If you haven’t heard about Heartbleed yet (perhaps you’ve been underground for 2 weeks?), it’s time you became aware of the risk you are running with your personal data online. Heartbleed is one of the largest security risks in the history of the modern web. With its very own website and branded logo, Heartbleed is the most famous breach in recent web history. Heartbleed was discovered by Codenomicon, a private tech company that develops fuzz-testing tools for finding potential memory leaks. Codenomicon did a fantastic job of spreading the word about Heartbleed through an easy-to-understand website (Heartbleed.com), a catchy name, and a branded logo. The company’s key goal was to spread awareness of the bug and convince people to react quickly.
So what exactly is so scary about Heartbleed? The bug lies in an errant line of code in OpenSSL, which about 66% of web servers rely on to encrypt data. The Heartbleed bug makes it possible for hackers to steal passwords and other personal data from a web server without anyone’s knowledge. The scariest part is that the bug existed on the web for two years before anyone (except maybe the NSA) discovered it.
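The “errant line of code” was a missing length check: OpenSSL’s TLS heartbeat handler trusted the payload length declared inside the message instead of the number of bytes actually received, so an over-long declared length caused the server to answer with adjacent process memory (this is where passwords and keys leaked from). The following is an added illustration, not code from the article or from OpenSSL, using a constructed message layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) and hypothetical helper names. It shows the check a hardened parser must make before copying the payload, and reports how far an unchecked copy would have read past the record, without performing any out-of-bounds read itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout modelled on a TLS heartbeat message (assumption for
   this example): 1 byte type, 2-byte big-endian payload length, payload,
   then at least HB_MIN_PADDING bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

typedef struct {
    const uint8_t *payload;
    size_t payload_len;
} hb_view;

/* The attacker-controlled length field as declared inside the message.
   This is the only value an unchecked copy would consult. */
size_t hb_declared_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hardened parse: accept the message only if header + declared payload +
   minimum padding fit inside the bytes that were actually received.
   Returns 1 and fills *out on success, 0 if the record is rejected. */
int hb_parse_checked(const uint8_t *rec, size_t rec_len, hb_view *out) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    size_t declared = hb_declared_len(rec, rec_len);
    /* Written as an addition on the left so it cannot underflow. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len) return 0;
    out->payload = rec + HB_HEADER_LEN;
    out->payload_len = declared;
    return 1;
}

/* Bytes beyond the received record that a copy trusting the declared
   length would have disclosed (0 when the declared length is honest). */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    size_t declared = hb_declared_len(rec, rec_len);
    size_t wanted = HB_HEADER_LEN + declared;
    return wanted > rec_len ? wanted - rec_len : 0;
}

/* Constructed sample records, 24 bytes each: 3 header + 5 payload + 16 padding. */
const uint8_t hb_honest[24]   = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
/* Same bytes on the wire, but the declared payload length claims 65535. */
const uint8_t hb_overlong[24] = {0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};

int main(void) {
    hb_view v;
    printf("honest record accepted:  %d (payload_len=%zu)\n",
           hb_parse_checked(hb_honest, sizeof hb_honest, &v), v.payload_len);
    printf("overlong record accepted: %d\n",
           hb_parse_checked(hb_overlong, sizeof hb_overlong, &v));
    printf("bytes an unchecked copy would leak: %zu\n",
           hb_overread_bytes(hb_overlong, sizeof hb_overlong));
    return 0;
}
```

The detection side follows from the same comparison: a heartbeat whose declared length exceeds the record length is never legitimate, so logging and dropping such records at the TLS layer, and patching OpenSSL to a version that performs this check, are the practical mitigations.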
With such a high risk of security breaches, data-reliant tech companies are jumping into action. The Core Infrastructure Initiative, an offshoot of the Linux Foundation, is taking it upon itself to find a solution to the ever-growing problem of data theft. The initiative is trying to embrace and improve the free OpenSSL so that companies are not inclined to move to a paid solution for data encryption. By allowing OpenSSL developers to work on the free code, they can help it improve and evolve, thus giving back to the communities that use it.
More than a dozen tech companies have taken part in the initiative, each agreeing to commit $100,000 per year for the next three years (totaling over $4 million). This is a massive increase from the 2013 donations, which totaled closer to $2,000. Some of the larger companies involved include Facebook, HP, Microsoft, Google, Dell, Cisco, IBM, VMware, Qualcomm, Rackspace, Amazon Web Services, and Fujitsu.
The donations made by the companies may seem like a sweet form of altruism, but it is in the companies’ best interest to invest in the security of OpenSSL. Rather than each company trying to find its own solution to Heartbleed individually, it makes the most sense to invest in a project that can be dedicated to finding one.
Jim Zemlin, the executive director of the Linux Foundation, claimed to have had a surprisingly easy time drumming up donations for the project from the large tech companies. The majority of the companies responded quickly with, “Of course, what can we do to help?” His only regret is that he did not pursue funding for the project earlier.
It is a good sign that huge tech companies, which may be competitors, can come together for a common goal. Yet it is kind of scary that there can be a problem big enough to bring the companies together in the first place. Heartbleed is not something that should be taken lightly, and users on all ends should give it the respect it deserves. As a common web user, you should take a look at the Heartbleed Hit List: The Passwords You Need to Change Right Now.