The Heartbleed bug that made news last week drew attention to one of the least understood elements of the internet: Much of the invisible backbone of websites from Google to Amazon to the FBI was built by volunteer programmers in what is known as the open-source community.
Heartbleed originated in this community, in which these volunteers, connected over the internet, work together to build free software, to maintain and improve it and to look for bugs. Ideally, they check one another’s work in a peer review system similar to that found in science, or at least on the nonprofit Wikipedia, where motivated volunteers regularly add new information and fix others’ mistakes.
This process, advocates say, ensures trustworthy computer code.
But since the Heartbleed flaw got through, causing fears — as yet unproved — of widespread damage, members of that world are questioning whether the system is working the way it should.
“This bug was introduced two years ago, and yet nobody took the time to notice it,” said Steven M. Bellovin, a computer science professor at Columbia University. “Everybody’s job is not anybody’s job.”
Once Heartbleed was revealed, nearly two weeks ago, companies raced to put patches in place to fix it. But security researchers say more than 1 million web servers could still be vulnerable to attack. Mandiant, a cyberattack response firm, said Friday that it had found evidence that attackers used Heartbleed to breach a major corporation’s computer system, although it was still assessing whether damage was done.
What makes Heartbleed so dangerous, security experts say, is the so-called OpenSSL code it compromised. That code is just one of many maintained by the open-source community. But it plays a critical role in making our computers and mobile devices safe to use.
OpenSSL code was developed by the OpenSSL Project, which has its roots in efforts in the 1990s to make the internet safe from eavesdropping. “SSL” refers to “secure sockets layer,” a kind of encryption. Those who use this code do not have to pay for it as long as they credit the OpenSSL Project.
Over time, OpenSSL code has been picked up by companies like Amazon, Facebook, Netflix and Yahoo and used to secure the websites of government agencies like the FBI and Canada’s tax agency. It is baked into Pentagon weapons systems, devices like Android smartphones, Cisco desktop phones and home Wi-Fi routers.
Companies and government agencies could have used proprietary schemes to secure their systems, but OpenSSL gave them a free and, at least in theory, more secure option.
Unlike proprietary software, which is built and maintained by only a few employees, opensource code like OpenSSL can be vetted by programmers the world over, advocates say.
“Given enough eyeballs, all bugs are shallow” is how Eric S Raymond, one of the elders of the opensource movement, put it in his 1997 book, “The Cathedral & the Bazaar,” a kind of manifesto for open-source philosophy.
In the case of Heartbleed, though, “there weren’t any eyeballs,” Raymond said in an interview this week.
Although any programmer may work on OpenSSL code, only a few regularly do, said Ben Laurie, a Google engineer based in Britain who donates time to OpenSSL on nights and weekends. This is a problem, he said, adding that the companies and government agencies that use OpenSSL code have benefited from it but give back little in return.
“OpenSSL is completely unfunded,” Laurie said. “It’s used by companies who make a lot of money, but almost none of the companies who use it contribute anything at all.”
According to the project’s website, OpenSSL has one full-time developer — Stephen N Henson, a British programmer — and three so-called core volunteer programmers, including Laurie, in Europe.
Logged records on the OpenSSL site show that Henson vetted the code containing the Heartbleed bug after it was mistakenly included in a graduate student’s code update on New Year’s Eve 2011, and the bug was inadvertently included in an OpenSSL software release three months later.
Neither Henson nor the other two volunteers responded to requests for an interview.
Opensource coders hardly blame Henson, considering that the OpenSSL project has operated on a shoestring annual budget of $2,000 in donations – most from individuals – which is just enough for volunteers to cover their electric bills.
Five years ago, Steve Marquess, then a technology consultant for the Defense Department, was struck by the contradiction that OpenSSL was “ubiquitous,” yet no one working on the code was making any money. When he met Henson, Marquess said, Henson was working on OpenSSL code full time and “starving.”
So Marquess started the OpenSSL Software Foundation to help programmers like Henson make money by consulting for government agencies and companies that were using the code. It also takes in some minimal donations, he said.
Over the past five years, the foundation has never made more than $1 million in commercial contracting revenue a year. This does not go very far in paying for the programmers’ work, Marquess said.
Most corporate OpenSSL users do not contribute money to the group, Marquess said. Google and Cisco say they contribute by encouraging their own engineers to look for bugs in the code while they are on the clock. The OpenSSL website shows that a Cisco engineer and several Google engineers have discovered bugs and created fixes over the years.
A Google engineer, Neel Mehta, discovered the Heartbleed bug earlier this month, and two other Google engineers came up with the fix.
Likewise, Microsoft and Facebook created the Internet Bug Bounty initiative, which pays engineers who responsibly disclose bugs in widely used systems like OpenSSL. The group paid Mehta $15,000 for his discovery – a windfall he donated to the Freedom of the Press Foundation.
But open-source advocates say organizations that rely on the code should do more to help.
“Opensource is not magic fairy dust,” said Tim O’Reilly, an early advocate of opensource and the founder of O’Reilly Media. “It happens because people work at it.”
At the least, security experts say, companies and governments should pay for regular code audits, particularly when the security of their own products depends on the trustworthiness of the code.
“They should be taking more responsibility for everything they ship in their product,” said Edward W. Felten, a professor of computer science at Princeton University.
Ten years ago, Laurie, then a freelancer, performed an audit of OpenSSL for the Defense Advanced Research Projects Agency, known as DARPA. It took an entire year. Today, Laurie said, volunteers simply do not have the time to run that kind of audit.
The problem, Raymond and other open-source advocates say, boils down to mismatched incentives. Raymond said companies don’t maintain OpenSSL code because they don’t profit directly from it, even though it is integrated into their products, and governments don’t feel political pain when the code has problems.
“For those that do work on this, there’s no financial support, no salaries, no health insurance,” Raymond said. “They either have to live like monks or work nights and weekends. That is a recipe for serious trouble down the road.”
He and other elders of the open-source movement say they want to create a nonprofit group to solicit donations from governments and companies and on Kickstarter that will be used to pay for audits of OpenSSL and other crucial open-source projects.
There was some good news this week. Marquess said that after Heartbleed helped expose the OpenSSL project’s meager resources, the group received $17,000 in donations, almost entirely from individuals outside the United States. The highest individual donation was $300; the lowest was 2 cents.
But there was a hitch, he said: “Unfortunately, the 2 cents were donated through PayPal, and PayPal took both.”
Nicole Perlroth,New York Times
Focus will be on India when virtual reality phenomenon gets real
Once the virtual reality (VR) phenomenon explodes, India, with its huge smartphone base, will be a key market — but VR players will have to come up with low-cost options to entice the country’s “digital” consumers.
According to experts, head-mounted devices (HMDs) that create an immersive virtual world for users is the future after the successful touchscreen era.
Today, the market is flooded with VR devices: Oculus Rift, HTC Vive, Sony PlayStation VR, Samsung Gear VR (co-developed with Oculus), LG 360 VR, Google Cardboard, Zeiss VR One and One GX and several other players soon going to join the VR fray.
But, with a huge smartphone base of 160 million plus users that is likely to surpass the US smartphone user base in a couple of years, what India needs are low-cost VR headsets compatible with low-cost smartphones. Only then will VR use truly explode in India.
“I feel that VR adoption is currently at a minuscule level in India. Many firms like Sony, Samsung, HTC, OnePlus have joined Facebook’s Oculus platform in the virtual reality space. But we are still far away from its widespread adoption here,” says Thomas George, senior vice president and head of CyberMedia Research(CMR), a market research and consulting firm.
“But going forward, thanks to India’s rich demographic dividend, we may witness VR finding its ‘sweet spot’ in the youth segment. The adoption of virtual reality could see traction in the edutainment arena. Applications like immersive learning and entertainment, especially games, could kick-start its adoption sooner,” George said.
According to the global research firm MarketsandMarkets, the international VR technology market is expected to reach $15.89 billion by 2020.
With VR technology, the user is isolated from the real world while being immersed in a world that is not real, so VR, in a way, works better for video games and social networking in a virtual environment.
But for Rajiv Srivatsa, COO and co-founder of Urban Ladder, a curated online furniture seller, VR can help complex purchase categories like theirs engage more effectively with consumers and helps the consumers make better, informed choices about the products they purchase.
“If the products are built right, VR has the power to revolutionise user-interaction,” he told IANS.
Although these are early days for VR, companies the world over – including in China, from where low-cost VR headsets will soon flood the markets – are now investing heavily in VR technology.
Facebook is credited with taking an early bet on virtual reality by acquiring the start-up Oculus VR for $2 billion in early 2014. It is expected to start shipping Oculus headsets — priced at $599 — in March this year and has already started taking orders.
South Korean electronics giant Samsung has also launched Gear VR — its flagship virtual reality headset — for Indian consumers in January for as low a price as Rs. 8,200.
Apple has reportedly hired experts in virtual and also augmented reality (AR) to built prototypes of headsets that can one day rival Facebook’s Oculus Rift.
Technology adoption by vendors is rapid. What is launched in the US and other advanced markets also gets due attention in India and VR is no different.
“We may not be 100 percent ready but definitely India should be seeing some activity around VR this year, especially the introduction of devices with VR features. This small step could in time serve as a ‘big leap’ and the start of more serious adoption in the country,” notes Faisal Kawoosa, lead analyst, telecoms practice, CMR.
Several smartphones were launched in 2015 with VR technology which, beyond gaming, has a potential to help young people choose their careers too.
“For example, a smartphone using VR goggles can help a student virtually get a glimpse of a surgeon’s career in medicine by showing an immersive video on a surgical procedure or helping him or her choose an alternate career video altogether,” says George.
It has implications in other sectors too. For example, VR technology can be used to determine how people perceive their bodies, to treat body image disturbances and to improve adherence to physical activity among obese individuals.
“Virtual reality offers promising new approaches to assessing and treating people with weight-related disorders and early applications are revealing valuable information about body image,” according to researchers at the University of Barcelona, Spain, who recently demonstrated how VR environments can produce responses similar to those seen in the real world.
While we discuss VR, the next big thing coming our way is augmented reality (AR) and it has better chances to thrive. Unlike with VR, AR users continue to be in touch with the real world while interacting with the virtual world (remember Google Glass!) and this makes experts feel that AR has a definite edge over VR. (Let us keep a discussion on AR for another day though.)
“Pretty soon we’re going to live in a world where everyone has the power to share and experience whole scenes as if you’re right there’,” said Mark Zuckerberg while speaking at the just-concluded ‘Samsung Mobile World Congress 2016’ in Barcelona.
And when VR finally comes out in the open, with a massive smartphone consumer base, India is going to be a key player in the global VR ecosystem, say experts.
Facebook launches free WordPress plugin for Instant Articles
New York: The social networking giant, set to open its Instant Articles feature to all publishers next month, has launched a free WordPress plugin that will help publishers create Instant Articles with ease.
Instant Articles will be open to all publishers – of any size, anywhere in the world – at Facebook’s F8 conference in San Francisco on April 12.
“We have partnered with Automattic, parent company of WordPress.com VIP, to build a free plugin for Instant Articles, which simplifies the process of generating and publishing Instant Articles from WordPress,” said Chris Ackermann, partner engineering at Facebook in a blog post on Tuesday.
The open-source WordPress publishing platform now powers more than 25 percent of sites on the web so “we are excited to help millions of publishers all over the world bring the Instant Articles experience to their readers”, he added.
The plugin creates a special RSS feed that automatically optimises Facebook posts to appear as Instant Articles. The plugin is open-source and customisable.
“We’ve worked with a small group of publishers on WordPress to beta test the plugin as a seamless way to adapt web content for the Instant Articles format, with a built-in suite of interactive tools that help stories come to life on mobile,” Ackermann posted.
When Instant Articles opens up in April, publishers that use standard WordPress templates can activate the plugin out-of-the-box to create Instant Articles.
Publishers that want a more customised production experience can extend the plugin to support additional elements.
“We encourage all interested publishers on WordPress to review the plugin’s documentation and FAQs,” the post said.
More Live videos in your Facebook timeline soon
As more and more people are watching “Facebook Live Videos”, the social networking giant has pushed its live video feature to top of its News Feed.
The company is considering Live Videos as a new content type – different from normal videos – and learning how to rank them for people in News Feed.
“As a first step, we are making a small update to News Feed so that Facebook Live videos are more likely to appear higher in News Feed when those videos are actually live, compared to after they are no longer live,” wrote Vibhi Kant, product manager and Jie Xu, software engineer at Facebook in a blog post.
“People spend more than 3x more time watching a Facebook Live video on average compared to a video that’s no longer live. This is because Facebook Live videos are more interesting in the moment than after the fact,” they wrote.
“Facebook’s Live Video” feature allows users to broadcast live video from their smartphones.
News Feed is made up of posts from the friends and Pages you have connected to. These posts can be status updates, photos, videos, links and now, Facebook Live videos.
“We rolled out Facebook Live on iOS in December and last week, we began rolling it out on Android in the US. Over the last three months, Facebook Live video has become more and more popular and more and more people and Pages are creating and watching live videos,” the Facebook officials posted.
“As with any new type of content in News Feed, we are learning what signals help us show you the most relevant Facebook Live videos for you personally,” they added.
For example, a few years ago when more people began sharing and watching video on Facebook, the company listened to feedback to learn what signals helped them show people more of the videos they want to see and fewer of the videos they don’t.
“At first we updated News Feed ranking to take into account how many people watched a video and how long people watched for to help us personalise News Feed based on people’s preference for watching video,” the company said.
“Over time, we also learned that certain actions people take on a video, such as choosing to turn on sound or making the video full screen, are good signs they wanted to see that video, even if they didn’t choose to like it,” it noted.
Facebook Live is currently available for verified Pages and public figures using Mentions.
“We do not expect Pages to see significant changes as a result of this update. We will continue to learn how people are watching this new content type,” Kant and Xu added.
Follow us on Twitter
Canadian News1 year ago
Stephen Lecce, Ontario education minister appoints investigator to examine Peel District School Board
Canadian News2 years ago
Joint statement from the Greater Toronto Area & Hamilton Mayors and Chairs
World News1 year ago
HERBAL FORMULAS CAN HELP IN COVID-19 FIGHT: EXPERTS
Canadian News1 year ago
Ontario to reopen province, guiding principles unveiled
Canadian business News1 year ago
COVID-19: Canadian Entrepreneurs less pessimistic in April
Canadian News1 year ago
COVID-19″ More Indo-Canadians returning are from India
Canadian News1 year ago
Help for people leaving violent or unstable situations in B.C., 300 additional spaces
World News1 year ago
Prince Charles Lauds British-Sikhs’ Role In Covid-19 Fight