How I Explained Heartbleed To My Therapist
Riding Open Source’s Race to the Bottom
Three years ago, my husband, an open source architect and developer, killed himself. For years, everywhere, we had struggled together against depression, and worked together to try to make our world better. It was always difficult. He succumbed. I did not.
Admitting I needed help wasn’t the hard part. Figuring out how to explain the problem is.
“So you’re concerned about your ability to focus on your job because your hobbies distract you.”
He is supposed to be helping me. I have already told him about how my technical speaking schedule is burning me out and he’s still talking about it like it’s a bad case of stamp collecting or a model-train habit that’s gotten out of hand, maybe one of those newfangled Internet addictions like World of Warcraft. But I cannot afford to let myself file him under “one of those assholes,” not yet. I have to get him to understand, or find someone who does.
“This isn’t about a hobby.” I am not trying to tell him about a thing I can’t leave at the office, because it is not what my office is for in the first place. It is not a thing I come home to, even though working from home blurs that to begin with. It follows me around like some gaseous component of my native atmosphere. My hands swipe at the space in front of me, as if to claw meaning from the empty air. None materializes. None ever does.
“But you do it in your free time.”
“Yes. But it isn’t really free time. It’s all work. It’s all important. And I have to figure out how to balance the work I can make a living on with the work I can’t, because the work I can’t make a living on is more important.”
“I don’t understand.” Bless him for being Belgian, sois Belge et tais-toi; the condescension I’d expect from an American, the if it’s so important, why can’t you make a living doing it?, never materializes. And in that moment between the conception and the creation, between the emotion and the response, falls the shadow of a chance to explain. I have learned to grasp at them, because every shadow is cast by something, which is why sometimes even grasping at shadows beats the alternative.
“Remember back around April or May, when you had to change your passwords on all the websites you use? Facebook, Yahoo, LinkedIn, everywhere?” He nods, vigorously. “Do you remember hearing the word ‘Heartbleed’ back around then?” A blank look. Maybe I should have worn the T-shirt. Too late. I have to press on.
“That part’s not important. It doesn’t matter what the problem was called. What matters is, there’s one piece of software that nearly all those websites use to make sure that all the messages that go between your browser and their site are private. And nobody pays for it.”
“Nobody at all?”
“Nobody. The people who write it have been working on it for like fifteen years now, and they’re basically all working for free, the same way I’m doing on the work I’d rather be doing, even though Google and Facebook and practically every company with a website relies on that software these guys make. ‘Relies’ as in without this software, all their business evaporates.” I leave out the part where half of “these guys” are my dead husband’s friends and they’re not all guys; there will be time to talk about that at a later appointment. “And back around New Year’s in 2011, one of those guys made a little mistake with a really big consequence. The upshot of it was that any jerkoff could just ask whatever websites they wanted for whatever private information they had on hand at the time — your passwords, your calendar, whatever.
“And nobody in a position to fix it noticed until April of this year. Which is why you and everybody else had to change all your passwords. And in the meantime, who knows how many credit card numbers and god knows what else got snatched.” My e-cigarette is nearly empty but I fidget with it anyway, calculating on the back of the envelope in my head whether I can dredge just one more hit of nicotine without burning the coil to an ashy, taste-ruining wreck. Everything has become a cost-benefit analysis on the edge of a razor in this New New Economy that has become my life: how far can I stretch the resources I have before physics or information theory dictate they snap? “And even after a disaster like this, these poor fuckers are still running on handfuls of donations. They’re still overstretched and understaffed. It’s a tragedy of the commons problem.”
That’s a catchphrase you hear sometimes in sociology, a cousin dialect to the language of psychoanalysis he speaks. He leans forward. “In what way?” he asks. I hope it means I’ve given him firmer footing than all this computery shit he doesn’t speak.
“These bugs that happen, these mistakes in software that lead to vulnerabilities, they aren’t one-off problems. They’re systemic. There are patterns to them and patterns to how people take advantage of them. But it isn’t in any one particular company’s interest to dump a pile of their own resources into fixing even one of the problems, much less dump a pile of resources into an engineering effort to fight the pattern. Google could easily throw a pile of engineers at fixing OpenSSL, but it’d never be in their interest to do it, because they’d be handing Facebook and LinkedIn and Amazon a pile of free money in unspent remediation costs. They’ve got even less incentive to fix entire classes of vulnerabilities across the board. Same goes for everybody else in the game.
“And that across-the-board shit is what I work on.” I’ve been sloshing the last drops of liquid around in the bottom of my tank as I rock back and forth, clutching my e-cig, so I chance a drag. It burns. I catch the burn in my throat and hold it and it feels good.
“Okay,” he says. “I see how you mean that it isn’t a hobby.”
I can work with that.
There’s more to say, more urgency to convey, the part about how it’s worse than a tragedy of the commons, it’s a race to the bottom, but we are out of time. There is never enough time. But there will be a next time. And I can work with that. For now, I have to.
