Slashdot Mirror


Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

26 of 265 comments

  1. I don't buy it by GameboyRMH · · Score: 5, Insightful

    Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:I don't buy it by Lilith's Heart-shape · · Score: 5, Insightful

      Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.

    2. Re: I don't buy it by BarbaraHudson · · Score: 5, Informative

      The article makes the claim with absolutely no statistics to back it up. The public knows more about Kim Kardashian and Ebola than open source security flaws. Sounds like the writer has been taking lessons from Florida Muttonhead.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:I don't buy it by The Ickle Jones · · Score: 5, Insightful

      Corporations will definitely be re-evaluating the option of open-source after these two issues.

      Maybe they should also avoid proprietary software, for similar reasons. That leaves them with... nothing. Oh, well, they can always pretend that perfect software exists.

    4. Re:I don't buy it by GameboyRMH · · Score: 5, Insightful

      Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:I don't buy it by ArhcAngel · · Score: 5, Insightful

      Big corp CIOs need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is for the most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intention of fixing. Unless the problem affects a large enough group, most ISVs aren't going to lift a finger to correct it. At least with OSS, even if the maintainers of a project dismiss your issue, you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    6. Re:I don't buy it by postbigbang · · Score: 4, Insightful

      Try an energy link and go check CVEs using the string openssh for starters. Kernel? No. All the crap in the back? Oh, yeah.

      --
      ---- Teach Peace. It's Cheaper Than War.
    7. Re:I don't buy it by Opportunist · · Score: 4, Insightful

      ...and 2 days after it got known.

      The main difference between OSS and CSS is that in OSS you can actually find the security holes. In CSS, all you can do is hope that the vendor finds them, or at least cares enough to look for them in the first place.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:I don't buy it by Anonymous Coward · · Score: 4, Informative

      > Actually, I can't remember the last Linux zero-day bug.

      Linux has certainly had a number of security bugs that existed for many years and could have been exploited for privilege escalation and unauthorized access to machines:

      * 5-year-old privilege escalation bug
      * 8-year-old privilege escalation bug
      * 14-year-old sigreturn bug

      Now you could take the dismissive, naive approach and say these don't matter and weren't exploited simply because you didn't hear about it in any well-publicized, poorly-executed attack, but how many more of these ancient (and recent) vulnerabilities exist in the Linux kernel, unfixed and unbeknownst to the maintainers? There could be none (unlikely), there could be many (much more likely), and as the kernel gets more and more complex and more and more bloated with kernel-mode drivers in the source tree, it becomes even more likely that security vulnerabilities will be incorporated and go unnoticed.

      NB: I'm not discussing this in the context of Linux Vs something else or Open Vs Closed, just that the Linux kernel is no more secure than any other software.

    9. Re:I don't buy it by UnknownSoldier · · Score: 4, Informative

      > http://www.phoronix.com/

      Please don't link to Phoronix garbage -- all they care about is linking to themselves instead of actually linking to the source
      i.e.

      * https://lkml.org/lkml/2010/9/1... Linux 2.6.36-rc4
      * https://lkml.org/lkml/2010/9/2... Linux 2.6.36-rc5 <-- alpha: fix a 14 years old bug in sigreturn tracing

  2. Cart before the horse. by jedidiah · · Score: 4, Insightful

    All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due to the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

    This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

    --
    A Pirate and a Puritan look the same on a balance sheet.
    1. Re:Cart before the horse. by i kan reed · · Score: 4, Insightful

      On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

      Obviously, as a developer, I know that security flaws are just another way to make mistakes, but once you know about heartbleed, how can you assume nothing else of similar scale has been found by nefarious actors?

    2. Re:Cart before the horse. by Cabriel · · Score: 4, Interesting

      Not so. When there are articles about governmental offices switching whole-hog to open source software, that shows immediately that there is an awareness among the general public. When there is an article about one minister claiming open source software isn't working for his office and another minister countering that claim saying no one in the office has had an issue, there's a strong suggestion that there is an awareness of open source software. When an open source OS is advertised as being superior to a closed source competitor, there's absolutely going to be an awareness of open source and free software (Android vs iOS).

      While this may still be professional click-bait, I think calling it trolling is, itself, putting the cart before the horse.

    3. Re:Cart before the horse. by pixelpusher220 · · Score: 4, Interesting

      And let's also remember that corporate software has so many, many bugs and vulnerabilities that they had to schedule a MONTHLY day to do them. Only to find yet more bugs so critically important that they broke their own rules well more than 2 times to release out-of-cycle fixes.

      OS will almost always beat corporate in terms of defects and response time. Anyone care to guess how many 'heartbleeds' currently exist in Windows code that we know nothing about?

      --
      People in cars cause accidents....accidents in cars cause people :-D
    4. Re:Cart before the horse. by FuzzyDustBall · · Score: 5, Insightful

      On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference in security between open source and closed source is attitude towards the product. In closed source there are incentives to hide issues, whereas in open source there are very few.

    5. Re:Cart before the horse. by udippel · · Score: 5, Interesting

      You can't. But that's not the point at all.
      But in one case one could, if only one wanted, check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field, because it leaves you the freedom of choice. Be it contributing to retirement benefits or investing your money at your own discretion, the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
      Once you decide for closed source, you are
      1. totally dependent on the manufacturer
      2. without a chance to check yourself
      3. unable to analyze if the manufacturer has inserted some malicious code like a trapdoor, eventually on purpose
      Now, where would be any advantage in using a system of closed source?

  3. perfect timing. by gandhi_2 · · Score: 5, Interesting

    Amazing this article is posted on the same day as 3 0days for MS products.
    One of which has been known for over a month, and will soon have a logo.

    1. Re:perfect timing. by fustakrakich · · Score: 4, Funny

      It's why a lot of people switched to Apple.

      Boy, are they in for a surprise!

      --
      “He’s not deformed, he’s just drunk!”
  4. The source is there, just read it by Anonymous Coward · · Score: 5, Insightful

    The schematics for cars are available, just review them to make sure there's no structural or design flaws.
    The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
    The texts of the laws are available, just review them to make sure there are no conflicts with constitutional rights and other laws.

    The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

  5. Yes, it really is so different. by ysth · · Score: 4, Insightful

    Yes, it really is so different.

    With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

    1. Re:Yes, it really is so different. by ljw1004 · · Score: 5, Insightful

      > Yes, it really is so different.
      >
      > With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

      Why do you submit that?

      I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

      What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

      I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.

  6. Yes. Yes it is. by Anonymous Coward · · Score: 5, Insightful

    > As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

    Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

  7. Vojjne. by Anonymous Coward · · Score: 4, Insightful

    Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.

    There is no magic alternative that is better than open.

  8. Open Source is More Easily Auditable by Bob9113 · · Score: 5, Interesting

    > As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

    Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.

    If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.

  9. Re:Open Source in commercial products by spitzak · · Score: 4, Informative

    No, bash was NOT working as expected.

    The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.

    The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

    I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...
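    The function-import shape spitzak describes above (a value beginning with "() {" that carries extra text after the body's closing brace) is something a web front end or log monitor can check for before a value ever reaches a shell. The following is an added example, not code from this thread or from the bash project: a small Python detector that classifies environment-variable values as plain, a well-formed exported function, or a definition with trailing text. The variable names and sample values are constructed for the demonstration.

```python
"""Detect bash exported-function values that carry trailing text.

Added example (not from the Slashdot thread or the bash project).
Inspects values that a CGI-style front end would hand to bash as
environment variables and flags the Shellshock shape: the value starts
with "() {" (bash's exported-function marker) and something follows the
closing brace of the function body. Pre-fix bash parsed the definition
and went on to execute that trailing text at startup; a well-formed
export has nothing after the brace.
"""
import re

# bash recognised a function import by this prefix (whitespace tolerated).
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def classify_env_value(value: str) -> str:
    """Return 'plain', 'function' or 'trailing_payload'.

    'plain'            - not an exported-function definition at all
    'function'         - "() { ... }" with nothing after the closing brace
    'trailing_payload' - text follows the closing brace, or the body is
                         never closed (treated as suspicious as well)
    Brace matching is a simple depth count that ignores quoting; for a
    detector that would rather over-report than miss, that is acceptable.
    """
    m = FUNC_PREFIX.match(value)
    if not m:
        return "plain"
    depth = 1
    i = m.end()
    while i < len(value) and depth > 0:
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
        i += 1
    if depth != 0:
        return "trailing_payload"
    return "trailing_payload" if value[i:].strip() else "function"


def scan_environment(env: dict) -> list:
    """Return (name, verdict) for every variable that is not plain."""
    findings = []
    for name, value in env.items():
        verdict = classify_env_value(value)
        if verdict != "plain":
            findings.append((name, verdict))
    return findings


# Constructed sample of the environment a CGI handler might build from
# request headers; the User-Agent value is a harmless stand-in payload.
SAMPLE_ENV = {
    "HTTP_HOST": "www.example.test",
    "HTTP_USER_AGENT": "() { :; }; echo trailing-text",
    "greet": "() { echo hello; }",  # legitimate exported function
    "QUERY_STRING": "a=1&b=2",
}

if __name__ == "__main__":
    for name, verdict in scan_environment(SAMPLE_ENV):
        print(f"{name}: {verdict}")
```

Run on the constructed sample it reports HTTP_USER_AGENT as trailing_payload and greet as a plain function definition; the fixed bash releases additionally stopped importing functions from arbitrarily named variables, so a check like this is a defence-in-depth measure at the request boundary rather than a replacement for patching.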

  10. Damn good thing Windows has no holes! by swschrad · · Score: 4, Insightful

    Yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?