Soo, throwing a little bit of economics out there: BSD-licensed open source software is pretty much a Public Good (http://en.wikipedia.org/wiki/Public_good). There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter).
Thoughts on the pros and cons of either approach with respect to improving information security infrastructure?
"There are basically two ways we've figured out how to create public goods: taxation and assurance contracts (like Kickstarter)."
No, many BSD-licensed projects have been created through other means. Partial sponsorship and user contributions (usually non-monetary) seem like a common path.
The problem with taxation is that it requires force, which implies a heavy burden of responsibility on the people allocating the funds after collection. It's really hard to figure out which projects should get funded, and how much, and avoid strange incentives along the way. I just don't think any group of humans could do a good job of this outside of very specific tactical funding (e.g. what the DoD does with some projects).
Yeah, assurance contracts make the "figuring out what to fund" easier, since there's sort of a natural selection process. You still have execution risk, though, which is probably the biggest problem right now: if I'm contributing to fund the creation of some software, how do I know the funded people will actually deliver?
That's where a trusted intermediary probably has to come into play. The best thing I can think of at the moment is a version of Kickstarter that vets the candidate projects almost as thoroughly as a VC would and takes a cut for providing that service. Not sure how the business economics would play out in practice, though.
Since the NSA (and probably other government agencies) are already researching vulnerabilities, it would be nice to have them made public. We're already paying for the research, so we wouldn't really have to raise taxes.
They are not just researching, they are weakening security for everyone, especially domestically, considering that Americans dominate tech businesses. So not only are Americans paying for research that returns no economic benefit (unless the NSA is sharing info with American special interests and not just security?), they are making it nearly impossible to have full trust in the information systems the business community invests heavily in protecting.
I imagine if the NSA was focused on defending businesses and not reading emails of people, they wouldn't be getting the same amount of financing. They are financed for their power to exploit people the government feels threatened by, not their ability to defend citizens from harm.
Considering that the NSA has known about this bug for up to two years[1], I think it's optimistic to consider that they'd be willing to help in this regard, as they've very possibly been exploiting it for some time now.
Thanks for the Wikipedia link. Just wanted to point out that the link identifies more than two ways to fund public goods.
In particular, I'd like to point out the "Privileged group" solution, which can occur when some individuals or organisations obtain enough personal benefit from a public good that they're basically willing to fund the good themselves, even if others are free riding. Many organisations obtain enough personal benefit from secure communications that it's worth it for them to contribute to OpenSSL.
There are lots of other ways of encouraging funding too. Hacker News is one place where the community constructs social norms around open source contributions.
The Privileged Group case is more-or-less the informal handshake equivalent of assurance contracts, and the altruism/social status option doesn't quite seem to cut it for critical infrastructure like crypto libraries, unfortunately. But thanks for pointing those out!
I'd imagine the logistics of managing such a thing would be tricky, but I for one would have no issue with an "SSL Tax" that's voluntarily added to various pieces of software, with proceeds going directly to things like the OpenSSL project.
I'd be more inclined to look to state funding for encryption-related public goods if the state wasn't demonstrably an antagonist in the realm of encryption...