Slashdot Mirror


2014: The Year We Learned How Vulnerable Third-Party Code Libraries Are

jfruh writes: Heartbleed, Shellshock, Poodle — all high-profile vulnerabilities in widely used libraries that rocked the software industry in 2014. Sadly, experts are now beginning to believe that these aren't the only bugs lurking out there in widely used open source code, just the ones that grabbed the most attention. It's beginning to look like one of the foundation concepts of open source — that with enough eyes, all bugs are shallow — is a myth. Of course, probably no one believes that all bugs are instantly shallow, no matter how open the source is, or that open source software is immune from bugs — particularly ESR, coiner of the phrase.

2 of 255 comments

  1. THAT's the reason I did this how I did... apk — by Anonymous Coward, Score: -1, Troll

    APK Hosts File Engine 9.0++ 32/64-bit in 1 'standalone .exe' file -> http://start64.com/index.php?o...

    * I didn't WANT to find out that a 3rd party lib was "f'd up", & having to depend on them fixing it quickly either IF they do at all (ala 1 of my 'competitors' doing so (not really, on the 'same team' with them really, as in HostsMan, & their use of SQLite)).

    (There was also that, & another design decision that held me back from using it: What if they went outta business, or don't target 64-bit, & iirc? They don't, even now (could be wrong @ this timeframe though) & I *had* to have that in MY program vs. HostsMan (only 32-bit, & lacks hardcoded favs feature mine has, & theirs doesn't, for more speed, & reliability as well as anonymity online that feature affords)).

    APK

    P.S.=> Mr. Steven Burn of MalwareBytes' hpHosts asked me why I didn't just use SQLite as hostsman does - THOSE were my reasons, & imo (especially based on this article's premise)?? Quite valid ones... apk

  2. Oh, really? apk — by Anonymous Coward, Score: -1, Troll

    Closed source is TOUGHER to "hack" by far: All you can really do to it is disassemble or hit it with fuzzers - with "Open SORES" all you have to do, assuming you're a proficient coder, is see the source + step trace it, hitting either obvious shortcomings in it, to find vulnerabilities (& you additionally have the option to do the above also along WITH that stuff too).

    Disassembly, especially via a kernel-level debugger, is by FAR much tougher to do than step tracing source code... by far.

    APK

    P.S.=> Funniest part here, is this: For all those "eyes on the code", your OPEN SORES stuff is still DEADLAST in overall usage on PC's & Servers combined (the latter only REALLY uses *NIX variants like Linux since it has no up front costs, keeping what MBA's love, down - software costs, especially server-class ware) & those bugs SHOW + PROVE "All those eyes on the code does *NOT* fucking work (since those were around for ages, but no "penguins" etc. fixed them, or, lol, EVEN SPOTTED THEM to do so - which says WORLDS about the Open SORES community in & of itself - most of you DORKS are merely menial techies/admins, who are HELPLESS without truly proficient people - coders - who make the things you MERELY USE)... apk