Heartbleed - Your comments about the Newsletter

Matthias Kirschner mk at fsfe.org
Tue May 6 08:10:10 UTC 2014


I am interested in your feedback about the Heartbleed part of the May
Newsletter <https://fsfe.org/news/nl/nl-201405.en.html>: 


 == Heartbleed and economic incentives ==

You probably heard about the bug in the Free Software OpenSSL nicknamed
"heartbleed". The FSFE already welcomed the industry initiative to fund
critical Free Software projects[1], and the topic was discussed in
several blog articles on the planet: Sam Tuke wrote about his
impression[2], Hugo Roy shared an XKCD comic explaining how heartbleed
works[3], and Martin Gollowitzer wrote about what the Heartbleed bug
revealed to him[4] about StartSSL certificate authority.

But your editor is convinced that the main problem is not OpenSSL. It is
not Free Software. It is about companies not taking responsibility and
about missing economic incentives to ensure security. Security expert
Bruce Schneier wrote in 2006[5]:

    "We generally think of computer security as a problem of technology,
    but often systems fail because of misplaced economic incentives: The
    people who could protect a system are not the ones who suffer the
    costs of failure."

In a nutshell, if your private data is exposed because your health
insurance, where it is stored, did not take care to secure it, you
suffer to a much higher degree than the health insurance does! You are
in no position to pressure the health insurance to change its level of
security, and they have no economic incentive to do so. In the article
Schneier further explains that the liability for attacks is diffuse and
that "the economic considerations of security are more important than
the technical considerations".

Following the argument, the important question we face is, how can we
give the right economic incentives to ensure that: security relevant
software has the proper funding; third parties are auditing code; more
people are trained in computer security; programmers have time for
maintenance and are not forced to just develop new features; we have a
diversity of software[6] for different special purposes and therefore
prevent software monocultures[7]; companies run secure software instead
of just giving people a good feeling by performing a security theatre or
by delegating responsibility to others (for example the government), so
they can be blamed if there is a problem, and that also the security
interests of private users are fulfilled and not just those of big
corporations.

In the FSFE we thought about how to give good economic incentives for
Free Software development from the beginning, and now we have to think
more about economic incentives to increase security. It is a difficult
area, so we are looking forward to your comments on this topic and
invite you to discuss it on our public mailing lists[8].

  1. https://fsfe.org/news/2014/news-20140424-01.en.html
  2. https://blogs.fsfe.org/samtuke/?p=718
  3. http://hroy.eu/notes/openssl-tragedy/
  4. https://blogs.fsfe.org/gollo/2014/04/13/what-the-heartbleed-bug-revealed-to-me/
  5. https://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html
  6. https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
  7. https://www.schneier.com/blog/archives/2014/04/dan_geer_on_hea.html
  8. https://fsfe.org/contact/community.en.html

Best Regards,
Matthias

-- 
Matthias Kirschner - Vice President FSFE
Schönhauser Allee 6/7, 10119 Berlin, t +49-30-27595290
Weblog (blogs.fsfe.org/mk) - Contact (fsfe.org/about/kirschner)
Receive monthly Free Software news (fsfe.org/news/newsletter.html)
Your donation enables our work (fsfe.org/donate)
