Slashdot Mirror


Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

265 comments

  1. I don't buy it by GameboyRMH · · Score: 5, Insightful

    Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:I don't buy it by Lilith's Heart-shape · · Score: 5, Insightful

      Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.

    2. Re: I don't buy it by BarbaraHudson · · Score: 5, Informative

      The article makes the claim with absolutely no statistics to back it up. The public knows more about Kim Kardashian and Ebola than open source security flaws. Sounds like the writer has been taking lessons from Florida Muttonhead.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:I don't buy it by Anonymous Coward · · Score: 1

      They are aware of the title "Open Source" only and these flaws are definitely a black eye, even if they do not understand the concept. Most of the public sees it as a bunch of free stuff out there that maybe someone can use.

      Corporations will definitely be re-evaluating the option of open-source after these two issues.

    4. Re:I don't buy it by MouseR · · Score: 0

      I still don't trust my kids with Cuisinart.

      Them last pancakes were horrible.

    5. Re:I don't buy it by mlw4428 · · Score: 1

      Yes and no. Most of the general public that deal with software who have any real influence are your managers/executives and I think they're the ones more or less meant in this article. My company won't lie in bed with Open Source because of the recent issues and their opinions on the lack of support. I'm not saying FOSS is bad, just why ONE company chooses not to.

    6. Re:I don't buy it by The Ickle Jones · · Score: 5, Insightful

      Corporations will definitely be re-evaluating the option of open-source after these two issues.

      Maybe they should also avoid proprietary software, for similar reasons. That leaves them with... nothing. Oh, well, they can always pretend that perfect software exists.

    7. Re:I don't buy it by GameboyRMH · · Score: 5, Insightful

      Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re:I don't buy it by Anonymous Coward · · Score: 0

      Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

      be just like microsoft to try to derail linux in this very fashion

    9. Re:I don't buy it by Anonymous Coward · · Score: 0, Funny

      Fuck no, this is corporate bullshit perpetrated by the new and improved /.

      What a shame...back to reddit, just wanted to see what kind of crap was being peddled today.

    10. Re:I don't buy it by LifesABeach · · Score: 2

      "...the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

      Closed source works? They're the ones the bad guys make mega-bank on. Get real. So the holes are there, they get filled up in the FOSS world a lot faster than some other a== clown closed system, even factoring in that the closed source community cares.

    11. Re: I don't buy it by LifesABeach · · Score: 1

      coffee..on..keyboard,..damn,..cleaning..it..up..before..boss..gets..back

    12. Re:I don't buy it by LifesABeach · · Score: 0

      Pen and paper methods worked for thousands of years?

    13. Re:I don't buy it by r1348 · · Score: 1

      Not when it comes to encryption.

    14. Re:I don't buy it by postbigbang · · Score: 3, Interesting

      Some kids will become good and responsible coders, but not all kids. Some will be artists, musicians, mechanics, farmers, etc., and for the rest of the world that doesn't code, a heavy responsibility is placed on the FOSS community to do code reviews.

      People don't compile at all. They download binaries, and they don't know the difference between an MD5, a SHA-x and a hole in the ground. Binaries therefore need special protection. Open Source doesn't mean anyone's actually looking at the code, and there needs to be peer review on critical components given with distros, but this isn't guaranteed to happen. Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

      --
      ---- Teach Peace. It's Cheaper Than War.
    15. Re:I don't buy it by Anonymous Coward · · Score: 0

      Go read about "shellshock" - 20+ years of exploitability.

    16. Re:I don't buy it by ArhcAngel · · Score: 5, Insightful

      Big corp CIOs need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken on the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is in most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intentions of fixing. Unless the problem affects a large enough group most ISVs aren't going to lift a finger to correct it. At least with OSS even if the maintainers of a project dismiss your issue you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    17. Re:I don't buy it by LifesABeach · · Score: 0

      I think Rosetta could debate that on point.

    18. Re:I don't buy it by Anonymous Coward · · Score: 0

      Of course, everybody trusts the proprietary code that was jacked from the open code? Come on, if Heartbleed showed nothing, it showed that close source code is very much based on open source.

    19. Re:I don't buy it by leenks · · Score: 1

      I found their language courses incomprehensible too...

    20. Re:I don't buy it by xvan · · Score: 2

      Actually, I can't remember the last Linux zero-day bug.
      And the bugs this article refers to are BSD's and GNU's fault.

      Maybe, just maybe, Linus' way is the right way.

    21. Re:I don't buy it by mlts · · Score: 0

      I notice that open source software has bugs ready to be patched.

      Windows has exploits in the wild and major breaches in progress due to exploits, such as the one today.

      The Linux vulnerabilities were fixed on the boxes I'm responsible for in minutes. MS, you can wait a month for a fix, and in the meantime, there may be no workarounds.

    22. Re:I don't buy it by Anonymous Coward · · Score: 0

      So true. A housemate saw my Linux desktop with multiple xterm windows opened: "Oh, I know, this is that thing they call DOS".

    23. Re:I don't buy it by Anonymous Coward · · Score: 0

      My company says your company is full of shit and will meet it outside during recess to settle the score.

    24. Re:I don't buy it by AchilleTalon · · Score: 2

      I even know a bunch of software developers who pretend to embrace open-source software without knowing what it is all about. Imagine the general public, they just know about free software like in free beer. Even large corporations using open-source software just like the free part like in beer, that's why these critical pieces of software don't have the resources they deserve.

      --
      Achille Talon
      Hop!
    25. Re:I don't buy it by AchilleTalon · · Score: 0

      Of course, if they are using Cuisinart to make pancakes they are surely not trustworthy.

      --
      Achille Talon
      Hop!
    26. Re:I don't buy it by ray-auch · · Score: 2

      How did you fix them in minutes when it took several days for correct patches to come out, for entirely predictable reasons (laughable approach of trying to find and fix all bugs at once in a parser never designed to be secure, when the real issue is that it should never be being fed untrusted input)?

      To my mind, that is the biggest failure of open source / free software in this case
      - 20+ yr old bug / insecure-feature in an obscure corner of a system never designed for today's threat environment - forgivable
      - responsible disclosure, working with maintainers under embargo - good
      - publication along with a patch that was broken again within hours if not minutes - fail
      - everyone and his dog then panic-issuing further patches for one parser vulnerability after another before eventually someone (actually more than one different approach) fixes it properly the way it should have been done in the first place - spectacular fail

    27. Re:I don't buy it by postbigbang · · Score: 4, Insightful

      Try an energy link and go check CVEs using the string openssh for starters. Kernel? No. All the crap in the back? Oh, yeah.

      --
      ---- Teach Peace. It's Cheaper Than War.
    28. Re:I don't buy it by Opportunist · · Score: 1

      "Open Source software is free!"
      "So? On bittorrent, any software is free"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:I don't buy it by Jane Q. Public · · Score: 1

      Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

      But this just leads back to the final line in OP:

      As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

      And despite Betteridge's Law, the answer to this is Yes. Because when flaws are found, the community DOES audit, and repair.

      Great example: a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

      Was that specifically a security issue? No. But it's still illustrative of the difference.

    30. Re:I don't buy it by gweihir · · Score: 1

      Many seem to think that FOSS is these "terrorist-like" "hacker kids" that "threaten modern society". Hence you can sell them anything but do not expect any understanding.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    31. Re:I don't buy it by gweihir · · Score: 1

      To be fair, modern compilers have some similarities with Cuisinarts.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    32. Re:I don't buy it by Opportunist · · Score: 2

      Nope. For the same reason they don't give a shit about any sky-is-falling announcement in any other software they use. The cost to change anything is SO prohibitively high that there is no option but to simply carry the risk.

      Every time someone announces "there has been a huge security flaw in X", someone will invariably follow up with "oh, now corporations will drop it instantly and not touch it with a 10 foot pole anymore".

      It usually shows more about the lack of knowledge of corporate structures and corporate thinking than anything else about the person making that claim.

      Corporations don't, and more often than not simply CANNOT, make spot decisions. Strategies span years and dropping something suddenly, if possible at all (again, nearly invariably it is NOT possible altogether), is prohibitively expensive. Unless that system flaw is near certain to occur and near certainly sinking the company if it happens, a "drop it like it's hot" will simply not happen.

      If any corporation is now "moving away" from OSS because of this, it's either that someone important wanted to and needed an excuse, or that the last business dinner with the CSS vendor was tasty.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    33. Re:I don't buy it by Opportunist · · Score: 4, Insightful

      ...and 2 days after it got known.

      The main difference between OSS and CSS is that in OSS you can actually find the security holes. In CSS, all you can do is hope that the vendor finds them, or at least cares enough to look for them in the first place.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re:I don't buy it by Anonymous Coward · · Score: 4, Informative

      Actually, I can't remember last Linux Zero-Day bug.

      Linux has certainly had a number of security bugs that existed for many years and could have been exploited for privilege escalation and unauthorized access to machines:
      5-year-old privilege escalation bug
      8-year-old privilege escalation bug
      14-year-old sigreturn bug

      Now you could take the dismissive, naive approach and say these don't matter and weren't exploited simply because you didn't hear about it in any well-publicized, poorly-executed attack but how many more of these ancient (and recent) vulnerabilities exist in the Linux kernel unfixed and unbeknownst to the maintainers? There could be none (unlikely), there could be many (much more likely) and as the kernel gets more and more complex and more and more bloated with kernel-mode drivers in the source tree it becomes even more likely that security vulnerabilities will be incorporated and go unnoticed.

      NB: I'm not discussing this in the context of Linux Vs something else or Open Vs Closed, just that the Linux kernel is no more secure than any other software.

    35. Re:I don't buy it by marcello_dl · · Score: 1

      a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

      It is not the best example, one could object that MySQL was bought to be eventually snuffed.
      On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    36. Re:I don't buy it by TemporalBeing · · Score: 3, Interesting

      How did you fix them in minutes when it took several days for correct patches to come out, for entirely predictable reasons (laughable approach of trying to find and fix all bugs at once in a parser never designed to be secure, when the real issue is that it should never be being fed untrusted input) ?

      To my mind, that is the biggest failure of open source / free software in this case
      - 20+ yr old bug / insecure-feature in an obscure corner of a system never designed for today's threat environment - forgivable
      - responsible disclosure, working with maintainers under embargo - good
      - publication along with a patch that was broken again within hours if not minutes - fail
      - everyone and his dog then panic-issuing further patches for one parser vulnerability after another before eventually someone (actually more than one different approach) fixes it properly the way it should have been done in the first place - spectacular fail

      And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited; when an unknown exploit is exploited they take up to 30 days to release, and that still may not have everything fixed. So to put this in context, if Microsoft were the developers of Bash:

      • They would have sat on the bug for 20 years too if there were no known active exploits of it.
      • The first patch would have taken 30 days, not under 2 weeks (I don't know the real number, but it wasn't very long; and certainly under 2 weeks if not under 1 week).
      • The second patch would have still been needed, but would have taken yet another 30 days
      • Only a few developers would have had access to be able to review and fix anything
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    37. Re:I don't buy it by UnknownSoldier · · Score: 2

      "Open Source software is legally free!"
      "So? On bittorrent, any software is free"
      You forgot most likely illegal -- just because the "cost" appears to be zero for you, doesn't mean it is legally free.

      FTFY.

    38. Re:I don't buy it by Jane Q. Public · · Score: 2

      It is not the best example, one could object that MySQL was bought to be eventually snuffed.

      Actually, that's just part of the same argument. Open source has no way to snuff programs. They're just picked up by others and carried on.

      And in fact, that's what happened to MySQL. Many -- possibly even a majority by now -- webhosts have replaced MySQL with MariaDB, and hardly anybody even notices. MariaDB is a fork of the pre-Oracle, open-source MySQL. So if Oracle was really trying to kill it, they failed. It lives on, newer and in many ways better, just under a different name.

      On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

      I certainly agree with you there.

    39. Re:I don't buy it by UnknownSoldier · · Score: 4, Informative

      > http://www.phoronix.com/

      Please don't link to Phoronix garbage -- all they care about is linking to themselves instead of actually linking to the source
      i.e.

      * https://lkml.org/lkml/2010/9/1... Linux 2.6.36-rc4
      * https://lkml.org/lkml/2010/9/2... Linux 2.6.36-rc5 <-- alpha: fix a 14 years old bug in sigreturn tracing

    40. Re:I don't buy it by Opportunist · · Score: 1

      I guess I should have noted that I wanted to depict the general level of information some random internet user would have about open source software.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    41. Re:I don't buy it by Anonymous Coward · · Score: 0

      And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited

      Link?

    42. Re:I don't buy it by nukenerd · · Score: 1

      Whooosh!

    43. Re:I don't buy it by Anonymous Coward · · Score: 0

      "We can eventually fix this by teaching kids to code"

      Problem solved? Much like trying to teach kids Math.... or English. Yeah, those were successful ideas...

    44. Re:I don't buy it by ray-auch · · Score: 1

      I didn't say MS was better, I said the bash response was poor, and the poster I replied to couldn't possibly have had fixes in place within minutes as claimed.

      Oh, and in your argument "up to 30 days" suddenly becomes "taken 30 days" - actually if bugs come in uniformly distributed in the 30 day cycle then average would be 15 days, or lower since sometimes they do go out-of-band.

      Plus, the second (and third and fourth and so on) patches are only needed if the first (and second and third...) one is inadequate and not properly tested. Maybe MS are just as bad at that too, but the developers of Bash were certainly not good at it.

    45. Re:I don't buy it by Anonymous Coward · · Score: 0

      Process? I hope you're not referring to the ones 9 out of 10 proprietary companies use (cause that's why they charge a lot)...

    46. Re:I don't buy it by Anonymous Coward · · Score: 0

      Problem is all those flash/IE/reader bugs crashed your MS word app or screwed up your FPS game.

      The FLOSS issues are worse, credit card servers, data banks, shipping servers, company infrastructure, etc... why? cause we all agreed back then that Linux > Unix.

    47. Re:I don't buy it by sjames · · Score: 1

      Is shatter fixed yet?

    48. Re: I don't buy it by Anonymous Coward · · Score: 0

      What in the world are you talking about? Microsoft was sitting in their smug little offices telling all their customers they were protected when all the OSS fanboys were scrambling to re-key all their servers.

    49. Re:I don't buy it by Anonymous Coward · · Score: 0

      And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited

      There is no such policy.

    50. Re:I don't buy it by Bite The Pillow · · Score: 1

      The article does not use the term "general public". Thanks to a misinterpretation by iONiUM, and your failure to make sure the thing you are criticising is even a thing, we are talking about a non-issue instead of the actual topic. Unless you are brand spanking new to this website, you should know better, and shame on you.

      I don't even see a clarification of who is becoming more aware - only that people involved with open source in some fashion are making comments. The obvious conclusion is that the general public has more opportunity to be aware. Not that they take advantage of that opportunity.

    51. Re: I don't buy it by rtb61 · · Score: 1

      They also missed the one glaring difference between open source security holes and closed sourced proprietary security holes. Once found they are publicly exposed, and fixed and not lied about and put off until the next paid update, as motivation to pay for that update. Found as in found by the respective communities, one being the open developers and the other being the sales and marketing division of a corporation. Of course from the article itself: "If these systems were based on proprietary software, these vulnerabilities would likely stick around a lot longer," Trost said. "They may not be found ever, and if they were found, they would be found by high-end hackers or nation states."

      Hard to pick what this article is really about, it seems to be hinting at government funding of securing of widely used open source software. So logically any government departments using and securing open source software, share their work with each other and the public via a government sharing house that could also work with other allied countries. This is not a lost investment like buying 'er' renting closed source proprietary code but has potential for major savings across public and private technology use, savings in the range of hundreds of billions of dollars. There is serious money to be saved here across the long term, especially for those countries that don't profit from computer software licences but in fact register huge tax evasion losses as a result, again basically billions stolen in tax evasion scams.

      --
      Chaos - everything, everywhere, everywhen
    52. Re:I don't buy it by Anonymous Coward · · Score: 0

      Put DOWN the tinfoil hat

      the Open Source community is doing a perfectly competent job of derailing itself without any outside interference

    53. Re:I don't buy it by cascadingstylesheet · · Score: 1

      which has the additional benefit of showing them that their feelings don't matter to anybody else.

      Um.

      Pendulums swing in two directions. ya know. I'm not sure that the best antidote to an over-emphasis on feelings is to lurch into sociopathy ...

    54. Re:I don't buy it by TemporalBeing · · Score: 3, Insightful

      I didn't say MS was better, I said the bash response was poor, and the poster I replied to couldn't possibly have had fixes in place within minutes as claimed.

      I'm just pointing out that however poor the Bash devs response was, Microsoft's would have been worse.

      Oh, and in your argument "up to 30 days" suddenly becomes "taken 30 days" - actually if bugs come in uniformly distributed in the 30 day cycle then average would be 15 days, or lower since sometimes they do go out-of-band.

      Actually, my comment regarding "taken 30 days" for Microsoft is well founded in their historical turn-around for CVEs that they have acknowledged as being fixed. With a rare exception, they don't deliver any patches in under 30 days; and even 30 days is being gracious as it's usually more like 6 months so I'm already putting them on their own expedited schedule for such fixes.

      Again, pointing out that however poor the Bash devs response was, Microsoft's at its best is worse.

      Plus, the second (and third and fourth and so on) patches are only needed if the first (and second and third.,.) one is inadequate and not properly tested.

      If the numerous people reviewing Bash, from multiple companies, and disciplines didn't find the issue with the first patch, then how would Microsoft with a far more limited set of people looking at the code be able to get the same kind of patch correct the first time and get all the corner cases figured out and fixed before releasing the first patch?

      I'm not saying the Bash devs had 1 million eyes on this; but they certainly had a few hundred if not a thousand or so in total. Microsoft's equivalent group probably is no greater than 50 devs at best, likely smaller; and probably nowhere near the cross-disciplinary skill set match either.

      So if the Bash guys had to do a second patch (or even a third, etc) to fix it; chances are Microsoft would have had to have at least as many patches too.

      Maybe MS are just as bad at that too, but the developers of Bash were certainly not good at it.

      Agreed - kinda. The main point of the origin of this thread (article?) was that F/LOSS software could not deal as well as proprietary software; that somehow the proprietary vendors could do better with these kinds of bugs - both catching them and responding to them.

      My point is that based on its history - documented in numerous articles over the years - Microsoft is a prime example of showing that's not the case. That proprietary vendors' own policies and procedures prevent them from delivering anywhere near as good a turn around.

      But here's the kicker - there is a similar exploit for cmd.exe. It's yet to be patched. ;-)
      here's an example: https://twitter.com/FioraAeter...
      (And yes, I've seen it from other sources, just don't have those links right now.)

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    55. Re:I don't buy it by Anonymous Coward · · Score: 1

      Critical pieces *do* get checked. And have been checked. The Coverity Code Checker(tm) is a software application that tested large parts of code (funded by the United States Government Department of Homeland Security). They checked open source software and (because they are part of the US government) closed source software. Critical parts of Open Source (specifically the Linux kernel among other pieces of software). The results reveal that, yes, Open Source (at least the pieces tested) *really are* more secure and are created to higher standards than the commercial software also tested. The commercial software included operating systems from leading vendors (you can probably guess who they are). So it's not just FOSS doing code reviews, the DHS is doing them too (as are others).

    56. Re:I don't buy it by Anonymous Coward · · Score: 0

      You are describing a large proprietary piece of software I was associated with about 10 years ago. Per-seat licences were counted, and people (users) could vote on bugs they wanted fixed, based on the number of licenses. Each per-seat license was in the thousands of dollars, and the bugs the locals found they wanted addressing the most were given priority, and would be allocated votes accordingly. Low priority bugs (as defined by user/licenses) were left alone. There might be a site where fixing a particular bug is very important, but if it's not important to anyone else anywhere else, then it gets 0 time (and since it's proprietary, they can't get their mitts on the code and so either live with it or go elsewhere).

    57. Re:I don't buy it by Anonymous Coward · · Score: 0

      True, but consider the known 0 day exploits in Windows vs. Linux. There was just a /. post about an egregious Windows bug that has existed since Win7, and we all know there are MANY more exploits available than the known ones. My company constantly finds intruders in our Win 8.1 desktops, which is behind a half billion dollars of extra security, and this happens with every other admin I know. You can't stop it, you can only mitigate the damage done.

      Our Linux desktops and servers rarely have these problems, even with known exploits, because the rest of the stack is capable of deterring the worst of the bugs. Even when we discover bugs and submit them, we've never found an exploit before our patch is incorporated back upstream and available via the package manager. We've only discovered intrusion attempts after the patch, which is of course stopped in its tracks. Our auditing software that logs access has only detected Windows intrusions in over 20 years of running most of the services billions of people rely upon daily. There is a difference.

      EDIT: my captcha was "disclose", which I legally cannot disclose which company I work for. Most of the world runs our software if you use the internet, I can tell you that much.

    58. Re:I don't buy it by ReeceTarbert · · Score: 1

      And the bugs this article refers to are BSD's and GNU's fault.

      Would you care to elaborate? The article talks about the Heartbleed and Shellshock bugs which, affecting userland components, aren't OS specific.

      Actually, I find it odd that you singled out the BSD family, especially considering that bash is not part of the default FreeBSD install and, even if a user decides to install it, /bin/sh is not the same executable as /bin/bash (or rather /usr/local/bin/bash). FreeBSD went even as far as to disable the "export function" feature by default on 20140926:

      20140926:
      AFFECTS: users of shells/bash
      AUTHOR: bdrewery@FreeBSD.org

      Bash supports a feature of exporting functions in the environment with
      export -f. Running bash with exported functions in the environment will
      then import those functions into the environment of the script being ran.
      This resulted in security issues CVE-2014-6271 and CVE-2014-7169, commonly
      known as "shellshock". It also can result in poorly written scripts being
      tricked into running arbitrary commands.

      To fully mitigate against this sort of attack we have applied a non-upstream
      patch to disable this functionality by default.
      You can execute bash
      with --import-functions to allow it to import functions from the
      environment. The default can also be changed in the port by selecting the
      IMPORTFUNCTIONS option.

      RT.
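The port note above describes the one thing the FreeBSD patch changes: whether a bash started with exported functions in its environment imports them. The following check is an added example, not part of the thread or of the FreeBSD port; it assumes a `bash` binary on PATH and reports which way the installed shell behaves, so an administrator can confirm the default on a given host.

```shell
# Added example, not part of the Slashdot thread or the FreeBSD port note.
# Reports whether the bash on PATH imports functions that a parent shell
# exported with "export -f": "imports" is the upstream default, "no-import"
# is what the FreeBSD port ships (there, --import-functions re-enables it).
# Assumes a "bash" binary on PATH; this outer script itself is POSIX sh.

probe_function_import() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    # The parent bash defines and exports a harmless function; the child bash
    # can only see it if import of functions from the environment is enabled.
    bash -c '
        probe_fn() { echo imported; }
        export -f probe_fn
        if bash -c "type probe_fn" >/dev/null 2>&1; then
            echo imports
        else
            echo no-import
        fi
    '
}

# Defender reading: "imports" means any process that can set environment
# variables for a bash child (CGI, DHCP hooks, sudo rules) also hands it
# function definitions; "no-import" means that channel is closed by default.
result=$(probe_function_import)
echo "bash function import from environment: $result"
```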

    59. Re:I don't buy it by ray-auch · · Score: 1

      If the numerous people reviewing Bash, from multiple companies, and disciplines didn't find the issue with the first patch, then how would Microsoft with a far more limited set of people looking at the code be able to get the same kind of patch correct the first time and get all the corner cases figured out and fixed before releasing the first patch?

      Because they have a "far more limited" team full of security specialists. Some (maybe all) of the later bugs were found using standard fuzzing tools, which should have been part of the test process the first time, as soon as the parser was found to be broken once on non-standard input. In fact it should have been picked up, whilst under embargo, that the whole idea of parsing code out of untrusted input was a security hole that would need to be patched (as it eventually was), even not-security-experts with some idea about security could have predicted that (as I did - http://slashdot.org/comments.p...)

      I'm not saying the Bash devs had 1 million eyes on this; but they certainly had a few hundred if not a thousand or so in total.

      During the embargo, really?

      Agreed - kinda. The main point of the origin of this thread (article?) was that F/LOSS software could not deal as well as proprietary software; that somehow the proprietary vendors could do better with these kinds of bugs - both catching them and responding to them.

      Actually the article doesn't say that proprietary is any better, just that FOSS hasn't turned out to be as good at it as people were assuming (many eyes bugs shallow etc.).

      But here's the kicker - there is a similar exploit for cmd.exe. It's yet to be patched. ;-)

      cmd.exe parser has a bug, or maybe a feature. bash parser had a bug, or several, or maybe a feature.

      Big big big difference is that cmd.exe doesn't execute, or echo, or parse, all its environment variables at startup - that is the actual bash shellshock vulnerability (not the various parser bugs), and cmd doesn't have it. No one has yet found an exploit for this cmd.exe bug, let alone a remote one.

    60. Re:I don't buy it by abhisri · · Score: 2

      Here is the biggest difference maker. Found a serious issue in your closed-source router? Wait the next 2 years for the vendor to fix it.

      Open-source? There is at least a chance that you are not hostage to the whim of some mid-level manager deciding what goes in the next dozen releases. Unlike in the case of corporations like Oracle/Microsoft, you could reach out to the developers and argue the case for fixing the issue early or even (assuming you have the skill) come up with a fix yourself. Vendor of a popular product closes shop or kills off a much-needed feature? You don't have a prayer. Open-source? The project may just get forked, as happened in the case of MySQL. Security? Truecrypt can be audited by a third party, to confirm that it is actually secure, *because* the code is open-source. How does that even work for a closed-source proprietary encryption product?

    61. Re:I don't buy it by Wootery · · Score: 1

      It's called Coverity, not Covarity, and no, it's not funded by the US government, other than that the government hired them to check some Open Source packages. I wasn't aware that had happened. The article you link shows that Coverity pointed out a good number of real issues.

      The results [coverity.com] reveal that, yes, Open Source (at least the pieces tested) *really are* more secure

      What's really secure and what's not isn't something a static-analysis tool gets to decide. At least, not when we have real-life track-records to look at.

    62. Re:I don't buy it by pop+ebp · · Score: 1

      And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited

      Can you please cite the policy?
      A quick glance through the Microsoft Security Bulletins reveals that most of them have not been actively exploited before being patched.

      Of course you could argue that Microsoft is lying, but many security researchers do (privately) report vulnerabilities to Microsoft, and you really don't think some of them will publicize the bugs if they aren't fixed in, like, a year?

      Or are you actually trying to say they don't fix them unless they have been reported, which is an entirely different thing?

    63. Re:I don't buy it by Anonymous Coward · · Score: 0

      If Adobe had developed Bash:

      They would have flat-out denied that the bug/exploit existed, even though a suitable test-case was provided to them.
      They'd have continued to deny the existence of the problem, even though an in-the-wild exploit was being used against the product
      They'd produce a 'hotfix', which they would describe as "core jmx() call sometimes fails"
      You'd have to log a support ticket for them to tell you that the hotfix addressed the issue
      You'd apply the hotfix - it would partially solve the problem, but simultaneously rename 'vim' to 'cock' and make all your filenames upper case
      You'd log another ticket, and get another hotfix
      You'd apply the new hotfix, which would fix Bash
      You'd need to go around the loop a few more times to resolve the vim/cock and filename problems
      At the end of the year, the account manager would swing by your office and leave an invoice for whatever you paid last year + 20%

    64. Re:I don't buy it by Lilith's+Heart-shape · · Score: 1

      Some kids will become good and responsible coders, but not all kids. Some will be artists, musicians, mechanics, farmers, etc., and for the rest of the world that doesn't code, a heavy responsibility is placed on the FOSS community to do code reviews.

      And some will also write for TV and movies. If they know how to code, they'll have no excuse for some of the really shitty depictions of computers and hacking we've seen on TV and in film before. :)

    65. Re:I don't buy it by Lilith's+Heart-shape · · Score: 1

      Take a look at our governments and corporations. At least half of 'em are run by sociopaths.

    66. Re:I don't buy it by Lilith's+Heart-shape · · Score: 1

      I hope you told them it was DOS on steroids instead of being a condescending prat. :)

    67. Re:I don't buy it by TemporalBeing · · Score: 1

      And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited

      Can you please cite the policy? A quick glance through the Microsoft Security Bulletins reveals that most of them have not been actively exploited before being patched.

      Of course you could argue that Microsoft is lying, but many security researchers do (privately) report vulnerabilities to Microsoft, and you really don't think some of them will publicize the bugs if they aren't fixed in, like, a year?

      Or are you actually trying to say they don't fix them unless they have been reported, which is an entirely different thing?

      Microsoft does not publicize all vulnerabilities reported to them; and not every reporter will publicize it either. So how many they actually know about is unknown. This is reported by most people that are writing about the issue, especially those comparing Microsoft's practices to Open Source's and comparing the numbers for the CVE reports between the groups.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    68. Re:I don't buy it by pop+ebp · · Score: 1

      You don't need every reporter to publicize it. You just need one reputable researcher to come out and say "Most the bugs I reported to MS haven't been fixed," and it would prove your point. The fact that we don't see that makes your story highly unlikely. By the way, you are also alleging that they are knowingly publishing false information on their web site. (As you said they only patch bugs that they know are being exploited, but most of their issued bulletins said the bugs are not being exploited.)

      I don't like defending Microsoft (they certainly deserve their bad reputation), but your accusation is really going too far. No large company is going to do that.

    69. Re:I don't buy it by xvan · · Score: 1

      Heartbleed was caused by a FreeBSD bug,
      Shellshock was caused by a GNU bash bug.

      Both projects are independent of the Linux Kernel Project. That's the project managed by Linus.
      So blaming Linus' management for the lost confidence in open source security is, at least, unfounded.

    70. Re:I don't buy it by ale2011 · · Score: 1

      Well said. But there is still much room for improvement and stabilization of free software processes.

    71. Re:I don't buy it by ReeceTarbert · · Score: 1

      Heartbleed was caused by a FreeBSD bug,

      No. Heartbleed is a security bug in the OpenSSL cryptography library. OpenSSL, in turn, is an open-source implementation of the SSL and TLS protocols available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the various open source BSD operating systems), OpenVMS and Microsoft Windows. See? Not OS specific.

      Shellshock was caused by a GNU bash bug.

      Correct but, again, not OS specific.

      Both projects are independent of the Linux Kernel Project. That's the project managed by Linus. So blaming Linus' management for the lost confidence in open source security is, at least, unfounded.

      True, but the article didn't mention either and, let's face it, a kernel with no applications to run wouldn't be much fun -- or useful.

      RT.

    72. Re:I don't buy it by LifesABeach · · Score: 1

      I was actually referring to a stone found in Egypt

  2. Cart before the horse. by jedidiah · · Score: 4, Insightful

    All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due to the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

    This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

    --
    A Pirate and a Puritan look the same on a balance sheet.
    1. Re:Cart before the horse. by GameboyRMH · · Score: 1

      Thank you. I said essentially the same thing above but got downmodded for it.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Cart before the horse. by i+kan+reed · · Score: 4, Insightful

      On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

      Obviously, as a developer, I know that security flaws are just another way to make mistakes, but once you know about heartbleed, how can you assume nothing else of similar scale has been found by nefarious actors?

    3. Re:Cart before the horse. by Cabriel · · Score: 4, Interesting

      Not so. When there are articles about governmental offices switching whole-hog to open source software, that shows immediately that there is an awareness among the general public. When there is an article about one minister claiming open source software isn't working for his office and another minister countering that claim saying no one in the office has had an issue, there's a strong suggestion that there is an awareness of open source software. When an open source OS is advertised as being superior to a closed source competitor, there's absolutely going to be an awareness of open source and free software (Android vs iOS).

      While this may still be professional click-bait, I think calling it trolling is, itself, putting the cart before the horse.

    4. Re:Cart before the horse. by Anonymous Coward · · Score: 1

      This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

      Agreed. Where does it end? Why can't everyone just slow downnnn. Oh yeah capitalism...

    5. Re:Cart before the horse. by Famak1994 · · Score: 2

      Not to mention that the article in question is based entirely on two bugs. The first one was thwarted by security researchers while the 2nd is a direct result of legacy code running on old machines/mainframes. So I fail to see how the open source community is shaken by all of this...I'm certainly not pissing myself!

    6. Re:Cart before the horse. by udippel · · Score: 1

      Right. But the GP's formulation is less abstract and leaves less room for interpretation. No, I did not mod you down, nor do I have modpoints currently.
      Never forget, we are at /.

    7. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      I'd say it is only evidence that governments are aware, not the general public.

    8. Re:Cart before the horse. by Frescard · · Score: 2

      All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due to the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

      Before ranting about the ignorance of the "general public", it would help to read the article first, which makes no mention of them at all, but rather talks about multiple professional developers, and their response to these security breaches.

    9. Re:Cart before the horse. by pixelpusher220 · · Score: 4, Interesting

      And let's also remember that corporate software has so many, many bugs and vulnerabilities that they had to schedule a MONTHLY day to do them. Only to find yet more bugs so critically important that they broke their own rules well more than 2 times to release out-of-cycle fixes.

      OS will almost always beat corporate in terms of defects and response time. Anyone care to guess how many 'heartbleeds' currently exist in Windows code that we know nothing about?

      --
      People in cars cause accidents....accidents in cars cause people :-D
    10. Re: Cart before the horse. by BarbaraHudson · · Score: 2

      We notice these articles because they're in our field of interest. The general public? They're more aware of Apple's latest problems because they have iThingees.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    11. Re:Cart before the horse. by FuzzyDustBall · · Score: 5, Insightful

      On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference in security between open source and closed source is the attitude towards the product. In closed source there are incentives to hide issues, whereas in open source there are very few.

    12. Re:Cart before the horse. by Curunir_wolf · · Score: 1

      Never forget, we are at /.

      And, it's GameboyRMH, who has so many "freaks" he probably gets modded down regularly just for being who he is.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia
    13. Re:Cart before the horse. by udippel · · Score: 5, Interesting

      You can't. But that's not the point at all.
      But in one case one could, if only one wanted to, check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field. Because it leaves you the freedom of choice. Be it contributing to retirement benefits or investing your money at your own discretion, the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
      Once you decide for closed source, you are
      1. totally dependent on the manufacturer
      2. without a chance to check yourself
      3. unable to analyze if the manufacturer has inserted some malicious code like a trapdoor, eventually on purpose
      Now, where would be any advantage in using a system of closed source?

    14. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

      Obviously, you can't completely trust anybody.

      That said, I'll tend to trust open source projects more than closed source. The former at least gets a glance over for obvious bugs and backdoors -- the bugs found have been pretty obscure -- whereas in addition to subtle bugs, the closed source stuff can have back doors put in, either by the vendor's own choice or at e.g. NSA behest.

      And the fix cycle for bugs once detected is usually a lot faster for open source.

    15. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      Developer(s) The OpenSSL Project
      Stable release

      1.0.1i (6 August 2014; 2 months ago[1]) [±]
      1.0.0n (6 August 2014; 2 months ago[1]) [±]
      0.9.8zb (6 August 2014; 2 months ago[1]) [±]
      Preview release 1.0.2 Beta 3 (September 25, 2014; 18 days ago[1]) [±]
      Written in C, assembly
      Operating system Multi-platform
      Type Security library
      License Apache License 1.0 and 4-clause BSD License
      Website www.openssl.org

      All it proves is that BSD License software is crap

    16. Re:Cart before the horse. by jedidiah · · Score: 1

      What professional developers?

      The original article doesn't really say anything meaningful at all. It doesn't appear to actually make any effort to judge the perceived impact of these problems?

      Besides, it's not the "professional developers" that matter here really. It's the end users including Fortune 100 companies that might have a VP position dedicated to Linux.

      The whole thing was content-free trolling masquerading as journalism.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    17. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      It is trolling.
      Where are the decades worth of proprietary software screwups?

      PS Keep pushing iOS and Windows to the front. One day someone will find a hack that will brick millions of PCs and devices within hours. I'll laugh my ass off when it happens.

    18. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      This pretty well sums up my beliefs in Ubiquiti Networks, a vendor that pops up out of practically nowhere, offering services that require that you trust keys to them, prices aggressively against the rest of the market, and yet is quiet about everything from hiring to their supply chain.

      I have no direct reason to suspect them of any nefarious behaviour, but they just "feel" wrong.

      If they have a trap-door built into every piece of equipment they own, and it turns out to be a MAJOR scandal some day, I'm not going to be surprised.

    19. Re:Cart before the horse. by Opportunist · · Score: 1

      Traffic analysis would show.

      A nefarious actor would probably act upon his discovery. For the simple reason that as long as it is his and his alone, he can capitalize on it. This is something traffic would reflect. He would probably try to use it to the maximum effect before it becomes widely known and a patch against it gets developed.

      Today we're at the point where we can in hindsight identify such occasions. After a flaw gets revealed, certain "odd" firewall logs start to make sense. The next step would be to notice such clusters of "odd" network traffic and use it as an analysis source to find such flaws.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    20. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due to the typically communal nature of Free Software, this awareness really doesn't exist to begin with.

      RMS and others have been at it for decades, presenting Open Source and Free Software so yes many people have heard of it even though they probably don't understand it in any great depth. The problem is the arguments that go along with it, in particular:

      That it is inherently more secure, which is a possibility if the development community around a given project is large enough, though old bugs in the Linux kernel and Bash, as well as recent ones added to OpenSSH, have shown that even the most popular and widely-used products don't have enough developers, so what hope do less popular projects have?

      That it is innovative, which given the slow-follower approach to everything outside of development tools and backend server utils, is not really a successful argument either.

      So you're right about it not being their "confidence has been shaken" but just that the few things they do know about Open Source and Free Software don't appear to be true.

    21. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      This, this, a million times this. RSA is 1000% useless, as it's known to be owned by multiple parties (mostly the NSA), so trusting anything to RSA is basically leaving it unencrypted for anyone to have. Yet it is the backbone to bank infrastructure (which we now know gets owned regularly).

      Depending on proprietary software is like being a sheep invited to dinner by a wolf. You just don't know you're the dinner.

    22. Re:Cart before the horse. by Anonymous Coward · · Score: 0

      According to my company's analysis, about 16 :) And they are actively being used, unfortunately. Anyone remember any major retailer breaches in recent history?

    23. Re:Cart before the horse. by ale2011 · · Score: 1

      On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

      U mean GnuTLS?

      --
      Bugs happen

  3. Publicity by Anonymous Coward · · Score: 1

    I think it's nice to know about a security flaw and that the community usually has a fix for it fairly quickly.

    Corporations probably have an equal amount of security flaws but since it is private it is not usually given as much publicity and sometimes it takes months for companies to make a fix.

    1. Re:Publicity by murkwood7 · · Score: 1

      ... sometimes it takes months, if not years, for companies to make a fix.

      Sorry, couldn't resist!

      --
      - X/Y -
  4. perfect timing. by gandhi_2 · · Score: 5, Interesting

    amazing this article is posted on the same day as 3 0days for MS products.
    one of which has been known for over a month, and will soon have a logo.

    1. Re:perfect timing. by Anonymous Coward · · Score: 1

      I agree. The "general public" doesn't even know what Open Source is, and the amount of security problems the general public has with Windows isn't small. It's why a lot of people switched to Apple.

    2. Re:perfect timing. by fustakrakich · · Score: 4, Funny

      It's why a lot of people switched to Apple.

      Boy, are they in for a surprise!

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:perfect timing. by Anonymous Coward · · Score: 3, Insightful

      AC because modding. My experience (as unpaid maintainer of friends' and family computers) is that the new breed of Apple users are the most inept and clueless of all of them; believing that Apple is 'secure', they click away at phishing emails, visit websites that they have been warned have been pwned and generally abdicate all responsibility for their own security. That Nigerian Prince only cares that they have a Mac because it means they probably have more he can steal from them.

    4. Re:perfect timing. by Anonymous Coward · · Score: 0

      A lot of people switched to Apple? I thought the Mac's market share was still pretty static around the 5% it's been at forever; most of the people that have gone Apple that I know of went from some flavour of Linux.

  5. Yes its very different. by Anonymous Coward · · Score: 1

    and is that really so different than leaving it to a corporation with closed source?

    Yes, it's very different, since ANYONE can choose to do it. Just because most people don't understand something doesn't mean the information shouldn't be available to them to learn and evaluate.

    1. Re:Yes its very different. by jones_supa · · Score: 1

      For security it is not enough that anyone can read the source code. In practice people rarely have the time or patience to churn through projects that can be 10k or 100k lines of code, just looking for dragons for fun. If we really want to get this right, there must be professional, thorough, provable and documented code audits.

  6. nope by Anonymous Coward · · Score: 0

    No difference...

  7. The source is there, just read it by Anonymous Coward · · Score: 5, Insightful

    The schematics for cars are available, just review them to make sure there are no structural or design flaws.
    The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
    The texts of the laws are available, just review them to make sure there are no conflicts with constitutional rights and other laws.

    The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

    1. Re:The source is there, just read it by Anonymous Coward · · Score: 1

      The texts of the laws are available, just review them to make sure there are no conflicts with constitutional rights and other laws.

      Since when do people even care about constitutional violations? Even blatant ones (like the TSA) just get ignored outright.

      The point is, get off your high horse

      Who are you talking to? Most proponents claim that the ability to read the source is what matters. You can hire others to audit the code, do it yourself, make modifications yourself, or hire others to make modifications. You are not beholden to a specific company. This is a huge advantage over proprietary software, and it remains a huge advantage even if most people can't code.

    2. Re:The source is there, just read it by fustakrakich · · Score: 1

      The texts of the laws are available...

      Depends...

      The world is full of secret sauces...

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:The source is there, just read it by Anonymous Coward · · Score: 0

      It is a little more insidious (not exactly the right word for it). We assume the libraries we are using are good. But what if they are not? Sure, the code is there. Sure, I can 'fix it'. I am banging away on my code. Bam, bug in a library. So now I have to take time to fix it. ORRRR ignore it and work around it. If I work around it I am done. I do not have to bother with 'upstream' or any egos and a whole round of convincing someone else there is a bug (even if you show up with code sometimes). In the case of some libraries you do not even get that option. It may even be a misunderstanding of how the code works. I once spent 3 months and about 15 meetings getting someone to change 2 lines of code; and that was an internal library that my company controlled the source code for (but I was not allowed to see, but I had).

      http://delphi.org/2013/10/6-stages-of-debugging/

      We want good libraries but depend on a handful of people who may or may not be in charge of it. Some may have moved on years ago and do not care. I see in many projects people who decide to help out are suddenly inundated by bug fix requests. They burn out quick and disappear.

      There are no good answers for this. Building libraries can be dull as dirt. Unfortunately it took heartbleed to shine a big spotlight on it. We are letting our libraries rot.

      ha awesome captcha ulcers

    4. Re:The source is there, just read it by Anonymous Coward · · Score: 0

      Sigh. Another "insightful" troll post.

      Security software has to be open source because if it is not then the developers will invariably fuck it up due to laziness, incompetence or greed. This has been proven again and again over time. From end-consumer application software, over embedded programming and operating systems up to the most expensive military applications, basically every proprietary software maker has messed it up badly at one time or another - sometimes even every month or so. Name me one single proprietary software company whose proprietary products did not have serious flaws or even intentional backdoors (e.g. Crypto AG) that went undiscovered for a long time. The only exception to this rule is very, very expensive external reviewing in combination with strict guidelines, formal software verification, etc., which is way too expensive for any product outside the highly regulated aerospace and medical industry.

      Without code review it simply does not work, and every honest developer knows that. The temptation to make shortcuts, skip a detail here or there, and simply code in a sloppy, time efficient way is simply too huge. Heck, even voting machines contained serious flaws and lazy, insecure programming. Nobody expects you to review the software you're using if you're not up to the task, the point is that with open source software external specialists at least have a chance to find the bugs and identify the backdoors.

    5. Re:The source is there, just read it by Anonymous Coward · · Score: 0

      The schematics for cars are available, just review them to make sure there are no structural or design flaws.

      Non-sequitur. A perfectly designed car may well explode at the drop of a hat because it was built/implemented badly.

      The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.

      Non-sequitur. A perfectly designed drug may well be poisonous because too many poisonous impurities were created in its formulation or added in as filler.

      The texts of the laws are available, just review them to make sure there are no conflicts with constitutional rights and other laws.

      Non-sequitur. Oh, where do I begin on the warped interpretation of law to conveniently ignore constitutional rights (or how constitutional rights are themselves but a subset of human rights).

      The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

      Speaking of a high horse... Seriously, design flaws and programming flaws are separate things. You don't need to know the first thing about programming languages to spot a lot of design flaws. If anything, the major problem with plenty of open source is precisely that no one has bothered to set up any sort of design and hence never taken the time to introspect what they're doing. It's the same reason why the lack of documentation is such an issue.

      Having said all that, of all the things that are there to be done to make open source turn out better, the first thing would be to learn how to program and actually "read [the source]" to try to construct a design description and documentation on a project. You may find that the reason developers often so chide those who are so quick to complain and want a fix is precisely that they're not even of the mindset to expend the effort to try to fix things themselves. Now, there's still plenty of developers who will still refuse your input (perhaps with good reason, perhaps not) and not accept your help; but then that's where the other beauty of open source, the ability to fork, means that even if no one else benefits from your work but you, you're still more often than not better off than you would be otherwise. And odds are good, if you do make positive contributions and try to distribute them, others will benefit as well*.

      Now, having said all that, I entirely agree with the implied statement you were trying to make: source being open doesn't inherently make it secure because the underlying presumption of shallow bugs fails in the same way the free market fails--it's too steeped in ideology to acknowledge that reality doesn't work like clockwork according to very narrowly defined scope. But, then, the only way software has any real chance of improving is...to have more people reading code and hence learning to program.

      * The funny part about all your examples, btw, is that all of them are steeped in experts who presumably have full-time jobs doing very narrow work that grants them an elevated salary of which there are high barriers of entry and a general inability to do pro bono work exclusively short of being a trust fund baby. Meanwhile, since the fruit of software development is information that can be duplicated near infinitely, perfectly, the ready bottleneck in software development is precisely those things that would close it up. Put another way, by comparison it makes perfect sense that each individual needs a lawyer when in civil or criminal case, but the general bulk of the law is written by and for the people (in theory, anyways) for the interest of the people. Similarly, most software being written by and for the people for the interest of the people is the general n

    6. Re:The source is there, just read it by Anonymous Coward · · Score: 0

      If you have money you can pay someone else to do it... not so with proprietary code, the code is secret so that amounts to security by obscurity. Not to say anyone *does* audit source code, it's just that they could. And open source isn't more secure or less secure - it just has the source code available. Security is entirely contingent on people actually using the source code that is available to identify flaws - but the open availability of the source code is a necessary (but not sufficient) condition for this. The bigger problem with security is that there is little financial or legal incentive to perform expensive reviews, and that goes for both closed and open source.

  8. Yes, it really is so different. by ysth · · Score: 4, Insightful

    Yes, it really is so different.

    With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

    1. Re: Yes, it really is so different. by Anonymous Coward · · Score: 1

      Well that and in the case of bash, would a company still exist after all these years to patch it?

    2. Re:Yes, it really is so different. by Anonymous Coward · · Score: 1

      Bingo!

      All of the "attacks" (heartbleed, shellshock, etc) came after the bugs were discovered - discoveries that would not have been made by white hats if it weren't for the fact that the software was open source in the first place. These discoveries prove the value of open source, not its flaws.

    3. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      I think the original question is a troll. It seems obvious to me that with closed source, 1. you can't tell where the problems are nearly as easily, 1B. if there is a problem the vendor has the ability (and, "right") to hide it as long as they like, and 2. if you're sure you've found the problem, you can't fix it even if you know how.

      Also, do we have a realistic comparison of closed-source vs. open-source vulnerabilities present, or just ones found and exploited?

    4. Re:Yes, it really is so different. by ljw1004 · · Score: 5, Insightful

      Yes, it really is so different.

      With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

      Why do you submit that?

      I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

      What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

      I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.

    5. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      Your own experience demonstrates that open source provides more case for investigation than closed source, by the very nature of the fact that the compilers that you explicitly worked on were made open source.

      You are arguing against the wind and asking for evidence that is, in fact, contrary to your own experience when examined from outside of your own bias or self-subjective views.

      Good day to you.

    6. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      I'm willing to believe your submission is true -- but not without evidence

      Right, evidence of how a closed system responds. And how would we obtain that? In an open system at least we can see evidence of the response rather than just being told "we're working very hard on this, we promise".

    7. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      Bingo!

      All of the "attacks" (heartbleed, shellshock, etc) came after the bugs were discovered - discoveries that would not have been made by white hats if it weren't for the fact that the software was open source in the first place. These discoveries prove the value of open source, not its flaws.

      Um... you *think* all the attacks came "after" the bugs were discovered.
      Of course nobody was looking for said attacks until the bug was reported, so how would anyone really know? It's not like the "black hats" would have been reporting the flaws, right?

    8. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      To quote an earlier post trying to bash the original claim - on what basis, statistics, etc. are you basing this belief that closed source would find/fix flaws as quickly on the average as open source? I think the lesson that is being taught, though apparently not learned, is that Open Source does not make the code inherently secure. These bugs exist in the code for years without being noticed - despite the "millions of eyeballs looking at it" - because, in practice, those eyeballs are not interested in, nor have the time to, go back and read *and* understand all the intricacies of millions upon millions of lines of source code - many of which have been forked multiple times. A group of random people, who come and go over time, doing this in their spare time as an unpaid hobby are not going to do any better than a corporation that has paid staff who are directed on a daily basis to make understanding the code their day-to-day job.

    9. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      Open and closed source are like science and commerce. While scientific papers start life in peer reviewed journals and thus have a high degree of plausibility they are still frequently wrong and occasionally fraudulent. However, the data they are based on is generally open to inspection and the conclusions open to debate. It is this openness that allows science to be self correcting. Few scientists and still fewer non-scientists can really evaluate any particular scientific paper. But there are enough people who can and will that science progresses. Getting things wrong has severe penalties for erring authors and cover ups are very difficult to impossible. It is this review and rereview process that should inspire public confidence in scientific results. Compare this with drug companies or automobile manufacturers.

    10. Re:Yes, it really is so different. by scamper_22 · · Score: 1

      It would probably not be much different, just on the basis of 'open source' alone.

      Both open source and closed source can make their case that their way means better software.

      Open source basically claims code is available for anyone to see/fix/build on top.

      Proprietary software claims their software is more controlled, they can formalize review processes, and they have paid people attending to the code.

      But in reality, the open/closed nature of a project is probably one of the smallest factors in terms of affecting quality.

      There are open source projects that no one really looks at, there are projects that people use that no one thinks of going into the depths of...

      For closed source, often time legacy software/libraries get abandoned, support handed to people who know nothing about it, they go bankrupt...

      It really just depends on the company/team/organization assigned to working on said project.

    11. Re:Yes, it really is so different. by Anonymous Coward · · Score: 0

      I think the issue is that whatever you're doing with closed source, when you open it, you get more people potentially looking at it.

      You could have the best team in the world working on something, but there's always going to be some myopia due to inevitable human perceptual and decision-making biases. Sometimes it helps to have random outside checks, so to speak.

      Now, I've never bought the idea that because everyone can be checking it, they will, but I tend to believe that at least it's possible. I feel safer using open-source software because at least it's a level playing field. With closed source, I don't even know what the heck the developers are doing, and don't have a way to find out.

  9. No warranty by Anonymous Coward · · Score: 0

    You want to use my software in your product? Cool, go ahead. You're on the hook to figure out if it's fit for purpose though.

    1. Re:No warranty by Anonymous Coward · · Score: 1

      as opposed to the commercial software with a EULA 30 pages long which essentially says the same thing but without access to the source for your own review

    2. Re:No warranty by Anonymous Coward · · Score: 0

      You miss the point, which is that this can't be levelled rationally as a criticism of open source.

  10. How many patches did MS push down today for IE? by schwit1 · · Score: 1, Insightful

    And this makes how many?

    1. Re:How many patches did MS push down today for IE? by bigpat · · Score: 1

      And more importantly... who in their right mind still uses IE? Internet Explorer is currently blocked by my company's proxy server because it is considered so insecure and isn't likely to get unblocked any time soon.

  11. Open Source in commercial products by haruchai · · Score: 1

    Heartbleed & Shellshock have impacted for-profit companies quite significantly. I don't have an objection to them using open source within the boundaries of the license but should THEY not be vetting before rolling it into a commercial product?
    No one company has to do it all alone - it can be done through a team effort & foundation, just like OpenStack.

    --
    Pain is merely failure leaving the body
    1. Re:Open Source in commercial products by LWATCDR · · Score: 2

      Heartbleed and Shellshock show that nothing is really free.
      Those bugs would have been found long ago if big companies had put resources into FOSS.
      OpenSSL was used by everyone but had less than 20 active devs and a super skimpy budget.
      Bash? When was the last build of Bash before Shellshock?

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    2. Re:Open Source in commercial products by Anonymous Coward · · Score: 0

      Another one of the important distinctions between Open Source and Free Software. The FSF pushes for free software not because it works better (though it often does) but because it's a moral good.
      It's possible that these security problems can be seen to weaken the case for Open Source, but it doesn't affect the Free Software position at all.

    3. Re:Open Source in commercial products by Cabriel · · Score: 1

      So, you're saying that the F/OSS community isn't responsible for the bugs in their software?

    4. Re:Open Source in commercial products by Bengie · · Score: 1

      It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

    5. Re:Open Source in commercial products by neilo_1701D · · Score: 1

      Heartbleed and Shellshock show that nothing is really free.
      Those bugs would have been found long ago if big companies had put resources into FOSS.

      But that's special pleading.

      FOSS is supposed to be an alternative to stuff put out by big companies; why is it suddenly incumbent upon them to be fixing security holes 20+ years old?

    6. Re:Open Source in commercial products by spitzak · · Score: 4, Informative

      No, bash was NOT working as expected.

      The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.

      The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

      I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...

    7. Re:Open Source in commercial products by benjymouse · · Score: 2

      It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

      Nope. It was a bug. While it was the intention that bash would "import" function definitions from env vars, it was *never* the intention that it would directly and without confirmation execute any commands *following* the function definitions in the env vars.

      So yes, a serious bug.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    8. Re:Open Source in commercial products by swillden · · Score: 1

      FOSS is supposed to be an alternative to stuff put out by big companies

      Cite?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    9. Re:Open Source in commercial products by Bengie · · Score: 1

      The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

      There seem to be several "bugs" associated with "ShellShock". At least one of the security issues was postponed because there was no way to fix it without breaking the feature. OpenBSD, then FreeBSD decided just to disable the feature altogether. I am not aware of any follow-up on whatever "bug" that was, but it sounded like a "working as expected" issue.

      Since I cannot find anything sounding like this on Wiki, I'll assume that I'm wrong.

    10. Re:Open Source in commercial products by Anonymous Coward · · Score: 0

      Which wiki? There are millions - try harder! Or did you mean Wikipedia, a popular wiki?

    11. Re:Open Source in commercial products by haruchai · · Score: 1

      Not at all. But anyone who uses F/OSS IS a member of the community and that includes companies who chose to use it in commercial products.

      --
      Pain is merely failure leaving the body
    12. Re:Open Source in commercial products by Anonymous Coward · · Score: 0

      I believe there was a variant that allowed setting a variable named the same as a common program, which combined with a parsing bug could result in running the function in the variable. The entire class of bugs was fixed by changing the way bash passes functions to require a prefix and suffix (e.g. instead of func='() {...', you have to do BASH_FUNCTION_func()='() {...' or something like that), so although there are probably still some exploitable parsing bugs in bash, they aren't in the attack surface anymore because remote programs can't set arbitrary environmental variables (or, rather, if they could, there's more direct ways to run arbitrary code than messing with bash bugs).
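
      The function-import mechanism spitzak describes above and the wrapped-name fix this comment describes can both be checked against the bash on your own machine. The script below is an added example, not code from the thread or from the bash project: it asks the local bash how it encodes an `export -f` function (upstream uses a `BASH_FUNC_` prefix and a `%%` suffix; some distribution builds used a `()` suffix, so the check accepts either), confirms that a plain variable whose value merely starts with `() {` stays a string, and confirms that commands trailing a function body are not run at startup under either name form. All variable names and values are constructed locally and it assumes a `bash` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: asks the bash installed on THIS host
# how it encodes exported functions and confirms that an environment value
# which merely begins with "() {" is no longer parsed at startup. All
# names and values are constructed locally. Assumes a bash binary on PATH.

# 1. Name bash uses when it exports a function with `export -f`.
#    Pre-fix bash used the bare function name ("greet"); fixed versions
#    wrap it, upstream as BASH_FUNC_greet%% (some distro builds used
#    BASH_FUNC_greet()). Prints the wrapped name, or nothing on an
#    unfixed bash.
exported_function_env_name() {
    bash -c 'greet() { echo hi; }; export -f greet; env' 2>/dev/null |
        sed -n 's/^\(BASH_FUNC_greet[^=]*\)=.*/\1/p'
}

# 2. A plain variable whose value looks like a function definition must
#    arrive in the child as an ordinary string. Prints the value of $x as
#    the child sees it; a fixed bash prints it back unchanged, an unfixed
#    one has consumed it as a function and prints nothing.
legacy_form_stays_string() {
    env 'x=() { echo defined; }' bash -c 'printf %s "$x"' 2>/dev/null || true
}

# 3. Commands trailing a function body must never run at startup, under
#    either the legacy bare name or the wrapped name. Prints yes/no.
#    A fixed bash rejects the whole value with a warning on stderr,
#    which is silenced here.
trailing_command_runs() {
    out=$(env "$1=() { :; }; echo trailing-command-ran" \
              bash -c 'echo startup-ok' 2>/dev/null || true)
    case $out in
        *trailing-command-ran*) echo yes ;;
        *) echo no ;;
    esac
}

# 4. The feature itself survives: a well-formed body under the wrapped
#    name is imported as function "greet". Prints "imported" on success.
wrapped_form_imports_function() {
    env "$1=() { echo imported; }" bash -c 'greet' 2>/dev/null || true
}

# Report for a human reader.
name=$(exported_function_env_name)
echo "export -f encoding:               ${name:-(bare name, i.e. unfixed bash)}"
echo "legacy-form value kept as string: $(legacy_form_stays_string)"
echo "trailing command ran (bare name): $(trailing_command_runs x)"
if [ -n "$name" ]; then
    echo "trailing command ran (wrapped):   $(trailing_command_runs "$name")"
    echo "wrapped form imports function:    $(wrapped_form_imports_function "$name")"
fi
```

      On a fixed bash the report shows a `BASH_FUNC_greet` name, the legacy value echoed back verbatim, "no" for both trailing-command checks and "imported" for the wrapped form; the wrapped name is taken from step 1 rather than hard-coded so the same script works with either suffix variant.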

    13. Re:Open Source in commercial products by UnknownSoldier · · Score: 1

      > was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...

      As opposed to close source? That doesn't change the reality that ...

      ALL software has bugs.

      Now at a pragmatic level at least the open source ones are _eventually_ found -- we have no idea, or guarantee, when or if the closed source ones will ever be found!

    14. Re:Open Source in commercial products by serviscope_minor · · Score: 1

      So, you're saying that the F/OSS community isn't responsible for the bugs in their software?

      Nope, he's saying that the community is responsible. As major users, those companies are part of the community. They're as responsible as anyone else.

      As the saying goes: it's free so if it breaks you get to keep both halves.

      --
      SJW n. One who posts facts.
    15. Re:Open Source in commercial products by phantomfive · · Score: 1

      I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats.

      1) Finding bugs is hard work.
      2) There is plenty of lower hanging fruit

      --
      "First they came for the slanderers and i said nothing."
    16. Re:Open Source in commercial products by LordWabbit2 · · Score: 1

      I'm gonna be pedantic here, I would say ALL complex software has bugs in it. Hello world seems pretty bug free to me.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    17. Re:Open Source in commercial products by UnknownSoldier · · Score: 1

      Your pedantry is "almost" correct. ;-)

      The only program that is bug-free is the trivial one liner.

      NOP // assembly no-operation

      Though some would argue:

      int foo = 0;

      is bug free since without input, and output, whatever "calculation" you do is pointless & void.

      Software runs on the _assumption_ that the hardware is

      a) functioning ...
      b) ... correctly!

      We have almost no way to guarantee that in software. Sure we have ECC RAM but what else? Anything more than 1 line is making these assumptions and therefore is a candidate for being buggy.

      So I would revise your statement:

      "All non-trivial software is buggy."

    18. Re:Open Source in commercial products by LordWabbit2 · · Score: 1

      Well if you really want to be pedantic you could go with the fact that whilst the code of "hello world" is simple and mostly a one liner, the libraries and code it relies on to produce that one line is made of thousands of lines of code which might have an issue with the length of "hello world" and cause a buffer overrun.
      But I do understand your meaning, even simple code like "Hello World" could create real world problems, you still have to deal with the underlying system problems. I recall an exploit in WinXP where you could send an oversized ping packet and do a buffer overflow.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  12. Yes. Yes it is. by Anonymous Coward · · Score: 5, Insightful

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

  13. And that matters, how? by casings · · Score: 2

    Last time I checked, the general public was pretty ignorant about just about everything related to computers outside of checking their email and viewing the latest cat pictures on reddit.

    I'd rather consult a magic 8 ball than the general public.

    1. Re:And that matters, how? by Anonymous Coward · · Score: 0

      LOL! I bet if I did a poll at work (hi tech mechanical engineering) I'd find maybe half a dozen people out of hundreds who'd even heard of reddit; your public are a lot better informed than mine!

    2. Re:And that matters, how? by Anonymous Coward · · Score: 0

      ..and this smug attitude is exactly why Linux is still at 1.65% of end-user desktop PCs TWENTY YEARS after I first used it.

      get over yourself, neckbeard.

  14. Vojjne. by Anonymous Coward · · Score: 4, Insightful

    Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.

    There is no magic alternative that is better than open.

    1. Re:Vojjne. by Anonymous Coward · · Score: 0

      And how many security-critical bugs are taken over from 20 year old kernel parts still present in the Windows 8.1 kernel?

      Right - you don't know, but are you really, really sure they ain't there?

      See? Who knows how many exploits are being done under your nose, just because you don't know they are there.
      And you will never know, because it's all closed source...

      With open source there is at least a chance it will be discovered and patched.
      With closed source nobody knows but the company selling the software, and they keep their mouths shut if it could become an "image disaster"...
       

  15. Public believes closed source is safer? by Anonymous Coward · · Score: 1

    If the public thinks that closed source is any safer, then people are dumber than I thought.

    1. Re:Public believes closed source is safer? by Anonymous Coward · · Score: 0

      That's the kind of sanctimonious, judgemental bullshit that makes "the public" think of IT folk as arrogant assholes.

      To some small business without the resources or need to hire a software engineer or dedicated "IT person", there is no practical difference between placing their faith in "the open source community" and placing their faith in a software vendor like Microsoft. In either case, "someone else" is responsible for it, be it the OEM like Dell or Lenovo, the store they bought the computer from, or the manager's nephew that's "good with computers".

  16. OpenBSD by Bengie · · Score: 1

    I think when it comes to security related projects, like security libraries, that are used all over the place, we should demand higher quality code and better design and code practices, like those of OpenBSD. We should not compromise on quality when it comes to this kind of stuff. Do it correctly or don't do it at all.

    1. Re:OpenBSD by udippel · · Score: 1

      I salute your resolve. Tell this to the unwashed masses who have been craving for the most recent cool software / gadget / widget / design / feature for the last 20 years. And offer 'security' as alternative, and close to 99 out of 100 will gladly take the earlier candy.

  17. The press by Anonymous Coward · · Score: 0

    The problem here is the press and the way they report stories. Many people have heard of open source for the very first time associated with one of the recent reports. As the press is more of an entertainment service than a news reporting one these days everything is blown out of all proportion and sensationalised. So they can make headlines with stories about shell shock or whatever the fuck stupid name it has been given and at the same time mention open source. If this was a critical windows bug let's be honest the press would not give a shit as there is nothing new to make headlines from.

  18. Really? by Anonymous Coward · · Score: 0

    Windows is exploited more nowadays because the userbase is much larger and much less savvy. That's pretty much it.

  19. Open Source is More Easily Auditable by Bob9113 · · Score: 5, Interesting

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

    Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.

    If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.

  20. Depends by JCaptainP · · Score: 1

    The strength of open source just depends on how active the project is. Some companies open source their code as a business model and many Fortune 500 companies have developers focused solely on open source projects. That said, most projects are developed by a small handful, working after hours.

    I think the exacerbating issue is so many use open source technologies and the more they are used the more issues you'll find.

  21. I doubt it by Ckwop · · Score: 2

    I'd be surprised if a random member of the public could even define what free software is. They'd probably think it's connected to the cost of the software rather than its freedom giving properties.

    That said, I think that the view that with enough eyes all bugs are shallow is false. Given that bash is used in millions and millions of servers and the bug took decades to root out, we must think of a better way to get eyes on the code.

    The whole stack needs a line by line review by security experts. That will cost tens if not hundreds of millions of dollars but my view is that it's probably worth it. Then we have to make sure all changes get reviewed in the same way.

    The result of this process would be a super-hardened version of OpenBSD. It would come with a nice fat government certification and if you want to do business with the government, you have to use that distro.

    That might rub people up the wrong way but I think that's what's ultimately going to happen eventually. A lot of this infrastructure is so critical to the modern economy that we can't just run any old code anymore.

  22. The difference by Charliemopps · · Score: 2

    The difference between Open Source and Closed source is not the number of bugs and flaws... the numbers of bugs and flaws are likely equal. The difference is the number of bugs that were found and fixed. Just as many problems exist and are as equally dangerous in closed source software. The difference is that because it's closed, they remain there, undiscovered by the general public, for a very very long time.

    All of these discoveries should be celebrated. They are examples of Open source working as it should.

    1. Re:The difference by freeze128 · · Score: 0

      Not only that, but the SPEED at which they are fixed. When heartbleed was discovered, there was a patch available later that day. Shellshock was also patched very quickly. In the case of Windows flaws, you usually have to wait until the next patch cycle (once a MONTH). Sometimes Microsoft knows about a flaw and simply DOESN'T patch it.

    2. Re:The difference by Charliemopps · · Score: 1

      Sometimes Microsoft knows about a flaw and simply DOESN'T patch it.

      ...and that's another very good point... Fixing bugs often is a "Cost benefit" thing.
      "It will cost us $100k to fix this and the worst thing they could get are the first names of client contacts" = Not getting fixed
      "It will cost us $100k to fix this and the worst thing they could get are the nuclear launch codes" = Getting fixed

      With closed source, the decision to fix that is in the hands of the developers.
      "99% of our customers will continue using this despite the bug. We'll lose the defense department but oh well..."

      With open source they can choose to fix it themselves.

    3. Re:The difference by Anonymous Coward · · Score: 0

      There's bugs floating around all over the 'net...

      I think if we just let Skynet loose it can fix everything for us. ::)

    4. Re:The difference by mystikkman · · Score: 1

      A long time went between the discovery and the fix available to the public. The ignorance and history rewriting is getting painful to watch in these comments.

      http://www.smh.com.au/it-pro/s...

  23. Nobody claims open source software has no flaws by chubs · · Score: 1

    Nobody claims there are no vulnerabilities in open source code. But I bet you'd see some interesting differences if you compare the time between when an open-source vulnerability is reported and when it is fixed to the same interval for a commercial, closed source alternative, you'd see that known vulnerabilities exist for a much shorter time in a well-supported open source product. No, I don't have any source to back that up, just my experience with how long known vulnerabilities go unpatched in Windows, Adobe products, etc.

    1. Re:Nobody claims open source software has no flaws by jones_supa · · Score: 1

      But I bet if you compare the time between when an open-source vulnerability is reported and when it is fixed to the same interval for a commercial, closed source alternative, you'd see that known vulnerabilities exist for a much shorter time in a well-supported open source product.

      Take a look at the bug trackers of OSS projects sometime. They are full of known bugs which have been waiting for a fix for months or years. Around the time when Heartbleed was discovered, there was another bug reported 4 years ago and no one had taken the responsibility to fix it. It even had a CVE record.

  24. Forking, not audits, is the reason openness works by stealth.c · · Score: 3, Interesting

    The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.

  25. 66 pct of America worried about Ebola by WillAffleckUW · · Score: 2

    Look, people in the USA are more worried about Ebola, an infinitesimal risk, than are worried about getting a polio shot (we're losing herd immunity in major cities right now) or a flu shot (which WILL kill thousands of people this year).

    I'm not that concerned that "the public" is worried about Open Source, as most of the people polled think it means "open sores".

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:66 pct of America worried about Ebola by WillAffleckUW · · Score: 1

      To be exact, I mean thousands of people will die from influenza, not the actual shot itself. Which you should get. It's going to be (and already is) one of those years.

      Oh, and consider patching your libraries, if you use open source. Most of the hacks were due to people not patching libraries, after someone did identify vulnerabilities.

      Now, excuse me, I have an email from a Nigerian Prince who wants to give me money.

      --
      -- Tigger warning: This post may contain tiggers! --
  26. Re:Really? by Anon-Admin · · Score: 3, Informative

    I'll disagree, I still believe it is because Windows is far less secure.

    Linux == 98% of all super computers (Top 500 List)
    Linux/Android == 74% of all Mobile devices (Gartner)
    Linux/Android == 61.9% of all Tablets (Gartner)
    Linux == 78% of all internet Servers (Security Tech)
    Linux == 28% of mainframes (Gartner)
    Linux Desktops == 1.65% (From Gartner as the total number of systems shipped with Linux pre-installed) up to 20% depending on the source.

    That is not even getting into all the routers and smart switches, embedded devices, etc.

    Open source and Linux make a very large target with lots of high profile targets. I am surprised that there are not more exploits, and the simple lack of viruses should be proof enough that Linux is far more secure.

  27. Looks like free software is working by El_Muerte_TDS · · Score: 1

    Somebody saw something weird, looked at the code, analyzed the logic, found the bug, reported it, and it was fixed.

    Nobody said those thousand eyes would find bugs instantly.

  28. What a dumb question by JustNiz · · Score: 1

    >> is that really so different than leaving it to a corporation with closed source?"

    Yes, it's COMPLETELY different.

    Can there be exploitable bugs in open source? Of course. That remains true for all software, open or not. It is incredibly naive to imagine that anyone could effectively predict every potential future use of any product, especially a complex system.

    Not only are exploits less likely in open source in the first place (because of the larger number of eyes looking at the code) but detection is faster (same reason) and also patches are released very quickly in community projects. For comparison, look at Microsoft's ongoing track record of even consciously leaving known exploits unpatched, in comparison to the speed with which patches for Heartbleed and Shellshock got pushed out.

    Furthermore, unlike closed source, it is very unlikely that anything intentionally malicious or even morally questionable could be added to an open source project and then remain undetected for long. Apart from anything else, it would be too easy to see which user put it there and make that information public.

  29. Nothing's changed by reikae · · Score: 2

    Free software is about ideology. About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point. Much like freedom of speech: it's important even if I never say or write anything and it doesn't make everyone Shakespeare either.

    Posted from my Windows computer btw; I think there is value in software freedom, but I use what best meets my current needs and wants, and encourage others to do so too.

    1. Re:Nothing's changed by edis · · Score: 1

      ... About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point...

      Of course, that is the point: permission to examine and modify directly sets the preconditions for instantly enhancing the code examined. And if examination with sufficient eyeballs really takes place, the process goes just as the doctor prescribed. It does not, however, mean that the code completely escapes the possibility of being hacked - it is too complicated a structure to expect that, unless you look at it with the idealism of the topic.

      --
      Servant of karma
  30. somebody else's job by Anonymous Coward · · Score: 3, Interesting

    I'm pretty sure i kan reed said he'd audit it.

    This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
    There was an important job to be done and Everybody was sure that Somebody would do it.
    Anybody could have done it, but Nobody did it.
    Somebody got angry about that because it was Everybody's job.
    Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
    It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.


    Really, why aren't there several open source auditing projects?
    1. secure coding bootcamp.
    2. throw them on a project to audit.
    3. tracking of when last audited, by whom, and any findings.

    1. Re:somebody else's job by ray-auch · · Score: 1

      There aren't because:

      1. no one is paying for them (or at least not enough to make a difference and catch stuff like heartbleed and shellshock)
      2. auditing existing code doesn't "scratch an itch" for anyone on the hobbyist side

      Closed source companies like MS have to weigh up costs of security auditing vs. cost of reputational damage of getting it wrong (i.e. if you think safety is expensive try having an accident). For a long time, MS was so secure as a monopoly that the reputational damage wasn't worth them worrying about - that isn't the case now, and they are better at security than they were, but they have a very large legacy mess still to clear up.

      For open source companies, the reputational damage is spread or lands elsewhere (shellshock is a GNU bug not a Linux bug or a RedHat or Debian or...), so there is even less incentive. Your competition benefits equally from your auditing but you take the whole cost. Therefore it will need collective funding by competing companies - which is always a lot harder to organise.

    2. Re:somebody else's job by TangoMargarine · · Score: 1

      Somebody and Anybody are on trains headed towards each other at 20mph (each). Construct a boolean algebra equation to describe all actors.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  31. Wow... by Famak1994 · · Score: 1

    "While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it."

    Examples?

    Usually, when developers abandon a project they'll post it on github and leave it up to the fans to continue the development.

    "As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yeah, it's completely different by every imaginable degree.

    1. Re:Wow... by Yunzil · · Score: 1

      Examples?

      Wait, you want examples of people who are too busy to review other people's code? OK, here's one: me.

    2. Re:Wow... by Famak1994 · · Score: 1

      I'm referring to open source software that has fallen victim to vandalism due to a lack of security researchers.

      Again, show me an example.

  32. Re: Really? by Anonymous Coward · · Score: 0

    Most of what you listed is managed and used by IT professionals. Comparing Linux on supercomputers and servers to the millions of Windows PCs predominantly used by computer illiterates makes no sense.

    A careless user can get a Linux machine compromised just as easily as a Windows machine.

  33. pay them!! by lkcl · · Score: 3, Interesting

    the key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.

    so it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.

    the solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. find a way. pick a project that's important or fundamental to your business, and PAY THEM.

    1. Re:pay them!! by swillden · · Score: 1

      the key point that people keep missing is that corporations - which are legally obligated to maximise profits

      That supposed legal obligation doesn't always exist, and far too much is made of it even where it does. Can you show me any examples of companies being prosecuted, or even investigated, for failing to maximize their profits? It doesn't happen. And you can easily spot any number of examples of companies failing to take opportunities to maximize profits.

      Drop that tired meme, it's really not true in practice, even when it's true in theory -- which isn't always the case, even for for-profit corporations.

      What they're really legally obligated to do is whatever is in their corporate charter, articles of incorporation and IPO statements. Those define the expectations of investors and that's what they have to meet. In nearly all cases, generating profit is a key element of those expectations, but it's not always the primary one. But regardless, you don't see anyone getting prosecuted for failing to do that, either. The real punishment for a company that doesn't meet shareholder expectations is that the share price drops, and eventually the board ousts the management and puts in someone who will.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:pay them!! by Anonymous Coward · · Score: 0

      Because with open source, the company isn't beholden to a specific company. If the current devs are doing a good job, then throwing some money their way makes sense. If there's specific bugs or features the company cares about, those devs will probably be more responsive to someone that's giving them money. But more importantly, if the devs are responsive or don't care about the same things, the company is free to hire different devs to work on it.

      In practice, the image of the lone open source dev working for free isn't true for a lot of projects. Open source software is often developed by companies that need the software but see no business purpose in keeping it closed.

      Also, you present a false dichotomy: it's very rare that I encounter a situation where the closed source software is higher quality than the open source competitor. And those examples are polished user-facing software like Photoshop; software for businesses tends to be pretty awful, and if it's closed there's nothing the company can do about it.

    3. Re:pay them!! by UnknownSoldier · · Score: 2

      100% agree!

      If businesses were smart they all would chip in $10 say towards LibreOffice, Inkscape, Krita, FreeNAS, GimpShop, etc.

      They could be free of the tyranny of proprietary vendor-lock file formats for once and for all. But yet they would rather pay to suffer ! **shrugs**

      Could you imagine how much development could get done if open source alternatives to X could get funding!? Not to say money is a silver bullet TM but it certainly would go a long way!

  34. FUD by ruir · · Score: 1

    "Closed" software also has lots or more security problems, and then you do not have the source to look at and fix it. This article is a troll.

  35. Damn good thing Windows has no holes! by swschrad · · Score: 4, Insightful

    yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:Damn good thing Windows has no holes! by GameboyRMH · · Score: 1, Informative

      The MS salesmen actually use the threat of spies coding on open source projects as a scare tactic. Unironically.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Damn good thing Windows has no holes! by Anonymous Coward · · Score: 0

      I'm shocked anyone would imply that intelligence services would place people at Microsoft in order to install back doors or otherwise degrade the security of Microsoft's products. Shocked I say.

  36. Publicity..... by Dega704 · · Score: 1

    Being open-source is what allowed these flaws to become publicly exposed. This article assumes that this is a 100% bad thing. The better question is how many closed-source security holes exist and are being actively exploited that we don't know about?

  37. Yes, it's a lot different by Anonymous Coward · · Score: 0

    For two reasons.

    First, the vendor doesn't have a monopoly on fixing the bug. With closed-source, the vendor decides whether it gets fixed, when it gets fixed, how it gets fixed, who gets the fix, and whether you have to pay for the fix.

    Second, while open-source doesn't ensure that ordinary bugs go un-noticed for long periods, it provides a reasonable guarantee against most deliberately-malicious behaviour. It doesn't necessarily work for stuff like crypto, where a one-character "typo" can render the whole system ineffective. But it's much harder to smuggle an entire malware subsystem inside open-source code.

  38. false premise by binarstu · · Score: 1
    TFA starts off with this as the very first sentence:

    Hackers have shaken the free-software movement that once symbolized the Web’s idealism.

    And then fails to provide any real evidence that this is true. It should take strong evidence to reach the conclusion that an entire "movement" has been "shaken" to the point that it has lost its symbolic meaning. I skimmed the rest of the article, but the authors pretty much lost me after that bit of nonsense.

    People (both good and bad) have been finding flaws in open source software for decades. No one in the "movement" was surprised or "shaken" to hear about a few new discoveries. These bugs earned extra attention because of the ubiquity of the software, but still -- nobody has ever said that open source software is somehow, magically, bug free. The "idealism" is that a) people can actually find the bugs by looking at the source rather than reverse engineering; and b) once a bug is found, anyone is free to modify the code to fix it, rather than waiting on a business to decide that it merits patching, perhaps weeks or months later. And, as far as I could tell, this all worked very well with the "Shellshock" vulnerabilities. The bugs were found, and the patches were written and released not long after.

  39. "...if it's in the news, don't worry about it." by trawg · · Score: 3, Insightful

    I think some of Schneier's words apply here:

    "I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."

    If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.

    If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?

  40. Re: Really? by Anon-Admin · · Score: 3, Interesting

    And a competent windows admin still deals with viruses on their servers.

    I was unaware that all the android phones, tablets, and devices as well as all the home routers, set top boxes, etc. were only managed by "IT professionals"

  41. Either way it's about trust by epyT-R · · Score: 1

    Whether you trust the community or trust a closed vendor, you're still trusting that they got it right and/or haven't been compromised by moles working for crooks or governments. The bottom line is you should assume any easily accessible security software is compromised and build multilayer security around the asset you want protected. At least with open software you can audit it yourself or have it audited by someone you do trust. Closed? Forget it, unless you're a government.

  42. Re:Really? by iggymanz · · Score: 1

    You are full of shit, the important stuff is not on Windows and the infrastructure of the internet is not built using Windows.

  43. Some things can't be papered over. by westlake · · Score: 2

    With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed.

    Excuse me for saying that I find all these platitudes less than reassuring.

    The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.

    Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves, with Fox undertaking the work as an employee of FSF. Fox released Bash as a beta, version .99, on June 7, 1989 and remained the primary maintainer until sometime between mid-1992 and mid-1994, when he was laid off from FSF.

    A security hole in Bash dubbed Shellshock, dating from version 1.03, was discovered in early September 2014.

    Bash (Unix Shell)

    Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.

    Shellshock (software bug)

    A 25 year old bug with the potential to do enormous damage.

    In the UNIX shell in almost universal use by *NIX professionals, and a spare-no-expense project conceived and funded by the FSF.

    1. Re:Some things can't be papered over. by Anonymous Coward · · Score: 0

      In the *nix shops I've worked at, bash was generally despised in favour of more pure shells, even on Linux servers.

    2. Re:Some things can't be papered over. by Anonymous Coward · · Score: 0

      (1) Bash was not a "spare-no-expense" project. It is really weird you turned the idea that FSF would use an employee to develop software into a claim that it was some sort of big-budget production. Nothing the FSF does is "spare no expense" because they operate on a shoe-string budget of less than $1M/yr with 13 employees. And that's today when they are famous and popular versus the 80s when they were new and people were still laughing at them.

      (2) Your comparison is premised on the idea that 25-year old proprietary software won't have day-1 bugs either. That's implausible.

    3. Re:Some things can't be papered over. by Anonymous Coward · · Score: 0

      A 25 year old bug with the potential to do enormous damage.

      In the UNIX shell in almost universal use by *NIX professionals, and a spare-no-expense project conceived and funded by the FSF.

      And you never knew about it (nor did anyone else) until someone stumbled over it, and once they did, the fix for the most dangerous part of it was issued in less than 6 hours, and it became a non-issue after 1 day. Notice no one ever yelped about the stupid I Love You virus created by a kid in Asia, and the bash bug caused problems for no one I know, and I Love You affected thousands of people I know. And Microsoft spent BILLIONS on that software, and made *TRILLIONS* from it. And their service and response sucked worse. So take your incredulity and shove it up your ass, you double standards keeping rat bastard ass hole.

    4. Re:Some things can't be papered over. by ale2011 · · Score: 1

      Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.

      That's the outcome of a limited analysis. Had they dug deeper, they would probably have concluded that this kind of vulnerability was already latent in Babbage's Difference Engine, as well as in any man-made device. Don't misunderstand me, I don't mean that Nature makes no bugs :-/

      The point with man-made stuff is that we are free to decide how to deal with it. No wait, that was supposed to be the point with free software. (Damn, I'm getting garbled, perhaps it's hypocaffeiniemia.) Really, bugs happen the same whether you're paid or not. Discovering such an old one takes an odd moment.

  44. Speedy fixes and obvious "relay all to Microsoft" by raymorris · · Score: 1

    A big difference is probably that with open source you know you don't have glaring issues like a mail client that checks all incoming and outgoing emails for specific keywords, then sends a report to Microsoft and the NSA if any of those keywords are used. It's not that open source and proprietary can't both have subtle bugs, of course they can. If an open source project such as, say, Apache decided to start sending tracking data to Apache.org, we'd all know about it before the version was even released, and we'd chop that "feature" right out immediately.

    Secondly, fixes are much, much faster, and in high-impact cases the fixes tend to be of much higher quality due to the number of people studying the problem and suggesting fixes. Microsoft publicly acknowledged a problem with IE in 1998. In 2012, they released a half-fix. Florian released the shellshock fix that most people use within 24 hours. Over the next couple of days, many smart people looked at and proposed and released other methods of addressing it, and after a few days it was decided to use Florian's original fix.

    As ESR famously said (but with context this time):
    given enough eyeballs, all bugs are shallow. More formally: Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.

    The fix, the proper fix, is likely to be clear to someone when you have perhaps thousands of people looking at an issue like Shellshock or Heartbleed. The possible solutions are discussed and a solid solution is generally released within hours to days. Contrast that with Microsoft repeatedly needing to publish more patches to fix problems caused by their last patch, which they released to fix problems in an earlier patch.

  45. Re:Really? by jedidiah · · Score: 0

    > Windows is exploited more nowadays because the userbase is much larger and much less savvy. That's pretty much it.

    Except this does not match the reality that has existed for far longer than the current iteration of Windows. There have been heavily infested platforms with far fewer users than any of the current Windows alternatives. That includes absolute numbers or market share.

    People aren't going to leave Linux or MacOS alone just because they aren't the market leaders. Virus writers don't work that way.

    If anything, all of the Unixen represent higher value targets.

    The "market share argument" is just your way of kidding yourself. You know that you have bought crap and you are aware enough to feel stupid about it. You need to rationalize it in any way you can.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  46. General public as topic? by edis · · Score: 1

    Just substitute "general public" here with "widespread notion", and try to focus the discussion on the essential message of the post.

    --
    Servant of karma
  47. Re: Really? by Anonymous Coward · · Score: 0

    No, a competent admin doesn't deal with viruses on their servers.

    And yes, phones and tablets are managed - by the carriers or the maker. For example Android userland doesn't give you much access to anything but the app store. They aren't managed as general use computing devices.

  48. In a word.... by Anonymous Coward · · Score: 0

    "As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yes.

    Next question?

  49. Really? by Anonymous Coward · · Score: 0

    Windows users have always been less savvy.

  50. Like Proprietary Software is Better? by Forgefather · · Score: 1

    There were two high profile security flaws in Open Source software that garnered a lot of news attention. Once the vulnerabilities were noticed the community quickly moved to patch them. How is this worse than proprietary software developers who pray that no one exploits their dodgy code until they have the business will and manpower to patch the bugs? Or perhaps we should turn to our proprietary secure software paragons: Apple, Microsoft, Oracle, Flash to provide secure alternatives to Open Source software....oh wait.

    --
    "There are lies, there are damn lies, and there are statistics"
  51. is that really so different . . . ? by Anonymous Coward · · Score: 0

    Yes, there is no guarantee that the flaw will be fixed if found in closed source code.

  52. I've heard this argument before by idontgno · · Score: 1

    Specifically, anti-vaxxers.

    "If so many people refuse to get vaccinated, herd immunity can't work. So why bother?"

    "Because if all you voluntary natural selection candidates want to kill yourselves, my own vaccination will at least partially protect me."

    Open Source at least offers the opportunity to protect yourself, to the extent of your own skill and effort. Which is the most anyone can realistically expect in this world. I have no intentions of allowing my fate to rest entirely at the tender mercy of people who think they know better than me.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  53. Re:Speedy fixes and obvious "relay all to Microsof by Yunzil · · Score: 1

    As ESR famously said (but with context this time):
    given enough eyeballs, all bugs are shallow.

    Addendum: Of course, it might take 20 years for anyone to notice, because everyone is assuming that someone else is looking at it, but whatever.

  54. Re: Really? by Anonymous Coward · · Score: 0

    And a competent windows admin still deals with viruses on their servers.

    Just like it mostly doesn't matter about choice of desktop platform when it comes to careless users, the same applies to admins. A careless admin will have to deal with viruses/hacks on servers regardless of platform. A competent admin - linux or windows - will not (or at least not very frequently).

    I've administered servers professionally for 13 years, as a hobby for 7 years before that, both linux and windows, and there have been 0 infections. Your obvious bias makes the validity of your opinion questionable.

  55. article writer is an idiot by slashdime · · Score: 1

    Wow.. confidence shaken by vu-vu-vulnerabilities huh?

    Article is nothing more than talking points from someone who knows nothing about the industry and only read about the 2 vulnerabilities in the news.

    They might as well have stopped a person in the street and asked "Sir/Madam, if your livelihood depended on computers, and said computers had a vulnerability, could it possibly affect you in a negative way? Yes?"

    It's a story! Rush to print!

  56. Lots of shaking to go by future+assassin · · Score: 1

    before it's anywhere near close to Windows security failures over the years.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  57. Yes. Yes it is. by Anonymous Coward · · Score: 0

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

    You had me up to here. There can be no argument against this.

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

    Examples, citations, personal experience. What's special about open source that prevents its maintainers from doing the same thing? Yes, a company producing closed-source software can do this behind hidden doors, but doesn't mean they fall into this paradigm of laziness.

  58. Open Source Tradeoff by scruffy · · Score: 1

    Yes, the advantage of open source is that good actors can read the code and find and fix security flaws. The disadvantage is that bad actors can also read the code and find and exploit security flaws. One would hope good actors would outweigh the bad ones, but my fear is that governments and organized crime have become bad and worse actors in a big way. Even when a particular flaw is fixed, we all know that there are still flaws to be found and exploited in any big software project, and nowadays the big-time software exploiters have the budgets and the manpower to take advantage.

    That said, that doesn't mean closed-source is any better (a different tradeoff), but it would be foolish to think that open-source software is not being exploited for its open-source properties.

  59. I have one thing to say about this by Anonymous Coward · · Score: 0

    How many corporations with closed source software do you know of that will look seriously at a bug or feature request from one individual user and make the appropriate changes to their software? I have seen this happen in open source software several times, but I have not observed it in closed source software. It likely will not happen in closed source software because the drive is to make money, which means making the largest number of people happy as possible; even if the request in question might bring in or keep a large number of clients, the simple fact is that if most people do not want it or do not know they want it, corporations have no reason to pay attention to them. The open source community, meanwhile, is driven by other factors, usually things like making a piece of software that performs a specific task very well, or making a piece of software that handles a task in a different way.

  60. yes, shallow/deep refers to solvability by raymorris · · Score: 1

    Yes, that quote talks about once a problem is noticed, the right solution will be clear if many people look at the problem.

    It says nothing, positive or negative, about how subtle bugs might be or when they'll be found. The answer to that question largely depends on the architecture of the code and the style, whether side-effects are common. Linus prefers kernel functions to be no more than a few lines long. If a function is three lines, you can pretty easily see if it's correct or not. A function that's 200 lines long probably has a bug that you wouldn't see easily. That's true regardless of the license the code is under.

  61. Re: Really? by DaTrueDave · · Score: 1

    For example Android userland doesn't give you much access to anything but the app store. They aren't managed as general use computing devices.

    What does that even mean? Any Android user can download and install an application from anywhere, not just from an app store.

  62. Of course it is.. by Anonymous Coward · · Score: 0

    For-profit corporations have a huge financial incentive (and at least in theory, penalty for failure) to maintain software and address security issues. If Application B *fails*, Corporation A will at some level be held accountable - whether through lost sales or possible legal action. Who's accountable when open-source fails? John Q. SixpackofJolt, the maintainer of some obscure dependency? Why does he care if that package failed if he can just go find another paying job elsewhere? That it's free as in beer works against it in this way, because it is taken for granted - there's an assumption by 'the public' that it *works* and is *reliable* if it is being used to such an extent.

    This is PRECISELY the argument that Microsoft has been making against it for years.

    1. Re:Of course it is.. by Anonymous Coward · · Score: 0

      You can spew sophistry about the 'freedom' of open-source as much as you want, but the uncomfortable fact is I would guarantee 95% of you take the reliability and security of components and dependencies built by others in your distro of choice for granted too, just like the 98.35% of desktop PC users who run Windows or Macs.

      The fact that the bash bug existed for twenty years says what, exactly about the reliability and trustworthiness of open-source software? It says that no one bothered; that it was taken for granted and no one had any incentive to investigate it beforehand.

  63. Zero Day Troll? by Anonymous Coward · · Score: 0

    This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

    Do you mean you discovered a Zero Day Troll that works on open source software?

  64. "Linux" got hurt, not "open source" by Anonymous Coward · · Score: 0

    First, the public knows the brand Linux, but open source is a rather vague thing to John Doe, I think. Second, the solution to bugs is what we have on many projects -- free software (or even open source) supported by paid professionals, such as the work done by Red Hat, the Mozilla Foundation, the Apache Project, etc. GNU stuff such as bash, and other smallish free software efforts, should be (is?) supported by professionals employed by organizations who care about, and depend on, the quality of the product. So we get free software, with the source available for experimentation and to avoid vendor control, with the quality of professional programmers/QA testers/documentation people with professional incentives and focus.

  65. The reality by msobkow · · Score: 1

    The reality is that doing security audits and code reviews is boring. Unless you have someone who is really dedicated and knows their stuff taking on the task for an open source project, or someone paying a team to do it (TrueCrypt/VeraCrypt), it's not going to happen. In theory corporations are paying their staff so it should happen, but in reality corporations are likely to push such reviews way down the priority list because they cost money. Spending money is bad to a corporation, m'kay?

    Personally I've never believed in the "many eyeballs" approach because even when porting an open source project to a new release of an OS or a custom distribution, I only learn the bare surface of the code -- enough to get the port running. I most certainly do not do an in-depth learning and understanding of the code being ported.

    As a result, the only one who does any sort of real review is usually the original developer -- the person(s) least likely to see the flaws in their work that are caused by misunderstandings and erroneous assumptions -- because they don't know any different than they did when writing the code in the first place!

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:The reality by edis · · Score: 1

      The reality is that nobody ever should have given a badge of non-hackable software to products of any development model. For thousands and millions of software lines, and a multitude of situations regarding mutual relations of its parts, multiplied by possible input fluctuations additionally depending on execution environment, you have imperfect software somewhere somehow, rather than a perfect one. A constant flow of patches for live products of any model is reality. What we can talk about are certain and numerous benefits that open source has over the proprietary one. If confidence in idealism is shaken, this is only for good, because reality was certainly far from being ideal.

      --
      Servant of karma
  66. Re:Yes. Yes it is. by Anonymous Coward · · Score: 0

    And your facts demonstrating that companies spend as little as possible on security are?

    This is the problem with the Open Source community - they spout these opinions as if they were fact.

    My own corporate experience as a software developer, architect and VP is that security is taken very seriously by industry and a considerable amount of effort is expended on that very issue.

  67. Re:Really? by Opportunist · · Score: 1

    Yes, but all those high profile targets also don't suffer from being "administrated" (I'll use that term loosely here) by Joe Randomsurfer.

    Super computers: Not only are few of them readily accessible via internet, they usually reside behind atomic-bomb-grade firewalls and are administrated by people whose net worth is more or less directly tied to that super computer's well being.

    Android Phone/Tablets: Give it time, the malware writers are only just getting into the mobile market. But they're already pretty efficient, you have to give them that.

    Internet Servers/Mainframes: While not as well administrated as the aforementioned supercomputers, we're still a far cry from their admins being idiots who think TCP is the acronym for the Chinese Secret Service.

    Linux Desktops: Yes, even they usually have users that don't fall for the dancing pigs.

    In a nutshell, Linux as the "geek system" has turned into a self-fulfilling prophecy. It's still rarely used by people who have neither some decent computer skills nor some relative who does.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  68. That is not what open source is about by Anonymous Coward · · Score: 0

    Open source does not enhance security or quality. It just provides the source.

  69. Re:Really? by Opportunist · · Score: 1

    Sadly, virus writers do work that way. Virus writing is a business. Nothing more, nothing less. Yes, there is the occasional hobbyist who wants to prove something, but most malware today is simply trying to steal money or identity.

    And with this goal, it is simply more profitable to target MS systems. Few Linux servers are ever being used for online banking or buying stuff with a credit card.

    And while, yes, a Linux server connected to a 100mbit line would be interesting to get, e.g. for spamming purposes, getting 100 MS machines with 1mbit each is even better. And easier to infect, too.

    What makes MS systems attractive to a malware criminal is that they are more numerous and more likely to be "administrated" by a computer illiterate who is easier to trick into clicking or starting something.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  70. Re:Yes. Yes it is. by Opportunist · · Score: 1

    In open source you'd probably just add something along the lines of
    /* Yeah, I know it ain't pretty. If you don't like it, improve it. */

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  71. can we even discuss this yet? by Twillerror · · Score: 1

    I don't really feel like the open source community is "ready" to talk about what security means.

    It's nice that communities found these issues, but if I were in organized crime I'd be not only following this, but looking for exploits. Which should be a lot easier given the code. Looking for lesser projects vs even the big boys and going after that.

    Do a search for "QA" in open source and the results are a little eye-opening... in that you won't see much. I think in general open source projects need to actively find help and have their code scanned and analyzed more.

    I believe open source can be far more secure and possibly already is, but just flat out denials of any issues in our communities is just being complacent.

    "Open source has security issues" does not equal "go back to closed source", but it does mean we have work to do to get better.

  72. The general public? Really? by Opportunist · · Score: 2

    The general public? Please. The general public is a mass of ignorant people. If you want to find the IQ of a group of random people, take the dumbest person and divide by the number of legs. I.e. the more people you get, the stupider they are.

    Need proof? Just take any reaction to any "sky-is-falling" information they ever got. From 9/11 to Ebola, the reaction is blind panic. You want to use THAT mass of idiots to gauge the sensibility of something esoteric like a coding paradigm?

    Please.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  73. Re:Really? by NotInHere · · Score: 1

    Yeah, it might be true that Linux servers are more secure than Windows servers, or Windows desktops, but X comes from an age where people didn't care about per-app isolation, but about per-user isolation. X is, in security terms, broken.

  74. Re:Yes. Yes it is. by The+Ickle+Jones · · Score: 1

    Examples, citations, personal experience. What's special about open source that prevents its maintainers from doing the same thing?

    It's technically possible, but another advantage for free software is that you can fix the problems yourself or hire others to do it, and even fork the project if necessary. You don't have to wait for some company to do it.

    Yes, a company producing closed-source software can do this behind hidden doors, but that doesn't mean they fall into this paradigm of laziness.

    No, but the secrecy certainly helps keep things out of the spotlight.

  75. Closed Is Just As Bug-Ridden by Greyfox · · Score: 1

    You just never find out about it. It takes an open source developer to write a heartbleed-style bug, and some jackass at a company to attach a CGI shell script to a web server. I seem to recall the web server very specifically says never to do that. I've worked at companies from mom and pop shops to IBM and have never seen security as a priority for any commercial entity. Except that one time, auditing software at Data General for their B2 secure UNIX, which IBM acquired and decommissioned a year or so after I left the company.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
  76. Yes, it's different by Todd+Knarr · · Score: 1

    The main difference is that you aren't leaving the trust to the open-source community. You can, but you don't have to. If you're affected by a problem, you have the option of legally fixing the problem yourself if it's that critical for you. You can discuss the problem with others without risking a vendor's legal department jumping down your throat. You can test your systems to determine whether they're vulnerable (e.g. Debian-based Linux systems weren't normally affected by the recent bash bug even though the bug existed on them because of the way Debian configured their shells). Ultimately you've got options you just don't have with closed-source software.

    And think about this. How many problems of a similar severity have we seen in closed-source software? And how many of those have the vendors known about for years and deliberately left in place because fixing them would involve admitting they existed and cause PR problems? It seems to me that open-source software still has a much better track record when it comes to these issues than closed-source software by a wide margin.

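    One way to do the "test your systems" step the comment describes, added here as an illustration and not code from the thread or from any project: a small POSIX shell script that (a) reports what /bin/sh actually resolves to, since scripts run under "sh" on a Debian-based system never reach bash at all, and (b) probes a given bash binary for the original form of the environment-function import bug by exporting a constructed variable whose value is a function definition followed by a trailing command. A patched bash ignores the trailing command. The function names and the "probe" variable are my own choices, and a clean result covers only this one probe; later variants of the same bug needed their own checks.

```sh
#!/bin/sh
# Added example, not from the Slashdot thread: a defensive check for the
# original form of the 2014 bash environment-function import bug, plus a
# report of what /bin/sh really is. Function and variable names are my own.

# Print the path /bin/sh resolves to (dash on Debian-based systems, bash on
# many others). Scripts run via "sh" only reach bash if this says bash.
system_sh_target() {
    if [ -L /bin/sh ]; then
        readlink /bin/sh
    else
        printf '%s\n' /bin/sh
    fi
}

# Probe the shell binary given as $1 (default: bash).
# Returns 0 if the trailing command in the exported function definition is
#           NOT executed (patched bash, or a shell that ignores such variables),
#         1 if it IS executed (unpatched bash),
#         2 if the binary cannot be found.
check_bash_env_import() {
    shell_bin="${1:-bash}"
    command -v "$shell_bin" >/dev/null 2>&1 || return 2
    # Constructed probe: a no-op function body followed by an echo. The
    # child shell is only asked to run "true"; anything it prints came from
    # importing the environment variable, which is exactly the bug.
    probe_out=$(env 'probe=() { :; }; echo FUNCTION_IMPORT_EXECUTED' \
        "$shell_bin" -c 'true' 2>/dev/null)
    case "$probe_out" in
        *FUNCTION_IMPORT_EXECUTED*) return 1 ;;
        *) return 0 ;;
    esac
}

# Human-readable verdict for one binary; used by main below.
describe_shell() {
    check_bash_env_import "$1" && rc=0 || rc=$?
    case "$rc" in
        0) printf '%s: does not execute imported function trailers\n' "$1" ;;
        1) printf '%s: EXECUTES imported function trailers (patch it)\n' "$1" ;;
        *) printf '%s: not found\n' "$1" ;;
    esac
}

main() {
    printf '/bin/sh resolves to: %s\n' "$(system_sh_target)"
    describe_shell bash
    describe_shell /bin/sh
}

main
```

    Running it as a plain user is enough; nothing here needs root. The point of checking /bin/sh separately is the one the comment makes: the exposure of a system depends on which shell its cron jobs, CGI wrappers and system() calls actually invoke, not only on whether a bash binary somewhere on disk is patched.
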
  77. Realism, not idealism by Anonymous Coward · · Score: 0

    Open source (well, free software, at least) != starry-eyed dreaming for ignorant journalists to blog gushingly about. So maybe something slips past scrutiny, but once it's known, it's near instantly fixed.

    Believing that proprietary software derives from starry-eyed notions of free enterprise, with the corrupting suspension of disbelief that IP entails, would be more along the lines of idealistic fantasy, particularly if you want vulnerabilities fixed on a timely basis not subject to "business" expediencies.

  78. Yes, it is very different! by Anonymous Coward · · Score: 0

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

    Yes, it's night-and-day different, and shame on the irresponsible, factually-incorrect "news" organizations that make any claim otherwise, or even entertain doubts about this to the public. That there has been a recent spate of high-profile bug discoveries in open source codebases doesn't change *anything* about the situation or the relative security of the two models.

    The distinction, with reference to the quoted question, is this: a closed-source codebase is only ever analyzed by the company that owns the source code, period. Nobody else even has the option to do so. Even if they claim they've done a good job of analysis, who's verifying or double-checking that analysis? Are those double-checkers the closed-source company hired for verification the best in the world? As good as the best hackers in the world you've never even heard of?

    An open-source codebase can be infinitely analyzed over time, because *everyone* has the option to do so. It's good that people are a little shaken up by these recent issues, but trying to turn that into an open source problem is the wrong way to think about things. The right way to think about the issue is this: when a commercial company distributes a product very widely to make a profit, they have a choice whether to develop closed software for it or use open source. If they choose the open source path (which is still the wisest of the two paths), it's still up to them to be one of the many eyes who validates the security of the open source code they ship.

    When hundreds of commercial companies are shipping expensive products whose security *absolutely relies* on the open-source OpenSSL library, and not *one* of them is doing serious analysis on the codebase as part of the infinite eyes of open security, not even to double-check things for themselves and their own consumers, that's a huge failing on the part of those commercial software companies, and I think their customers have a right to sue them for it. They already got away with not having to pay to develop their own SSL implementation that would suck much worse. Is it so much to ask that they at least pay out to validate the software they're using before they foist it blindly on consumers in exchange for money?

  79. Re:Yes. Yes it is. by Kjella · · Score: 1

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining

    If security holes didn't have economic consequences, that'd be true. And I don't mean incident-related costs, because the EULA has them almost watertight covered there, but no doubt bad press about zero day bugs hurts their sales and bottom line. If it becomes common and grave enough it also becomes a brand and reputation problem which costs a lot for marketing to tackle. When Blaster and Slammer were all over the news they implemented the firewall. When malware exploited that everyone runs as admin they implemented UAC. When malware corrupted the boot process they came up with Secure Boot; of course throwing a wrench in easy Linux booting was a bonus.

    They'll put as much effort into it as it pays off rather than dealing with the fallout. Of course they'll cover up and downplay all that they can as damage control regardless, but they're still interested in avoiding it altogether. As long as it doesn't clash with other money-making attributes like convenience; in early UAC they dialed it up too high. Now a watered-down version is in Windows 7 and few complain anymore. Patch Tuesday is such a convenience, not for security but for IT staff managing Microsoft machines. The downside of 24x7 patching is that all Linux admins must keep up, and having them just roll out automatically without testing could get nasty.

    Basically, Microsoft takes the blame for whatever happens before Patch Tuesday. IT staff can plan for a monthly test and patching session; in between they have it easy unless there's an emergency patch, and then everyone knows you "must" do it because it's an emergency. Microsoft is big enough to just absorb the blame because if 0,001% of their customers are mad at them it doesn't really matter. The CIO can point to the company following best practices regarding Microsoft products. All the blame gets neatly passed around and defused, unlike the CIO having to defend their home grown solution where bits and pieces were cobbled together with open source and the only support was themselves, so all the blame stays in-house. It might not work better for the system, but it works better for the people in the system.

    --
    Live today, because you never know what tomorrow brings
  80. Re: Really? by phantomfive · · Score: 1

    And a competent windows admin still deals with viruses on their servers.

    Are you sure?

    --
    "First they came for the slanderers and i said nothing."
  81. Public trust? What's that? by Anonymous Coward · · Score: 0

    And from Bloomberg.com. Sleazy journalism from the old school of journalism, where anything that isn't produced by our advertisers is suspect and thus worthy of a scathing article explaining same to the news starved audience.

    Bad news, audience isn't news starved. Good news, Bloomberg has zero trust outside of their circle of friends (aka, advertisers).

  82. This is abject stupidity by Anonymous Coward · · Score: 0

    Commercial software is LOADED with security bugs at all levels. Few bother to exploit them, but they're there, waiting for the next Stuxnet.

  83. Re:Really? by Anonymous Coward · · Score: 0

    Few Linux servers are ever being used for online banking or buying stuff with a credit card.

    The Linux server IS THE BANK... it's a HUGE profit center to get control of it. It's high difficulty high reward. Knocking over a wintel box with 'click to download idiotic shit' is trivial, and just requires a bunch of mules and some way to hide your command and control servers.

  84. Re: Really? by Anonymous Coward · · Score: 0

    In general they only use the official app store.

  85. Re: Really? by jones_supa · · Score: 1

    And a competent windows admin still deals with viruses on their servers.

    No, they don't.

  86. Re: Really? by Anonymous Coward · · Score: 0

    And an incompetent windows admin still deals with viruses on their servers.

    FTFY...although even an incompetent windows admin is unlikely to deal with viruses on their servers.

  87. Vojjne. by Anonymous Coward · · Score: 0

    six weeks > 20+ years

  88. Yes, it really is so different. by Anonymous Coward · · Score: 0

    Re: "I submit that this would likely not have been the case with closed source software."

    Well that's your opinion then? Why should I take your opinion seriously?

    The reason I ask that is that I have worked in the closed source world for many, many years. FOSS enthusiasts often make statements like this and there seems to be precious little to back it up, except enthusiasm and ideology. My experience with closed source has been mainly positive. You see, closed source does not automatically mean 'no access to source code'.

    What I have seen is real world, close up. Bugs? Yep, thousands of them! But that's a feature of both open and closed source. It's not enough to take one person's experience, preference or whatever, and extrapolate that to a metaphysical notion of good and evil.

    In order to be persuasive you need to quote some statistics, and not the cherry picked stuff either. Make it broadly based and neutral as to preferred outcome. Instead the best attempts I ever see is "FOSS app X has Y bugs/KLOC and Closed app M has N bugs/KLOC". Leaving the probability that these were the only available metrics (best explanation) or these were chosen to make the outcome predetermined (worse, obviously).

    And here's the larger issue, IMO. FOSS is just a market forcing mechanism. FOSS accelerates the rate at which value added software (stuff for which you can charge money) becomes commodity and then finally public domain. FOSS has its own set of strengths and weaknesses and should be chosen (or not) based upon knowledge of those factors.

    Otherwise this is just FOSS champions issuing their own FUD. That's what this sounds like, right here in the comments. The OP asks an important question, in the face of multiple major stumbles by the FOSS world. Yet commenter after commenter keeps chanting "FOSS is better because I like the philosophy and can make unsubstantiated allegations of superiority!"

  89. Re: Really? by Anonymous Coward · · Score: 0

    > the home routers

    Since these crappy home routers running old firmware get pwned on a regular basis, I'd be careful about touting them as some kind of success story for Linux if I were you

  90. Oh, the naivety! by mdragan · · Score: 1

    "Security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work." If a company uses the work of "volunteers collaborating online" it should at least do some checks on that software, improve it, make it better, more secure and make sure it suits their needs. That's the difference from proprietary software where you buy it and then discover that it has a quirk that works against you or it has a security hole that you can't fix yourself, not even hire somebody to fix it. And companies, at least responsible ones, are doing this, of course. The author is just naive to think they don't. The simple fact is that with "open-source" there are more eyes looking for security holes and fixing them, including programmers employed by companies.

  91. open source helps by Anonymous Coward · · Score: 0

    When a problem is suspected, people will find the problem.

    In closed software, not so much.

    Case closed.

  92. That statement is just arrogant... by Anonymous Coward · · Score: 0

    If by "confidence" you mean piggybacking the FOSS community for years - then yeah, I'm all shaken... F that, it's just silly.

  93. Re:Really? by Opportunist · · Score: 1

    That's basically how it is. If you look at the attacks against online banking, you'll notice that the malware targets the users, not the bank. It's easier and more profitable. Getting a thousand bucks from a few thousand people beats grabbing a million in a bank heist.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  94. Confidence shaken? Not really. by stoatwblr · · Score: 1

    Open source is the poster child for bashing this week, but at least the holes are being fixed now that attention is focussed.

    The recent Windows-related NSA stories show what happens when bugs remain unpublished and can get widely exploited for years before being quietly fixed.

    "Many eyes" may not find bugs in a hurry if they're not looking, but when they finally focus on the code, things change rapidly - and the finding of these bugs often inspires other eyes to go check for the same thing in other code (which is how the ancient X bugs were found recently.)

    People repeatedly tell me that old code is safe and secure because it's old and therefore stable. My argument is that the only "safe" code is stuff which has been security audited and gets regularly security audited - and that most old stuff has never been properly checked because everyone assumes someone already did it.

  95. OSS will always be more secure than Proprietary by Anonymous Coward · · Score: 0

    No software is or will ever be bulletproof - so if you thought OSS promised that, then you're misguided.

    But in a world where eventually someone will find a hole in every piece of software - you're much better off with OSS.

    Any hack is simply going to be fixed faster with OSS.

  96. Re:Yes. Yes it is. by UnderCoverPenguin · · Score: 1

    My own corporate experience as a software developer, architect and VP is that security is taken very seriously by industry and a considerable amount of effort is expended on that very issue.

    I am glad you take your company's products' security seriously.

    Sadly, most of my clients only take their company security seriously. Product security, no. In one case, the client was so averse to implementing any security measures in the products that, when our customer dictated we had to use a particular CPU integrity test that required a random number generator and the project manager saw the name of the pseudo-random number generator I used, he exclaimed "What?!! You're putting encryption in the software?!! No!! No!! No!! We can NOT do that!!". I then assured him it was only a random number algorithm, not encryption.

    --
    Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr