Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source (techweekeurope.co.uk)
Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never more obvious than following the discovery of the Heartbleed OpenSSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and integrity of the internet."
I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult, and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their Windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux, with it very obvious that Microsoft is failing to publish any of their low priority vulnerabilities and is slow in publishing medium priority ones (if we assume the same proportions as other systems this probably means that there are about 750 Windows vulnerabilities with around 600 unpublished!!!). I'm not really sure how that's meant to undermine my case? Clearly Microsoft is still badly enough damaged by their experience at the start of the century that they still consider the need to "manage perceptions" about security. The Linux guys would do really well to learn from this and try to act now so that they avoid getting anywhere near the level of problems Microsoft still seems to have.
Heartbleed was a blessing in disguise because companies were blindly assuming this software was secure and thus never investing a dime in its development. This internet-scale problem woke up some people and now they are actually investing in real security.
Anons need not reply. Questions end with a question mark.
Still a serious bug, but if forward secrecy had been widely deployed, much, much less threat exposure would have occurred.
That's the lesson. Code audits are great, but they still miss stuff and are expensive. Take good practices more seriously, and you get a lot of bang for your investment in time/money/whatever.
Those people who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
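The forward-secrecy point above can be turned into a concrete configuration check. The following Python is an added example, not code from the original thread: it audits an OpenSSL-style cipher list (the format used by nginx `ssl_ciphers` or Apache `SSLCipherSuite`) for tokens that can negotiate a non-ephemeral key exchange. It is a heuristic over token names, not a full OpenSSL cipher-string evaluator, and the cipher strings in the tests are constructed samples.

```python
# Added example (not from the original thread): audit an OpenSSL-style
# cipher list for suites that lack forward secrecy. A static-RSA suite
# such as AES128-SHA lets anyone holding the server's long-term private
# key decrypt recorded sessions, which is what a leaked key turns into.
# Ephemeral (EC)DHE and every TLS 1.3 suite derive the session key from
# throwaway values instead, so a later key leak does not expose them.
from typing import List, Tuple

# Tokens that only ever expand to ephemeral key exchange.
FS_SUITE_PREFIXES = ("ECDHE-", "DHE-", "TLS_")   # TLS 1.3 names begin with TLS_
FS_KEYWORDS = {"kECDHE", "kEECDH", "ECDHE", "EECDH", "kDHE", "kEDH", "DHE", "EDH"}
# Anonymous DH is ephemeral but unauthenticated, so it is its own finding.
ANON_PREFIXES = ("ADH-", "AECDH-")
ANON_KEYWORDS = {"aNULL", "ADH", "AECDH"}
# Fixed (static) ECDH is not ephemeral and is not removed by "!kRSA".
STATIC_ECDH_PREFIX = "ECDH-"
STATIC_ECDH_KEYWORDS = {"kECDH"}


def audit_cipher_list(cipher_string: str) -> List[Tuple[str, str]]:
    """Return (token, reason) findings for a cipher string.

    Only positive tokens are examined: '!', '-' and '+' directives and
    '@' controls (ordering, SECLEVEL) never add suites. A '!kRSA'
    anywhere permanently removes static-RSA suites, so broad keywords
    such as HIGH are then acceptable from a forward-secrecy standpoint.
    This is a name-based heuristic, not OpenSSL's real expansion logic.
    """
    tokens = [t for t in cipher_string.replace(",", ":").replace(" ", ":").split(":") if t]
    kill_static_rsa = "!kRSA" in tokens
    kill_anon = "!aNULL" in tokens
    findings: List[Tuple[str, str]] = []
    for tok in tokens:
        if tok[0] in "!-+@":
            continue                      # directive, adds nothing
        if tok.startswith(ANON_PREFIXES) or tok in ANON_KEYWORDS:
            if not kill_anon:
                findings.append((tok, "anonymous DH: forward secret but unauthenticated"))
            continue
        if tok.startswith(FS_SUITE_PREFIXES) or tok in FS_KEYWORDS:
            continue                      # ephemeral key exchange, fine
        if tok.startswith(STATIC_ECDH_PREFIX) or tok in STATIC_ECDH_KEYWORDS:
            findings.append((tok, "fixed ECDH key exchange: no forward secrecy"))
            continue
        if kill_static_rsa:
            continue                      # static RSA already excluded globally
        findings.append((tok, "may negotiate static-RSA key exchange: no forward secrecy"))
    return findings
```

An empty result means every positive token names an ephemeral, authenticated key exchange; anything else is worth reviewing before relying on key secrecy alone.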
It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.
At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.
Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.
The article on that page reports more OS vulnerabilities for OSX and other Apple products.
Generally speaking, that's not the attack surface most people need to worry about.
The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like WordPress and so on.
The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.
I've fallen off your lawn, and I can't get up.
But it is in the interest of the customers to make sure their data never gets locked up in a format they don't control. Why wouldn't the Fortune 500 companies invest a tiny part of their IT budgets to support ACM or IEEE to play the role of arbitrator when it comes to file formats, data and export/import protocols, fundamental security etc.? These things should be neutral and no vendor should see them as yet another way to invade and occupy their customers' systems and processes.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
If this is the golden age of FOSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FOSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Switching to C++ is just opening another can of worms.
C++ just has the bad stuff from C and the bad stuff from object oriented design combined.
If you want a language for an OS that is better you will need to look at Ada or some completely different language. One of the more secure operating systems out there is OpenVMS and that's written in BLISS.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
C++ is great for masking what is actually happening in the background, which is the opposite of what you want for a kernel.
A microkernel minimizes the amount of code you have to trust. MINIX as of 3.0 is also designed to be fault-tolerant, able to recover from almost any sort of bug. You tend to get a lot of transactional and message passing overhead though. For example, the filesystem module isn't allowed to access the disk controller; it has to ask the block layer to do it and pass the result. But the block layer can't actually pass the result directly, it has to check in with the microkernel to make sure it's okay.
But the future isn't bleak: not only has hardware in general become faster, but there has also been quite a bit of design advance around these sorts of messaging systems that reduces the overhead micro-kernels generate.
I think the original argument was about design complexity though, not performance or security, as Linux started as a hobbyist desktop system. Linus's counterargument was that a microkernel design simply moved complexity to a different level and didn't actually decrease the complexity of a practical and working system.