Confidence Shaken In Open Source Security Idealism
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."
While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.
"When information is power, privacy is freedom" - Jah-Wren Ryel
All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due to the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.
This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.
A Pirate and a Puritan look the same on a balance sheet.
amazing this article is posted on the same day as 3 0days for MS products.
one of which has been known for over a month, and will soon have a logo.
THL phish sticks
The schematics for cars are available, just review them to make sure there's no structural or design flaws.
The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.
The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.
Yes, it really is so different.
With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.
Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.
With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.
Last time I checked, the general public was pretty ignorant about just about everything related to computers outside of checking their email and viewing the latest cat pictures on reddit.
I'd rather consult a magic 8 ball than the general public.
Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.
There is no magic alternative that is better than open.
Heartbleed and Shellshock show that nothing is really free.
Those bugs would have been found long ago if big companies had put resources into FOSS.
OpenSSL was used by everyone but had less than 20 active devs and a super skimpy budget.
Bash? When was the last build of Bash before Shellshock?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.
If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.
Stop-Prism.org: Opt Out of Surveillance
I'd be surprised if a random member of the public could even define what free software is. They'd probably think it's connected to the cost of the software rather than its freedom giving properties.
That said, I think that the view that with enough eyes all bugs are shallow is false. Given that bash is used in millions and millions of servers and the bug took decades to root out, we must think of a better way to get eyes on the code.
The whole stack needs a line by line review by security experts. That will cost tens if not hundreds of millions of dollars but my view is that it's probably worth it. Then we have to make sure all changes get reviewed in the same way.
The result of this process would be a super-hardened version of OpenBSD. It would come with a nice fat government certification and if you want to do business with the government, you have to use that distro.
That might rub people up the wrong way but I think that's what's ultimately going to happen eventually. A lot of this infrastructure is so critical to the modern economy that we can't just run any old code anymore.
The difference between Open Source and Closed source is not the number of bugs and flaws... the numbers of bugs and flaws are likely equal. The difference is the number of bugs that were found and fixed. Just as many problems exist and are as equally dangerous in closed source software. The difference is that because it's closed, they remain there, undiscovered by the general public, for a very very long time.
All of these discoveries should be celebrated. They are examples of Open source working as it should.
The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.
Look, people in the USA are more worried about Ebola, an infinitesimal risk, than are worried about getting a polio shot (we're losing herd immunity in major cities right now) or a flu shot (which WILL kill thousands of people this year).
I'm not that concerned that "the public" is worried about Open Source, as most of the people polled think it means "open sores".
-- Tigger warning: This post may contain tiggers! --
I'll disagree, I still believe it is because Windows is far less secure.
Linux == 98% of all super computers (Top 500 List)
Linux/Android == 74% of all Mobile devices (Gartner)
Linux/Android == 61.9% of all Tablets (Gartner)
Linux == 78% of all internet Servers (Security Tech)
Linux == 28% of mainframes (Gartner)
Linux Desktops == 1.65% (From Gartner as the total number of systems shipped with Linux pre-installed) up to 20% depending on the source.
That is not even getting into all the routers and smart switches, embedded devices, etc.
Open source and Linux make a very large target with lots of high profile targets. I am surprised that there are not more exploits and the simple lack of viruses should be proof enough that Linux is far more secure.
Free software is about ideology. About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point. Much like freedom of speech: it's important even if I never say or write anything and it doesn't make everyone Shakespeare either.
Posted from my Windows computer btw; I think there is value in software freedom, but I use what best meets my current needs and wants, and encourage others to do so too.
I'm pretty sure i kan reed said he'd audit it.
This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and Everybody was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that because it was Everybody's job.
Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
It ended up that Everybody blamed Somebody when Nobody did what Anybody could have done.
Really, why aren't there several open source auditing projects?
1. secure coding bootcamp,
2. throw them on a project to audit.
3. tracking of when last audited, by whom, and any findings.
No, bash was NOT working as expected.
The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.
The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.
I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...
the key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.
so it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.
the solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. find a way. pick a project that's important or fundamental to your business, and PAY THEM.
yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.
if this is supposed to be a new economy, how come they still want my old fashioned money?
It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environment variables were assigned from a trusted source.
Nope. It was a bug. While it was the intention that bash would "import" function definitions from env vars, it was *never* the intention that it would directly and without confirmation execute any commands *following* the function definitions in the env vars.
So yes, a serious bug.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
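The behaviour the two comments above are arguing about (bash importing a function definition from an environment variable versus bash also executing whatever follows the closing brace) can be checked directly. The following is an added example, not code from the thread or from the bash project: it wraps the widely circulated Shellshock probe in a function so the outcome comes back as a single word, and alongside it runs the legitimate function-export feature that the vulnerable code was meant to implement. It assumes a `bash` binary on PATH; the function names and the classifier are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): probe the installed bash for the
# Shellshock behaviour (CVE-2014-6271) and show the intended function-import
# feature still working on a patched bash. Assumes "bash" is on PATH.

# Classify the captured output of the probe. The child command always prints
# "this is a test"; "vulnerable" appears only if bash executed the command
# trailing the function definition while importing it from the environment.
classify_probe_output() {
    case "$1" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;   # e.g. no bash binary available
    esac
}

# The classic probe: an environment variable whose value starts with "() {"
# and carries an extra command after the closing brace. A vulnerable bash
# runs that command at startup, before the -c command is even looked at.
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null) || out=""
    classify_probe_output "$out"
}

# The feature the code was actually for: export a shell function so that a
# child bash imports it and can call it. Prints "hello world" on any bash,
# patched or not; a patched bash just uses a dedicated variable name for it.
function_export_demo() {
    bash -c 'greet() { echo "hello $1"; }; export -f greet; bash -c "greet world"' 2>/dev/null
}

echo "shellshock probe: $(shellshock_probe)"
echo "function export:  $(function_export_demo)"
```

On a patched system the first line reads `patched` and the second `hello world`, which is the whole point of the "it was a bug" side: the fix removed the execution of trailing commands without removing function import.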
I think some of Schneier's words apply here:
"I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."
If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.
If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?
And a competent windows admin still deals with viruses on their servers.
I was unaware that all the android phones, tablets, and devices as well as all the home routers, set top boxes, etc. were only managed by "IT professionals"
With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed.
Excuse me for saying that I find all these platitudes less than reassuring.
The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.
Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves, with Fox undertaking the work as an employee of FSF. Fox released Bash as a beta, version .99, on June 7, 1989 and remained the primary maintainer until sometime between mid-1992 and mid-1994, when he was laid off from FSF.
A security hole in Bash dubbed Shellshock, dating from version 1.03, was discovered in early September 2014.
Bash (Unix Shell)
Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.
Shellshock (software bug)
A 25 year old bug with the potential to do enormous damage.
In the UNIX shell in almost universal use by *NIX professionals, and a spare-no-expense project conceived and funded by the FSF.
The general public? Please. The general public is a mass of ignorant people. If you want to find the IQ of a group of random people, take the dumbest person and divide by the number of legs. I.e. the more people you get, the stupider they are.
Need proof? Just take any reaction to any "sky-is-falling" information they ever got. From 9/11 to Ebola, the reaction is blind panic. You want to use THAT mass of idiots to gauge the sensibility of something esoteric like a coding paradigm?
Please.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.