[ISN] Here’s why it took 2 years for anyone to notice the Heartbleed bug

http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security By Timothy B. Lee Vox.com April 12, 2014 What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn’t notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years. It’s hard to blame those guys. OpenSSL is an open source project. As the Wall Street Journal describes it, the project is “managed by four core European programmers, only one of whom counts it as his full-time job.” The OpenSSL Foundation had a budget of less than $1 million in 2013. That’s shocking. Software like OpenSSL increasingly serves as the foundation of the American economy. Cleaning up the mess from the Heartbleed bug will cost millions of dollars in the United States alone. In a society that spends billions of dollars developing software, we should be spending more trying to keep it secure. If we don’t do something about that, we’re doomed to see problems like Heartbleed crop up over and over again. Why security flaws are different from other bugs Computer security is a classic collective action problem. We all benefit from efforts to improve software security, but most organizations don’t make it a priority. For most of us, it’s economically rational to free-ride on others’ computer security efforts. […]