The encryption code unlocked by the Heartbleed bug last week provided vital security for some of the most widely used websites on the Internet. Fortune 1000 companies rely on the open source code for their core business. But it turns out no one is paying for it.
The software that got infected — and later fixed — is OpenSSL. It's supposed to be the really safe, secure road on the Internet superhighway, where messages get encrypted and sent between users and servers. But the recent bug was like a gaping pothole.
The volunteer team at the OpenSSL Foundation couldn't catch it because there aren't enough of them to look. The group's founder, Steve Marquess, says only one person works solely on the software. "Everyone else has outside obligations," he says.
The group gets some money in corporate contracts. "Rather quite a bit — under $1 million," he says. But that's for company-specific work. In 2013, the group got just $2,000 for upkeep.
After news of the bug broke, one person on a popular tech forum joked the software could raise more money panhandling in a big city than it's gotten online.
Ed Felten, a computer scientist at Princeton University, says OpenSSL is like public infrastructure without a tax base. It's open source — meaning anyone can use it for free — but it's so poor, it's never had a complete security audit.
Two-thirds of websites rely on OpenSSL. In economics, these users are called free riders.
"A free rider problem means that someone can benefit from a project or a technology without contributing back to it," Felten says.
High-tech companies are keeping quiet about the software's financial woes. Facebook and OKCupid did not respond to NPR's inquiry. Yahoo, Amazon and Google declined to comment. Cisco did disclose it does not give checks to OpenSSL, but the company's employees do actively help with code.
Many cybersecurity experts, including Felten, say that's not enough.
"Somebody needs to be paying and putting in the work to ensure that components like OpenSSL are secure. It's a job that some of the large companies could do individually and get together and do," Felten says.
David Chartier, CEO of Codenomicon, the company that found the Heartbleed bug, says the crisis is not a cautionary tale in free riders and corporate accountability. Software — public or private — will always have bugs, and people have to come together as a team to deal with it.
"Never before have we seen the security community, and the general public together along with media move so quickly to get the word out," Chartier says.
There is another silver lining. Marquess says since the bug was revealed, his group has gotten about $10,000 in checks.
"What I think is remarkable about that is so many come from around the world, places like Micronesia, the Netherlands, Taiwan, typically in $5, $10, $20 amounts," Marquess says.
But given all the traffic on OpenSSL, that still doesn't cover the cost of maintenance, he says.
More Americans are saving for retirement through their employers' 401(k) programs. That's because in recent years they've been given a strong nudge — more companies are automatically enrolling workers in retirement savings programs.
Some firms are also automatically increasing the amount employees contribute. That's just as important, experts say.
And all this makes a big difference: Without it, millions of Americans don't save at all.
Making Time For Retirement Planning
A recent survey by TIAA-CREF found that, compared to setting up a retirement account, Americans spend more time choosing a flat-panel TV, or what restaurant to have a birthday party at.
"Yeah, it's kind of embarrassing to admit that I spend a lot more time doing other things," says Mary Hakken-Phillips, a 33-year-old executive assistant in Chicago.
She says she spends countless hours planning vacations, for example. But retirement planning — not so much.
Like many Americans, Hakken-Phillips knows she should be saving for retirement. She even works at a financial services company. "I was hired in June of 2010 and they gave me a very sophisticated folder of retirement investment options," she says. But it was so complex and thick, she says, "I kind of glazed over when they handed it to me."
And still, 4 years later, she's not saving anything.
Monkeying With Economics
We like to think of ourselves as rational creatures. But research shows that when it comes to financial decisions, people can behave a lot like, well, monkeys.
Laurie Santos is a professor at Yale University. She's done research experiments where she gave monkeys money [actually fake money or tokens] and asked them to make financial decisions. Some of the choices were simple: Do you want to buy 1 grape or 2 grapes with your token?
But amazingly, with much more complex decisions, Santos says, the monkey responses match the most common human responses exactly.
What about saving some of those tokens to buy food with later on? "One thing we never saw in the monkey marketplace was any evidence of saving — just like our own species," Santos says.
There are all kinds of complicated psychological and behavioral explanations, with terms like "loss aversion" and "hyperbolic discounting."
But researchers have figured out that if a company signs up its workers for a retirement account automatically — instead of relying on them to fill out the paperwork and make decisions — it boosts participation dramatically. People can opt out of saving, but they usually stick with it.
Rob Austin is retirement research director at Aon Hewitt, a consulting firm that works with hundreds of big companies on their employee retirement programs. He says auto-enrollment programs "drastically" increase employee participation.
New data for 2013 shows that the average participation rate for employees at companies with auto-enrollment was at about 85 percent, Austin says.
And more companies are adopting the approach. Austin says after the government gave the green light a few years ago, three times as many of the large companies he tracks started offering automatic enrollment. About 60 percent now do it. But in the past couple of years, that momentum has stalled.
"It's a trajectory that is good but one that we would like to see continue to increase," Austin says.
Automatic Increases To Boost Saving
Austin would like to see more firms automatically increasing the amount that employees save. Many firms start workers off automatically saving just 3 percent of their income. Ironically, that's less than what people choose at other companies when they do get around to signing up on their own.
So, Austin says, "keeping people in at 3 percent and leaving them at 3 percent is not going to generate enough retirement income for individuals."
A lot of companies still aren't doing any of this. Half of all American workers still don't have access to any 401(k)-type retirement plan — let alone auto-enrollment.
It's not just kids who are overdoing screen time. Parents are often just as guilty of spending too much time checking smartphones and e-mail — and the consequences for their children can be troubling.
Dr. Jenny Radesky is a pediatrician specializing in child development. When she worked at a clinic in a high-tech-savvy Seattle neighborhood, Radesky started noticing how often parents ignored their kids in favor of a mobile device. She remembers a mother placing her phone in the stroller between herself and the baby. "The baby was making faces and smiling at the mom," Radesky says, "and the mom wasn't picking up any of it; she was just watching a YouTube video."
Radesky was so concerned she decided to study the behavior. After relocating to the Boston Medical Center, she and two other researchers spent one summer observing 55 different groups of parents and young children eating at fast food restaurants. Many of the caregivers pulled out a mobile device right away, she says. "They looked at it, scrolled on it and typed for most of the meal, only putting it down intermittently."
This was not a scientific study, Radesky is quick to point out. It was more like anthropological observation, complete with detailed field notes. Forty of the 55 parents used a mobile device during the meal and many, she says, were more absorbed in the device than in the kids.
Radesky says that's a big mistake, because face-to-face interactions are the primary way children learn. "They learn language, they learn about their own emotions, they learn how to regulate them," she says. "They learn by watching us how to have a conversation, how to read other people's facial expressions. And if that's not happening, children are missing out on important development milestones."
And, perhaps not surprisingly, when Radesky looked at the patterns in what she and the other researchers observed, she found that kids with parents who were most absorbed in their devices were more likely to act out, in an effort to get their parents' attention. She recalls one group of three boys and their father: The father was on his cell phone and the boys were singing a song repetitively and acting silly. When the boys got too loud, the father looked up from his phone and shouted at them to stop. But that only made the boys sing louder and act sillier.
Psychologist Catherine Steiner-Adair has written a book about parenting called "The Big Disconnect: Protecting Childhood and Family Relationships in the Digital Age." She sees lots of parents, teens and younger kids in her clinical practice in Massachusetts. The father's reaction to his three silly boys might be expected, she says, because "when you're texting or answering e-mail, the part of your brain that is engaged is the 'to do' part, where there's also a sense of urgency to get the task accomplished, a sense of time pressure. So we're much more irritable when interrupted."
And when parents focus on their digital world first — ahead of their children — there can be deep emotional consequences for the child, Steiner-Adair says. "We are behaving in ways that certainly tell children they don't matter, they're not interesting to us, they're not as compelling as anybody, anything, any PING that may interrupt our time with them," she says.
In research for her book, Steiner-Adair interviewed 1,000 children between the ages of 4 and 18, asking them about their parents' use of mobile devices. The language that came up over and over and over again, she says, was "sad, mad, angry and lonely." One 4-year-old called his Dad's smart phone a "stupid phone." Others recalled joyfully throwing their parent's phone into the toilet, putting it in the oven or hiding it. There was one girl who said, "I feel like I'm just boring. I'm boring my Dad because he will take any text, any call, anytime — even on the ski lift!"
Steiner-Adair says we don't know exactly how much these mini-moments of disconnect between a parent and child affect the child in the long term. But based on the stories she hears, she suggests parents think twice before they pick up their mobile device when they're with their kids.
Like many other doctors across the country, Dr. Devesh Ramnath, a Dallas orthopedic surgeon, recently made the switch from paper to electronic medical records. This meant he no longer had to just take notes when he was examining a patient — he also had to put those notes into the computer as a permanent record.
"I was really focused on just trying to get the information in, and not really focusing on the patient anymore," Ramnath says.
In fact, he found he was spending an extra two to three hours every clinic just on electronic records. So he hired medical scribe Connie Gaylan. Acting a bit like a court reporter, Gaylan shadows Ramnath at every appointment. As the doctor examines a patient, Gaylan sits quietly in the corner, typing notes and speaking into a handheld microphone. Once she's finished with the records, she gives them to Ramnath to check and approve, saving him hours of administrative work and allowing him to concentrate on his patients.
"I would more than happily sacrifice a significant chunk of my income for the improved quality of life I have," Ramnath says.
Medical scribes are in high demand nationally. Any doctor who doesn't make the switch from paper to electronic records by 2015 will face Medicare penalties and this deadline is fueling the demand.
PhysAssist, the country's first scribe staffing company, is on the second expansion of its Fort Worth headquarters and has opened another office in Chicago. Alex Geesbreght, the company's CEO, says the firm is growing by 46 to 50 percent every year. In 2008, PhysAssist had 35 scribes; now they have 1,400. The other big scribing companies — Medical Scribe Systems and Scribe America — each have thousands more, and the demand keeps growing.
PhysAssist trains scribes from across the country every week in its Fort Worth mock emergency department, where instructor Brandon Torres shows students the right way to fill out an electronic medical record. There are thousands of record systems, and scribes need to know how to put in the right billing codes and medical terminology at lightning speed. Torres says it's important to not just be able to multi-task, but to be able to listen to multiple things at the same time.
"You're listening to the physician, you're listening to the nurse, you're listening to the patient," Torres says. "And you're gathering all that information and presenting it back to the physician."
That last part's crucial. The physician has to approve the scribe's notes because ultimately the doctor is responsible for the record.
A medical scribe makes about $8 to $16 an hour. Many of them are medical students, who say they find it an invaluable experience. But it's not clear that scribes make things better for patients. Dr. Ann O'Malley with Mathematica Policy Research in Washington, D.C., points to one study done in an Emergency Department in New Jersey that found that doctors with scribes were able to see more patients, on average - which means more money for the institution. But that same study found that the amount of time a patient spent in the emergency department didn't decrease. Medical scribing also raises some privacy concerns, O'Malley says. Some patients may not like having an extra person in the exam room.
The Los Angeles County Sheriff's Department is one of the nation's most troubled law enforcement agencies.
Eighteen current and former deputies are facing felony charges as part of a federal probe into allegations of widespread prisoner abuse in county jails. The federal government is also investigating alleged cases of deputies on patrol using excessive force during routine traffic stops, and targeting blacks and Latinos.
Max Huntsman's job — in the newly created role of watchdog — is to help clean up the department. The only problem is, he doesn't have any real power.
Promises Of Cooperation — So Far
In a sign, perhaps, of how unglamorous his new job will be, Huntsman's new digs are a cramped collection of dark offices and cubicles, two floors above the famous food stalls of LA's Grand Central Market.
On a recent visit, he had just one employee — a receptionist — but soon a team of 30 lawyers, auditors and retired law enforcement officers will be in place here. They'll help Huntsman set up a system to monitor the Sheriff's Department — namely its jails.
Just blocks from here, at the Men's Central Jail, deputies are accused of beating and choking inmates without provocation, harassing visitors, then conspiring to cover it all up. In the indictments last fall, federal prosecutors portrayed a "culture of corruption" inside the agency.
"The bottom line is, I think you need to have people looking over your shoulder, and knowing what you're doing in order to make sure those cliques don't develop, that you don't get a group of people in the jail who think of themselves more as a gang than as deputy sheriffs," says Huntsman. "That's when you don't have that light shining that that happens."
That "light" is really the only tool that Huntsman will have. Unlike a police chief in a big city who answers to the mayor or a civilian commission, LA's sheriff is elected and enjoys a lot of autonomy. Huntsman can only present his findings and recommend reforms.
So far he's gotten a warm welcome and promises of cooperation — but it's early.
"They really, really want to respond to all these problems," says Huntsman, "as they should. I mean, there are federal indictments on the table, there's talk of a federal consent decree, or a memorandum of understanding."
Just after those indictments were announced, Sheriff Lee Baca, who had held the post since 1998, abruptly retired. There is currently an interim sheriff, and for the first time in decades, there's also a competitive campaign for his replacement. The race routinely makes headlines. Huntsman says all this publicity is to his advantage — this is the moment to start changing things.
He, too, is no stranger to the TV cameras. While deputy district attorney here, he built his career on high-profile public corruption trials, including prosecuting town leaders in Bell, Calif.
"Every single political corruption case I've ever done has been fundamentally a problem of the public not knowing what's going on, and not being engaged," he says.
But remember, Huntsman can't prosecute anyone in his new role. And another challenge? The Los Angeles County Sheriff's Department is a massive bureaucracy. It runs the largest municipal jail system in the U.S., and has 20,000 employees, including 10,000 sworn deputies.
"I think it'd be a mistake to say: Can Mr. Huntsman be the silver bullet to reform the sheriff's department? I don't think anybody, or any entity, can," says Peter Eliasberg, legal director of the ACLU of Southern California. His group wrote a damning report in 2011 that first detailed widespread corruption and civil rights abuses inside the jails. He says that for too long, problems festering within the department were ignored, not just by higher-ups in the sheriff's department, but also by county leaders.
"And as a result we have a national embarrassment for the county of Los Angeles that's costing the taxpayers tens of millions of dollars a year in verdicts against the Sheriff's Department; it's got the Department of Justice breathing down the sheriff department's neck," Eliasberg says.
There have been calls for the creation of an independent commission in addition to the new inspector general to oversee the sheriff. Observers like Eliasberg say that if Max Huntsman is the man for now, his success will depend on how aggressive he is.
For his part, Huntsman is reluctant to point fingers, and he's taking the long view. He says the federal indictments will help weed out a few bad apples, but constant monitoring over the long haul is the only way to bring about true reforms.
"If we think we can fix this problem and walk away, and a year from now just ignore how things operate, we're going to end up with the same problems again down the road."