On 6 May 2014 09:10:10 GMT+01:00, Matthias Kirschner mk@fsfe.org wrote:
I am interested in your feedback about the Heartbleed part of the May Newsletter https://fsfe.org/news/nl/nl-201405.en.html:
== Heartbleed and economic incentives ==
You probably heard about the bug in the Free Software OpenSSL nicknamed "heartbleed". The FSFE already welcomed the industry initiative to fund critical Free Software projects[1], and the topic was discussed in several blog articles on the planet: Sam Tuke wrote about his impression[2], Hugo Roy shared an XKCD comic explaining how heartbleed works[3], and Martin Gollowitzer wrote about what the Heartbleed bug revealed to him[4] about StartSSL certificate authority.
But your editor is convinced that the main problem is not OpenSSL. It is not Free Software. It is about companies not taking responsibilities and about missing economic incentives to ensure security. Security expert Bruce Schneier wrote in 2006[5]:
"We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure."
In a nutshell, if your private data is exposed because your health insurance, where it is stored, did not take care to secure it, you suffer to a much higher degree than the health insurance does! You are in no position to pressure the health insurance to change its level of security, and they have no economic incentive to do so. In the article Schneier further explains that the liability for attacks is diffuse and that "the economic considerations of security are more important than the technical considerations".
Following the argument, the important question we face is, how can we give the right economic incentives to ensure that: security relevant software has the proper funding; third parties are auditing code; more people are trained in computer security; programmers have time for maintenance and are not forced to just develop new features; we have a diversity of software[6] for different special purposes and therefore prevent software monocultures[7]; companies run secure software instead of just giving people a good feeling by performing a security theatre or by delegating responsibility to others (for example the government), so they can be blamed if there is a problem, and that also the security interest of private users is fulfilled and not just those of big corporations.
In the FSFE we thought about how to give good economic incentives for Free Software development from the beginning, and now we have to think more about economic incentives to increase security. It is a difficult area, so we are looking forward to your comments on this topic and invite you to discuss it on our public mailing lists[8].
1. https://fsfe.org/news/2014/news-20140424-01.en.html
2. https://blogs.fsfe.org/samtuke/?p=718
3. http://hroy.eu/notes/openssl-tragedy/
4. https://blogs.fsfe.org/gollo/2014/04/13/what-the-heartbleed-bug-revealed-to-...
5. https://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html
6. https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations
7. https://www.schneier.com/blog/archives/2014/04/dan_geer_on_hea.html
8. https://fsfe.org/contact/community.en.html
Best Regards,
Matthias

--
Matthias Kirschner - Vice President FSFE
Schönhauser Allee 6/7, 10119 Berlin, t +49-30-27595290
Weblog (blogs.fsfe.org/mk) - Contact (fsfe.org/about/kirschner)
Receive monthly Free Software news (fsfe.org/news/newsletter.html)
Your donation enables our work (fsfe.org/donate)

_______________________________________________
Discussion mailing list
Discussion@fsfeurope.org
https://mail.fsfeurope.org/mailman/listinfo/discussion
Thank you is all I can say. Gave me another point of view about the need to fund free software projects. Thank you.