Heartbleed - Your comments about the Newsletter

Andrés a75576 at alumni.tecnun.es
Tue May 6 22:47:49 UTC 2014


On 6 de mayo de 2014 09:10:10 GMT+01:00, Matthias Kirschner <mk at fsfe.org> wrote:
>I am interested in your feedback about the Heartbleed part of the May
>Newsletter <https://fsfe.org/news/nl/nl-201405.en.html>: 
>
>
> == Heartbleed and economic incentives ==
>
>You probably heard about the bug in the Free Software OpenSSL nicknamed
>"heartbleed". The FSFE already welcomed the industry initiative to fund
>critical Free Software projects[1], and the topic was discussed in
>several blog articles on the planet: Sam Tuke wrote about his
>impression[2], Hugo Roy shared an XKCD comic explaining how heartbleed
>works[3], and Martin Gollowitzer wrote about what the Heartbleed bug
>revealed to him[4] about StartSSL certificate authority.
>
>But your editor is convinced that the main problem is not OpenSSL. It
>is not Free Software. It is about companies not taking responsibility
>and about missing economic incentives to ensure security. Security
>expert Bruce Schneier wrote in 2006[5]:
>
>   "We generally think of computer security as a problem of technology,
>   but often systems fail because of misplaced economic incentives: The
>   people who could protect a system are not the ones who suffer the
>   costs of failure."
>
>In a nutshell, if your private data is exposed because your health
>insurance, where it is stored, did not take care to secure it, you
>suffer to a much higher degree than the health insurance does! You are
>in no position to pressure the health insurance to change its level of
>security, and they have no economic incentive to do so. In the article
>Schneier further explains that the liability for attacks is diffuse and
>that "the economic considerations of security are more important than
>the technical considerations".
>
>Following the argument, the important question we face is, how can we
>give the right economic incentives to ensure that: security relevant
>software has the proper funding; third parties are auditing code; more
>people are trained in computer security; programmers have time for
>maintenance and are not forced to just develop new features; we have a
>diversity of software[6] for different special purposes and therefore
>prevent software monocultures[7]; companies run secure software instead
>of just giving people a good feeling by performing a security theatre
>or by delegating responsibility to others (for example the government),
>so they can be blamed if there is a problem, and that also the security
>interest of private users is fulfilled and not just those of big
>corporations.
>
>In the FSFE we thought about how to give good economic incentives for
>Free Software development from the beginning, and now we have to think
>more about economic incentives to increase security. It is a difficult
>area, so we are looking forward to your comments on this topic and
>invite you to discuss it on our public mailing lists[8].
>
>  1. https://fsfe.org/news/2014/news-20140424-01.en.html
>  2. https://blogs.fsfe.org/samtuke/?p=718
>  3. http://hroy.eu/notes/openssl-tragedy/
>  4. https://blogs.fsfe.org/gollo/2014/04/13/what-the-heartbleed-bug-revealed-to-me/
>  5. https://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html
>  6. https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
>  7. https://www.schneier.com/blog/archives/2014/04/dan_geer_on_hea.html
>  8. https://fsfe.org/contact/community.en.html
>
>Best Regards,
>Matthias
>
>-- 
>Matthias Kirschner - Vice President FSFE
>Schönhauser Allee 6/7, 10119 Berlin, t +49-30-27595290
>Weblog (blogs.fsfe.org/mk) - Contact (fsfe.org/about/kirschner)
>Receive monthly Free Software news (fsfe.org/news/newsletter.html)
>Your donation enables our work (fsfe.org/donate)

Thank you is all I can say. It gave me another point of view about the need to fund free software projects.
Thank you.
-- 
Sent from my phone with K-9 Mail.

