#HEARTBLEED was 5-years ago.

I was reading through my old handwritten tech notebooks this morning, search for some details on a Windows problem I know I’ve had before. I noticed an entry for March 28th, 2014 on the latest bug tracker list from Red Hat. One of the items on the list from the week before was the #Heartbleed bug in OpenSSL.

Image from synopsis.com

In less than a couple of weeks, Jim Zemlin from the Linux Foundation contacted John Hull in the open source team at Dell, who passed the call to me. I was happy to tell Jim we’d be happy to sign up, I got voice approval for the spending commitment and the job was done.

The Core Infrastructure Initiative (CII) was announced on April 24th, 2014. One of the first priorities was how to build a more solid base for funding and enabling open source developers. The first projects to receive funding were announced on April 26th, 2014 with remarkable speed.

Five years later I’m delighted to see Dell are still members, along with the major tech vendors, especially and unsurprisingly, Google. Google employees have made both substantial commitments to CII and open projects in general. I remember with great appreciation many of the contributions made by the tehn steering committee members, especially, but not limited to Ben Laurie and Bruce Schneier.

This blog, on synopsis.com, has a summary, entitled Heartbleed: OpenSSL vulnerability lives on. May 2, 2017.

My blog entries on Heartbleed and CII are here, here, and here.

There is still much to be concerned about. There are still many unpatched Apache HTTPD servers, especially versions 2.2.22 and 2.2.15 accessible on the Internet.

Remember, just because you don’t see software, it doesn’t mean it isn’t there.

More on OpenSSL, Heartbeat

I don’t propose to become an expert on OpenSSL, much less the greater security field, but I know people who are. My role in the Linux Foundation Core Infrastructure Initiative was to help Dell recognize how we can support a key industry technology, and at least give Dell the ability to have input on what comes next.

Our SonicWall team have many experts. They’ve published a great blog both on  their product positioning and use in relation to Heartbleed and vulnerabilities, and Network Security product manager Dmitriy Ayrapetov raises the question, in a world of mostly TCP traffic, are TLS Heartbeats even necessary?

The Dell SecureWorks Counter Threat Unit™ (CTU) have a blog on malware arising out of and exploiting the heartbleed vulnerability. Another great Dell resource well worth following for those with an interest in security.

Core Infrastructure Initiative (OpenSSL)

I’m pleased to announce that Dell with be a joining the Linux Foundation and a number of key industry partners in establishing the Core Infrastructure Initiative(CII). This is another open source initiative, and I’m glad to have have played my part in pushing through the approval. I mentioned in my February blog, and we continue to work on three other, I think significant initiatives.

CII is a new project to fund and support critical elements of the global information infrastructure. The Core Infrastructure Initiative enables technology companies to collaboratively identify and fund open source projects that are in need of assistance, while allowing the developers to continue their work under the community norms that have made open source so successful.

The first project under consideration to receive funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.

You can read the full Linux Foundation news release here and the New York Times already has a blog here.