Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

I don't buy it

[GameboyRMH]

Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

Re:I don't buy it

[Lilith's+Heart-shape]

Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.

Re:I don't buy it

[The+Ickle+Jones]

Corporations will definitely be re-evaluating the option of open-source after these two issues.

Maybe they should also avoid proprietary software, for similar reasons. That leaves them with... nothing. Oh, well, they can always pretend that perfect software exists.

Re:I don't buy it

[GameboyRMH]

Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

Re:I don't buy it

[ArhcAngel]

Big corp CIO's need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken on the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is in most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intentions of fixing. Unless the problems affects a large enough group most ISV's aren't going to lift a finger to correct it. At least with OSS even if the maintainers of a project dismiss your issue you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.

Re:I don't buy it

[postbigbang]

Try an energy link and go check CVEs using the string openssh for starters. Kernel? No. All the crap in the back? Oh, yeah.

Re:I don't buy it

[Opportunist]

...and 2 days after it got known.

The main difference between OSS and CSS is that in OSS you can actually find the security holes. In CSS, all you can do is hope that the vendor finds them, or at least cares enough to look for them in the first place.

Re:I don't buy it

[TemporalBeing]

I didn't say MS was better, I said the bash response was poor, and the poster I replied to couldn't possibly have had fixes in place within minutes as claimed.

I'm just pointing out that however poor the Bash devs response was, Microsoft's would have been worse.

Oh, and in your argument "up to 30 days" suddenly becomes "taken 30 days" - actually if bugs come in uniformly distributed in the 30 day cycle then average would be 15 days, or lower since sometimes they do go out-of-band.

Actually, my comment regarding "taken 30 days" for Microsoft is well founded in their historical turn-around for CVEs that they have acknowledged as being fixed. With a rare exception, they don't deliver any patches in under 30 days; and even 30 days is being gracious as it's usually more like 6 months so I'm already putting them on their own expedited schedule for such fixes.

Again, pointing out that however poor the Bash devs response was, Microsoft's at it best is worse.

Plus, the second (and third and fourth and so on) patches are only needed if the first (and second and third.,.) one is inadequate and not properly tested.

If the numerous people reviewing Bash, from multiple companies, and disciplines didn't find the issue with the first patch, then how would Microsoft with a far more limited set of people looking at the code be able to get the same kind of patch correct the first time and get all the corner cases figured out and fixed before releasing the first patch?

I'm not saying the Bash devs had 1 million eyes on this; but they certainly had a few hundred if not a thousand or so in total. Microsoft's equivalent group probably is no greater than 50 devs at best, likely smaller; and probably no where near the cross-discipinary skill set match either.

So if the Bash guys had to do a second patch (or even a third, etc) to fix it; chances are Microsoft would have had to have at least as many patches too.

Maybe MS are just as bad at that too, but the developers of Bash were certainly not good at it.

Agreed - kinda. The main point of the origin of this thread (article?) was that F/LOSS software could not deal as well as proprietary software; that somehow the proprietary vendors could do better with these kinds of bugs - both catching them and responding to them.

My point, is that based on its history - documented in numerous articles over the years - Microsoft is a prime example of showing that's not the case. That proprietary vendor's own policies and procedures prevent them from delivering anywhere near as good a turn around.

But here's the kicker - there is a similar exploit for cmd.exe. It's yet to be patched. ;-)
here's an example: https://twitter.com/FioraAeter...
(And yes, I've seen it from other sources, just don't have those links right now.)

Cart before the horse.

[jedidiah]

All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

Re:Cart before the horse.

[i+kan+reed]

On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

Obviously, as a developer, I know that security flaws are just another way to make mistakes, but once you know about heartbleed, how can you assume nothing else of similar scale has been found by nefarious actors?

Re:Cart before the horse.

[FuzzyDustBall]

On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference from security Between open source and closed source is attitude towards the product, In closed source there is incentives to hide issues, where in open source there are very few.

The source is there, just read it

The schematics for cars are available, just review them to make sure there's no structural or design flaws.
The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.

The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

Yes, it really is so different.

[ysth]

Yes, it really is so different.

With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

Re:Yes, it really is so different.

[ljw1004]

Yes, it really is so different.

With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

Why do you submit that?

I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.

How many patches did MS push down today for IE?

[schwit1]

And this makes how many?

Yes. Yes it is.

As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

Vojjne.

Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.

There is no magic alternative that is better than open.

Re:perfect timing.

AC because modding. My experience (as unpaid maintainer of friends and family computers) is that the new breed of Apple users are the most inept and clueless of all of them; believing that Apple is 'secure' they click away at phishing emails, visit websites that they have been warned have been pwned and generally abdicate all responsibility for their own security. That Nigeriean Prince only cares that they have a Mac because it means they probably have more he can steal from them.

Damn good thing Windows has no holes!

[swschrad]

yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.

"...if it's in the news, don't worry about it."

[trawg]

I think some of Schneier's words apply here:

"I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."

If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.

If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?