Slashdot Mirror
Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source (techweekeurope.co.uk)
Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."
I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux with it very obvious that Microsoft is failing to publish any of their low priority vulnerabilities and is slow in publishing medium priority ones (if we assume the same proportions as other systems this probably means that there are about 750 Windows vulnerabilities with around 600 unpublished!!!). I'm not really sure how that's meant to undermine my case? Clearly Microsoft is still badly enough damaged by their experience at the start of the century that they still consider the need to "manage perceptions" about security. The Linux guys would do really well to learn from this and try act now so that they avoid getting anywhere near the level of problems Microsoft still seems to have.
It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.
At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.
Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.
The problem is that low-level "bootstrapping" software like the BIOS is still closed source, and—worse—becoming so complex that it's basically an entire operating system unto itself.
Consider Intel's Management Engine and the associated Active Management Technology that is in every modern (though, upper-middle quality) Intel-based desktop/laptop these days; it provides a whole personal computer within what you, the user, think is the actual personal computer, and that embedded personal computer has higher priority access to all the subsystems, including all of the RAM, the main CPU, and the GPU, the input devices, etc., and that embedded personal computer can be contacted via the usual network card and used to complete own the user's personal computer. It runs a proprietary operating system, and will refuse to boot the entire machine if it is in any way tampered with—you cannot get rid of it.
Consider the Volkswagen debacle that is now spreading to other car companies who abuse "low-level" proprietary software to hide their machinations.
Consider the fact that your smartphone is littered with proprietary firmware that has extraordinary access to the rest of the phone's subsystems; it is not uncommon for the phone's transceiver/modem to be connected directly to sensors like your microphone, and to have access to your system's processor and RAM, maybe GPS, etc.—it's basically a highly mobile, wireless spying device that runs completely proprietary code that is so sophisticated and connected that it could do just about anything.
Why do you think the governments have been making noise about encryption even though they know they'll never get rid of it? It's smoke and mirrors to hide the fact that the real backdoors are already in place; your encryption is worthless, when the NSA can just tap into your phone wirelessly and read the private encryption keys from RAM whenever you use them.
Security is a problem, because the powers-that-be (governments, hardware makers, etc.) have designed our systems to be insecure at the lowest levels, and no amount of FOSS at higher levels can fix that.
The article on that page reports more OS vulnerabilities for OSX and other Apple products.
Generally speaking, that's not the attack surface most people need to worry about.
The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like wordpress and so on.
The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.
I've fallen off your lawn, and I can't get up.
If this is the golden age of FoSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FoSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
C++ is great for masking what is actually happening in the background, which is the opposite of what you want for a kernel.