eyeballs make bugs more shallow' I don't think is wrong. The idea is that we want to facilitate faster idea sharing," he said. "This has been somewhat proven by the Linux model."
Professor Eben Moglen of Columbia Law School said in a statement that "maintaining the health of the community projects that produce software critical to the security and safety of Internet commerce is in everyone's interest."
The founding director of the Software Freedom Law Center, Moglen said that the companies involved are ensuring that the Internet will "work safely for us all."
Chris DiBona, Google's director of engineering for open source and Zemlin's first contact for the project, said that once Zemlin contacted him, the only issue was figuring out whether DiBona or his boss, Google vice president of security Eric Grosse, would take ownership of Google's responsibilities. Where the $100,000 annual contribution would come from was almost an afterthought.
"It's slightly less than the cost of hiring an engineer ourselves," he said. Google's managing board didn't have to be consulted.
While a $1.2 million operating budget may not sound like much and is close to what one of the initiative's founding companies might consider pocket change, Zemlin said that the point of the new group goes beyond dollars.
"At least equally important, and I would posit more important, is that this forum will now exist," he said. Another bug like Heartbleed "will happen again," and Zemlin hopes that the framework created by the initiative will lessen the risk.
"The initial, first baby steps [of the initiative] is that it will find the people working on [Open]SSL who aren't spending their whole time on it, and get them to spend their whole time on it," DiBona said.
Once the framework is in place and work on OpenSSL has begun, DiBona said that he'd like to see the organization tackle security in the "most popular and least developed" open-source projects, including core system libraries and cryptography analysis tools. The project's advisory board, on which each contributing company gets a seat, will identify not only what to tackle next, but how to go about building the group in the first place. The organization is so new that it hasn't even met yet.
Zemlin said that none of the companies he contacted balked at participating and that he expects the group to grow rapidly as word spreads. Firms like Apple and Adobe were missing from the list of founders, he said, for two reasons: he didn't know anybody to reach out to at those companies, and he had to juggle making the phone calls with his daughter's birthday.
Josh Corman, the former director of security intelligence at Akamai and current chief technology officer at security firm Sonatype, applauded the creation of the initiative but said that some parts of it concerned him.
"A fear of this initiative is that sometimes the presence of any solution will take the heat off, that it could remove some urgency simply because it's something that needs to be done," as opposed to being the best solution, he said. "But if it creates some adult recognition of our dependence on open source, that could be great."
Zemlin acknowledged that the unsettled nature of the project is also likely to cause concern among security experts early on.
Also of concern, he said, is the as-yet unknown methodology by which the group's board chooses which projects to prioritize, and how to address the thornier problems facing open-source security, such as updating Internet-connected devices.
DiBona conceded that it's impossible to patch all the vulnerable devices and websites running OpenSSL.
"There's always going to be some level of vulnerable device out there," he said. "I'm not as worried about it, because manufacturers shut off features they don't actually use to save space [memory]. The hope would be that devices that don't get patched get retired by their owners."
The mechanisms by which the group makes decisions "should be able to have management meet the hackers, and help the hackers on the hackers' terms," Zemlin said. "That's meaningful, that's a change. We'd like to help."
While the Core Infrastructure Initiative is barely out of the womb, Zemlin has high hopes for its impact during its first year.
"It's not a panacea, not going to prevent all problems, but it's going to play an important role in preventing essentially a market failure. If we could play a small role in solving that problem, I'd be incredibly gratified," he said.