The Inquirer-Home

Google, Microsoft, Intel and Facebook join forces to prevent another Heartbleed fiasco

Will pump money into the critical software infrastructure that needs it
Thu Apr 24 2014, 16:02

heartbleed bugA CONSORTIUM of information technology firms including Intel, Google, Microsoft, Facebook, Dell and IBM have joined forces to try to prevent another security breach similar to Heartbleed.

The new project. blandly named the "Core Infrastructure Initiative" (CII), will be housed at The Linux Foundation and will fund open source projects that "are in the critical path for core computing functions", or basically, pump money into the critical software infrastructure that needs it.

The Linux foundation described it as "a multi-million dollar project... inspired by the Heartbleed OpenSSL crisis" with its funds administered by the foundation alongside a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders.

"The steering group will work with an advisory board of esteemed open source developers to identify and fund open source projects in need," the Linux Foundation said on the webpage for the project.

"Support from the initiative can include funding for fellowships for key developers to work full time on the open source project, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support."

Early adopter of the project include Google, Facebook, IBM, Intel, Dell, Cisco Amazon Web Services, Microsoft, Qualcomm, Rackspace, VMWare, Netapp and Fujitsu.

The Linux Foundation said it expects more to follow suit in the coming weeks and months. Its members will have the role of evaluating open source projects that are essential to global computing infrastructure and are experiencing under-investment.

"These companies recognize the need for directed funds for highly critical open source software projects they all consume and that run much of modern day society," the foundation added.

The Heartbleed bug was discovered earlier this month in a software library used in servers, operating systems and email and instant messaging systems, and it allows anyone to read the memory of systems using vulnerable versions of OpenSSL.

OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols by which email, instant messaging, and some VPNs are kept secure.

The vulnerability is called Heartbleed because it's in the OpenSSL implementation of the TLS/DTLS heartbeat extension described in RFC6520, and when it is exploited it can lead to leaks of memory contents from the server to the client and from the client to the server.

The researchers from defense security firm Codenomicon said that attackers could take advantage of the bug to eavesdrop on communications, steal data directly from server or client systems, and impersonate users and servers. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015