Confidence Shaken In Open Source Security Idealism
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."
While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Amazing that this article is posted on the same day as 3 0-days for MS products.
One of which has been known for over a month, and will soon have a logo.
THL phish sticks
As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.
If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.
Stop-Prism.org: Opt Out of Surveillance
Not so. When there are articles about governmental offices switching whole-hog to open source software, that shows immediately that there is an awareness among the general public. When there is an article about one minister claiming open source software isn't working for his office and another minister countering that claim saying no one in the office has had an issue, there's a strong suggestion that there is an awareness of open source software. When an open source OS is advertised as being superior to a closed source competitor, there's absolutely going to be an awareness of open source and free software (Android vs iOS).
While this may still be professional click-bait, I think calling it trolling is, itself, putting the cart before the horse.
The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.
And let's also remember that corporate software has so many bugs and vulnerabilities that they had to schedule a MONTHLY day to fix them. Only to find yet more bugs so critically important that they broke their own rules well over 2 times to release out-of-cycle fixes.
OS will almost always beat corporate in terms of defects and response time. Anyone care to guess how many 'heartbleeds' currently exist in Windows code that we know nothing about?
People in cars cause accidents....accidents in cars cause people
I'm pretty sure i kan reed said he'd audit it.
This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and Everybody was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that because it was Everybody's job.
Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.
Really, why aren't there several open source auditing projects?
1. secure coding bootcamp,
2. throw them on a project to audit.
3. tracking of when last audited, by whom, and any findings.
You can't. But that's not the point at all.
But in one case one could, if one only wanted to, check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field, because it leaves you the freedom of choice. Be it contributing to retirement benefits or investing your money at your own discretion, or the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
Once you decide on closed source, you are
1. totally dependent on the manufacturer
2. without a chance to check yourself
3. unable to analyze whether the manufacturer has inserted some malicious code like a trapdoor, possibly on purpose
Now, where would be any advantage in using a system of closed source?
The key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". Software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.
So it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.
The solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. Find a way. Pick a project that's important or fundamental to your business, and PAY THEM.
And a competent windows admin still deals with viruses on their servers.
I was unaware that all the android phones, tablets, and devices as well as all the home routers, set top boxes, etc. were only managed by "IT professionals"
Some kids will become good and responsible coders, but not all kids. Some will be artists, musicians, mechanics, farmers, etc., and for the rest of the world that doesn't code, a heavy responsibility is placed on the FOSS community to do code reviews.
People don't compile at all. They download binaries, and they don't know the difference between an MD5, a SHA-x and a hole in the ground. Binaries therefore need special protection. Open Source doesn't mean anyone's actually looking at the code, and there needs to be peer review on critical components given with distros, but this isn't guaranteed to happen. Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.
---- Teach Peace. It's Cheaper Than War.
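The post above says binaries "need special protection" and that users don't know "the difference between an MD5, a SHA-x and a hole in the ground." The following is an added example, not code from the thread or from any project mentioned in it: it verifies a downloaded file against a SHA256SUMS-style manifest (the `digest  filename` format that `sha256sum` emits), refuses manifests that only carry MD5 or SHA-1, and compares digests in constant time. The binary bytes and manifest lines are constructed inline so it runs offline; the file name `tool-1.2.3-linux-amd64` is a made-up placeholder.

```python
"""Verify a downloaded artifact against a published digest manifest.
Added illustration for this thread; sample data below is constructed, not real."""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for a downloaded binary and the manifest that ships beside it.
SAMPLE_BINARY = b"\x7fELF constructed bytes standing in for a downloaded tool\n"
SAMPLE_MANIFEST = (
    "# SHA256SUMS (constructed example)\n"
    f"{hashlib.sha256(SAMPLE_BINARY).hexdigest()}  tool-1.2.3-linux-amd64\n"
    f"{hashlib.sha256(b'other').hexdigest()} *other-file.tar.gz\n"   # sha256sum -b style
)
# A manifest that only offers an MD5: the verifier must refuse it rather than "pass".
WEAK_MD5_MANIFEST = f"{hashlib.md5(SAMPLE_BINARY).hexdigest()}  tool-1.2.3-linux-amd64\n"

# Hex digest length -> algorithm. MD5/SHA-1 are recognised only so they can be rejected.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
ACCEPTED = {"sha256", "sha512"}


def parse_manifest(text):
    """Parse 'digest  name' / 'digest *name' lines into {name: (algo, digest)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")            # coreutils writes "  name" or " *name"
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = (algo, digest.lower())
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Stream the file through hashlib so large binaries don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, manifest_text, name=None):
    """Return (ok, reason). ok only when the manifest lists the file under an
    accepted algorithm and the digests match."""
    name = name or os.path.basename(path)
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, f"{name} is not listed in the manifest"
    algo, expected = entries[name]
    if algo not in ACCEPTED:
        return False, f"manifest only provides {algo}; refusing weak digest"
    actual = file_digest(path, algo)
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        return False, f"{algo} mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, f"{algo} matches"


def demo():
    """Good download, MD5-only manifest, and a tampered download: [True, False, False]."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.2.3-linux-amd64")
        with open(path, "wb") as f:
            f.write(SAMPLE_BINARY)
        results = [verify(path, SAMPLE_MANIFEST)[0], verify(path, WEAK_MD5_MANIFEST)[0]]
        with open(path, "ab") as f:
            f.write(b"tampered")               # simulate a swapped or corrupted binary
        results.append(verify(path, SAMPLE_MANIFEST)[0])
    return results


if __name__ == "__main__":
    for ok, reason in [verify(p, m) for p, m in []]:
        pass
    print(demo())
```

A matching digest only proves the file is the one the manifest describes. If the manifest was fetched over the same channel as the binary, an attacker who can swap one can swap both, so the manifest itself needs a signature from a key you already trust (for example a detached `.sig`/`.gpg` file checked with `gpg --verify`) before the digest check means anything.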
How did you fix them in minutes when it took several days for correct patches to come out, for entirely predictable reasons (laughable approach of trying to find and fix all bugs at once in a parser never designed to be secure, when the real issue is that it should never be being fed untrusted input)?
To my mind, that is the biggest failure of open source / free software in this case - 20+ yr old bug / insecure-feature in an obscure corner of a system never designed for today's threat environment - forgiveable - responsible disclosure, working with maintainers under embargo - good - publication along with a patch that was broken again within hours if not minutes - fail - everyone and his dog then panic-issuing further patches for one parser vulnerability after another before eventually someone (actually more than one different approach) fixes it properly the way it should have been done in the first place - spectacular fail
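The two comments above argue that the real fix for the Bash parser bug was never to feed it untrusted input in the first place. The following added example (not code from the thread, and not Bash's own fix) shows that approach at the boundary where Shellshock actually bit: a CGI-style front end that copies request headers into the environment before spawning a shell helper. Instead of passing the whole environment through, it builds a fresh one from an allowlist, drops any value that looks like an exported function body, and hands the untrusted header to the helper as a positional argument. The request headers and the allowlist are constructed for illustration; the helper script name and `sh` invocation are assumptions.

```python
"""Keep untrusted request data out of the environment of a spawned shell.
Added illustration for this thread; headers below are constructed, not captured."""
import os
import re
import subprocess

# Constructed request: one header carries a function-definition-shaped value.
CONSTRUCTED_HEADERS = {
    "User-Agent": "() { :; }; echo injected",
    "Host": "example.internal",
    "X-Forwarded-For": "203.0.113.7",
}

# Only these names may reach the child. Everything else, including HTTP_* variables
# built from headers, is dropped rather than sanitised.
ENV_ALLOWLIST = {"PATH", "LANG", "REQUEST_METHOD"}
SAFE_PATH = "/usr/bin:/bin"
FUNCTION_DEF = re.compile(r"^\s*\(\)\s*\{")   # the "() {" prefix Bash used for exported functions


def cgi_env(headers):
    """Mimic the CGI convention: header 'User-Agent' becomes HTTP_USER_AGENT."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def scrub_env(untrusted, allowlist=ENV_ALLOWLIST):
    """Return a new environment: allowlisted names only, a fixed PATH, and no values
    containing control characters or a function-definition prefix."""
    clean = {"PATH": SAFE_PATH}
    for name, value in untrusted.items():
        if name not in allowlist or name == "PATH":
            continue
        if FUNCTION_DEF.match(value) or any(ord(c) < 32 for c in value):
            continue
        clean[name] = value
    return clean


def run_helper(headers, script="printf 'ua=%s\\n' \"$1\""):
    """Spawn the helper with a scrubbed environment; the header value travels as $1,
    where the shell treats it as data, not as something to parse on startup."""
    env = scrub_env({**os.environ, **cgi_env(headers), "REQUEST_METHOD": "GET"})
    user_agent = headers.get("User-Agent", "")
    proc = subprocess.run(
        ["sh", "-c", script, "helper", user_agent],   # $0=helper, $1=user_agent
        env=env, capture_output=True, text=True, check=True,
    )
    return proc.stdout, env


if __name__ == "__main__":
    out, env = run_helper(CONSTRUCTED_HEADERS)
    print(sorted(env))   # no HTTP_* names reach the child
    print(out, end="")   # the header is echoed verbatim as data
```

This does not make the underlying parser bug go away; it removes the path by which an attacker could reach it, which is why it worked before the corrected upstream patches landed and keeps working against the parser bugs found afterwards.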
And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited; when an unknown exploit is exploited they take up to 30 days to release, and that still may not have everything fixed. So to put this in context, if Microsoft were the developers of Bash:
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)