Little Progress Has Been Made Toward Preventing the Next Heartbleed

Black Hat: More Internet-Scale Bugs Are Likely Lurking.

-- Tom

 

I don't see this changing unless, as it mentions in the article, commercial companies who use open source libraries are made legally liable. So that,for example, they would be considered negligent if bugs arose in software libraries they used but hadn't audited, or hadn't some form of support contract. Won't happen because of the craven behavior of politicians towards corporates.

A decent infusion of money would improve quality and fix rate fairly quickly.

 

The real progress is the progress LibreSSL is making to become a viable replacement.

Throwing money at crappy developers doesn't improve crappy code, you'd need to hire better people all together or teach the current ones. Those better people are already working on a better project, LibreSSL.

To be clear, a lack of funding isn't what caused OpenSSL to be an abomination, it just kept it undermanned. There are many good projects in the world that are also undermanned.

 

Well, Truecrypt was very well-coded by accounts I've heard, but needed crowdfunding to audit, and didn't entice the developers sufficiently to continue. And it's stopped development.

It's not point libraries or projects that's the problem either, it goes from soup to nuts to make a solid base for our computing and communications so that no-one without a warrant gets to see anything. Every darn thing is security is needlessly hard, and it only needs one slip.

People have to eat, and it's a hard call when your family needs resources and you tell them you don't have time or money enough - or else you can work for some corporate or the security services for a fat pay-check and weaken encryption and attack the population and allies. Talk about Faustian. There's a huge amount of resources on the bad-guy side, and not enough representing the interests of the population.

 

Well I'm not against paying people to work on open source projects just in case you thought that. I just think the funding is going to the wrong place.