Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source (techweekeurope.co.uk)

Posted by Soulskill on from the they-never-seemed-to-slow-microsoft-down dept.

Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."

45 of 77 comments (clear)

  1. obviously, "move" by turkeydance · · Score: 1

    was more obvious

  2. what OSS is insecure? by Skapare · · Score: 1

    what OSS is insecure? i think it is company executives and lame sysadmins that are insecure. of course easier-to-use security could help.

    --
    now we need to go OSS in diesel cars
    1. Re:what OSS is insecure? by Anonymous Coward · · Score: 1

      OpenSSL and GPG both have had numerous security flaws opened against them in the last 6 months or so.

      The Linux Kernel regularly gets critical security updates.

      A better question is, "What OSS *isn't* insecure?" If you think anything is magically "secure" you're in for a bad time.

    2. Re: what OSS is insecure? by bill_mcgonigle · · Score: 1

      That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some. Lame users want to use computers too.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:what OSS is insecure? by Z00L00K · · Score: 1

      So do Windows and a number of other applications and operating systems. Mostly the security issue is just a small thing but now and then a big issue appears.

      Many large issues are also caused by not one single mistake but by a chain of mistakes where each mistake by itself wasn't fatal. This isn't limited to software alone but we see it from time to time in the physical world as well.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re: what OSS is insecure? by bbelt16ag · · Score: 1

      Ok if you are talking about Desktop users Vs. Sysadmins in major corporations is what everyone else is talking about.

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    5. Re: what OSS is insecure? by drinkypoo · · Score: 1

      That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some.

      Secure boot and trust chains where I choose what to boot and who to trust wouldn't be a walled garden, it would be a libertarian paradise... or the computing equivalent. The problem isn't the technology, it is how it is (inevitably?) used.

      Lame users want to use computers too.

      As well they should. It would be nice if there were more credible options for everyone else, though. Google is taking steps to lock down Android somewhat in Marshmallow, with possible ramifications both for ad blockers and for modification tools like the Xposed framework. Because it's OSS it will be theoretically possible to work around some or all of that...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:what OSS is insecure? by WorBlux · · Score: 1

      Not automatically. If your only building security is the lock on the front door it's not going to help you against targeted attacks of it you let employees have any sort of guest that they want in the office.

    7. Re:what OSS is insecure? by jabuzz · · Score: 1

      I will politely refer you to the recent Hatton Gardens

  3. Re:Billion dollar companies by Skapare · · Score: 1

    maybe you should be reading "how to become a one percent-er, for dummies".

    --
    now we need to go OSS in diesel cars
  4. Re:This contradicts history. by hairyfeet · · Score: 1, Flamebait

    Riiight, I'll just leave this here then.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  5. Re:This contradicts history. by Anonymous Coward · · Score: 2, Insightful

    I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux with it very obvious that Microsoft is failing to publish any of their low priority vulnerabilities and is slow in publishing medium priority ones (if we assume the same proportions as other systems this probably means that there are about 750 Windows vulnerabilities with around 600 unpublished!!!). I'm not really sure how that's meant to undermine my case? Clearly Microsoft is still badly enough damaged by their experience at the start of the century that they still consider the need to "manage perceptions" about security. The Linux guys would do really well to learn from this and try act now so that they avoid getting anywhere near the level of problems Microsoft still seems to have.

  6. it needed to happen. by Gravis+Zero · · Score: 5, Interesting

    heartbleed was a blessing in disguise because companies were blindly assuming this software was secure and thus never investing a dime in it's development. this internet-scale problem woke up some people and now they are actually investing in real security.

    --
    Anons need not reply. Questions end with a question mark.
  7. Heartbleed should've been way more of a yawn by somepunk · · Score: 4, Interesting

    Still a serious bug, but if forward secrecy had been widely deployed, much, much less threat exposure would have occurred.

    That's the lesson. Code audits are great, but they still miss stuff and are expensive. Take good practices more seriously, and you get a lot of bang for your investment in time/money/whatever.

    --
    Those people who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
    1. Re:Heartbleed should've been way more of a yawn by Bengie · · Score: 2

      OpenSSL issues weren't language issues, they were willful fundamental decisions made. Blindly accepting lengths claimed from the client, writing their own memory allocator, using the the raw private key for random data, creating their own RNG.

    2. Re:Heartbleed should've been way more of a yawn by Metabolife · · Score: 1

      Look at the list of effected companies. You'll notice that none of them are financial institutions which were still on an older version. Some people do their due diligence and audit the code, others can't afford to.

  8. Open Source is working as intended by PvtVoid · · Score: 5, Insightful

    It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.

    At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.

    Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.

    1. Re:Open Source is working as intended by Anonymous Coward · · Score: 1

      LOL, and look how secure Cisco gear has been lately! But more importantly, even Cisco is going down the software-defined networking route with open source NOS.

  9. Re: This contradicts history. by Anonymous Coward · · Score: 1

    Hardly. People left Windows because TCO on Linux is lower. Security is a tiny part of TCO in either. Keeping Linux up to date ain't free time wise either.

  10. Proprietary Firmware by Anonymous Coward · · Score: 1, Insightful

    The problem is that low-level "bootstrapping" software like the BIOS is still closed source, and—worse—becoming so complex that it's basically an entire operating system unto itself.

    Consider Intel's Management Engine and the associated Active Management Technology that is in every modern (though, upper-middle quality) Intel-based desktop/laptop these days; it provides a whole personal computer within what you, the user, think is the actual personal computer, and that embedded personal computer has higher priority access to all the subsystems, including all of the RAM, the main CPU, and the GPU, the input devices, etc., and that embedded personal computer can be contacted via the usual network card and used to complete own the user's personal computer. It runs a proprietary operating system, and will refuse to boot the entire machine if it is in any way tampered with—you cannot get rid of it.

    Consider the Volkswagen debacle that is now spreading to other car companies who abuse "low-level" proprietary software to hide their machinations.

    Consider the fact that your smartphone is littered with proprietary firmware that has extraordinary access to the rest of the phone's subsystems; it is not uncommon for the phone's transceiver/modem to be connected directly to sensors like your microphone, and to have access to your system's processor and RAM, maybe GPS, etc.—it's basically a highly mobile, wireless spying device that runs completely proprietary code that is so sophisticated and connected that it could do just about anything.

    Why do you think the governments have been making noise about encryption even though they know they'll never get rid of it? It's smoke and mirrors to hide the fact that the real backdoors are already in place; your encryption is worthless, when the NSA can just tap into your phone wirelessly and read the private encryption keys from RAM whenever you use them.

    Security is a problem, because the powers-that-be (governments, hardware makers, etc.) have designed our systems to be insecure at the lowest levels, and no amount of FOSS at higher levels can fix that.

    1. Re:Proprietary Firmware by WorBlux · · Score: 1

      You can even buy laptops now that are OSS from the firmware on up. There are dozens of OSS u-boot based dev boards availible. You can run a system of a CPU design loaded onto an FGPA. There are cellphones built with basebands you can load OSS firmware onto, or are not linked into DMA with main memory and have CPU controlled hard off switches. These aren't flagship consumer products, but they are available. Security is rarely convenient.

      Intel's management engine and the like are not some vast conspiracy, There really is a demanded use case. And as way they are used is less intrusive than the alternative, which is to lock the computer to a particular OS and configuration that calls home anyways. A big issue is that stuff at the firmware level tends to be implemented poorly at best. Write once and forget.

      And there are processors and boards you can be without these features. It just tends to be more convenient for corporations to have these feature. At least 90% of the desktop market are corporations or those that don't have a clue. 95% or more of the cell phone market is wireless carriers (via deciding what phones to offer subsidies on and to carry in their store). They have legitimate use cases for these security-poor features. The logic of the business case overrides any concern over the common good. They don't even stop to think about it, which is why OSS will generally be more secure, but less accessible to the average joe.

  11. Re:This contradicts history. by fyngyrz · · Score: 4, Insightful

    The article on that page reports more OS vulnerabilities for OSX and other Apple products.

    Generally speaking, that's not the attack surface most people need to worry about.

    The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like wordpress and so on.

    The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.

    --
    I've fallen off your lawn, and I can't get up.
  12. Vendors don't want interoperability by 140Mandak262Jamuna · · Score: 2
    It is never in the interests of the vendors to support full two way interoperability. Up starts will support interoperability with established players when it suits them and sabotage interoperability to prevent people from leaving. From early days of Microsoft making sure unix file systems can be seen by windows but not vice versa to present day CAD vendors investing order of magnitude more effort in "importing" other vendor's CAD format but becoming very apathetic to bugs reported on their export capability. Parametric Technologies started encrypting its files to prevent Microedge or some such vendor from reading the files, and invoking DMCA to stop anyone else from reading the files. The format is PTC's but the data is the customers'. They use every trick in the book to hold the data hostage. Every CAD tool vendor does this, PTC is not particularly worse than any of its competitor. It is exactly the same fight between ODF and XLS. The "open" formats are STEP and IGES

    But it is in the interest of the customers to make sure their data never gets locked up in a format they don't control. Why wouldn't the fortune 500 companies invest a tiny part of their IT budgets to support ACM or IEEE to play the role of arbitrator when it comes to file formats, data and export/import protocols, fundamental security etc. These things should be neutral and no vendor should see them as yet another way to invade and occupy their customer's systems and processes.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. Objective proof that proprietary is more secure? by walterbyrd · · Score: 1

    If there is no such evidence, then how does this article make any sense?

  14. This is not the golden age of FoSS by drinkypoo · · Score: 2, Insightful

    If this is the golden age of FoSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FoSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  15. Re:Billion dollar companies by Anonymous Coward · · Score: 1, Interesting

    Step 1: Get 100 million dollars. Surely you are born into money, so this step goes almost without saying.
    Step 2: Buy some companies.
    Step 3: Bribe politicians to pass laws that benefit you and your companies, while preventing pesky competition from stealing your profitsessss.
    Step 4: MOAR profits!
    Step 5: Repeat steps 2-4 until you are into the .1% range.

  16. Re:The problem is C by Z00L00K · · Score: 2

    Switching to C++ is just opening another can of worms.

    C++ just have the bad stuff from C and the bad stuff from object oriented design combined.

    If you want a language for an OS that is better you will need to look at ADA or some completely different language. One of the more secure operating systems out there is OpenVMS and that's written in BLISS.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  17. Re:The problem is C by Bengie · · Score: 2, Insightful

    C++ is great for masking what is actually happening in the background, which is the opposite of what you want for a kernel.

  18. Nobody is talking about the root causes yet.... by ka9dgx · · Score: 1

    The root cause of all of these security problems has been in plain sight since 1970 or so, yet only a few people are even aware of it. It's obvious once you get it, and the scope of fixing things comes clearly into place. So, do you really want to take on forking every program to build a new version of it? If so, you can fix it, if not... this will continue to happen, and government will try to fix it by fiat, badly.

    The cause is that our operating systems operate on the assumption that programs can be trusted. This makes it almost impossible to launch an executable safely, because there is no OS enforced way to limit the side effects of execution.

    Only an operating system that requires specifying the resources to feed to a given instance of execution can limit the side effects by design, instead of luck.

    It doesn't have to be user-unfriendly, because the OS can always handle prompting for file names, etc... in fact if done properly, the user might not even need re-training to use the new fork of their favorite program, because for their intents and purposes, it acts the same, with the same dialog boxes, etc.

    The principle of least privilege is the solution to this whole mess, but it has to be applied from the kernel all the way up the stack. This is a lot of forking work to do.

    Do you dare to take up the challenge, or will you let someone else try the latest band-aid instead?

    1. Re:Nobody is talking about the root causes yet.... by drinkypoo · · Score: 1

      The cause is that our operating systems operate on the assumption that programs can be trusted.

      Android tries to sandbox programs, pretty successfully until you find a hole in the sandbox someplace. Two new Stagefright vulnerabilities have been found recently. I was just patched, too. I guess a new edition of the custom rom I'm running will be available shortly. And there's always selinux, but configuring it is still a massive PITA. The tools and their build processes are immature.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Nobody is talking about the root causes yet.... by KGIII · · Score: 1

      A remarkably beautiful young lady revealed something to me just the other day. This is from a pop song in 1982 - I'd never noticed it when it was popular and getting radio play.

      Back at base, bugs in the software
      Flash the message
      "Something's out there"

      Yup... Ah well, we'll always have bugs. Anyhow, isn't the idea of a microkernel meant to minimize such? IIRC that was the guy from MINIX (I forget his name) big complaint about Linux. Stability and security come at a cost of performance but the price might be worth paying now that we have hardware that is so speedy.

      Oh, the song is 99 Red Balloons. Yeah, I'd never realized that. And, the good (maybe) news is that I'm still here with her. The oddity is that it was a live Linux disk that was our introduction but that's a story for another time unless, for some odd reason, someone really wants me to type all that out. They won't read it so I'll skip the effort, I guess. 'Tis an interesting story, however.

      --
      "So long and thanks for all the fish."
    3. Re:Nobody is talking about the root causes yet.... by dog77 · · Score: 1

      I think we need to go further and fundamentaly redesign the hardware architecture that the operating system runs from

      Physically Isolate the operating system from the rest of the system. Let it run from completely different memory and storage so that is impossible to access from the rest of the system. Let it be a monolithic program that has its own drivers and its own network stack.

      If you need to make a change to the operating system, you must physically switch to the operating system control and from within the operating system pull updates.

      Support responsive drivers in user space.

      Allow the operating system to pause and inspect the entire system (like a debugger). Allow it to download programs directly to userspace, like an antivirus program. Let it pause all programs while the antivirus runs. Let it remove and add programs from ram and storage while everything is halted.

      Support extensive utilties in the operating system image to monitor and repair the user space.

      Allow the operating system storage to be physically removed so that it can be replaced or verified.

      The concept of root/admin would still exist, but would no longer have access to change anything in the operating system, only userspace.

    4. Re:Nobody is talking about the root causes yet.... by drinkypoo · · Score: 1

      I think we need to go further and fundamentaly redesign the hardware architecture that the operating system runs from
      Physically Isolate the operating system from the rest of the system.

      Don't we have hardware in the CPU which is effectively supposed to do that? And don't we just keep poking holes in it so that we can get better performance?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Nobody is talking about the root causes yet.... by WorBlux · · Score: 2

      A microkernel minimizes the amount of code you have to trust. MINIX as of 3.0 is also designed to be fault-tolerant, able to recover to almost any sort of bug. You tend to get a lot of transactional and message passing overhead though. For example the filesystem modules isn't allowed to access the disk controller, it has to ask the block layer to do it and pass the result. But the block layer can't actually pass the result directly, it has to check in with the microkernel to make sure it's okay.

      But the future isn't bleak, not only has hardware in general become faster, there has been quite a bit of design advance around these sorts of messaging system that reduce the overhead micro-kernels generate.

      I think the original argument was about design complexity though, not performance or security as linux started as a hobbyist desktop system. Linus's counterargument as that a microkernel design simply moved complexity to a different level and didn't actually decrease the complexity of a practical and working system.

    6. Re:Nobody is talking about the root causes yet.... by WorBlux · · Score: 1

      The existing hardware virtualization and security extensions actually let you do this. See L4 as an example.

    7. Re:Nobody is talking about the root causes yet.... by KGIII · · Score: 1

      Thank you for the insight. I really need to fire up MINIX in a VM and see what's going on. I'm a maths grad and not a CS grad so it will be fun for me to learn about the various ins and outs. One of the things I assume is that, in realistic use, today's hardware will cope with the added overhead with nary a problem - I'd imagine the processing rate to be only trivially slower if I'm understanding everything properly (and I may not be).

      I kind of like the checks, or the idea - I'm not fluent enough to say that I like them in practice. With, say, Linux I need to enter my password for all sorts of things. I like that. I like having to give something permission to do what it wants to do. I can handle the added time and overhead - I don't mind. I dare say that I prefer it. Much of my earlier days were spent in Unix land. Then I poked and prodded Linux for a while. Then I went to Windows - I always kept Linux on a spare drive. Now I've just decided to return to Linux and remain there. I made that choice a couple of years ago and haven't touched my own Windows quite a while now.

      Anyhow, I'm curious as to where MINIX goes. I'd like to get involved but I'm afraid I probably can't do much more than donate. I can code. I'd say that I'm "pretty good" but I'm really not. Not only are my skills rusty but I was never that good in the first place. Eventually, I hired professionals to do this for me and I stopped "helping" once I realized that I had, indeed, hired them for a reason.

      As for the original argument, not so very long ago I read the exchange and a follow-up from what's his name (MINIX author). From what I could reason there was a complexity issue, stability issues, and security issues. What I did find amusing is that he remarked that he'd not have given Linus a very high grade for Linux if he'd taken his course. I can only imagine how he'd grade Windows. I like the idea of it, however. I really need to immerse myself in it for a while to actually give a qualified opinion.

      --
      "So long and thanks for all the fish."
    8. Re:Nobody is talking about the root causes yet.... by WorBlux · · Score: 1

      Even if you can "prove" the software, how do you prove your hardware? And I think this sort of thing is very hard in a desktop system. Just take private namespaces. Within a single program you can be fairly sure as to what needs access to that data structure, on the desktop it's less sure what a user could want to have access to a particular file. There are server techs with isolate namespaces between services and processes, and there are techs which can fine-tune access of arbitrary executables to files and vice versa, It's just on an open platform that can be configured in an exponential combination what exactly is proper access ex ante.

  19. Re:This contradicts history. by KGIII · · Score: 1

    They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead. So, a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.

    --
    "So long and thanks for all the fish."
  20. Re:The problem is C by KGIII · · Score: 1

    Doesn't all C code run as C++ code with no code changes by default? I'm not sure where I'm going with this but I am not a programmer (not a good one, at any rate) and I'm mostly curious. With my limited knowledge, well, I can't really think of any reason to switch but I can't see any harm in switching by default. So long as the practice was good in C shouldn't it also be good in C++? After all, I thought you could literally take the C and just put it in C++ and it worked natively?

    --
    "So long and thanks for all the fish."
  21. Re:The problem is C by windwalkr · · Score: 1

    Pretty much. A "C++ programmer" doesn't typically write C-style programs, however, but uses the more advanced language features to buy some amount of extra compile-time safety. At least, that's the idea.

  22. Re:The problem is C by GuB-42 · · Score: 1

    Not exactly. All C is not valid C++.
    However, it may be considered good practice for C code to be written so as to make it valid C++. In is not a big effort and allows you to take advantage of the added safeties included is C++ compilers. Think of it as static analysis.
    One trouble however of using C++ is the lack of a binary standard, so, while compiling your C code as C++ may be a good test, actually shipping C code compiled with a C++ compiler may not be a good idea.

  23. Re:This contradicts history. by drinkypoo · · Score: 1

    They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead.

    Uh no. Explorer is basically equivalent to nautilus+gnome-panel. It's a graphic and file manager and program launcher, and it provides a notification area. Windows has a kernel like any normal operating system. Explorer can die and be restarted without affecting the kernel at all.

    a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.

    It doesn't matter by how much they separate them, because these statistics cover publicly known vulnerabilities. Microsoft could potentially know about hundreds or even thousands (or merely dozens) of bugs with security implications and be simply fixing them on their own time and not bothering to notify anyone. However, that Microsoft hasn't notified anyone of security flaws of which they are internally aware does not preclude others (or malicious actors inside of Microsoft) from exploiting those flaws.

    Of course, we can only speculate about how many flaws they might have, so to do so is to spread FUD... much like claiming that OSS is threatened by security flaws in some OSS software any more than non-OSS is threatened by security flaws. With OSS, you can see that known flaws are being fixed. With closed-source software, you just have to pray.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  24. Re:The problem is C by WorBlux · · Score: 1

    The only provably secure OS (L4) is written in C. I think there are good languages out at the application or platform level (Rust, Haskell, Scala) but systems level programming it's mostly just C. Alternatives are mostly just dressed up C (C++, D). Java and Haskell offer was to wrap application in a standalone VM, but largely due to the fact it uses shims in a controlled enviroment, it doesn't actually have to work with the messy hardware stuff.

  25. Re: Nobody is talking about the root causes yet... by WorBlux · · Score: 1

    Sound like a micro-kernel burnt into the microprocessor. It's almost kind of too specialized unless you already have a very strong use-case.

  26. Re:The problem is C by Xabraxas · · Score: 1

    The Windows kernel is written in C. Most kernels are written in C.

    --
    Time makes more converts than reason