Link

Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL

Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL:

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.

That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.

To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.

This is really excellent news: the large companies and organizations that rely on open-source critical infrastructure projects need to (ideally) contribute back through either code contributions of financial support. Hopefully we’ll not just see money but efforts to improve and develop the code of these projects, projects which often are the hidden veins that enable contemporary Internet experiences.

Link

Heartbleed Internet Security Flaw Used in Attack

It’s a statement from Mandiant and so some mindfulness should be taken when reading their comments. (The same is true when parsing statements from other for-profit security companies.) Still, that Heartbleed is not only weaponized (that happened almost immediately after it was integrated into Metasploit) but is showing up in the wild prominently enough to warrant a response from Mandiant demonstrates why Heartbleed is going to be a problem for years going forward. For a good, if technical, discussion of why the hurt is just going to continue (like all things that involve breaking SSL…) see Adam Langley’s recent post titled “No, Don’t Enable Revocation Checking.”

Also: even if you don’t read Adam’s post you can follow the lesson he provides in the title of his technical post. If in the aftermath of the Heartbleed vulnerability you enabled Revocation Checking in Chrome then disable it, ASAP.

Source: Heartbleed Internet Security Flaw Used in Attack