
Heartbleed Pricetag To Top $500 Million?

darthcamaro (735685) writes "The Heartbleed OpenSSL vulnerability has dominated IT security headlines for two weeks now as the true impact of the flaw and its reach is being felt. But what will all of this cost? One figure that has been suggested is $500 million, using the 2001 W.32 Nimda worm as a precedent. Is that number too low — or is it too high?"

  • Re:Low (Score:4, Insightful)

    by slashmydots ( 2189826 ) on Monday April 21, 2014 @11:03AM (#46805671)
    That's ridiculous. I download firmware patches, software patches, etc. on a daily basis. Patching Heartbleed wouldn't even be out of the ordinary for my job as CIO. It basically costs IT nothing.
  • 1 Trillion (Score:4, Insightful)

    by EmperorOfCanada ( 1332175 ) on Monday April 21, 2014 @11:17AM (#46805839)
    I might as well beat all the fear mongering "security" companies that will state all kinds of absurd numbers, so I am going to say 1 trillion and countless lives lost.

    Years ago I worked for an IT consulting company and those bozos made a lot of hay from the Y2K bug. They had guys going around saying to customers that they should stockpile food because all the Cummins diesel engines had a Y2K bug that required advanced mechanical repairs to solve and basically all food trucks, fuel trucks, fire trucks, etc. were all going to be shut down for at least a month. So I made a bet with the guy that this was total BS. On speakerphone I called Cummins and very quickly got onto the phone with one of the top guys in their engineering. He said that the only clock in the engines was to keep track of hours of operation and it didn't actually know what date it was, just total hours. He had a guess that the other clock in many trucks would be on the dashboard to say what time of day it was.

    This IT guy's bozo answer: "Cover up"

    So while the Heartbleed bug was pretty damn good and definitely cost money, and I am willing to bet that it cost way more money than Y2K (in damage), I am now willing to bet that Heartbleed will go on to cost way more in fear mongered consulting fees and anti Open Source fear mongering. My brother-in-law just stated that Heartbleed showed how weak Open Source really is. He didn't have the faintest idea of what open source was. This guy is in a position to influence government decisions and is surrounded by the decision makers who probably have half the IT knowledge he does. So when the Mega consultants are done whispering in the government's ears I suspect that there will be fewer Open Source projects and that the mega consultants will start selling services such as "Open Source code Audits" and these audits will show vulnerabilities such as "widely leaked source code".

    So while the fear mongering will tally up some absurd numbers it will be the defrauding of customers that will really make Heartbleed expensive.
  • Maybe... (Score:4, Insightful)

    by charles05663 ( 675485 ) on Monday April 21, 2014 @11:35AM (#46806045) Homepage
    Maybe the companies that rely on open source software will realize that supporting the projects financially is in their best interest instead of freeloading like they do now.
  • Re:1 Trillion (Score:4, Insightful)

    by rubycodez ( 864176 ) on Monday April 21, 2014 @11:55AM (#46806257)

    Point out to your brother-in-law that weak closed source software has killed people, destroyed hundreds of millions of dollars worth of spacecraft, caused blackouts, loss of continental long distance service, etc. etc.
