This is embarrassing. Not quite as embarrassing as that trip to the GP a few years back regarding the, you know, little problem, but embarrassing nonetheless.
Heartbleed, I mean. For years, in fact ever since the backside dropped out of the PC magazine market and PR companies stopped sending me big bundles of review software on spec, I've been an advocate of free, open-source software (FOSS). Not the kind of advocate who knocks on your door on a Sunday morning and asks if you'd like to talk about shell scripting, but certainly the kind who would engage all and sundry in slightly foam-flecked conversation about the delights of genuinely free software that you can compile and modify yourself.
"It's free but it's also inherently safe, see? You can read the source code and everything. Not like that proprietary crap where everything's locked away and you don't get to see what's underneath. With FOSS there are loads of people checking the code for errors, all the time. It's just safer, right? No backdoors, no unpatched security holes. And it's free! Why are you leaving?"
I knew whereof I spoke. All my computers run Linux now, and it took me a mere eight years to complete the seamless migration from Windows. In that time I've compiled my share of kernel modules, battled with tool chain incompatibilities, chased down missing libraries and created build files from scratch. I've tweaked source code to make it do new and exciting things (or at least change the colour of an error message).
I can "./configure; make; make install" with the best of them. I even compiled OpenSSL once, so I could use the PGP features of Claws Mail. Luckily, because I'm lazy, I haven't updated it since and the version I'm running is still secure. OpenSSL? Yeah, I know OpenSSL.
Except I don't, of course. That's the trouble. I can read the source code and I can even understand some of it, but that doesn't mean I know what it does. Or what it shouldn't do. I simply don't have that knowledge. Only a few do. And they didn't notice there was a problem for two years.
As a journalist I'm supposed to be able to come up with an analogy or metaphor for this Heartbleed situation. But I can't. The entire web - or at least the two-thirds of it that sits on top of OpenSSL, not to mention countless routers, switches, VPNs and stand-alone devices - has been left exposed by a single memory-disclosure bug in code developed by a well-meaning, skilled but under-resourced team of developers working in their spare time on what was basically a hobby project.
The developers aren't to blame, of course. Not even slightly. Did nobody read the licence? OpenSSL isn't even under the GPL - it ships under its own BSD-style licence - but the warranty disclaimer in that says much the same thing, and the GPL's version is the one most people have actually scrolled past:
"THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM ‘AS IS’ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION."
Even without the shouting, it's pretty clear.
Yet still everyone went out and built a global network on the back of the OpenSSL team’s hard work. No pressure. And not much in the way of financial compensation, either. Billion-dollar companies, banks, social networking organisations, e-commerce and auction sites, all built on the perceived security of a clever piece of open-source code. And what did they give back? What did these huge, rich organisations pay towards the development and improvement of this vital cog in their lumbering business machines? Practically nothing.
They're paying now, of course. Upgrade OpenSSL, then (and only then, because a key generated on a still-vulnerable server can be leaked just like the old one) create new private keys, get certificates reissued and the old ones revoked, nag all users to change their passwords... and then wait for a few years as Heartbleed-specific malware permeates the web and finds one of the routers that wasn't patched, or the switch for which no updated firmware has yet been released. Then rinse and repeat.
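The first step in that list, working out whether the OpenSSL you actually have is one of the affected builds, is less obvious than it sounds, because distributions backported the fix without bumping the version string: a patched Ubuntu or Debian box still reports 1.0.1e. The snippet below is an added example, not the author's code or anything from the OpenSSL project. It classifies the output of `openssl version -a` using the range the OpenSSL advisory listed as affected (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and, for those versions, falls back on the build-date heuristic the distributions recommended at the time (a build dated on or after 7 April 2014, the day 1.0.1g shipped, is probably a backport). The sample version lines are constructed; the build-date check is a heuristic, and the package changelog or a real heartbeat test is the authoritative answer.

```python
import re
from datetime import date, datetime

# Range the OpenSSL security advisory listed as affected by Heartbleed.
# 1.0.1 (no letter) through 1.0.1f, plus 1.0.2-beta1. 1.0.0 and 0.9.8 never had it.
LAST_AFFECTED_101_LETTER = "f"
FIX_DATE = date(2014, 4, 7)  # 1.0.1g release day; used only as a backport heuristic

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
BUILT_ON_RE = re.compile(r"built on:\s*(.+)")


def parse_version(text):
    """Return (major, minor, patch, letter, beta) from an `openssl version` line, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def parse_build_date(text):
    """Pull the date out of a 'built on: Mon Apr  7 20:33:29 UTC 2014' line, or None."""
    m = BUILT_ON_RE.search(text)
    if not m:
        return None
    parts = m.group(1).split()
    try:
        # weekday, month, day, time, zone, year -> "Apr 7 2014"
        return datetime.strptime(f"{parts[1]} {parts[2]} {parts[-1]}", "%b %d %Y").date()
    except (ValueError, IndexError):
        return None  # newer builds print "reproducible build, date unspecified"


def heartbleed_status(version_output):
    """Classify `openssl version -a` output: affected / not affected / patched build (backport) / unknown."""
    v = parse_version(version_output)
    if v is None:
        return "unknown"  # not OpenSSL (LibreSSL, BoringSSL) or an unparseable line
    major, minor, patch, letter, beta = v
    in_range = (
        (major, minor, patch) == (1, 0, 1) and letter <= LAST_AFFECTED_101_LETTER
    ) or ((major, minor, patch) == (1, 0, 2) and beta == 1)
    if not in_range:
        return "not affected"
    built = parse_build_date(version_output)
    if built is not None and built >= FIX_DATE:
        # Version string is in range but the binary postdates the fix:
        # almost certainly a distro backport. Confirm via the package changelog.
        return "patched build (backport)"
    return "affected"


if __name__ == "__main__":
    # Constructed samples in the shape `openssl version -a` prints them.
    samples = [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]
    for s in samples:
        print(f"{s.splitlines()[0]:40} -> {heartbleed_status(s)}")
```

Run it on a real box with `openssl version -a | python3 thisfile.py`-style piping if you wrap the last block in `sys.stdin.read()`; the verdict tells you whether the rest of the list (new keys, reissued certificates, password resets) is even necessary yet, and "patched build (backport)" is a prompt to check the changelog rather than a clean bill of health.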
What a mess.
And me? As I sit here, tediously going through my list of dozens of passwords and changing them all on sites that have upgraded their OpenSSL implementations, I'm beginning to think I should have stuck with Windows. Not that it would have changed the outcome in the slightest, but at least I'd have saved all that time and effort. Hmm... do any PRs out there want to send me a copy of Microsoft Office to "review"?
Freelance technology journalist Alex Cruickshank grew up in England and emigrated to New Zealand several years ago, where he runs his own writing business.