
Heartbleed Pricetag To Top $500 Million?

samzenpus posted about 7 months ago | from the price-tag dept.


darthcamaro (735685) writes "The Heartbleed OpenSSL vulnerability has dominated IT security headlines for two weeks now as the true impact of the flaw and its reach is being felt. But what will all of this cost? One figure that has been suggested is $500 million, using the 2001 W.32 Nimda worm as a precedent. Is that number too low — or is it too high?"


Low (1)

Stargoat (658863) | about 7 months ago | (#46805625)

There's been a lot of time and effort that marketing and legal departments have put in on this. The IT side would be expensive, but I keep hearing from my CFO about the post-Target world.

Yeah, he sounds like a moron. Nothing changed with the Target breach except for his recognition that this computer stuff can be serious. There are a lot of people like that and they took notice of the Heartbleed vulnerability.

Re:Low (4, Insightful)

slashmydots (2189826) | about 7 months ago | (#46805671)

That's ridiculous. I download firmware patches, software patches, etc on a daily basis. Patching heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46805703)

It only costs money if you're unprepared and suddenly need to resource a response because you don't have such response mechanisms in-built into your company. Let the weak die.

Re:Low (1)

spazdor (902907) | about 6 months ago | (#46818773)

It also costs money to mitigate and manage risk.

If you've been sending and receiving sensitive SSL traffic for a while before the vulnerability was disclosed, then you should consider all that traffic retroactively compromised, and that might involve calling up a lot of customers and breaking some bad news to them.

Being well-prepared helps, but it's ridiculous to suggest that this only costs money for the ill-prepared.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46805811)

Well, early key revocation and the cascade effect has its costs. But it really isn't that bad... except for the CAs.

Re:Low (1)

stephenmac7 (2700151) | about 7 months ago | (#46808113)

Correct me if I'm wrong, but wouldn't the CAs make money from all the new certificates?

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46809127)

Most will reissue/rekey for free.

Re:Low (1)

spazdor (902907) | about 6 months ago | (#46818783)

Plenty of their semi-competent customers will cluelessly order new ones instead of rekeying their existing ones, and I'm sure none of the CAs will lift a finger to cure them of this misunderstanding.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46811779)

Only the cheap sleazy CAs charge for reissues.

Re:Low (3, Interesting)

Gr8Apes (679165) | about 7 months ago | (#46805823)

True - being able to manage your browser-recognized CAs should be a core function of IT anyways, along with cert replacements. The real cost will be borne by customers who largely are unschooled and don't know enough to install new CAs (the worst case scenario where CA certs are replaced across the board and no SSL/TLS CA certs are valid.) On the other hand, it might be enough to do a quick browser check and get them to finally upgrade to a decent browser version that does include the latest CAs. Which, in retrospect, will wind up being a zero-cost item since they should be doing this anyways.

Re:Low (2)

Frobnicator (565869) | about 7 months ago | (#46805869)

That's ridiculous. I download firmware patches, software patches, etc on a daily basis. Patching heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.

That is the difficulty with all the estimates. Software defects, upgrades, and maintenance all cost money but it is generally just rolled up as part of the cost of doing business.

Every time a new patch or service pack or update gets released, there is a cost. But the cost is so commonplace as to be meaningless.

From the article, costs 1-5 are just normal business tasks. Of course there is a cost to rolling out patches. Every month's Patch Tuesday has Microsoft's patches costing organizations millions of dollars collectively around the globe. Security audits for this bug need to be done, but they need to be done for all the other recent discoveries as well. They are just costs associated with maintaining servers, much like the cost of oil changes and tires are associated with maintaining vehicles. They are not costs because of the bug specifically, they are costs because of all bugs and attacks generally.

Cost 6, "stolen data" is so vague as to be meaningless; if not heartbleed then some other exploit will be used to steal the valuable data.

Re:Low (1)

Bengie (1121981) | about 7 months ago | (#46806321)

Patches are free, but I hear that Akamai covered the cost of the few thousand dollars per cert to revoke and several thousand to get a new cert, for each of their customers. Certs aren't free and not all CAs did this for free.

Re:Low - "Bad" CA's (1)

Anonymous Coward | about 7 months ago | (#46806903)

Read the woes of the MirOS maintainer (short version: startssl.com are being jerks, and will leave possibly compromised certificates active since this hobbyist hacker cannot afford their pricing):
https://www.mirbsd.org/

Re:Low - "Bad" CA's (1)

XanC (644172) | about 7 months ago | (#46811693)

I'm not following that. He describes in great detail how there's no way his private key was compromised. Why does he need to re-key?

Re:Low - "Bad" CA's (1)

spazdor (902907) | about 6 months ago | (#46818805)

Jesus Christ. So Startssl won't even revoke a cert for a customer who's already bought it, unless they pay extra?

Why is Startssl a trusted CA? Shenanigans like that ought to be clear grounds for Chrome, Firefox et al. to leave Startssl out of their default bundle. Am I wrong?

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46808003)

I don't think they're considering the cost exclusively with IT. I believe they're linking the $ value with the repercussions of vulnerable Internet sessions with banking data, transaction data, etc.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46809703)

If you are using a CA that does not allow you to revoke and replace certs immediately at little or no cost, you are an idiot. It isn't 1999 any more.

Re:Low (1)

hawguy (1600213) | about 7 months ago | (#46807573)

That's ridiculous. I download firmware patches, software patches, etc on a daily basis. Patching heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.

If you are downloading patches, you are no CIO regardless of the title you gave yourself. Any company large enough to need a real CIO would have gone through an extensive testing/qualification process for an emergency out-of-band patch. You would be lamenting the many man hours your teams lost while testing the patch (which, due to the urgency, meant that it could not go through the normal QA process you use before deploying patches). It took Amazon all day to deploy the patch across their load balancers.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46808295)

Testing departments are useless when you can take a snapshot and rollback in case a problem is detected. Also, if you are into an organisation as big as you claim, your critical systems run unencrypted behind an SSL accelerator & application firewall. Testing is so 200?ish...

Re:Low (1)

hawguy (1600213) | about 7 months ago | (#46810607)

Testing departments are useless when you can take a snapshot and rollback in case a problem is detected. Also, if you are into an organisation as big as you claim, your critical systems run unencrypted behind an SSL accelerator & application firewall. Testing is so 200?ish...

Sure.... I've heard that before... rollback fixes everything... When the time clocks lose punches because they can't upload data to the attendance system you can just tell managers to manually reconcile timecards for 10,000 employees since IT didn't bother to test anything.

Re:Low (0)

Anonymous Coward | about 7 months ago | (#46808821)

* Research to determine if heartbleed affects our stack
* Study to determine any possible leaks
* Determining what potentially unsecured data needs to be cleaned (changed passwords etc)
* Plan for what needs to be patched, what may break with patches
* Patch process on x # of servers and n # of configuration
* Buying new ssl certs - and determining when to best to update them to minimize customer impact
* Dealing with customer support during upgrade process as things may break
* dealing with customers complaining about heartbleed for the next few months

Re:Low (1)

bloodhawk (813939) | about 7 months ago | (#46810785)

patches are free and part of your normal cycle. But there is cost in new certificates, time and cost in getting thousands if not millions of user credentials changed/reissued etc. patching is the cheap and easy part. some companies will incur considerable cost because of this.

Re:Low (1)

donaldm (919619) | about 7 months ago | (#46811913)

That's ridiculous. I download firmware patches, software patches, etc on a daily basis. Patching heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.

Yes and no. If you are patching for home use then there is basically no cost, however if you are patching corporate systems then the cost can be considerable since you actually have to involve all the managers that have an interest in all the relevant applications on the systems that need patching.

Just patching a corporate system without testing if the update breaks any applications is almost a sure way of getting fired. Many businesses have or should have a change management process and the professional IT manager has to follow those procedures. In the case of a serious vulnerability change management can be fast-tracked however the IT manager should consult with their software service provider to see if only the relevant patch can be applied and in some cases a full update may be required. In the worst case there may be a requirement to have a major update (i.e. one major release to the next plus updates) which in the case of Linux/Unix should only take a few hours however without the proper testing that upgrade may actually break some applications which may not sit well with some businesses.

To recap you are correct in saying that just applying the patch would take a few minutes with almost zero IT cost, however when you take enterprise systems into account what would normally be a very quick patch could translate into a considerable amount of hours/days/weeks when all interested parties get involved.

Possibly higher... (2)

mlts (1038732) | about 7 months ago | (#46805709)

If Heartbleed leads to subsequent intrusions, then the pricetag will definitely go into the ten digit range. If web services are patched, both external and internal [1], then it still will be expensive.

[1]: There are a lot of embedded devices that use OpenSSL, some may not be able to be updated, especially if they are used for constant production runs. All in all, if one factored in man-hours and opportunity costs, the factor is larger. Especially because the OpenSSL patches are not done yet, so even patched systems will need to be re-patched once a stable, "blessed" release is made.

What's the cost of writing your own library? (1)

Anonymous Coward | about 7 months ago | (#46805711)

Sure, but consider this: if all the users of this library had to write their own SSL implementation, what would that cost in total? I'm sure the $500M would be dwarfed.

Re:What's the cost of writing your own library? (4, Interesting)

SydShamino (547793) | about 7 months ago | (#46806029)

NPR this morning mentioned that, in all of 2013, OpenSSL received just $2000 in donations that they could use for "maintenance of the code base" work. (All of their other income was earmarked for specific work for specific customers.)

Funny enough, they said they've gotten some $10,000 this year, in the last few weeks, though note that most of this is small donations from other countries. There's no indication yet that any of the big U.S. corps most affected by this want to pony up the cash for a full security audit, though maybe some have employees working on it internally (for their own servers' versions, or maybe to share upstream).

I liked the analogy made in the NPR story, that OpenSSL is like public works infrastructure, except it has no tax authority for maintenance income. Not that I think paying for software should be mandatory, but hopefully some people will decide that, even when they don't have to pay "tax" on something, sometimes it's in their best interest to do so.

Re:What's the cost of writing your own library? (2)

Collective 0-0009 (1294662) | about 7 months ago | (#46806335)

Not that I think paying for software should be mandatory

You are forgetting a tenet of economics: there is no such thing as a free lunch. Someone is paying for that software. Heartbleed shows how you pay for it. You can use open source and never donate, living off the work of others for free. That's perfectly acceptable. But when the shit hits the fan, you have to pony up OT and scramble to patch and fix.

It is absolutely mandatory to pay for software. Everything requires resources to be built and maintained. If someone used OpenSSL and did not contribute, then they are now paying for the software.

Re:What's the cost of writing your own library? (0)

Anonymous Coward | about 7 months ago | (#46808035)

Except creating duplicates of data is cheap and computers are exceptional at copying data.

Re:What's the cost of writing your own library? (0)

Anonymous Coward | about 7 months ago | (#46811253)

Well look who didn't read even one post in this thread.

OpenBSD team not OpenSSL team doing cleanup ... (3, Informative)

perpenso (1613749) | about 7 months ago | (#46806351)

There's no indication yet that any of the big U.S. corps most affected by this want to pony up the cash for a full security audit, though maybe some have employees working on it internally (for their own servers' versions, or maybe to share upstream).

Perhaps the money is going to a more qualified team, the OpenBSD team (fyi - OpenSSH is also theirs, OpenSSL was not). They are doing a massive cleanup pass on the OpenSSL code which is to be followed by a security audit of the code.

Re:OpenBSD team not OpenSSL team doing cleanup ... (1)

WaffleMonster (969671) | about 7 months ago | (#46808307)

Perhaps the money is going to a more qualified team, the OpenBSD team

http://www.cvedetails.com/vuln... [cvedetails.com]

Re:What's the cost of writing your own library? (1)

phantomfive (622387) | about 7 months ago | (#46806621)

Not sure about other companies, but if I wanted to donate a reasonable amount of money for something like that, it would take more than a week to get approved. So maybe they'll get more later.........

2 years of NSA usage .. price way too low (-1)

Anonymous Coward | about 7 months ago | (#46805717)

I assume that the NSA has caused way more than 500m in damages with the 2 year use of the bug.

not to mention that there might have been groups that have been using the bug for a very long time without being noticed

Re:2 years of NSA usage .. price way too low (1)

Wootery (1087023) | about 7 months ago | (#46807531)

2 year use of the bug

Got a source for that? They might like to be (perceived to be) omniscient, but there's at least a chance that they're not.

Looking at Wikipedia [wikipedia.org], it hardly seems certain that there was exploitation of the bug prior to the disclosure, or that the NSA knew.

There was some exploitation of the bug very soon after disclosure, but I can't see a way to win here. You can't tell everyone about the bug without telling the bad guys...

Re:2 years of NSA usage .. price way too low (0)

Anonymous Coward | about 7 months ago | (#46807721)

On a completely unrelated topic... There's this structure I have in New York; it's pretty big and is capable of transporting motor vehicles across a body of water...
Are you interested in buying it?

Re:2 years of NSA usage .. price way too low (0)

Anonymous Coward | about 7 months ago | (#46810111)

On a completely unrelated topic... There's this structure I have in New York; it's pretty big and is capable of transporting motor vehicles across a body of water...
Are you interested in buying it?

Do you ship to Canada?

Telling Everyone without Telling the Bad Guys (2)

Sanians (2738917) | about 7 months ago | (#46809037)

There was some exploitation of the bug very soon after disclosure, but I can't see a way to win here. You can't tell everyone about the bug without telling the bad guys...

Actually you can. An AC in another story figured it out, and was promptly modded all the way up to +1.

You simply tell everyone that there is a vulnerability, but you do not tell them any details about what the vulnerability is. Instead, you simply announce a release date & time for a patch. People can either shut down their servers until the patch is released, or, if they're feeling lucky, they can keep running the old code until the patch is released since no one actually knows what the vulnerability is and so, in theory, they're in no more danger than they were the day before. Then, at the announced time, you release the patch, and because of the pre-release announcement, everyone with vulnerable servers has already taken them off-line, and so no one gets fucked by the patch essentially telling the hackers about the exploit.

Re:Telling Everyone without Telling the Bad Guys (1)

Wootery (1087023) | about 7 months ago | (#46813509)

You simply tell everyone that there is a vulnerability, but you do not tell them any details about what the vulnerability is. Instead, you simply announce a release date & time for a patch.

This is brilliant, and I'm kicking myself for not having thought of it.

The only problem I can see is that of whether the average repair-averse manager can be properly jolted by a good-faith announcement. Businesses often prefer PR bullshit to actual repairs, and will only invest in proper repairs if they're going to be utterly humiliated otherwise, and if they see no other way out. It's not unheard of for security researchers to be threatened with lawsuits should they disclose, for instance.

Even if this were to happen though, it would still be the responsible course of action for the developers/security researchers. That way there'd at least be no Well we did all we could weaseling on the part of vulnerable websites.

Your bank balance! (1)

ElectraFlarefire (698915) | about 7 months ago | (#46805831)

If you're not careful and change your passwords, it could cost you personally everything you have!

And I think the corporate number is rather low. But the exact figure is going to be rather nebulous and hard to define as these things always are.

Re:Your bank balance! (1)

Virtucon (127420) | about 7 months ago | (#46806053)

I'm sure any financial institution has already done a vulnerability assessment for this risk and acted accordingly. If not you'll see a few more CSOs and CIOs out on the street shortly.

1 Trillion (3, Insightful)

EmperorOfCanada (1332175) | about 7 months ago | (#46805839)

I might as well beat all the fear mongering "security" companies that will state all kinds of absurd numbers, so I am going to say 1 trillion and countless lives lost.

Years ago I worked for an IT consulting company and those bozos made a lot of hay from the Y2K bug. They had guys going around saying to customers that they should stockpile food because all the Cummins diesel engines had a Y2K bug that required advanced mechanical repairs to solve and basically all food trucks, fuel trucks, fire trucks, etc were all going to be shut down for at least a month. So I made a bet with the guy that this was total BS. On speakerphone I called Cummins and very quickly got on the phone with one of the top guys in their engineering. He said that the only clock in the engines was to keep track of hours of operation and it didn't actually know what date it was, just total hours. He had a guess that the other clock in many trucks would be on the dashboard to say what time of day it was.

This IT guy's bozo answer: "Cover up"

So while the heartbleed bug was pretty damn good and definitely cost money, and I am willing to bet that it cost way more money than Y2K (in damage). I am now willing to bet that Heartbleed will go on to cost way more in fear mongered consulting fees and anti Open Source fear mongering. My brother-in-law just stated that Heartbleed showed how weak Open Source really is. He didn't have the faintest idea of what open source was. This guy is in a position to influence government decisions and is surrounded by the decision makers who probably have half the IT knowledge he does. So when the Mega consultants are done whispering in the government's ears I suspect that there will be fewer Open Source projects and that the mega consultants will start selling services such as "Open Source code Audits" and these audits will show vulnerabilities such as "widely leaked source code".

So while the fear mongering will tally up some absurd numbers it will be the defrauding of customers that will really make heartbleed expensive.

Re:1 Trillion (0)

Anonymous Coward | about 7 months ago | (#46806061)

"My brother-in-law just stated that Heartbleed showed how weak Open Source really is."
Because closed source doesn't have any 2 yr old bugs?!?

Re:1 Trillion (1)

Anonymous Coward | about 7 months ago | (#46806317)

Heartbleed will re-write your hard drive. Not only that, but it will scramble any disks that are even close to your computer.
It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CDs you try to play.

It will give your ex-girlfriend your new phone number. It will mix Kool-aid into your fishtank. It will drink all your beer and leave its socks out on the coffee table when there's company coming over. It will put a dead kitten in the back pocket of your good suit pants and hide your car keys when you are late for work.

Heartbleed will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girlfriend behind your back and billing the dinner and hotel room to your Discover card.

It will seduce your grandmother. It does not matter if she is dead, such is the power of Heartbleed, it reaches out beyond the grave to sully those things we hold most dear.

It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.

Heartbleed will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methamphetamine in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower.

Re:1 Trillion (1)

ogar572 (531320) | about 7 months ago | (#46807355)

It better not drink my beer!

Re:1 Trillion (3, Insightful)

rubycodez (864176) | about 7 months ago | (#46806257)

Point out to your brother in law that weak closed source software has killed people, destroyed hundreds of millions of dollars worth of spacecraft, caused blackouts, loss of continental long distance service, etc. etc.

Re:1 Trillion (0)

gnupun (752725) | about 7 months ago | (#46807441)

Perhaps all you say is true, but this bug kinda disproves open source's selling point that "many eyeballs" means bugs can't exist for long.

Re:1 Trillion (1)

EmperorOfCanada (1332175) | about 7 months ago | (#46808101)

Nothing is perfect. But this bug may have caused a leap in open source evolution. It seems that many (myself included) people have been complaining about the SSL project. But nobody did anything about it. But now it looks like at least 1 group has taken the reins and is renovating the project. I don't know how much of the new project is going to include the people who were running the project a few weeks ago. But it seems that more people will be looking at the mega fork (as opposed to the usual dumb little fork) as an answer to any critical yet badly run open source projects.

My limited exposure to some open source projects is that once they start to be included as standard and somewhat critical in most Linux distributions then the inner circle becomes a priesthood tending to the mysteries of the shrine. This is not always a bad thing but isn't always a healthy thing.

Re:1 Trillion (1)

rubycodez (864176) | about 7 months ago | (#46827139)

no, a single case doesn't prove what is the norm. those of us who follow the forums of major open source projects see the many eyeballs doing great things all the time. and now many eyeballs are being focused on openssl, the world will benefit.

Re:1 Trillion (1)

EmperorOfCanada (1332175) | about 7 months ago | (#46808033)

I tried. It seemed to violate his sensibilities.

Is that number too low — or is it too high? (0)

Anonymous Coward | about 7 months ago | (#46805853)

Does the Tin Man have a sheet metal cock?

Re:Is that number too low — or is it too hig (0)

Anonymous Coward | about 7 months ago | (#46807363)

Why yes, the Tin Man does have a sheet metal cock.

The government is mad they can't fine anyone (1)

gelfling (6534) | about 7 months ago | (#46805903)

The Federal government's main complaint is that there's no clear case to fine the crap out of every deep pocket in the country.

I can say with confidence (0)

Anonymous Coward | about 7 months ago | (#46805917)

It is almost certainly either too low or too high.

huh (1)

koan (80826) | about 7 months ago | (#46805935)

Why does it really cost anything? Update your certs and software and send out an email telling customers to do the same.

Someone please clue me in on why silly things like this "cost millions and millions".

Or is it an "open source" smear campaign.

Re:huh (1)

Jose (15075) | about 7 months ago | (#46806153)

yea, it's difficult to see how it could cost *that* much. although, I would argue that it could be a little more complicated than you mention, if you don't have a perfect inventory of all of your software and devices.

it was/is a serious enough bug that it was drop everything and start patching/mitigating the problem...since it can take time to determine if your software/devices are vulnerable, it is likely that people had to work overtime (does anyone actually get paid overtime anymore?).

it also probably meant running scans across your public IP space to see if you have anything listening that is vulnerable that you somehow missed, then tracking down exactly what that device is.

I've heard that some CAs were charging for either the revoke, or re-issue on certs as well. although I never actually confirmed that.

you then had to roll all passwords used on those devices, and any passwords that were used on external sites.

after the initial rush to patch/scan your network...it came out that all heartbleed scanners are not accurate. so lots of people probably re-scanned with better tools.

if you work with a lot of external partners, people probably spent time scanning them as well, to see if they were still vulnerable, and reached out to them to get them to patch.

in a perfect world, a lot of the above is fairly automated...but I'd imagine most of us don't live in that perfect world...so the above tasks take a fair amount of time, which detracts from other work..so shows up as the cost of heartbleed. multiply that times X companies....and add in costs for consultants/contractors for some companies...and it gets to be big number.

$500 mil? what about routine maint. (1)

Virtucon (127420) | about 7 months ago | (#46805975)

If an organization has a routine maintenance policy then there should be no additional cost to apply the OpenSSL fixes for Heartbleed.

Re:$500 mil? what about routine maint. (1)

flyingfsck (986395) | about 7 months ago | (#46806605)

Yup, it is similar to trying to add up the cost of the Malay plane search in the Indian ocean. The Aussie defence force is paid for anyway, they just happen to spend time in one spot for several weeks.

That number is too.... (1)

Dcnjoe60 (682885) | about 7 months ago | (#46805983)

High. You can't compare the virus in 2001 with the vulnerability today. First, most sites were patched immediately. So it is likely existing staff that was paid their regular wages did the work. But accountants have a funny way of assigning costs. Even if no extra pay or workers were required, if it took 4 hours to fix it, they will assign 4 hours of labor plus overhead to it. So, while it is possible that the number, based on assigning costs could reach 500M, it would also mean that all the affected companies saved $500M on their other projects, so it was a wash. Now granted, some firms may have had to hire consultants and additional help, but that would mean that it won't be a complete wash. Overall, though, it is hard to see a large financial impact on any of this, unless, there was gross mismanagement of IT resources.

$392 Trillion! (1)

Lumpy (12016) | about 7 months ago | (#46806037)

We all know that these numbers are pulled out of their butts just like RIAA loss numbers were. So why don't they go for really stellar numbers?

$590 Quintillion is going to be the cost with over $200 Postillion alone lost due to hackers.

Maybe... (4, Insightful)

charles05663 (675485) | about 7 months ago | (#46806045)

Maybe the companies that rely on open source software will realize that supporting the projects financially is in their best interest instead of freeloading like they do now.

Re:Maybe... (-1, Troll)

Anonymous Coward | about 7 months ago | (#46806103)

Maybe the open source crowd will realize that if you give your shit away for free, not to be surprised when people take it.

Re:Maybe... (0)

Anonymous Coward | about 7 months ago | (#46807619)

Is that you, Stevie B?

Re:Maybe... (1)

jones_supa (887896) | about 7 months ago | (#46806333)

Just brainstorming... Would it be possible to create an open source license, which would mostly resemble GPL, but which had an additional clause that would require companies to pay the developers royalties when the code is used for commercial purposes?

Re:Maybe... (1)

mwvdlee (775178) | about 7 months ago | (#46806773)

You could create a source code license to do that, but it wouldn't be an open source license.

Re:Maybe... (1)

jones_supa (887896) | about 7 months ago | (#46806829)

Why not?

Re:Maybe... (1)

mwvdlee (775178) | about 7 months ago | (#46807023)

http://opensource.org/osd [opensource.org] , criterion 6
Of course, there's no legally official definition of the words "open source", but that's pretty much the definition the whole world uses.

Re:Maybe... (1)

Bengie (1121981) | about 7 months ago | (#46806823)

That would be infeasible. There wouldn't just be one royalty, there would be a separate royalty for each separate piece of code being used. I see you're using bash, that's a royalty to the bash project. I see you're using Apache, that's a different royalty to the Apache foundation. You see where this is going.

MySQL used to have a license like this... (1)

xxxJonBoyxxx (565205) | about 7 months ago | (#46808267)

In the 2000's (before Oracle), I negotiated a license with MySQL that allowed our company to bundle the software in my commercial app (for ease-of-install, especially demo time) even though someone could have downloaded and installed their own copy of MySQL for free. The OEM license cost something like $150-250/license (kept going up, of course).

Re:MySQL used to have a license like this... (1)

XanC (644172) | about 7 months ago | (#46811719)

They still have it.

https://www.mysql.com/why-mysq... [mysql.com]

Bad Programming - One line of code (3, Interesting)

Dan Askme (2895283) | about 7 months ago | (#46806353)

Quote from http://www.inferse.com/14435/h... [inferse.com]

Heartbleed was introduced into the OpenSSL software library by 31-year-old Robin Seggelmann, a Frankfurt, Germany developer who says that it was likely introduced while he was working on OpenSSL bug fixes around two years ago. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length.” The error was also missed by a reviewer responsible for double-checking the code, “so the error made its way from the development branch into the released version,” Seggelmann said.

Cost to fix? free.
Cost to roll out? 1 trillion dollars, because the companies like to milk every excuse in the book.
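As an added example (not OpenSSL's code and not from the quoted article): a simplified heartbeat echo handler that includes the length check the quote says was missing. The record layout and 16-byte minimum padding follow the published TLS heartbeat extension format; the function names and sample records are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not OpenSSL's code. A heartbeat record, after decryption:
 *   [type:1][payload_length:2, big-endian][payload][padding >= 16]
 * rec/rec_len is the record as it actually arrived. The reply is written
 * to out (capacity out_cap). Returns the reply length, or -1 when the
 * record must be dropped. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

long handle_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3) return -1;                       /* no room for a header */
    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* peer-supplied length */

    /* The check the quote describes as missing: the claimed payload length
     * must fit inside the record that really arrived. Without it the memcpy
     * below copies whatever lies beyond the record into the reply. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (type != HB_REQUEST) return -1;
    if (3 + payload > out_cap) return -1;             /* reply must fit too */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* echo only what was sent */
    return (long)(3 + payload);
}

/* Constructed samples: a well-formed 4-byte "ping" with 16 bytes of padding,
 * and a record that claims a 65535-byte payload but carries only 8 bytes. */
static const uint8_t GOOD_REC[] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t BAD_REC[]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g', 0};

int good_len(void) { uint8_t out[64]; return (int)handle_heartbeat(GOOD_REC, sizeof GOOD_REC, out, sizeof out); }
int bad_len(void)  { uint8_t out[64]; return (int)handle_heartbeat(BAD_REC,  sizeof BAD_REC,  out, sizeof out); }
int good_echo_ok(void) {
    uint8_t out[64];
    long n = handle_heartbeat(GOOD_REC, sizeof GOOD_REC, out, sizeof out);
    return n == 7 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}
```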

Another win for open sores! (0)

Anonymous Coward | about 7 months ago | (#46806447)

You should really get that looked at. I think it might be infected.

It cost us a bit. (2)

resfilter (960880) | about 7 months ago | (#46806539)

In a very small non-technical business which relies on some ssl based services, where I am the only nerd, here's my experience.

I had to:

- Test everything with SSL that we use in-house (we got off easy), then patch openssl on our internal web server. That was mostly for fun, since our network is fairly secure, and nobody that uses our internal network would be smart enough to exploit heartbleed. But still, NAT invaders, you never know. Maybe an hour spent, probably less.

- Explain this bug to everyone that isn't tech savvy, how it probably won't make a difference for us, but what it means for security. It wasn't worth calling a meeting over, so I did it individually, took a while, though.

- Make all employees reset ALL of their passwords on the SSL websites we use, after testing a small sample of them and finding several were affected by the bug, better safe than sorry. From a micromanagement standpoint, this is actually a gigantic expense of time, since we generally don't cycle passwords on many of these sites very often, and often share non-critical accounts between employees. There's wasted time when everyone types the old password, scratches their head, tries to remember the new one, has to find someone else to ask, etc.. A customer could walk away in frustration if it takes too long. Probably an hour or two spent.

- Contact any of the web service providers that we use, that I know were affected, sit around, wait on hold (for a long time obviously) to try to get some kind of plan of action or disaster report out of them. Many hours spent, but probably a waste of time anyway.

- Loss of business from downtime of two critical sites that shut down for a few days when they discovered the bug. Not as bad as it could have been if it were a larger business.

So how much did it cost our organization specifically? A couple hundred bucks in time total might be a reasonable estimate. Definitely not a problem for an end user like us.

This is nothing in contrast to a bad IT problem - for example when our entire network got raped by Zeus.....

We're talking every email account compromised, our static ips placed on god knows how many blacklists, practically worldwide email blacklist of our entire domain, very difficult removal, loss of HUGE amounts of business data to cryptolocker, loss of reputation when many of our customers also got the virus from opening emails from us, or received spam under our name, our ISP even cut us offline until repairs were done, we were down for a week.

It even hit a backup drive with cryptolocker because someone left it plugged in, which was very unfriendly when the banks needed to audit some business data that was cryptolockered in two places. Management freaked and required very expensive antivirus software that slowed our computers to a crawl, requiring upgrade or replace of every system in the entire building.

I bet Zeus cost us over 50 grand, we had to change our domain name, which is the worst way out, and who knows what kind of data those assholes got while they were abusing our mail server.

We were tempted to burn the building to the ground and change our name to recover from that one.

Where are ze jobs (1)

DrPBacon (3044515) | about 7 months ago | (#46806697)

Ze jobs. We want to see ze jobs. Whence dost thine heartbleed?

Heartbleed like airbags? (0)

Anonymous Coward | about 7 months ago | (#46806973)

When the Feds forced airbags on Detroit the big three put out cost claims that included the total cost of the dash and other parts that the airbags changed (or could be claimed to change.) A grossly inflated "cost for airbags" was used to justify grossly inflated car prices. I wonder how many IT budgets will be inflated using the Heartbleed excuse?

Not free as in beer but free as in... (0)

Anonymous Coward | about 7 months ago | (#46807247)

500 million dollars!

Nothing (0)

Anonymous Coward | about 7 months ago | (#46807711)

Legal, IT and marketoids are all already on staff and they get paid heartbleed or no.

Is this why FOSS licenses have disclaimers? (1)

macsforme (1735250) | about 7 months ago | (#46807997)

I sometimes mock the obnoxious disclaimer in all capital letters in the BSD license but in this case, could it have saved a few developers from massive liability?

cost now (losses) vs cost (funding) (2)

lkcl (517947) | about 7 months ago | (#46808625)

ynow... there is a moral to this tale: if businesses and individuals making money from software (libre) had properly funded it, putting some of the money that they saved from not purchasing proprietary software into the hands of those software teams, would we be talking about this now? in all probability, the answer is no. the reason is because those teams would be able to expand, take on more people, pay for security audits and so on which they would otherwise, as we have discovered, not be in a position to do.

so my take on this is that it is really really simple: businesses have received what they paid for, and got what they deserved.

i have been through this experience - directly - a number of times. i worked on samba - quietly - for three years. whilst the other members of the team were receiving shares from the Redhat and VA Linux IPOs, which they were able to sell and receive huge cash sums - i was busy reverse-engineering Windows NT Domains so that businesses world-wide could save billions of dollars.... and not one single one of those businesses called me up to say thank you, have some cash. as a result, about a year after terminating work on samba i was working on a building site as a common labourer.

it was the same story with the Exchange 5 reverse-engineering, which the Open Exchange Team mirrored (copied, minus the Copyright and Credits).

there is a moral to this tale: unlike proprietary software, which has a price tag commensurate with its perceived value, the process of even *offering* payment to individuals working on a software libre project that has been downloaded, usually from a completely different location (via a distro), is completely divorced from the developers actual efforts.

even in shops in rural districts, it is understood that if the door is unlocked and the shopkeeper not there, you help yourself, open the till, sort out your own correct change and walk out. but in the software libre world there is often not even that level of expectation! the software is quotes free quotes therefore it is monetarily zero cost therefore we should not have to pay, right? and businesses are pretty pathological about taking whatever they can get without paying for it.

so the short version is: there is a huge disconnect in software libre between service provision (the software) and paying for that service, and i really cannot see a solution here. perhaps this really should be bigger news: perhaps in this openssl vulnerability we have an opportunity to make that clear.

Re:cost now (losses) vs cost (funding) (1)

Neo-Rio-101 (700494) | about 7 months ago | (#46811675)

ynow... there is a moral to this tale: if businesses and individuals making money from software (libre) had properly funded it, putting some of the money that they saved from not purchasing proprietary software into the hands of those software teams, would we be talking about this now? in all probability, the answer is no.

And that's a flaw in the open source model. There is the assumption that people will review code and give back to the code... but it is just naive.
It assumes that companies actually care about utopian ideals and not just making money for shareholders.

Additionally, in the field of system administration, when issues like this occur it is always about apportioning blame. Some places would rather let hackers break their systems than risk upsetting customers with downtime to fix issues. If a hacker gets in, the hacker gets blamed.... but if the user experiences downtime from a patch or critical upgrade which maybe breaks compatibility with the old.... the company gets the blame for trying to protect its users!

Those are just the ugly realities we deal with.

Re:cost now (losses) vs cost (funding) (1)

XanC (644172) | about 7 months ago | (#46811775)

Agreed, but what should that mechanism be? My business runs on open-source software. Pretty much everything is behind our reverse proxy, Pound. One of the numerous libraries which Pound relies on is OpenSSL.

To whom do I give money? Debian? The applications I use like Apache and Pound? Do I enumerate all the libraries that all the applications use and give each of those hundreds of projects a few pennies?
