Infrastructure – Zacqary Adam Green: Unsurprisingly, it turns out that the NSA knew about the Heartbleed bug since shortly after it was added to OpenSSL. While thousands of salaried NSA personnel search for bugs like these to exploit, OpenSSL has only four part-time volunteers maintaining it. Of course this was going to happen.
The idea behind open source software is that “given enough eyeballs, all bugs are shallow.” This only works if there actually are enough eyeballs. Code audits can only happen if there are people with the will, expertise, and time to do so. Rusty Foster pointed out the problem with OpenSSL:
The project’s code is more than fifteen years old, and it has a reputation for being dense, as well as difficult to maintain and to improve. Since the bug was revealed, other programmers have had harsh criticisms for what they regard as a mistake that could easily have been avoided.…
Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts.
This point is only compounded by the NSA news. As it turns out, a great deal of funding was going towards meticulously auditing OpenSSL. The problem is that the NSA keeps the results of these audits to themselves. No bugs are fixed. No patches are committed. Critical flaws are kept under wraps so that they can be used to siphon more data and break into more computers.