Slashdot Mirror
Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source (techweekeurope.co.uk)
Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."
I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux with it very obvious that Microsoft is failing to publish any of their low priority vulnerabilities and is slow in publishing medium priority ones (if we assume the same proportions as other systems this probably means that there are about 750 Windows vulnerabilities with around 600 unpublished!!!). I'm not really sure how that's meant to undermine my case? Clearly Microsoft is still badly enough damaged by their experience at the start of the century that they still consider the need to "manage perceptions" about security. The Linux guys would do really well to learn from this and try act now so that they avoid getting anywhere near the level of problems Microsoft still seems to have.
It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.
At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.
Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.
The article on that page reports more OS vulnerabilities for OSX and other Apple products.
Generally speaking, that's not the attack surface most people need to worry about.
The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like wordpress and so on.
The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.
I've fallen off your lawn, and I can't get up.
If this is the golden age of FoSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FoSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
C++ is great for masking what is actually happening in the background, which is the opposite of what you want for a kernel.