Author's Opinion


Friday, 07 November 2014 11:08

OpenSSL, Bash bugs show why firms should back FOSS projects

By Sam Varghese

This year has been an unusual one for free software in that two popular projects have been hit by vulnerabilities that have had wide ramifications for all classes of software. And that is one good reason why the big proprietary software firms should look to support such projects financially.

The OpenSSL cryptographic software library was the first to suffer, when a vulnerability dubbed Heartbleed was discovered. This library is used across the spectrum. According to a website devoted to the bug: "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

OpenSSL has a four-man core team. The same four are also part of the 15-member development team. Many of these developers are also involved in other free software and open source projects. And, lest one forget, they also have to do paid work somewhere to put food on the table.

It is definitely not the place for a man looking for riches. Yet over the years, development has proceeded apace and, without any praise or awards, this small team has provided a library that has near universal usage. (There is now a fork of the project called LibreSSL, started after the bug was found by Theo de Raadt, who is the leader of the OpenBSD project.)

The second free software project to suffer was Bash, the Bourne-again shell which was created by the GNU Project set up by Richard Stallman in the 1980s. As the project describes it, "Bash is the GNU Project's shell. Bash is the Bourne Again SHell. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification."

When a series of remote vulnerabilities were discovered beginning on September 24, it was left to individual developers to come up with fixes. The lone Bash developer, Chet Ramey, was snowed under. Red Hat's Florian Weimer did yeoman work – while Apple, a company which uses Bash as its default shell, sat by and did little. It was tardy in the extreme with its patches and left the task of creating patches for older versions of its Mac OS X operating system to an individual.

Proprietary software companies love to use code that is available under the BSD family of licences, because they can take it, make changes, and lock it away for good in the depths of their own operating systems. They benefit no end from this, but rarely offer even a cent in goodwill to those who wrote the code.

Developers who release their code under the GPL family of licences have a safeguard against the kind of usage detailed above, because the GPL licences are a "share and share alike" breed. One can freely use code and modify it for one's own purposes. But if one distributes it, then one has to offer all the changes to anyone who asks for it.

But despite these safeguards, proprietary software companies often do not play fair. And free software and open-source software developers are not the most militant, and let things lie. Unless someone takes up cudgels for them, they just let it go as it is too exhausting to fight these battles.

But the year has shown clearly that there is more manpower needed in projects like OpenSSL and Bash, and others where there is wide usage. For example, the usage of OpenSSH, an implementation of the SSH protocol by the OpenBSD team, is more than 80 per cent. When he came to Melbourne a decade ago, OpenBSD project leader de Raadt was quite frank about the help he had received from big companies: "Hardware donations do not come from vendors who use OpenSSH on parts of their stuff. They come from individuals. The hardware vendors who use OpenSSH on all of their products have given us a total of one laptop since we developed OpenSSH five years ago. And asking them for that laptop took a year. That was IBM."

Developers need hardware to test their software against. They need bandwidth. And they need to be paid because they can then take their time to concentrate and code, instead of having to do a rush job because they have to also attend to their responsibilities at a paid job.

There are any number of big proprietary software companies that benefit from free software – Microsoft, Facebook, Google, Cisco, Twitter, Apple, Yahoo!, and Oracle to name a few. It is high time that these companies started contributing money to a developers' fund from which projects like OpenSSL and Bash can be supported.

All these companies have billions stashed away yet rarely does one see any decent-sized donation to any free or open source software project. And all the while, those very projects are saving the companies plenty.

Both the OpenSSL bug and the Bash bug have shown that it will cost far less to pay for some more coders in these projects, simply because it will lessen the chances of remotely exploitable bugs being introduced into software by overworked and underpaid individuals who are doing their best to release software in the face of unimaginable odds. It is a cheap way of avoiding public embarrassment and problems down the track.

Image courtesy Heartbleed.com

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
