Confidence Shaken In Open Source Security Idealism
iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."
While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Amazing that this article is posted on the same day as three 0-days for MS products, one of which has been known for over a month and will soon have a logo.
THL phish sticks
The schematics for cars are available, just review them to make sure there's no structural or design flaws.
The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
The texts of the laws are available, just review them to make sure there are no conflicts with constitutional rights and other laws.
The point is, get off your high horse; not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.
Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.
With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.
As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?
Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.
If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.
Stop-Prism.org: Opt Out of Surveillance
On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference in security between open source and closed source is attitude towards the product. In closed source there are incentives to hide issues, whereas in open source there are very few.
You can't. But that's not the point at all.
But in one case one could, if one wanted, check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field, because it leaves you the freedom of choice. Be it contributing to retirement benefits or investing your money at your own discretion, or the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
Once you decide for closed source, you are:
1. totally dependent on the manufacturer
2. without a chance to check yourself
3. unable to analyze if the manufacturer has inserted some malicious code like a trapdoor, eventually on purpose
Now, where would be any advantage in using a system of closed source?
Yes, it really is so different.
With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.
Why do you submit that?
I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.
What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.
I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.