2014: The Year We Learned How Vulnerable Third-Party Code Libraries Are
jfruh writes Heartbleed, Shellshock, Poodle — all high-profile vulnerabilities in widely used libraries that rocked the software industry in 2014. Sadly, experts are now beginning to believe that these aren't the only bugs lurking out there in widely used open source code, just the ones that grabbed the most attention. It's beginning to look like one of the foundation concepts of open source — that with enough eyes, all bugs are shallow — is a myth. Of course, probably no one believes that all bugs are instantly shallow, no matter how open the source is, or that open source software is immune from bugs -- particularly ESR, coiner of the phrase.
Good luck with your "Free Internet" campaign without open source.
There are two other things that should in theory make open source more secure:
1) Security through obscurity is clearly avoided
2) I don't have to be (or hire) an expert in security to use a secure library. I can use the same one as everyone else.
The phrase might be true, but we're seeing the effects of insufficient eyes. In reality, how many sets of eyes are actually reviewing these libraries at a source code level? I rather strongly suspect that in most cases they are simply used under the assumption that "well, everyone uses it, it must be okay".
Shellshock did not affect a "library", but an executable.
Open source, closed source, they have the same problem: 1 vulnerability is now shared across every app that uses that library
So why do we use libraries in the first place if they are so flawed? They cut delivery time and maintenance costs down by a huge chunk
In context, rolling your own code to do the same work seems preferable, but its vulnerabilities are limited to YOUR codebase and YOU gotta fix it (versus an army of OSS people who are shitting their pants that their library is in the news again)
So yeah, despite the problems I'll stick with OSS libraries
The big news is that people are now thinking that bugs in software are big news.
My magic 8 ball tells me that in 2015 we will learn that proprietary and embedded software is even more vulnerable. My Tarot Card deck tells me that we will see a lot of hacked car wrecks in 2015, now that Volvo released the demon by putting a web browser into an in-dash system. The rest of the lemmings are sure to follow. Not that you really need a browser to pwn a car, with Bluetooth-to-CAN-BUS exploits shutting down cars demonstrated as early as 2012.
You're pretty fairly assuming that closed source software is bug-ridden crap capable of gross economic damage. Like OpenSSL. Because open sores suffers from amateur hour and people harping on many eyes but never fucking looking at a line of code, so that must be the case for everything else, too.
Let me tell you about my zombie carpenter friend. You can't see him or measure his effect on the world, but he pretty much owns humanity. Trust me, I have a github account.
I don't know anyone that ever thought "Open source" was bug free. The point is that people can more easily find and fix bugs with open source. With closed source, there could be some obvious and dangerous mistakes in the code but no-one but those with access to the source will know it exists. It's then up to whomever owns the source to decide if it's profitable enough to fix it. The problem with that system is there are people with access to the source... People come and go from every company on earth every day. So they're finding these vulnerabilities, and leaving the company with them. They can sell these to whomever they wish if they so choose. The NSA and others like them probably have all the major players broken so they can view the source as well. The point being that closed source is only closed to YOU. With open source, you can look at the code yourself, and if you see a bug the general community doesn't think is a big deal and doesn't want to fix... if it's in fact a big deal to you, you can go right ahead and fix it yourself.
It's just an exaggeration. The principle is still true though - open source is (potentially) exposed to many more prying eyes, and its bugs are therefore (potentially) more likely to be found.
Whether it's OpenSSL or Windows APIs, hackers are looking at every possible vector to attack systems. To be honest with ourselves, the software engineering community has to realize that security must be given the same priority as any other code quality metric. While we may not be able to test for every possible vector, there should be a standard set of vulnerability tests that every organization should be able to run before releasing code. Likewise, regression tests need to be exercised prior to any subsequent release of the system. I also think that software engineers need to be more objective with themselves and to think more along the lines of how their frameworks/systems could be attacked. Of course that's never going to solve the insider problem as far as attack vectors are concerned, but it should go a long way in addressing these kinds of problems.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Is that with FOSS, decent developers can fix bugs and keep moving on a deadline. We found an oversight in Apache Storm's HDFS integration that affected us, but not most users. So I patched it and sent it along. Had it been an Oracle product, not an Apache product, it would never have happened on a timeline acceptable to our schedule.
Security bugs? I like to throw this one out there at people who think big companies cannot unleash epic stupid on their paying customers that makes even most 0.0.1 projects on GitHub look production-ready.
In the cases that were software defects, the defect was rapidly fixed upon discovery. That's really the meaning of all bugs being shallow, not that they won't ever exist.
That said, POODLE is not a code defect, but a defect in the standard (well, except the bit where an implementation skips validation of the pad). Shellshock was indeed a grave defect, but I think a correct takeaway there is to avoid having a shell language be in the path where untrusted data could be injected as much as possible (as well as fixing it). A fair amount of noise has been made in some circles along the lines of 'told you so, open source is riskier than proprietary', though in the same time frame we've seen Apple's implementation have 'goto fail' and Microsoft's SChannel has also had at least one recent issue.
The short of it is code is not magic. If code is taken for granted, it will be neglected (whether OpenSSL or some boring proprietary function well out of view of marketing concerns). Neglect in security centric libraries is particularly dangerous. In this case, I think Heartbleed panic was the proverbial tide to rise all boats, causing investment across the industry in scrutinizing all TLS stacks.
XML is like violence. If it doesn't solve the problem, use more.
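The post above argues for keeping a shell language out of the path that untrusted data travels. As an added example (not code from the thread or from any project it names), here is that pattern in Python: the child is executed from an argument vector, never a command string, and its environment is rebuilt rather than inherited, so request-derived values do not ride along uninvited. The child program, the UNTRUSTED_ prefix and the sample strings are this example's own assumptions.

```python
"""Keeping a shell out of the path of untrusted data (added example)."""
import shlex
import subprocess
import sys

# Environment handed to every child: rebuilt from scratch rather than inherited,
# so variables derived from a request (the CGI pattern that made Shellshock
# reachable over the network) are never present unless we put them there.
BASE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def child_env(untrusted=None):
    """Build a child environment; untrusted values get a fixed prefix so they
    can never shadow PATH, LD_PRELOAD or any other variable the child trusts."""
    env = dict(BASE_ENV)
    for name, value in (untrusted or {}).items():
        if not name.isidentifier():
            raise ValueError(f"refusing unsafe environment name: {name!r}")
        env["UNTRUSTED_" + name.upper()] = value
    return env


def run_direct(argv, untrusted_env=None, timeout=10):
    """Execute argv directly (argument vector, no shell).

    Because no shell parses the command line, $(...), backticks, ';' and
    variable expansions inside untrusted arguments are inert: the child sees
    them as literal bytes. shell=True is deliberately not an option here.
    """
    if isinstance(argv, str):
        raise TypeError("pass an argument list, never a command string")
    return subprocess.run(
        argv, env=child_env(untrusted_env), capture_output=True,
        text=True, timeout=timeout, check=False,
    )


def echo_literal(untrusted):
    """Round-trip an untrusted string through a child process and return what
    the child actually received. The child is this interpreter (an assumption
    of the example; any non-shell binary would do), so it runs anywhere."""
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", untrusted]
    return run_direct(child).stdout


def log_line(argv):
    """When a command must be written out as one line (for logs, or the rare
    case where a shell really is unavoidable), quote each argument so the line
    re-parses to the same vector; the quoting is shlex's, not ad hoc."""
    return shlex.join(argv)


if __name__ == "__main__":
    sample = "$(date) && $HOME; `uname`"   # constructed input, not from the thread
    print(repr(echo_literal(sample)))      # the metacharacters come back verbatim
    print(log_line(["printf", "%s", sample]))
```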
People who hate open source say that it is inherently insecure because it is open source. They actually tell me that security by obscurity is real and good. (That's why there are so many Windows exploits, right?)
All software has bugs, open or closed source. People move on to other projects and mature code gets ignored unless there is a problem or enhancement. It's not unique to open source. Open source developers can and I'm sure many do write and test their code with the same level of professionalism as closed code.
For me free/open source software is the only option. Transparency breeds honesty. You'll never see spyware in open source code because you can't easily hide it. In closed software we pretty much have to assume almost all of it is designed to send your data to a server on the Internet somewhere, especially software written by large American companies that can be forced to put such things in their products. I'm thinking Microsoft, Apple, Cisco, etc. You can hide bugs in open source code (like heartbleed), but not things that connect to a server on the Internet and send it lists of files from your hard drive, location data, passwords, keyloggers, etc.
Check out what LG "Smart TVs" do:
http://doctorbeet.blogspot.ca/2013/11/lg-smart-tvs-logging-usb-filenames-and.html
You are wrong, each and every person connected to the internet is an open source user. Open source is first and foremost used on the planet; your email for example isn't routed around the globe by Microsoft Exchange servers, nor global DNS done by Active Directory servers.
The hundreds of thousands of bug reports submitted and successfully used to patch open source prove you are blathering about a process you don't understand.
You also are a moron with no understanding of how your computing world works.
The quality of open source software is kind of crusty these days. No matter how open it is, making stuff work properly should be priority number one.
For example, try to adjust the display brightness of a laptop under Mint or Ubuntu. It goes in multiple steps because there are multiple listeners for the adjustment event. Even basic stuff like this does not work properly.
Open-source does not make code automatically bug-free. No more than using a safe-malloc-library does, or deploying DEP on your executable, or ASLR, or coding only in a language that's considered "secure".
What it does is allow certain types of security problems to be POTENTIALLY spotted. It's a +1 on the score, not a game winner. And it doesn't mean that proprietary is -1, either. It just means that you are so confident in the quality of your code, you can show people that by opening it up.
What gets me about proprietary software is not that they choose to do it so their rivals can't copy (a bogus argument in any country that properly enforces licensing agreements, which is why you can get a peek at MS code if you have a need to), but that they are SO ASHAMED of their code they don't want you to see it.
The 3DFX card drivers, for decades, basically allowed complete DMA access to all of RAM. It was that easy. But nobody could spot it because nobody could see the 3DFX code. You don't get that in open-source drivers and the SECOND it's spotted, by anyone, it will get fixed. That's the difference - the reaction. When we found these problems, they were urgently fixed immediately. When we find problems in proprietary code, it can be (as recent articles state) known for 90 days or more without anyone bothering to even look at them.
Open-source isn't security. But it's like saying to a guy, at a security conference, "Here, I'm so confident in my gadget, that I'll let you play with it". Sure, he might break it, he might compromise it live in front of all your customers. But in a technology sector concerned with SECURITY, not profits, that's actually exactly what you want and the perfect impetus to keep improving so that next week you can do the same again, and again, and again until you've ironed out most of the bugs. You'll NEVER get them all.
But the confidence to do that is critical. I've been at tech conferences for my sector where suppliers hand out products and, in the space of a few minutes, I point out massive flaws and problems with them. They soon stop handing them out for people like me to play with. That's not the attitude to have when it comes to security, but I understand why a business would do that.
It's not the be-all-and-end-all but it's a nice thing that does not hurt to do. Those that don't understand this do not have security uppermost in their mind, only one-upmanship, and "my OS is better than yours" crap.
In security, and cryptography especially, giving your enemy the source is a show of bravado and confidence. It's like the old backup adage. If you're so confident in your backups, high-availability, failover, etc. then why are you not prepared to let me take an axe to your primary server? If I was in charge of a large company and my IT guy assured me the disaster recovery was so easy and already-in-place, I might well choose to say "Yes... go on. Take an axe to it.", if nothing else than to see their reaction and see the plan kick into place.
Passing that test would cement your place on my team for a long while. Failing or chickening out of it might well mean I test it more regularly and keep a close eye on you.
Open-source doesn't have automatic properties. But it's a checkmark in your favour if you're claiming to write software well that millions of people might choose to use.
I don't know anyone that ever thought "Open source" was bug free.
Every FOSS fanatic on Slashdot for the last 17 years has implied that bugs would be found and fixed FAST - not linger for years.
The point is that people can more easily find and fix bugs with open source.
They could but do they? Nope.
ESR's claim has nothing to do with the frequency or discovery of bugs. All he says is that given enough observers, bugs are quickly characterized. It is implied that any given bug has already been discovered. There is no benevolent cohort of experts continuously auditing code bases and his statement doesn't claim there is.
Lurking at the bottom of the gravity well, getting old
Kook detected. Are you the same guy that rants about the international space station?
(esp. with the title) In 2014, with all that panic, we saw/learnt that professionals (admins, programmers, huge companies, etc.) use open-source code irresponsibly. Also, 2014 taught us that when someone gives us candy, we'd better double check it before we consume it.
I've been telling everyone who will listen: this is why I use OpenBSD. In this day and age they are the only ones I can tell take security very seriously. I don't understand why the big commercial Linux distros don't do some of the things OpenBSD has done. Why make it so easy for malicious parties? These days even Windows seems to be doing a better job than Apple/Linux on the security front.
Apk hits opensores idiots with truth and all they have is downmods to hide it as usual? Yes.
An open source project can have as few as just one set. There are some projects that nobody other than the developer ever contributes to. Just one guy occasionally working on some little project that some people use. Though all those people COULD look at the code, they don't.
Likewise commercial firms can, and sometimes do, pay many people to look at the code. In addition to having a big development staff they can have dedicated QA staffs. They can have a person, or many people, whose job it is literally to sit and look over the code for security issues every single day.
You are buying in to the same fallacy that the article is talking about: that because something is open it just means that more people MUST be looking at it. No, it means people can look at it, but they may choose not to.
Apk hit opensores idiots w/ truth & best they've got's downmods again here to hide it as usual? Yes.
Exactly. Saying bugs are shallow doesn't mean they don't exist. Shallow vs deep refers to how much effort it takes to characterize and fix - is it a "hard" bug or an "easy" one. Wikipedia explains it well:
As the Heartbleed bug shows, even shallow bugs may persist in important pieces of open software — it took two years for the bug to be discovered, and the OpenSSL library containing it is used by millions of servers. Raymond said that in the case of Heartbleed, "there weren't any eyeballs".
When it was discovered that there was a problem, many eyeballs started looking at it and it didn't take long (hours) for someone to clearly identify the problem and the solution.
In contrast, there is code at my workplace that only I look at. There are intermittent problems that have persisted for MONTHS. I'm just not seeing quite what the cause is. If 1,000 other programmers looked at it, one of them would probably spot the problem right away. It would be shallow _to_them_.
Bash bug? Found, and then partially patched in 6 hours, fully fixed in 18 hours. That's Shallow. The Heartbleed bug warning came immediately after the new version of the software along with a description of the problem and how the new software fixes it. Likewise the "Poodle Bug" was in an old version of the software that was fixed. The problem then isn't with the open source model. It's not with the software. It's with inept fools who are told "don't touch the hot stove" and then touch the hot stove. They refuse to update their software, and then when bugs show up that are fixed in newer versions of the software and it causes them problems, they complain. It's like "I didn't put on my seat belt and then when I crashed the car I flew through the windshield". And they are complaining about flying through the windshield. Cause and effect. Study it.
Beg to differ troll: Apk's truths = correct since all you have's downmods vs. his posts here. Poor showing boys!
How well does OpenSSL compare to other open source SSL libraries out there?
I think the Mozilla browser uses its own homegrown SSL library NSS. How well does this compare to OpenSSL?
And I have heard others have forked OpenSSL to clean up its mess, such as, the OpenBSD Project forking OpenSSL as LibreSSL?
Has anyone noticed that there are now astronomically more OSS users now? The number of OSS users is also growing at an exponential pace.
What we should expect with those stats is that there should be more cracks and bugs in OSS due to the higher percentage of people programming/using it.
Also, as the value of OSS increases to the market and more information is handled by OSS, there is more incentive for old vested interests to search for the downside as a form of marketing. We never heard about all those MS Windows security deficits until years after the fact. Well after they had been exploited by the NSA.
It's interesting that SO FEW bugs have caused issues in OSS considering the scale of that ecosystem.
There is also more incentive for companies protecting turf to pay OSS project insiders to plant exploits as a way to undermine that.
It's better to rely on 'Repairable By Design' than 'Defective by Design' .
Corporations like Apple and Google have been making their billions by exploiting open source, without giving much back. These bugs were in libraries that corporations built their businesses on, and lurked while the corporations made their money. Billions of dollars later, these understaffed and underfunded projects still had the bugs, and instant karma got the corporations for a change when the exploits started coming. Shows us a lesson in how vulnerable to exploitation open source is, and big corporations wouldn't have it any other way.
3) Port to multiple architectures (and OS's) to catch bugs not reported by the original build environment. This is one of the approaches OpenBSD uses to improve security and was quite common in the open source software world when ESR coined the phrase.
The OpenBSD team found one very long lasting (30+ years) bug in the legacy BSD code when the Sparc64 build barfed.
A Shadeless room is a brighter room.
2014: The Year We Learned How Vulnerable Third-Party Code Libraries Are
Really? Like we did not know before?
I don't think anyone in the industry who is both sane and honest ever pretended that FOSS was bug-free.
We know that software, ALL software, contains bugs.
Also, plenty of projects don't have too many contributors, so the "many eyes" principle hardly applies.
But if you've got the source at least you can have a look (and really should, if you are considering using something for a mission-critical application).
Then fix, if required, and contribute back.
Certainly, vulnerabilities in FOSS stuff tend to get fixed pretty quickly when found.
So everyone can see bogus downmods applied to a truth by apk http://linux.slashdot.org/comm... that the open sores losers can't handle and have to downmod to hide it (we all see it anyhow).
You mean 3rd party code is not failproof? Who'd know, right?
You seem so sure of yourself but yet you post as Anonymous? Who has no balls?
You just posted ac. Hypocrite much? No wonder apk outsmarts you idiots constantly. He's got more smarts than you all do and you can't stand it when he just tells it how it really is.
Companies (corporations like Cisco and their Linksys products) who benefit from open source OS's and applications should, maybe, I don't know, contribute more to the open source community to find and fix bugs. But of course not, leave it to the little guy to do all the work while the big guy reaps all the benefits. We all know corporations are in fact the biggest welfare queens on this planet, with the majority of them paying 2% in taxes and taking in 5 - 10% in tax returns including subsidies. And yes, Red Hat does contribute some but it's mostly for the benefit of their products. I wouldn't be surprised if MS implemented Docker code into the kernel of the next release of their server OS.
This is why we will never have the Linux desktop of the year. This is why we will always have heat issues with laptops. Fuck all those hardware manufacturers who benefit from open source and still don't release either open source or closed source drivers for Linux, BSD.
Apk hits opensores idiots with truth and all they have is downmods to hide it as usual? Yes.
Apk hits gullible slashtards with best trolls & the laughter NEVER ENDS? Yes... apk
Maw! Fire up the karma burner!
Looks the other way around. Apk's got us laughing at you fools bigtime!
Go away apk.
From the perspective of most IT customers, bugs are bugs regardless of closed or open source. They still rely on other people to find them, patch them and release changes.
Companies who rely on open source libraries may or may not have the ability or spare resources to go digging through the code of a library, finding a security issue, writing a patch for it, recompiling the library, then using that patched copy in production. Companies in the 'service provider' realm may be able to do this, simply because they are staffed appropriately and have a greater IT focus. I do IT work for airline customers. Airlines want as little to do with IT as possible, even though it's a key part of their business... it's not directly related to the surprisingly low-margin business of moving people and planes. I would never advise a customer to roll their own Linux distribution, for example, even if it was based on a commercial one. There's just no appetite for keeping things maintained in a business that doesn't live and breathe technology.
The problem is that, increasingly, even closed source vendors are relying on open source libraries to provide large blocks of their application's functionality. A company who doesn't write operating systems generally shouldn't try rewriting these very important pieces, of course, but the closed source companies providing applications that use open source libraries need to be on top of these issues and ideally contribute back their patches.
Whether closed or open source, companies need to be able to respond quickly to security problems, and those problems may end up getting traced back to something like OpenSSL, the Apache stack, etc. Open source has the advantage of "more eyes" looking at the code for vulnerabilities, and less commercial pressure. Closed source companies have the opportunity to provide (usually at a cost) the expertise and support necessary to find and fix a customer problem. I've had both awful and good experiences with both trying to get bugs resolved. If you pay for it, and the closed source vendor has good support, they will move heaven and earth to fix your problem. For non-technology companies, closed source or support-funded open source companies like Red Hat give internal IT teams a good boundary between them and "the vendor" as well as someone to call when they have done their homework and find they can't fix something. For the Googles, Facebooks and maybe some academic institutions, the internal IT department can be staffed with kernel hackers and the like to maintain their own highly-optimized implementations. Techies tend to forget that users and companies have very little desire to mess around with technology, and use it to get their work done.
shoving every whiz-bang feature into the systems, whether they need them or not. Open source, at a minimum, should have a dedicated part of the development cycle dedicated to code auditing, and bug fixes. We don't need every new "feature" someone can imagine, that can't wait another few months.
I'm not apk and I see him kicking the shit out of you all. Your downmods prove him right again.
So there were a few high-profile security flaws found in important open source software recently. So what? People are talking almost as though this somehow proved that open source is not superior or maybe even inferior to closed source software.
It isn't like there has never been a high-profile security problem in important closed source software. Nor is it likely there will not be others in the future.
Here is an awfully safe prediction... in the future there will be more high-profile security bugs found in open source software AND in closed source software too.
Certainly the age of the code that caused these bugs is reason for concern. Hopefully lessons are being learned and improvements being made. But to even try to make a comparison between open and closed source software regarding security? Good luck with that.
How can you possibly count the number of zero day exploits in either? By definition you don't know that they are there! At least with open source if you really care you can do something about it.
Sure, there are more, but what was demonstrated is that there weren't enough. You're looking at open source's superiority over proprietary software and getting smug, but that's a pitifully low bar.
We're using the Internet, where things are exposed to the world. Being "more secure" than Windows or OS X isn't good enough. Those things aren't the competition. The competition is this idea: don't do it. Or don't do it on the Internet. If many-eyes isn't a sufficiently-good tech, then the best tech is to not use tech. I don't know about you, but I'm not too happy with that sort of outcome. I want things, and I want to tell my people "yes, we can do this." I just don't want to do them wrong (i.e. insecurely) or have been wrong when I told someone we could do it. All our reputations are on the line.
On cellphones, PCs and servers COMBINED, OSS wins. Oh, and I forgot TVs and toasters. But it was nice anyway, thank you.
Maybe you can catch up with game consoles.
http://news.netcraft.com/archives/category/web-server-survey/
What is up with this article? What about closed-source apps like IIS or Windows, with tons and tons of vulnerabilities found (and some fixed) every week? Because there have been a very small handful in some high-profile open-source projects means open source doesn't work?
That's the stupidest thing I've ever heard. If anything, because those bugs were found and fixed shows that open source DOES work. If they were closed products, those bugs may likely still exist and No Such Agency may likely still be exploiting them. Not to mention all the back-doors they force into closed-source software, which is harder to do with open source in the first place.
The point is, for something to be secure you have to be able to audit it. In the open source world, you can do this. In the closed source world, you have 0 ability to confirm that something is secure, you are just taking a salesperson's word for it. THAT is lack of security awareness.
Wrong, those devices are connected to the internet where open source rules.
I'm older than IBM mainframes, boy. You have not been in the field longer than me.
Please tell us (since we're about bugs here): How much is android showing issues? TONS (nearly daily) - how's those "all those eyes" doing there too??
ANDROID's a LINUX too, morons...
(Man - you're ALL ridiculously EASY to outsmart, every single time...)
Thus, I've GOTTA say it, as per my usual "inimitable style":
THIS?
This was just "too, Too, TOO EASY - just '2ez'" as always vs. 1/2-witted "Open SORES" goofs!
APK
P.S.=> Again also: ONLY REASON Linux is on smartphones (via ANDROID)? It costs ZERO (buggy as hell, but cheap, right?), keeping per unit costs of handsets down... nothing more... apk
I learnt this while trying to use P for C 1989. Are people really this slow?
I have never been a believer that open source code is automatically more secure. Different projects have different code quality. It depends on if/how they are managed and who all is willing to step up and contribute their time and effort.
There have been some advantages unique to open source projects, such as static analysis vendors developing, testing and marketing their wares, blessing a huge swath of open source land with the fruits of their labor, as well as the ability for savvy users to evaluate willingness to use software based on observation of code quality, which can be difficult to discern from commercial software.
Yet for the most part for most of us mortals the end result is simply a function of who is willing to step up and contribute what.
I agree that more diversity in the software ecosystem will cause critical bugs to have less impact to the world overall, and will hopefully drive competition to make the offerings more efficient and stable. However I think that this is a straw-man and the real conclusion we should draw is this:
When you write code, you are going to screw up. If you aren't writing bugs that people notice, you aren't working on anything worthwhile. While the bugs that were found were costly and dangerous, the question is: were these found more quickly than in a closed source solution? Were they fixed faster than in a closed source solution? Is there anything that can be done to allow quicker roll back or disabling of vulnerable features? When you write code, you need to design for failure, because it will happen, and plan so that the recovery will be as quick as possible.
Adding additional software library offerings will only add stability in the sense that one particular vector won't affect as much of the Internet, but you introduce more surface area for attackers to poke at, and more vulnerabilities overall. Given the challenges to write really solid code, I think I'd like to have fewer, but really well vetted open source software solutions. Of course, I am not correct in this opinion, as there are no 'right' decisions here.
HA! I just wasted some of your bandwidth with a frivolous sig!
No, you should feel contrite that you are daring to report a bug in software that is obviously perfect. There are two classes of software error: hardware error, and user error. In the first case, you shouldn't have bought that in the first place, so it reduces to the second case. Our QA process will take advantage of this breakthrough, but the documentation will not be updated.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
APK Hosts File Engine 9.0++ 32/64-bit in 1 'standalone .exe' file -> http://start64.com/index.php?o...
* Didn't WANT 3rd party libs = "f-ups" depending on 'em fixing it IF they do (ala 1 of my 'competitors' doing so (not really: on the 'same team' w/ 'em in HostsMan & their use of SQLite))
There's that & another design decision that held me back from using it:
What if they went outta business or don't target 64-bit, & iirc? They don't, even now (could be wrong @ this time though) & I *had* to have it in MY program vs. HostsMan (only 32-bit & lacks hardcoded favs feature mine has theirs doesn't for more speed, & reliability as well as anonymity online it allows)
Mr. Steven Burn of MalwareBytes' hpHosts asked why I didn't just use SQLite like hostsman - there's my reasons & imo (especially based on this article)? Valid ones!
APK
P.S.=> Lastly, to the douchebags downmodding me:
You're a SKULKING NERD WORMS judging by unjustifiable downmod sneak crap a pud like that would pull & does his WHOLE LIFE which is *WHY* guys like me fucked your women in front of you & made you watch, lol!
(All you wimps can manage is downmods here http://linux.slashdot.org/comm... HERE http://linux.slashdot.org/comm... here http://linux.slashdot.org/comm... here http://linux.slashdot.org/comm... & here http://linux.slashdot.org/comm...)
Keep downmodding - unlike MOST ac's here? I can post unlimitedly, burning out your modpoints & outsmarting you lame weasels that act like bitches, & for the cost of a cut & paste, seconds only, lol!
You're a punk w/ NO BALLS & no skills obviously since all you have's unjustifiable downmods!
The downmodding WIMPs are probably "networking/techie" menial nothing more - it's what KILLS "many eyes on the code" opensores bs since MOST of you useless fucks are only that & can't patch code to SAVE YOUR LIVES (especially PER THIS ARTICLE'S POINTS on those age old bugs)... apk
Security researchers have known about vulnerabilities in third-party components for years. Anytime you increase the attack surface of an application through the use of third-party components (commercial or open source), you're potentially introducing vulnerabilities that you didn't create. A formal study was conducted by Aspect Security in 2012, https://www.aspectsecurity.com..., which illustrates how big of a problem this actually is. Up until this time, the security community always knew it was a problem, but didn't have many stats to back up their claims. This research (as well as other data points) was essential for OWASP to introduce a new category in the OWASP Top Ten 2013 - A9: Using Components with Known Vulnerabilities. 2014 was not "the year we learned how vulnerable third party code libraries are". It was the year that organizations which had no security best practices in place paid a much higher price than organizations that did.
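The control behind OWASP A9 is mechanical: pin every third-party component, and compare each pin against an advisory feed before shipping. The following is an added example, not code from the post or from OWASP or Aspect Security; the manifest, the advisory identifiers and the "fixed in" versions are all constructed to show the check, and the version comparison is a deliberately simple dotted-integer one rather than a full PEP 440 parser.

```python
"""Toy dependency audit in the spirit of OWASP Top Ten 2013 A9.

Added example; the manifest and advisory feed below are constructed,
not real packages' advisory data."""
import re
from typing import Dict, List, Tuple

# Constructed manifest in requirements.txt style (package==version).
MANIFEST = """\
requests==2.3.0
pyyaml==3.10      # constructed pin
jinja2==2.7.3
"""

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# An installed version strictly below the fixed version is treated as affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("ADV-0001 (constructed)", "2.6.0")],
    "pyyaml": [("ADV-0002 (constructed)", "4.1")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple; non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so that 2.6 and 2.6.0 compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_manifest(text: str) -> Dict[str, str]:
    """Map package name -> pinned version; an unpinned line is a hard error,
    because an unpinned dependency cannot be audited at all."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, ver = line.partition("==")
        if not ver:
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = ver.strip()
    return pins


def audit(manifest: str, advisories: Dict[str, List[Tuple[str, str]]]
          ) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, advisory id, fixed_in) for every affected pin."""
    findings = []
    for name, installed in parse_manifest(manifest).items():
        for adv_id, fixed_in in advisories.get(name, []):
            if version_lt(installed, fixed_in):
                findings.append((name, installed, adv_id, fixed_in))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv, fixed in audit(MANIFEST, ADVISORIES):
        print(f"AFFECTED: {pkg} {ver} ({adv}, fixed in {fixed})")
```

Run it as-is and the two constructed advisories fire while jinja2, which has no entry, passes; wire a real feed (a CVE or ecosystem advisory export) into `ADVISORIES` and a real lockfile into `MANIFEST` to turn this into a build-time gate.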
Computer Science is still a newbie discipline. Much more relevantly, the problems introduced by the sudden social change of what a network is are a pretty big deal.
Here's how you know it's crazy: look at the hacker hysteria, and how it has barely gotten any better. The vast majority of "hackers" who cracked stuff back in the day were treated entirely ludicrously, like some kind of wizard. Everyone here probably remembers indefinite detention and ludicrous punishments such as "can't use a computer", which would be absolutely unthinkable for even a bank robber who had served his time.
If you piped your water supply through every enemy state in the world, you would probably want to inspect it before handing it out as drinkable. But, if you did not do that inspection, would you complain about the pipe manufacturers, for not making a pipe no one could interact with? Like, "why isn't this pipe adamantium"? And would you ignore all the enemy nations and go throw in jail the guy who put green food coloring in to show that an actual bad guy could have done something much worse?
The other big thing is how fast expectations change. Every few years someone has rigged up a specialized framework that solves some set of "needed for profit" set of network issues, and then the advantages of that force migration towards it. While in theory each of these individual solutions could be highly secure, the fact that they are new features hurts that a whole lot.
As people decide on a feature set that they actually need for certain purposes, and finally discard the idea that something is bad because it is old, we will start to see really solid code that is trusted. In MANY places, we already HAVE this.
More importantly, in disciplines whose lengths of existence rounds to millenia instead of decades (network security) or a century (computer science), you have things that "everyone knows", and those things have been true for generations. Meanwhile, in computer science, you see holy wars wrapped in holy wars, and a lot of it is due to communication issues.
I remember a great article by Robert Graham over at Errata Sec back at the end of September, hxxp://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html In the wake of Shellshock he looked at the bash code and found it lacking. The problem with a lot of these sacred cows of open source is that their coding is too clever and the multitude of authors have left it a mass of spaghetti. OpenSSL sucks to program in; it is not well designed or commented and lacks a cohesive coding style. A lot of these programs are so old that they were coded back in the days before defensive programming was even a gleam in its poppa's eye.
Look at the commit list for LibreSSL: 99% of the early commits are ripping out cruft and cleaning up the code format. Simply put, these old programs suck because they were written by talented amateurs back before we learned to code correctly. Now they are such crap and fragile that none but the most intrepid and pedantic (yes I mean those OpenBSD freaks) is willing to refactor them into useful form. Everyone wants the free software so they do not have to write it themselves and will accept crap because of the cost. It all sucks; we need more properly trained KernelJanitors and fewer elite open-source coders who have not learned a damn thing about software engineering and how to write clear, commented code that everyone can read.
When everybody has the same goal, as is pretty much the case for usability issues, the shallowness of bugs posited by the many eyes hypothesis would be a good thing. When it comes to security issues, it sets up a race between the white hats and the black hats, and there is more incentive for the black hats (collectively, the rest of us have as much incentive as do the black hats, but that is not the case individually - for one thing, an attacker satisfies his goal by finding just one vulnerability.)
Your manner of writing and your choice of idioms and colloquialisms reveal you to be about half my age; those from my era have a different "look and feel" as it were. Refine your abilities as a poseur, so they will shine in the darkness like a luminescent swamp gas.
Yup, I'm "right-as-rain" (as always): You're evading a fair challenge here http://linux.slashdot.org/comm... - you FAIL (as I knew you would, lol).
* You're worthless, & weak...
APK
P.S.=> You're a waste of time - why? By this time, & I did what I wrote @ MS TechEd only my 2nd yr. out of an ASSOCIATES DEGREE only in CS @ that point, & you, by way of comparison?? LMAO - nada/squat/zip/zilch: Should've gotten work as a shoe salesman pal, because if you've been @ this THAT long (& still have to work too, I don't, mind you since I did SO well @ it with homes, sportcars, all bills + insurances always paid + "moola" in the bank too, & FREEDOM by 40 no less, almost a decade already now in fact because of things like I noted I did that YOU NEVER EVER WILL, lamo)... apk
Two words: CVE-2014-1776 (every version of IE since at least 6, Microsoft even deployed an emergency XP patch as a favor to the internet) and CVE-2014-6321 (every version of SChannel ever, but no fix for XP because anyone running a server on XP deserves to execute code remotely).
OpenSSL isn't the only buggy program, it's not even the only buggy SSL implementation.
Wtf's that got to do with what apk said that you're all running from here http://linux.slashdot.org/comm... since all you idiots can do is downmod truthful posts of his that reflect the reality of this article all through this debate exchange here on his part? Clue: Your unjustifiable downmods doth not a valid argument make and they make you all look like the weasels he called you all here. This is why you open sores dolts never win: You're typical nerd weasels, thinking your years of lies here of "Windows != Secure, Linux = Secure" was fooling anyone. That's why you're in dead last place on pc desktops and servers combined as he notes. Lies doth not a convincing argument make either. All you've enjoyed being LAST PLACE is security by obscurity, nothing more. Apk's point on ANDROID being shredded on the security front almost daily proves that for him also. You're full of shit and once Linux had to run to phones since it was failing on pc desktops (only used due to being free, just like on servers where it keeps a 50/50 split with Windows since mostly puny smallfry startup companies have to pinch pennies on using risky easily taken advantage of and for years unpatched bugs in Linux, and keeping per unit handset costs down. Linux != not better, in fact worse since there never will be a "year of linux on the desktop"). You weasels must be pissing L. Torvalds right off. You would me with all those years of deceitful crap you spouted around here. Serves you right. Especially ANDROID's massive fuckups in security for what? A decade now or more? Yes, serves you right, and about time. Truth always comes out.
Which Linux user actually got hacked by a library vulnerability this year? Speak up now. Oh, hmm, the sound of silence. Certainly not me, and not anyone I know of.
The thing is, sometimes the many eyes just aren't pointed in the right direction. A publicly disclosed vulnerability changes that instantly: hundreds or thousands of expert eyes get to work, fixes happen fast, and the community learns from the incident, often resulting in the eradication of a whole class of risks.
When all you have is a hammer, every problem starts to look like a thumb.
You do understand that we all think this AC and apk's AC are the same poster pretending to be supporting, right?
What is the number of developers who worked on OpenSSL?
Some of my favorites only:
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement). Ask for CEO Mr. Eric Dickman regarding myself, Alex Kowalski.
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com...
It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here -> http://ultradefrag.sourceforge... or here http://sourceforge.net/tracker...
Which ended up fixing a "bug" for them later, here -> http://sourceforge.net/p/ultra... via its implementation (partially, NOT fully yet as I outline it & use in my applications such as this one -> http://www.start64.com/index.p...
----
What do I have to say about that much above? I can't say it any better, than this was stated already (from the greatest book of all time, the "tech manual for life" imo):
"But by the grace of God I am what I am: and his grace which was bestowed upon me was not in vain; but I labored more abundantly than they all: yet not I, but the grace of God which was with me." - Corinthians Chapter 15, Verse 10
(And, because I got LUCKY to have been exposed to some really GREAT classmates, professors, & colleagues on the job over time as well)
APK
P.S.=> Happy now? apk
See subject-line, & this "Forrest" -> http://linux.slashdot.org/comm...
APK
P.S.=> You really should NOT have shot your piehole off @ me pal... this, is what you get, ONTOP of my blowing you & yours away @ every single turn in this debate, every single time on EVERY "so-called 'point'" of yours (usually off topic evasions now)... apk
We understand you can't answer straight questions and downmod apk, who's gotten the best of every one of you weasels.
This isn't english class you off topic done zero in computing troll. Your opinion by this point = 0.
I'm sorry, one or both of us (depending on how that error is scored) has fallen victim to Poe's Law. If high-paying jobs are a result of egotism I may have to try it some day. For the present I suppose I'll have to send off for another batch of <sarcasm> tags.
Perhaps people have forgotten the SSL debacle created by Debian several years ago, when one of the developers inadvertently weakened a random number generator and thus reduced the key space to something like 20 bits. Nobody noticed the bug for 2 years.
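What makes a seed-space collapse like the one described above so damaging is that the entire set of possible keys becomes enumerable, which is exactly how defenders can also catch them: precompute every key the broken generator can emit and reject any that match. The block below is an added illustration, not Debian's or OpenSSL's code. It uses a toy key derivation (HMAC-SHA256 of the seed) and a constructed seed space of 2**12 values, far smaller than the real incident, so the full enumeration finishes instantly; the "blacklist" check mirrors the idea behind the openssl-blacklist package Debian shipped after the fix.

```python
"""Toy demonstration of a collapsed PRNG seed space and a blacklist check.

Added example with a constructed key-derivation function and seed space;
it is not the Debian OpenSSL code and uses no real key material."""
import hashlib
import hmac
import os
from typing import Set

SEED_BITS = 12                     # constructed: tiny so enumeration is instant
LABEL = b"toy-key-derivation"      # constructed domain separator


def derive_key(seed: int) -> bytes:
    """Stand-in for key generation: a deterministic function of the seed alone.
    With a real generator this would be the expensive RSA/DSA key step."""
    return hmac.new(seed.to_bytes(16, "big"), LABEL, hashlib.sha256).digest()


def weak_keygen(pid: int) -> bytes:
    """Mimics the flaw: the only entropy left is a small integer such as a
    process id, so at most 2**SEED_BITS distinct keys can ever be produced."""
    return derive_key(pid % (1 << SEED_BITS))


def strong_keygen() -> bytes:
    """The correct version: seed from the OS CSPRNG, 128 bits of entropy."""
    return derive_key(int.from_bytes(os.urandom(16), "big"))


def build_blacklist() -> Set[bytes]:
    """Enumerate every key the weak generator can emit. This is feasible only
    because the seed space is tiny, which is precisely the vulnerability."""
    return {derive_key(s) for s in range(1 << SEED_BITS)}


BLACKLIST = build_blacklist()


def is_weak_key(key: bytes) -> bool:
    """Defender-side check: refuse any key that the broken generator could
    have produced, regardless of which host or pid generated it."""
    return key in BLACKLIST


def fingerprint(key: bytes) -> str:
    """Short hex fingerprint, the form a real blacklist would be stored in."""
    return hashlib.sha256(key).hexdigest()[:16]


if __name__ == "__main__":
    print("blacklist size:", len(BLACKLIST))
    k_bad = weak_keygen(31337)
    k_good = strong_keygen()
    print(fingerprint(k_bad), "weak" if is_weak_key(k_bad) else "ok")
    print(fingerprint(k_good), "weak" if is_weak_key(k_good) else "ok")
```

The blacklist has exactly 2**SEED_BITS entries no matter how many keys the weak generator is asked for, while a properly seeded key lands in the blacklist only with negligible probability; with a real key generator the same enumeration just takes longer, which is why the fix had to include rejecting the already-generated keys rather than only patching the generator.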
2014 was the year we learned that the Internet is insecure. Not a library, not a router, not a hacker, the whole Internet is insecure. There are British security experts building it up, and Japanese security experts tearing it down. Putting nude pictures of yourself on any cloud site is just plain stupid. Giving your credit card number at any prompt is just asking for hacking. The NSA reads your e-mail, and if they didn't the KGB would. I can encrypt my e-mail, but very few people have keys, and what back doors are built in to my encryption software?
If I have to send someone a user name and password, I send the user name via e-mail and the password via SMS. It is unlikely that anyone has hacked both.
Face it: the Internet is not secure.
See subject-line above, & keep "running", blowhard bullshitter http://linux.slashdot.org/comm...
* :)
(Gotta love BIGMOUTHS that toss names @ someone 1st, as you did to myself here -> http://linux.slashdot.org/comm... & THEN SEEING YOU "Run, Forrest" RUN!!!" from my FAIR challenge to you in the 1st link above I posted, eh? Absolutely - YOU, fail!)
All those ALLEGED years in computing too you shot your piehole off on, & YOU CAN'T SHOW US A DAMN THING? Don't waste your time in computing - it's clear you're just another "ne'er-do-well" troll...
(Especially since I have DUSTED "you & yours" @ every SINGLE turn here, easily... lol!)
APK
P.S.=> Knew you were a bigmouth, blowhard, fucking USELESS troll... (pats self on back for being right, as usual)... apk
The vulnerabilities have been found by source code review and now the argument is that it wasn't found by source code review? I don't get it.
This is what happens when people worship the religion of open sores.
Need a hug?
The heartbleed incident does not disprove that 'given enough eyeballs all bugs are shallow'. Instead, it proves the importance of Open Source software. It also illustrates the disadvantage of not having an enormous marketing machine that can spin such incidents. Instead of calling this bug 'catastrophic', we should have called this 'an opportunity to further improve server security'...
SSL/TLS is so massively complex I have serious doubts it can be made bug-free. Do we REALLY need this concept? Can't we just use much more simple symmetric ciphers? My feeling is the IT industry has been conceptually pwned. We are already very deep in a rabbit hole and its name is "SSL/TLS".
Wake me up when you have discovered a different free enterprise system.
Whenever I hear "metric", I know it is MBA bullshit. Long known as Beancounting. "You can only manage the beans you can count" and similar mantras. Let me pose a little question: How do you "measure" the number of bugs not yet discovered?? Stop worshipping pseudo-science from the social engineers.
It's enough to see I ran the trolls dry of their modpoints as I said I would... they're weak!
* Additionally: Your reply alone shows that my technique of blowing by restrictions on AC's (completely legit too, no tricks/hacks) overcomes their WEAK attempts @ burying my posts since you PROVE others see them anyhow, regardless of their puny ploys, lol! THAT? Is good enough, for me...
APK
P.S.=> So much for PUNY trolls, lol... apk
Penguin trolls minus modded you again apk. They can't handle the truth.
Because the closed source shops prefer not to discuss these issues. And have you seen our new glossy product folder? Our lowpaid code monkeys^H^H^H^H^H^H^H^H^H^H^H^Hsuperb software development gurus don't make mistakes. No, sorry, for whatever reason the legal department does not allow us to give you any warranty on our software.
That's the topic here & from his results (zero)? He drank 40 oz instead per my subject above!
APK
P.S.=> Hope he enjoys his "-1 flamebait" rating he got in the post he made parent to all of these - that's about ALL he merits... apk
See subject: Learn to handle the TRUTH -> http://linux.slashdot.org/comm...
APK
P.S.=> Truth HURTS, now doesn't it? Absolutely... apk
Then why are there so many more mission-critical, program-ending bugs in FOSS software than in closed source?