OpenSSL may not be a household name, but every household with an Internet connection uses it.
That’s why few security vulnerabilities ever garnered the attention of Heartbleed, a security bug uncovered in the OpenSSL protocol last April. The OpenSSL software stack encrypts communications between computers and is the way we secure everything, including connections to mobile banking applications, Facebook logins, credit card transactions and emails, on the internet.
Manu Sporny, founder and CEO of Digital Bazaar, which develops payment and identity standards for the Web, argues that of the 3 billion people that have ever logged online, all 3 billion people have used OpenSSL or SSH (another security protocol) at one time or another.
With major newspapers inciting panic, eyes were on the core OpenSSL team to stem the damage that left private keys and passwords vulnerable to theft. However, at the time, the project had only 11 developers, only two of which were paid full-time for their work… again, on a protocol that protects the sensitive information of 3 billion people.
This may seem surprising given the importance of the software, but it’s endemic of the current culture around open source. In a free-market capitalist society, incentives are set up so corporates can search for efficiencies in an effort to provide better products and services in less time and at lower costs.
Sporny and his team at Digital Bazaar have dealt with the problem firsthand on a protocol called Forge. Security bugs are submitted by developers on a regular basis, and most the time these developers are working for a large corporate.
Between 30 and 40 big companies have asked Sporny and his team to implement fixes or extra features, but only one has actually paid for an added feature. Another asked how much the developers charge, Sporny gave them a figure, and the company was never heard from again.
“Every single tech company … uses open source software in some part of their stack,” Sporny says. “In most cases, their whole stack is built on open source with a few added [proprietary] features.”
HP, IBM, Google, Yahoo, Facebook, Twitter and Uber all use large amounts of open source software, and the system has evolved to allow these corporates to exploit the community, made up of passionate programmers working pro bono on critical software.
Sporny says Google, IBM and Red Hat are big contributors to the open source community, although based on their revenues the contributions seem minimal.
“Anytime you have a community that would be doing something regardless of whether they get paid for it with a pretty strong commercial upside, you’ll find large corporations taking advantage of it for their own gain,” says Sporny.
———
This isn’t stopping open source work from pressing forward.
Digital Bazaar is based out of Blacksburg, Virginia, near the Virginia Tech campus. Sporny had recently begun renting the house he set me up in for four days, in a room that will eventually house people working on open standards related to digital payments and credentials for the World Wide Web Consortium (W3C).
The payments and credentials group’s did raise a tranche of money recently, but are still working towards the goal of raising $1 million every year for at least the next five years.
The effort is emblematic of open source community and its inclination toward solving big problems, measuring success in the number of people using the software they built. W3C, for example, is currently seeking to develop a standard for web payments, one that would homogenize APIs for transactions that happen within web applications and web pages (such as when you use PayPal, for example, to donate to Moneytripping).
The open source community, however, is far older, tracing its roots to the late ‘70s and early ‘80s when software developers got tired of writing the same proprietary code over and over again for different companies. To eliminate the monotony and extra work, developers began sharing code and software libraries, which ballooned into the open source movement.
Today, open source software is free, not only in cost but also in how individuals and companies use it.
Sporny doesn’t want to make it sound like open source developers are struggling to make ends meet, because “look they’re software developers, they’re very employable.” Still, he finds fault with the fact many aren’t paid for the important development they’re passionate about.
“That’s a failure of capitalism to capture the work these people are putting in through open source,” Sporny says.
While most developers see the exploitation of open source as a necessary evil of keeping software and internet protocols open to all, there are a handful of people, including Sporny, that are trying to find a way to make sure developers get some value back from corporations that profit wildly off open source.
Sporny is working on a project for tracking contributions to open source projects, in an effort to ensure developers that write code, document or market the software are compensated. His idea is that corporations that license open source software and have the ability to give back, should. And the revenue should be split up among all those that worked on the software project, based on how valuable their contribution to the project was.
“That’s the really tough problem: who determines what kind of value you put in,” Sporny says. This will be especially challenging to get past open source developers who tend to think the second money enters the equation the project is corrupted, he says.
Sporny also wonders if the federal government should enact a small blanket fee on large digital providers that is then redistributed back into the open source community.
“It goes against this capitalistic idea, that if you create something of value you’ll get rewarded for it,” Sporny says. But in reality, the capitalistic idea is that “if you create something of value and fence it, then that’s the way you capture value.”
There’s a parallel to derivative trading on Wall Street. The farmers that grow the food or the construction workers that build the houses are not extracting value from the trading of derivatives and in some cases are actually hurt by it.
———
Today, Sporny thinks, people are more aware of capitalism’s problems, but few are working on fixing it.
For instance, the open source community sits back and watches large digital providers make billions of dollars without infrastructure costs, with the hope that these companies will someday pay them for their time, but that rarely happens, Sporny says.
Although Sporny and his team are hopeful younger generations might demand that these large corporates give back to the open source community that they leach off of.
“Younger people are growing up with different attitudes towards money … and I think it’s a good thing,” says Matt Collier, a developer for Digital Bazaar that also lived in intentional communities for about 15 years. “Younger people in general are more willing to share” whether it’s group living situations or sharing cars.
In New York City, the sharing economy is in full flux, whether it’s ZipCar or Airbnb. Plenty of people, including myself, have converted one bedroom apartments into two. Renting a temporary wall to section off my living room was quite expensive, so instead I put tall, Ikea shelves up and then hung a curtain over the entry for a roommate I found on Craigslist.
Collier, at least, doesn’t think I’m crazy.
“Economies that come from that are good,” he says. “When you don’t want to go in pursuit of making a large salary, for example a musician working a low wage job, but you still have access to resources because of your cooperation, that’s where it’s at. And i think people do embrace that.”
———
After the Heartbleed bug was initially disclosed, a number of tech organizations raised several million dollars to help under-funded open source projects, starting with OpenSSL. The fund was initiated by the Linux Foundation, and its donors, including Facebook, Google and Microsoft, committed to $100,000 a year for at least three years.
Does $100,000 seem like a lot?
Facebook’s annual revenue in 2014 was $12.5 billion.
Google’s was $66 billion.
And Microsoft’s 2014 annual revenue was $86.8 billion.
Nope.
Great article. Only one issue in my view, which is lumping Red Hat in with IBM and Google. You could have said Apple, since their entire operating system was built on BSD. Red Hat has given back in so many ways it’s hard to start counting them. While I’m a Debian guy, I still give them credit, as do most people who use open source software exclusively.