Who is the real invisible comrade-in-arms? The real story of open source software and OpenSSL

Source: Internet
Author: User
Keywords: Security, OpenSSL, open source

[Editor's note] A few days ago an article about OpenSSL spread wildly through WeChat Moments. The story is very touching, and although it smells of a sponsored piece, it still made many readers feel they could not help but donate to OpenSSL. Moving stories are like beautiful women: it is easy to overlook their authenticity, and most readers seem to have believed that author's description of open source software and of privacy and security technology. This article is a rebuttal plus a popular-science piece. It is not aimed at the author of that article, but open source and security are hot topics in IT, and we should have a correct understanding of them.

Of course, the author's discussion of media responsibility at the end of this article is also worth pondering for the media: reporters should understand the weight of their words and not publish unconfirmed statements.

A few days ago I saw an article about OpenSSL and open source projects being forwarded in WeChat Moments. At first I thought it was just a rehash: the serious OpenSSL vulnerability "Heartbleed" has been publicly known since early April of last year (2014), nearly a year ago, and the matter has long been settled. Although the article is full of misunderstandings, errors and corporate propaganda, I did not pay much attention to it. But today I saw that the site is still using Alipay to raise money for OpenSSL, which is absurd. Some friends have said that, whatever the case, more attention is always a good thing. Judging from the present result, the article has had a considerable impact, but it distorts the original situation of the open source community and is unfair to other organizations and enterprises. Open source software, security and privacy are indeed fields that most ordinary users do not understand, but a reporter writing an article should at least have a basic understanding of the history.

I want to talk about the business model of open source software, the problems of OpenSSL, and who is really defending our privacy, which is where that article went wrong. I will also write about the timeline of "Heartbleed" from discovery to publication, which exposes serious management problems at OpenSSL.

Let's start with open source.

Open source is a business model

That article describes OpenSSL as an organization that cannot survive without donations, but that is not how open source works. Open source is a business model, like "free". There are many differences between the two, but they share a basic point: both want as many people as possible to use the product for free. Everyone has been using many internet services for free, so the free model should be easy to understand. We never pay Google, and never pay for each search. But our search behavior, our attention and our data become Google's advertising revenue. Every time we use Google search, we are helping Google make money, even though we do not pay them directly.

The same is true of open source software. The open source world is fiercely competitive: any organization can take the current code and continue developing new versions from it, a practice called forking. For an open source organization to survive, the most important foundation is to be widely used; otherwise it will soon be replaced by competitors. Once a piece of software is in common use, related services grow up around it, the team can earn a decent income from those services, and a business model is formed. The most famous example is Red Hat Linux, from the company called Red Hat: they offer their Linux distribution free of charge, companies get technical support through paid subscriptions, they earn quite well, and they are now a publicly traded company with a market value of more than 10 billion dollars.

OpenSSL runs on the same model of open source plus paid services. Steve, the head of the OpenSSL foundation, says they have a business consulting program worth nearly 1 million dollars a year (funded by the U.S. Department of Defense and DHS), which is a pretty good situation. It is normal for open source software not to have full-time workers, and most of a project's core contributors also take on commercial projects. In the open source community, programmers like Linux founder Linus, who work full-time on an open source project, are not common. Linus is able to do so partly because the Linux Foundation is well funded, and partly because Linux has so many derivative projects and so much influence that Linus himself is a spiritual leader who has to work on Linux full-time. Doing business services and open source projects at the same time is not the sad situation that article describes.

Take FreeBSD, the best open source Unix operating system: its core developer Poul-Henning Kamp (known in the community as phk) still takes on commercial projects today. Even though he has ranked first in the list of FreeBSD code contributors from 1994 to the present, he is still not a full-time employee of the FreeBSD Foundation and describes himself as "self-employed". A recent commercial project listed on phk's homepage pays 3000 dollars a month. For a project of OpenSSL's scale, having one full-time developer is a pretty good situation.

Why have so many people abandoned the traditional way of selling software for free software and open source software? Apart from personal interests and ideals, open source software is a mature and reliable business model, with its own income and ecosystem. That article tries hard to make ordinary internet users feel guilty about OpenSSL, accusing them of never paying for it, which is moral blackmail. Any user, simply by using OpenSSL, helps the organization gain market share and a greater advantage in the competition; whether or not they donate directly, the user has made a contribution.

Why did OpenSSL receive so few donations before? -- Foundations, donations and fundraising

Although open source organizations can make a living through business services, they are generally willing to accept donations. Having enough donations to do less business and focus on the open source software is certainly a good thing. Most software and IT companies set aside a small sum each year to support open source projects, which also buys them influence and a voice in the open source community, and the annual donations an open source organization receives are generally in line with its project's status. So why did OpenSSL receive only a few thousand dollars a year in donations until a year ago? The answer is simple: they had never held a fundraising event.

Open source organizations usually set up a foundation registered as a non-profit organization. Through the foundation they raise funds, organize activities, promote their open source products and, depending on the state of the project, pay full-time or part-time developers; fundraising is a very important part of the foundation's work. If you use Wikipedia regularly, you will be familiar with this. At a fixed time each year, Wikipedia places a very visible funding announcement on the site, sets a budget target for the year, and asks everyone to donate. When the target is reached, the drive stops and no more donations are accepted. Almost all open source organizations raise donations this way.

The OpenSSL Foundation has never publicly raised funds. Without a donation target and without a public appeal, it is hard to receive many donations; after all, there are too many other places that need money. For a project like OpenSSL, raising money is quite easy: they only need to publish a fundraising notice and the big companies' money will come in at once. After "Heartbleed", many businesses were not surprised that there was only one full-time developer, but asked why OpenSSL had never been raising money. OpenSSL never announced its financial position and had no fundraising goals, so how were people supposed to donate?

More interestingly, the OpenSSL Foundation is not registered as a non-profit organization but as a for-profit enterprise. Donors to OpenSSL, individuals and businesses alike, therefore cannot receive tax deductions from the U.S. government. By their own account, the reason is that they had no time to maintain a non-profit organization, which is not a good reason. For an open source project, registering a non-profit is not much harder than registering a company, and besides, isn't that what the foundation was set up to do? Registering a for-profit company signals a desire to earn income from business activities rather than from donations. Donations to a for-profit enterprise are used far less efficiently: under U.S. tax law, as much as 30%~40% may go to tax, a huge waste. This also explains why American companies rarely donate to the OpenSSL Foundation.

Even so, things have improved quickly. After the "Heartbleed" incident, the Linux Foundation set up the Core Infrastructure Initiative (CII) in a very short time. The biggest difference from the past is that CII proactively picks out important open source projects that lack funding, whether or not those projects raise money themselves; OpenSSL was the first project it funded. The initiative has assembled technology companies from around the world, including Google, Amazon, Facebook, Cisco, Fujitsu, HP, IBM and others; there are now more than 10 member enterprises. One of the Chinese members is Huawei. It is particularly worth mentioning that, in addition to its CII contribution, Huawei has also funded the OpenSSL Foundation separately with 50,000 dollars a year. Unfortunately, that article seems to have forgotten Huawei. Enterprises participating in CII contribute at least 100,000 dollars a year; according to the 2014 figure, CII has a total of 1.7 million U.S. dollars a year available, and the first phase of funds is mainly used to finance OpenSSL and OpenSSH. The money is quite plentiful.

All of this happened last May, one month after the "Heartbleed" incident. Both the major technology companies and the Linux Foundation acted very quickly; this is how the open source world does things, and how efficient it is. By last May, OpenSSL's money problem had been solved. So the immediate cause of OpenSSL failing to get enough money was that the foundation was negligent.

By contrast, look at last year's OpenBSD fundraising. OpenBSD is the most secure open source Unix operating system, and they are also the maintainers of OpenSSH (seeing the "SS", do you think it is also encryption-related? Yes, it is also a cryptographic tool, but for server administrators and programmers rather than consumers). Last year's fundraising goal was just 150,000 dollars. By comparison, 1.7 million dollars is already a great deal; if that much CII money cannot make OpenSSL better, I am afraid more money will not help either.

Besides direct donations, there are many ways companies can support open source projects, such as donating their employees' time. Every open source project contains contributions from engineers at major corporations; the companies pay those employees, and the code they write goes back to the open source project, which is more direct support than a donation. For example, the engineer who discovered the "Heartbleed" flaw last year was a Google employee working full-time on security audits of the OpenSSL code, and that is how he found the bug. He is not a direct employee of the OpenSSL Foundation, but the results of full-time labor paid for by Google are contributed to the OpenSSL project. To say that none of the big companies supported the project is unfair. That is the kind of misinformation this article promotes; according to it, a small Chinese company has saved the world's internet users, which is absurd.

Speaking of which, let's talk about donations. I am very much against this kind of sentimental donation drive, which exploits people's guilt. Money is a very valuable resource and there are too many places to spend it. The right way to donate is based on the donor's full understanding of the project and on agreement with its values and direction, making long-term, small, fixed contributions according to one's own wishes. Tax issues also have to be considered in this process, because they directly determine how effectively the money is used: for a U.S. tax resident, the utilization of funds donated to OpenSSL is very low, while donating to CII, which in turn funds OpenSSL, earns a partial tax exemption and the funds are used much more efficiently; a Canadian tax resident who wants to donate to an operating system project should prefer OpenBSD, because it is a non-profit organization registered in Canada. Donating is a very rational act. Hiding part of the information, exploiting people's ignorance of open source projects, sensationalizing and creating guilt is not sustainable and is also unfair; this is what the article and the subsequent campaign have done.

OpenSSL's problems and future

The article says that "grassroots programmers" criticized OpenSSL's code as "sickening". In fact, the person who said this was Theo de Raadt, the founder of the OpenBSD project, not a "grassroots programmer" but one of the best computer scientists in the field of operating systems. Rather than stopping at criticism, the OpenBSD developers immediately decided to create a stand-alone project called LibreSSL from the current OpenSSL version, starting by cleaning up the OpenSSL code. They removed more than 90,000 lines of code in the first week; the entire OpenSSL project had only 380,000 lines, so this was the deletion of nearly 1/4 of the code. Evidently Theo's criticism was not just talk. Over the past few years, OpenSSL has had one vulnerability after another; after "Heartbleed", vulnerabilities hidden for more than 10 years were still being found, and the view of many people familiar with the project is that "there is no way except a rewrite."

OpenBSD has a document explaining the problems they encountered during the cleanup and the technical details of what they removed. I put the main points here, which are basically the mainstream view of the industry:

For the above reasons, OpenBSD concluded that the project is no longer maintainable and must be restarted. That is why they created a branch that starts with the basics of cleaning up the code. Clearly the project's problem is not money but management and community culture. Compared with other projects, it is even more frustrating that they respond so slowly while having a full-time developer and a full-time foundation chairman. Incidentally, the OpenBSD developer doing the code cleanup does not work on it full-time; he also notes in the document that he "can be hired". A year later, LibreSSL is largely usable, and besides cleaning up and changing the original code style, they have added some more advanced features that look promising. The project very much needs donations too; if you agree with their approach, you can donate money to them.

In addition, the process by which OpenSSL published "Heartbleed" was also very problematic. In general, a serious vulnerability is not disclosed to the public first; the maintainers of the mainstream operating systems and related vendors are notified immediately so that everyone can fix it, and only then are the security bulletin and upgrades published. This is done because if the operating system has not been patched, many ordinary users have no way to fix the vulnerability even if they know about it, while it becomes easier for attackers to exploit it. OpenSSL did not do this. After Google informed them of the flaw, OpenSSL did not inform any operating system vendor, yet strangely several major CDN vendors learned of it, which means nobody knows at which point the leak occurred. After that, rumors about this major bug began to spread in the open source community, and even then several major operating systems had still not been officially notified. It took another 3 days before OpenSSL told Red Hat, and a Red Hat employee involved in the process shared the message in a private email group with several key people from operating system projects such as SUSE, Debian and FreeBSD. Thanks to him, because at that point OpenSSL was still saying no details would be provided. This was the night of April 6, Pacific Time in the California Bay Area. The major operating systems that got the details from Red Hat began patching overnight; at that time, the message from Red Hat was that OpenSSL would disclose on the 9th, that is, 3 days later. Unfortunately, early on the morning of April 7, OpenSSL directly issued a bulletin, the media learned of it, and the whole world knew. Without the advance news from Red Hat the damage would have been much greater, but even so, because of the time difference (the Red Hat employee was in India), many people did not have time to reply to his late-night mail, and many vendors still did not know the details in advance.
It is probably the first time in recent years that key vendors learned of such a big vulnerability later than the media. This caused a lot of damage. For example, the Canada Revenue Agency (CRA) disclosed after the leak that data had been stolen; it was too late to apply the patch, so they simply shut down the electronic tax filing system. This was April 9, and the Canadian 2014 tax deadline is April 30, the busiest period for the electronic filing system; the embarrassment is easy to imagine. An article in The Age has a complete record of the timeline of the whole process, which I list at the end for reference.

In response to this anomalous process, there are many conspiracy theories in the community, which I will not repeat. I just want to say that this is further evidence that OpenSSL has serious management problems, not money problems, and saying that they are making a mess is definitely not an unfounded accusation.

Also, OpenSSL is not a project that appeared out of thin air; it inherited its code from another project, SSLeay. After SSLeay's developers left the open source project to work at RSA, several projects inherited its code and continued to develop it, and OpenSSL was merely one of the more successful ones. Wikipedia lists more than 10 SSL library implementations still in use, including OpenSSL, with open source ones accounting for nearly half.

This is why I do not agree with touting OpenSSL. Historical choices are often accidental, and in the specific case of SSL software it is even more complicated: an accidental result of a mix of technical, commercial, historical and political factors. OpenSSL has the most users for now, but that may not be true in the future; I believe a new substitute will appear sooner or later.

Who is the real defender of human privacy? -- The story of the Electronic Frontier Foundation

That article argues that OpenSSL is a defender of human privacy. In fact, OpenSSL is just one of many cryptographic programs, and it cannot bear the title of privacy defender. That today we can enjoy the protection of encryption software without even noticing is the result of a story with some twists and turns, and that is the story of the true privacy defenders.

Encryption technology was once banned from export by the U.S. government, just as many weapons are; for people in other countries, using these encryption algorithms was as impossible as buying missiles from the United States. The turning point came in 1995, when Bernstein, a graduate student at the University of California, Berkeley, sued the U.S. government with the legal help of the Electronic Frontier Foundation. His claim was that publishing encryption algorithms is a form of free speech protected by the First Amendment of the United States Constitution; the case is known as Bernstein v. United States. It went on for 4 years, and in 1999 the federal Ninth Circuit Court of Appeals ruled that the U.S. government's ban on publishing cryptographic algorithms was unconstitutional under the First Amendment. After that, the various cryptographic protocols and open source algorithms flowed out of the United States and could be freely used.

The Electronic Frontier Foundation (EFF), founded in 1990, is a legal aid organization whose mission is to defend privacy, freedom of expression and civil rights. It is also a foundation, a non-profit organization that runs entirely on donations. One of EFF's founders was Lotus founder Kapor, a software genius once considered a peer of Bill Gates. In the 80's, Lotus was the largest independent software company; Microsoft only surpassed it a few years later. Kapor is a very forward-looking visionary: in 1990 he foresaw the future conflicts between technology, privacy, law and politics, and funded the creation of EFF himself; a later sponsor was the famous Apple co-founder Wozniak. The commercial internet had not yet taken shape at that time, which shows how far-sighted they were. The legendary story of EFF could fill many articles; here we will only talk about the OpenSSL part.

Netscape, the former browser leader, developed the first SSL protocol in 1995. SSLeay also completed its first implementation in 1995; in 1998 SSLeay was discontinued and the community took over. Not until 1999, when the U.S. government lost the case, could encryption technology finally flow freely. This is the historical context of the project to protect human privacy. In this complex story, OpenSSL is one of the beneficiaries and a small part of the story; calling OpenSSL's developers defenders of human privacy is not only an overstatement but also very ignorant.

EFF and its founder Kapor are true idealists. They have no business income, they pay out of their own pockets, and they have done this for 25 years; through lawsuits and legal aid in privacy-related cases, they have succeeded in promoting social progress. These are the real privacy defenders of the internet age.

Media responsibility

A friend said: writing an article that gets everyone to donate some money does no harm, so why criticize it? I disagree. Media coverage affects people's choices. There are precedents in open source. For example, BSD is the most authentic successor of Unix, but a lawsuit once caused BSD to become far less widely used than Linux, and the media played a significant role in that process. To this day, when it comes to open source software, the media pay more attention to Linux while the more reliable BSD lacks attention, which affects people's choices. The article said: "If an open source project succeeds in the business world, it is never a fluke, and never because its competitors happened to be held back by rules and regulations." The history of BSD is a counterexample to that "never".

So the impact of this article is very negative. I have pointed out many of its overall cognitive errors above, and there are more minor mistakes and unreasonable claims. For example, the article says that with the money from Hammer Technology, OpenSSL's developers finally had a chance to meet at a Linux conference in Germany. The article has a photo of the OpenSSL developers with their names; even if you have no idea who these people are, a quick Google search shows that they include Debian developers and full-time Google employees. These people are not paid by OpenSSL, so with this picture it is hard to justify the claim that no large enterprise has paid a penny. Moreover, most OpenSSL developers are in the United Kingdom and Europe; a round-trip air ticket from London to Frankfurt, Germany costs 300 dollars. To say that engineers with jobs and normal incomes were waiting for this donation to afford a 300-dollar ticket is too exaggerated.

The security of the internet does not depend on one particular piece of software, even if that software is used for encryption. Google employee Mehta, who found the "Heartbleed" flaw, has said that libjpeg could have a huge impact if something went wrong with it. The images that libjpeg is used to generate and display on most websites and in most software are more widely used by ordinary people than OpenSSL, and the threat would be more severe. When the media direct people's attention to OpenSSL, many more important questions are missed. I hope more people will focus on more basic projects, rather than, as after the Wenchuan earthquake, staring at which big company gave OpenSSL more donations. A year on, the hype should be over.

That article is unfair to manufacturers like Huawei, Nokia and Google, which gave money without hype, and it is also unfair to other open source organizations.

Original link: Who is the real invisible comrade-in-arms? The true story of open source software and OpenSSL (Editor: Zhou Xiaolu)
