Slashdot Mirror


Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

6 of 265 comments

  1. Re:Really? by Anon-Admin · · Score: 3, Informative

    I'll disagree, I still believe it is because Windows is far less secure.

    Linux == 98% of all super computers (Top 500 List)
    Linux/Android == 74% of all Mobile devices (Gartner)
    Linux/Android == 61.9% of all Tablets (Gartner)
    Linux == 78% of all internet Servers (Security Tech)
    Linux == 28% of mainframes (Gartner)
    Linux Desktops == 1.65% (From Gartner as the total number of systems shipped with Linux pre-installed) up to 20% depending on the source.

    That is not even getting into all the routers and smart switches, embedded devices, etc.

    Open source and Linux make a very large target with lots of high profile targets. I am surprised that there are not more exploits, and the simple lack of viruses should be proof enough that Linux is far more secure.

  2. Re: I don't buy it by BarbaraHudson · · Score: 5, Informative

    The article makes the claim with absolutely no statistics to back it up. The public knows more about Kim Kardashian and Ebola than open source security flaws. Sounds like the writer has been taking lessons from Florida Muttonhead.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.

  3. Re:Open Source in commercial products by spitzak · · Score: 4, Informative

    No, bash was NOT working as expected.

    The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.

    The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

    I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...
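
The mechanism spitzak describes, as an added example that is not part of the thread and not bash's own code: a POSIX sh script (helper names are ours, and it assumes a bash binary is on PATH) that reproduces the intended feature of passing a function definition through the environment, shows the variable name bash itself uses when it exports a function, and runs the classic probe for the Shellshock hole (CVE-2014-6271), where bash kept parsing and executing whatever followed the function's closing brace.

```shell
#!/bin/sh
# Added example, not code from the thread or from bash itself.
# Reproduces (1) the intended bash feature of passing a function definition
# through the environment, (2) the variable name bash uses when it exports a
# function, and (3) the classic probe for the Shellshock hole (CVE-2014-6271),
# where bash kept parsing and executing text after the function's closing brace.
# Helper names are ours; the script assumes a bash binary is on PATH.

have_bash() {
    command -v bash >/dev/null 2>&1
}

# (1) Intended feature. Patched bash only imports variables named
# BASH_FUNC_name%% (the namespaced form); older bash imported any variable
# whose value began with "() {".
import_function_demo() {
    have_bash || { echo "no-bash"; return 0; }
    out=$(env 'BASH_FUNC_greet%%=() { echo imported; }' bash -c 'greet' 2>/dev/null) || out=""
    if [ "$out" = "imported" ]; then
        echo "modern"
        return 0
    fi
    out=$(env 'greet=() { echo imported; }' bash -c 'greet' 2>/dev/null) || out=""
    if [ "$out" = "imported" ]; then
        echo "legacy"
        return 0
    fi
    echo "none"
}

# (2) How bash itself names an exported function: ask a child bash to define
# and export one, then read the environment it builds for its children.
exported_function_name() {
    have_bash || { echo "no-bash"; return 0; }
    bash -c 'greet() { echo imported; }; export -f greet; env' 2>/dev/null \
        | awk -F= '$1 ~ /^(BASH_FUNC_)?greet/ { print $1; exit }'
}

# (3) The hole. The value is a complete, harmless function followed by a
# trailing command. Vulnerable bash ran "echo VULNERABLE" while importing
# the variable at startup, before "echo test" was ever executed.
shellshock_check() {
    have_bash || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null) || out=""
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone usage:
echo "function import:     $(import_function_demo)"
echo "exported as:         $(exported_function_name)"
echo "CVE-2014-6271 probe: $(shellshock_check)"
```

On a fixed bash the probe prints "patched", the legacy `greet=() { ... }` form is ignored, and the exported name carries the `BASH_FUNC_` prefix; on an unfixed bash the trailing `echo VULNERABLE` runs before the `-c` command does, which is exactly the behaviour the function-import code never intended.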

  4. Re:Damn good thing Windows has no holes! by GameboyRMH · · Score: 1, Informative

    The MS salesmen actually use the threat of spies coding on open source projects as a scare tactic. Unironically.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  5. Re:I don't buy it by Anonymous Coward · · Score: 4, Informative

    Actually, I can't remember the last Linux zero-day bug.

    Linux has certainly had a number of security bugs that existed for many years and could have been exploited for privilege escalation and unauthorized access to machines:
    5-year-old privilege escalation bug
    8-year-old privilege escalation bug
    14-year-old sigreturn bug

    Now you could take the dismissive, naive approach and say these don't matter and weren't exploited simply because you didn't hear about it in any well-publicized, poorly-executed attack, but how many more of these ancient (and recent) vulnerabilities exist in the Linux kernel, unfixed and unbeknownst to the maintainers? There could be none (unlikely), there could be many (much more likely), and as the kernel gets more and more complex and more and more bloated with kernel-mode drivers in the source tree, it becomes even more likely that security vulnerabilities will be incorporated and go unnoticed.

    NB: I'm not discussing this in the context of Linux Vs something else or Open Vs Closed, just that the Linux kernel is no more secure than any other software.

  6. Re:I don't buy it by UnknownSoldier · · Score: 4, Informative

    > http://www.phoronix.com/

    Please don't link to Phoronix garbage -- all they care about is linking to themselves instead of actually linking to the source
    i.e.

    * https://lkml.org/lkml/2010/9/1... Linux 2.6.36-rc4
    * https://lkml.org/lkml/2010/9/2... Linux 2.6.36-rc5 <-- alpha: fix a 14 years old bug in sigreturn tracing