Slashdot Mirror
Confidence Shaken In Open Source Security Idealism
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."
While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.
"When information is power, privacy is freedom" - Jah-Wren Ryel
All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.
This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.
A Pirate and a Puritan look the same on a balance sheet.
I think it's nice to know about a security flaw and that the community usually has a fix for it fairly quickly.
Corporations probably have an equal amount of security flaws but since it is private it is not usually given as much publicity and sometimes it takes months for companies to make a fix.
amazing this article is posted on the same day as 3 0days for MS products.
one of which has been known for over a month, and will soon have a logo.
THL phish sticks
and is that really so different than leaving it to a corporation with closed source?
Yes its very different, since ANYONE can chose to do it. Just because most people don't understand something doesn't mean the information shouldn't be available to them to learn and evaluate.
The schematics for cars are available, just review them to make sure there's no structural or design flaws.
The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.
The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.
Yes, it really is so different.
With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.
And this makes how many?
Heartbleed & Shellshock have impacted for-profit companies quite significantly. I don't have an objection to them using opensource within the boundaries of the license but should THEY not be vetting before rolling it into a commercial product?
No one company has to do it all alone - it can be done through a team effort & foundation, just like OpenStack.
Pain is merely failure leaving the body
Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.
With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.
Last time I checked, the general public was pretty ignorant about just about everything related to computers outside of checking their email and viewing the latest cat pictures on reddit.
I'd rather consult a magic 8 ball than the general public.
Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.
There is no magic alternative that is better than open.
If the public thinks that closed source is any safer, then people are dumber than I thought.
I think when it comes to security related projects, like security libraries, that are used all over the place, we should demand higher quality code and better design and code practices, like those of OpenBSD. We should not compromise on quality when it comes to this kind of stuff. Do it correctly or don't do it at all.
As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.
If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.
Stop-Prism.org: Opt Out of Surveillance
The strength of open source just depends on how active the project is. Some companies open source their code as a business model and many Fortune 500 companies have developers focused solely on open source projects. That said, most projects are developed by a small handful, working after hours.
I think the exacerbating issue is so many use open source technologies and the more they are used the more issues you'll find.
I'd be surprised if a random member of the public could even define what free software is. They'd probably think it's connected to the cost of the software rather than its freedom giving properties.
That said, I think that the view that with enough eyes all bugs are shallow is false. Given that bash is used in millions and millions of servers and the bug took decades to root out, we must think of a better way to get eyes on the code.
The whole stack needs a line by line review by security experts. That will cost tens if not hundreds of millions of dollars but my view is that it's probably worth it. Then we have to make sure all changes get reviewed in the same way.
The result of this process would be a super-hardened version of OpenBSD. It would come with a nice fat government certification and if you want to do business with the government, you have to use that distro.
That might rub people up the wrong way but I think that's what's ultimately going to happen eventually. A lot of this infrastructure is so critical to the modern economy that we can't just run any old code anymore.
The difference between Open Source and Closed source is not the number of bugs and flaws... the numbers of bugs and flaws are likely equal. The difference is the number of bugs that were found and fixed. Just as many problems exist and are as equally dangerous in closed source software. The differences is that because it's closed, they remain there, undiscovered by the general public, for a very very long time.
All of these discoveries should be celebrated. They are examples of Open source working as it should.
Nobody claims there are no vulnerabilities in open source code. But I bet you'd see some interesting differences if you compare the time between when an open-source vulnerability is reported and when it is fixed to the same interval for a commercial, closed source alternative, you'd see that known vulnerabilities exist for a much shorter time in a well-supported open source product. No, I don't have any source to back that up, just my experience with how long known vulnerabilities go unpatched in Windows, Adobe products, etc.
The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.
Look, people in the USA are more worried about Ebola, an infinitesimal risk, than are worried about getting a polio shot (we're losing herd immunity in major cities right now) or a flu shot (which WILL kill thousands of people this year).
I'm not that concerned that "the public" is worried about Open Source, as most of the people polled think it means "open sores".
-- Tigger warning: This post may contain tiggers! --
as opposed to the commercial software with a EULA 30 pages long which essentially says the same thing but without access to the source for your own review
Ill disagree, I still believe it is because Windows is far less secure.
Linux == 98% of all super computers (Top 500 List)
Linux/Android == 74% of all Mobile devices (Gartner)
Linux/Android == 61.9% of all Tablets (Gartner)
Linux == 78% of all internet Servers (Security Tech)
Linux == 28% of mainframes (Gartner)
Linux Desktops == 1.65% (From Gartner as the total number of systems shipped with Linux pre-installed) up to 20% depending on the source.
That is not even getting into all the routers and smart switches, embedded devices, etc.
Open source and Linux make a very large target with lots of high profile targets. I am surprised that there are not more exploits and the simple lack of viruses should be proof enough that linux is far more secure.
Somebody saw something weird, looked at the code analyzed the logic, found the bug, reported it, and it was fixed.
Nobody said those thousand eyes would find bugs instantly.
>> is that really so different than leaving it to a corporation with closed source?"
Yes its COMPLETELY different.
Can there be exploitable bugs in open source? Of course. That remains true for all software, open or not. It is incredibly naive to imagine that anyone could effectively predict every potential future use of any product, especially a complex system.
Not only are exploits less likely in opensource in the first place (beacuse of the larger numbers of eyes looking at the code) but detection is faster (same reason) and also patches are released very quickly in community projects. For comparison look at Microsofts ongoing track record on even consciously leaving known exploits unpatched, in comparison to the speed that patches for Heartbleed and Shellshock got pushed out.
Furthermore unlike closed source, it is very unlikely that there could be anything added to an opensource project that is intentionally malicious or even morally questionable, and then remain undetected for long. Apart from anything else, It would be too easy to see which user put it there and make that information public.
Free software is about ideology. About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point. Much like freedom of speech: it's important even if I never say or write anything and it doesn't make everyone Shakespeare either.
Posted from my Windows computer btw; I think there is value in software freedom, but I use what best meets my current needs and wants, and encourage others to do so too.
I'm pretty sure i kan reed said he'd audit it.
This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and Everybody was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that because it was Everybody's job.
Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done
Really, why aren't there several open source auditing projects?
1. secure coding bootcamp,
2. throw them on a project to audit.
3. tracking of when last audited, by whom, and any findings.
"While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it."
Examples?
Usually, when developers abandon a project they'll post it on github and leave it up to the fans to continue the development.
"As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
Yeah, it's completely different by every imaginable degree.
the key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.
so it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.
the solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. find a way. pick a project that's important or fundamental to your business, and PAY THEM.
"Closed" software also has lots or more security problems, and then you do not have the source to look at and fix it. This article is a troll.
yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Being open-source is what allowed these flaws to become publicly exposed. This article assumes that this is a 100% bad thing. The better question is how many closed-source security holes exist and are being actively exploited that we don't know about?
Hackers have shaken the free-software movement that once symbolized the Web’s idealism.
And then fails to provide any real evidence that this is true. It should take strong evidence to reach the conclusion that an entire "movement" has been "shaken" to the point that it has lost its symbolic meaning. I skimmed the rest of the article, but the authors pretty much lost me after that bit of nonsense.
People (both good and bad) have been finding flaws in open source software for decades. No one in the "movement" was surprised or "shaken" to hear about a few new discoveries. These bugs earned extra attention because of the ubiquity of the software, but still -- nobody has ever said that open source software is somehow, magically, bug free. The "idealism" is that a) people can actually find the bugs by looking at the source rather than reverse engineering; and b) once a bug is found, anyone is free to modify the code to fix it, rather than waiting on a business to decide that it merits patching, perhaps weeks or months later. And, as far as I could tell, this all worked very well with the "Shellshock" vulnerabilities. The bugs were found, and the patches were written and released not long after.
I think some of Schneier's words apply here:
"I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."
If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.
If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?
And a competent windows admin still deals with viruses on their servers.
I was unaware that all the android phones, tablets, and devices as well as all the home routers, set top boxes, etc. were only managed by "IT professionals"
Whether you trust the community or trust a closed vendor, you're still trusting that they got it right and/or haven't been compromised by moles working for crooks or governments. The bottom line is you should assume any easily accessible security software is compromised and build multilayer security around the asset you want protected. At least with open software you can audit it yourself or have it audited by someone you do trust. Closed? forget it, unless you're a government.
you are full of shit, the important stuff is not on windows and the infrastructure of the internet is not built using window
With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed.
Excuse me for saying that I find all these platitudes less than reassuring.
The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.
Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves, with Fox undertaking the work as an employee of FSF. Fox released Bash as a beta, version .99, on June 7, 1989 and remained the primary maintainer until sometime between mid-1992 and mid-1994, when he was laid off from FSF.
A security hole in Bash dubbed Shellshock, dating from version 1.03, was discovered in early September 2014.
Bash (Unix Shell)
Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.
Shellshock (software bug)
A 25 year old bug with the potential to do enormous damage.
In the UNIX shell in almost universal use by *NIX professionals, and a spate-no-expense project conceived and funded by the FSF.
A big difference is probably that with open source you know you don't have glaring issues like a mail client that checks all incoming and outgoing emails for specific keywords, then sends a report to Microsoft and the NSA if any of those keywords are used. It's not that both open source and proprietary can't both have subtle bugs, of course they can. If an open source project such as say Apache decided to start sending tracking data to Apache.org, we'd all know about it before the version was even released, and we'd chop that "feature" right out immediately.
Secondly, fixes are much, much faster, and in high-impact cases the fixes tend to be of much higher quality due to the number of people studying the problem and suggesting fixes. Microsoft publicly acknowledged a problem with IE in 1998. In 2012, they released a half-fix. Florian released the shellshock fix that most people use within 24 hours. Over the next couple of days, many smart people looked at and proposed and released other methods of addressing it, and after a few days it was decided to use Florian's original fix.
As ESR famously said (but with context this time):
given enough eyeballs, all bugs are shallow. More formally: Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.
The fix, the proper fix, is likely to be clear to someone when you have perhaps thousands of people looking at an issue like shellshock or heartbleed. The possible solutions are discussed and a solid solution is generally released within hours to days. Contrast that with Microsoft repeatedly needing to publish more patches to fix problems caused their last patch, which they released to fix problems in an earlier patch.
Just substitute "general public" here with "widespread notion", and try to focus in discussion on essential message of the post.
Servant of karma
There were two high profile security flaws in Open Source software that garnered a lot of news attention. Once the vulnerabilities were noticed the community quickly moved to patch them. How is this worse than proprietary software developers who pray that no one exploits their dodgy code until they have the business will and manpower to patch the bugs? Or perhaps we should turn to our proprietary secure software paragons: Apple, Microsoft, Oracle, Flash to provide secure alternatives to Open Source software....oh wait.
"There are lies, there are damn lies, and there are statistics"
Specifically, anti-vaxxers.
"If so many people refuse to get vaccinated, herd immunity can't work. So why bother?"
"Because if all you voluntary natural selection candidates want to kill yourselves, my own vaccination will at least partially protect me."
Open Source at least offers the opportunity to protect yourself, to the extent of your own skill and effort. Which is the most anyone can realistically expect in this world. I have no intentions of allowing my fate to rest entirely at the tender mercy of people who think they know better than me.
Welcome to the Panopticon. Used to be a prison, now it's your home.
As ESR famously said (but with context this time):
given enough eyeballs, all bugs are shallow.
Addendum: Of course, it might take 20 years for anyone to notice, because everyone is assuming that someone else is looking at it, but whatever.
Wow.. confidence shaken by vu-vu-vulnerabilities huh?
Article is nothing more than talking points from someone who knows nothing about the industry and only read about the 2 vulnerabilities in the news.
They might as well have stopped a person in the street and asked "Sir/Madam, if your livelihood depended on computers, and said computers had a vulnerability, could it possibly affect you in a negative way? Yes?"
It's a story! Rush to print!
before its anywhere near close Windows security failures over the years.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Yes, the advantage of open source is that good actors can read the code and find and fix security flaws. The disadvantage is that bad actors can also read the code and find and exploit security flaws. One would hope good actors would outweigh the bad ones, but my fear that that governments and organized crime have become bad and worse actors in a big way. Even when a particular flaw is fixed, we all know that there are still flaws to be found and exploited in any big software project, and nowadays the big-time software exploiters have the budgets and the manpower to take advantage.
That said, that doesn't mean closed-source is any better (a different tradeoff), but it would be foolish to think that open-source software is not being exploited for its open-source properties.
Yes, that quote talks about once a problem is noticed, the right solution will be clear if many people look at the problem.
It says nothing about positive or negative about how subtle bugs might be or when they'll be found. The answer to that question largely depends on the architecture of the code and the style, whether side-effects are common. Linus prefers kernel functions to be no more than a few lines long. If a function is three lines, you can pretty easily see if it's correct or not. A function that's 200 lines long probably has a bug that you wouldn't see easily. That's true regardless of the license the code is under.
For example Android userland doesn't give you much access to anything but the app store. They aren't managed as general use computing devices.
What does that even mean? Any Android user can download and install an application from anywhere, not just from an app store.
The reality is that doing security audits and code reviews are boring. Unless you have someone who is really dedicated and knows their stuff taking on the task for an open source project, or someone paying a team to do it (TrueCrypt/VeraCrypt), it's not going to happen. In theory corporations are paying their staff so it should happen, but in reality corporations are likely to push such reviews way down the priority list because they cost money. Spending money is bad to a corporation, m'kay?
Personally I've never believed in the "many eyeballs" approach because even when porting an open source project to a new release of an OS or a custom distribution, I only learn the bare surface of the code -- enough to get the port running. I most certainly do not do an in-depth learning and understanding of the code being ported.
As a result, the only one who does any sort of real review is usually the original developer -- the person(s) least likely to see the flaws in their work that are caused by misunderstandings and erroneous assumptions -- because they don't know any different than they did when writing the code in the first place!
I do not fail; I succeed at finding out what does not work.
Yes, but all those high profile targets also don't suffer from being "administrated" (I'll use that term loosely here) by Joe Randomsurfer.
Super computers: Not only are few of them readily accessibly via internet, they usually reside behind atomic-bomb-grade firewalls and are administrated by people whose net worth is more or less directly tied to that super computer's well being.
Android Phone/Tablets: Give it time, the malware writers are only just getting into the mobile market. But they're already pretty efficient, you have to give them that.
Internet Servers/Mainframes: While not as well administrated as the aforementioned supercomputers, we're still a far cry from their admins being idiots who think TCP is the acronym for the Chinese Secret Service.
Linux Desktops: Yes, even they usually have users that don't fall for the dancing pigs.
In a nutshell, Linux as the "geek system" has turned into a self fulfilling prophecy. It's still rarely used by people who have neither some decent computer skills nor some relative who does.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Sadly, virus writers do work that way. Virus writing is a business. Nothing more, nothing less. Yes, there is the occasional hobbyist who wants to prove something, but most malware today is simply trying to steal money or identity.
And with this goal, it is simply more profitable to target MS systems. Few Linux servers are ever being for online banking or buying stuff with a credit card.
And while, yes, a Linux server connected to a 100mbit line would be interesting to get, e.g. for spamming purposes, getting 100 MS machines with 1mbit each is even better. And easier to infect, too.
What makes MS systems attractive to a malware criminal is that they are more numerous and more likely to be "administrated" by a computer illiterate who is easier to trick into clicking or starting something.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In open source you'd probably just add something along the lines of
/* Yeah, I know it ain't pretty. If you don't like it, improve it. */
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I don't really feel like the open source community is "ready" to talk about what security means.
It's nice that communities found these issues, but if I was in organized crime I'd be not only following this, but looking for exploits. Which should be a lot easier given the code. Looking for lesser projects vs even the big boys and going after that.
Do a search for "QA" in open source and the results are a little eye opening...in that you won't see much. I think in general open source projects need to actively find help and have their code scanned and analyzed more.
I believe open source can be far more secure and possibly already is, but just flat out denials of any issues in our communities is just being complacent.
Open source has security issues does not equal go back to closed source, but it does mean we have work to do to get better.
The general public? Please. The general public is a mass of ignorant people. If you want to find the IQ of a group of random people, take the dumbest person and divide by the number of legs. I.e. the more people you get, the stupider they are.
Need proof? Just take any reaction to any "sky-is-falling" information they ever got. From 9/11 to Ebola, the reaction is blind panic. You want to use THAT mass of idiots to gauge the sensibility of something esotheric like a coding paradigm?
Please.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yeah, it might be true that Linux servers are more secure than windows servers, or win desktop, but X comes from an age where people didn't care about per-app isolation, but about per-user isolation. X is, in security terms, broken.
Examples, citations, personal experience. What's special about open source that prevents its maintainers from doing the same thing?
It's technically possible, but another advantage for free software is that you can fix the problems yourself or hire others to do it, and even fork the project if necessary. You don't have to wait for some company to do it.
Yes, a company producing closed-source software can do this behind hidden doors, but doesn't mean they fall into this paradigm of laziness.
No, but the secrecy certainly helps keep things out of the spotlight.
You just never find out about it. It takes an open source developer to write a heartbleed-style bug, and some jackass at a company to attach a CGI shell script to a web server. I seem to recall the web server very specifically says never to do that. I've worked at companies from mom and pop shops to IBM and have never seen security as a priority for any commercial entity. Except that one time, auditing software at Data General for their B2 secure UNIX, which IBM acquired and decommissioned a year or so after I left the company.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The main difference is that you aren't leaving the trust to the open-source community. You can, but you don't have to. If you're affected by a problem, you have the option of legally fixing the problem yourself if it's that critical for you. You can discuss the problem with others without risking a vendor's legal department jumping down your throat. You can test your systems to determine whether they're vulnerable (eg. Debian-based Linux systems weren't normally affected by the recent bash bug even though the bug existed on them because of the way Debian configured their shells). Ultimately you've got options you just don't have with closed-source software.
And think about this. How many problems of a similar severity have we seen in closed-source software? And how many of those have the vendors known about for years and deliberately left in place because fixing them would involve admitting they existed and cause PR problems? It seems to me that open-source software still has a much better track record when it comes to these issues than closed-source software by a wide margin.
With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining
If security holes didn't have economic consequences, that'd be true. And I don't mean incident-related costs because the EULA got the almost watertight covered there, but no doubt bad press about zero day bugs hurt their sales and bottom line. If it becomes common and grave enough it also becomes a brand and reputation problem which costs a lot for marketing to tackle. When Blaster and Slammer was all over the news they implemented the firewall. When malware exploited that everyone runs as admin they implemented UAC. When malware corrupted the boot process they came up with Secure Boot, of course throwing a wrench in easy Linux booting was bonus.
They'll put as much effort into it as it pays off rather than dealing with the fallout. Of course they'll cover up and downplay all that they can as damage control regardless, but they're still interested in avoiding it altogether. As long as it doesn't clash with other money making attributes like convenience, in early UAC they dialed it up too high. Now a watered down version is in Windows 7 and few complain anymore. Patch Tuesday is such a convenience, not for security but for IT staff managing Microsoft machines. The downside of 24x7 patching is that all Linux admin must keep up and having them just roll out automatically without testing could get nasty.
Basically, Microsoft takes take blame for whatever happens before patch Tuesday. IT staff can plan for a monthly test and patching session, in between they have it easy unless there's an emergency patch and then everyone knows you "must" do it because it's an emergency. Microsoft is big enough to just absorb the blame because if 0,001% of their customers is mad at them it doesn't really matter. The CIO can point to the company following best practices regarding Microsoft products. All the blame gets neatly passed around and defused, unlike the CIO having to defend their home grown solution where bits and pieces were cobbled together with open source and the only support was themselves so all the blame stays in-house. It might not work better for the system, but it works better for the people in the system.
Live today, because you never know what tomorrow brings
And a competent windows admin still deals with viruses on their servers.
Are you sure?
"First they came for the slanderers and i said nothing."
And a competent windows admin still deals with viruses on their servers.
No, they don't.
"Security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work." If a company uses the work of "volunteers collaborating online" it should at least do some checks on that software, improve it, make it better, more secure and make sure it suits their needs. That's the difference from proprietary software where you buy it and then discover that it has a quirk that works against you or it has a security hole that you can't fix yourself, not even hire somebody to fix it. And companies, at least responsible ones, are doing this, of course. The author is just naive to think they don't. The simple fact is that with "open-source" there are more eyes looking for security holes and fixing them, including programmers employed by companies.
That's basically how it is. If you look at the attacks against online banking, you'll notice that the malware targets the users, not the bank. It's easier and more profitable. Getting a thousand bucks from a few thousand people beats grabbing a million in a bank heist.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Opensource is the posterkid for bashing this week, but at least the holes are being fixed now that attention is focussed.
The recent windows-related NSA stories show what happens when bugs remain unpublished and can get widely exploited for years before being quietly fixed.
"Many eyes" may not find bugs in a hurry if they're not looking, but when they finally focus on the code, things change rapidly - and the finding of these bugs often inspires other eyes to go check for the same thing in other code (which is how the ancient X bugs were found recently.)
People repeatedly tell me that old code is safe and secure because it's old and therefore stable. My argument is that the only "safe" code is stuff which has been security audited and gets regularly security audited - and that most old stuff has never been properly checked because everyone assumes someone already did it.
My own corporate experience as a software developer, architect and VP is that security is taken very seriously by industry and a considerable amount of effort is expended on that very issue.
I am glad you take your company's products' security seriously.
Sadly, most of my clients only take their company security seriously. Product security, no. In one case, the client was so averse to implementing any security measures in the products that, when our customer dictated we had to use a particular CPU integrity test that required a random number generator, when the project manager saw the name of the psuedo-random number generator I used, he exclaimed "What?!! You're putting encryption in the software?!! No!! No!! No!! We can NOT do that!!". I then assured him it was only a random number algorithm, not encryption.
Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr