How to Stanch the Heartbleed: Short-Term Fixes and Long-Term Solutions

Experts disagree over the potential impact of Heartbleed. Many worry about the sheer ubiquity of OpenSSL code – which serves as the encryption platform for many Android devices plus over two-thirds of the Internet – and has been adopted by companies like Amazon, Facebook, Netflix and Yahoo. Government entities like the F.B.I. and the Pentagon also rely upon OpenSSL. Two weeks ago, the Canada Revenue Agency announced that its website was attacked with Heartbleed over a six-hour period, during which the information of approximately nine hundred Canadian taxpayers was stolen.

Some experts indicate that the Canada Revenue Agency incident was unique – a foreseeable result of Heartbleed’s powerful zero-day exploit – and that Heartbleed will not be used to steal mundane passwords or other such data. But apart from costs related to stolen data, Heartbleed-related costs will accrue from tasks like building and implementing patches, scanning for risk, resetting passwords, and certificate revocation bandwidth. The last item alone might amount to “millions” – whereas the costs of resetting passwords and general Heartbleed-induced panic are even harder to estimate, and thus might be too easily dismissed.

Using password managers like 1Password plus browser extensions like Chromebleed could help individual users evade Heartbleed and other such bugs for the short term. So would changing passwords on any websites stating that 1) they are no longer vulnerable to Heartbleed and that 2) they have changed the private encryption key they use to protect HTTPS traffic. Widespread adoption of two-factor authentication processes is an adequate “medium term” solution. But preventing Heartbleed-like bugs for the long term cannot be accomplished through easy fixes.
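As an added example that is not part of the original post, the two conditions above turned into a check a user can run against a server's certificate: the dictionary returned by the standard library's `getpeercert()` carries the certificate's `notBefore` date, which can be compared with the 7 April 2014 disclosure date to see whether the certificate was reissued afterwards. The sample certificate dictionaries are constructed, and `fetch_peer_cert` is a hypothetical helper for live use.

```python
import calendar
import socket
import ssl

# CVE-2014-0160 was disclosed, and the fixed OpenSSL 1.0.1g released, on 2014-04-07.
# A certificate whose validity starts before that day cannot reflect a post-Heartbleed
# key rotation.
HEARTBLEED_DISCLOSED = calendar.timegm((2014, 4, 7, 0, 0, 0))


def cert_issued_after_disclosure(cert: dict) -> bool:
    """True if the certificate's validity period starts on or after disclosure day.

    `cert` has the shape of ssl.SSLSocket.getpeercert(): 'notBefore' is a string
    such as 'Apr  9 00:00:00 2014 GMT', which ssl.cert_time_to_seconds parses.
    """
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= HEARTBLEED_DISCLOSED


def password_reset_advice(site_says_patched: bool, cert: dict) -> str:
    """Apply the post's two conditions: reset only once the server is patched AND its
    certificate has been reissued since disclosure."""
    if not site_says_patched:
        # A password set over a still-vulnerable TLS endpoint can simply be read again.
        return "wait: server not yet patched"
    if not cert_issued_after_disclosure(cert):
        # An old certificate means the possibly leaked private key is still in service.
        return "wait: certificate predates disclosure, key not rotated"
    # Caveat: a reissued certificate may reuse the old key pair, and getpeercert() does
    # not expose the public key, so condition 2 still rests on the operator's statement
    # that a new private key was generated.
    return "reset: patched and re-keyed"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Hypothetical helper for live use (needs network; not called in the demo below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, one reissued after disclosure and one from before.
CERT_REISSUED = {"subject": ((("commonName", "example.test"),),),
                 "notBefore": "Apr  9 00:00:00 2014 GMT", "notAfter": "Apr  9 00:00:00 2015 GMT"}
CERT_STALE = {"subject": ((("commonName", "example.test"),),),
              "notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 00:00:00 2015 GMT"}

if __name__ == "__main__":
    print(password_reset_advice(True, CERT_REISSUED))   # reset: patched and re-keyed
    print(password_reset_advice(True, CERT_STALE))      # wait: certificate predates ...
    print(password_reset_advice(False, CERT_REISSUED))  # wait: server not yet patched
```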

Long-term solutions include abandoning OpenSSL altogether in favor of private-market equivalents, and ensuring that OpenSSL receives a steady influx of funds and manpower. The first option appeals to commentators who believe that OpenSSL contributors, as unpaid volunteers, are simply under-incentivized to check for Heartbleed-like errors – an allegedly grueling and monotonous task, which earns them neither bonuses nor pink slips.

However, some economists argue that open source programmers largely operate within a gift economy, wherein notions of contribution, community, honor and prestige are powerful motivators. Pure altruism and “reciprocal altruism” – the belief that other programmers will likewise share their valuable solutions – are two other weighty yet oft-overlooked motivators.

Other economists note that unpaid participation in the open source community still yields commercial rewards in the labor market, such as job offers or attention from venture capitalists. And a recent Linux Foundation survey indicates that nowadays, contributing to open source projects has become a job requirement for many programmers at companies like IBM, Intel, Google, and Samsung.

So perhaps open source advocates are right – OpenSSL contributors are under-funded, not under-incentivized. After all, OpenSSL has thus far survived with under $2000 in yearly donations whereas Linux – widely touted as an open source triumph – regularly garners over $500,000 in donations per year. With a fitting budget, OpenSSL could thrive like Linux and prevent other Heartbleed-like outbreaks.

Thankfully, last week, the Linux Foundation announced a three-year, multi-million dollar initiative to help under-funded open source projects, including OpenSSL – which can now afford to conduct security audits, enable outside reviews, and hire more than one full-time developer. The Core Infrastructure Initiative should prove successful precisely because Linux Foundation leaders promise to respect OpenSSL community norms and preserve OpenSSL’s autonomy.

About the Author

Ioana Lavric

Ioana Lavric is a Staffer for the Columbia Science and Technology Law Review. She is a 2L at Columbia Law School.