Slashdot Mirror


Open Source Code Isn't a Warranty (opensource.com)

An anonymous reader writes: Automotive software issues such as the Jeep hack and Volkswagen cheating on emissions tests have made headlines this year, which means the public is thinking about software in cars like never before. Some experts have argued that mandating that such software be open source is a solution to the problem. In an article on Opensource.com, Ben Cotton writes that although there are definite benefits to public scrutiny of the software, code visibility alone is no guarantee. It's an important thing to bear in mind, because "Open, therefore secure" is an easy straw man to knock down.


  1. Guarantee by KatchooNJ · · Score: 3, Insightful

    I think the better word choice is "guarantee" instead of "warranty" for the headline.

    --
    "Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
    1. Re:Guarantee by ShanghaiBill · · Score: 4, Insightful

      I think the better word choice is "guarantee" instead of "warranty" for the headline.

      Also, "visible source" would be better than "open source". Unless they actually mean that anyone should be able to copy, modify, fork, and redistribute.

    2. Re:Guarantee by binarylarry · · Score: 2, Interesting

      But it allows you to create a guarantee because you can audit it.

      For closed source software, you have to trust the supplier and their guarantee.

      Do you trust yourself or your proprietary software vendor more? It can be a hard choice in some situations.

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:guarantee by bobbied · · Score: 3, Insightful

      And there is no such thing as security in closed source software.

      I'm not so sure you can claim that. Where I will admit that closed source software has less people scrutinizing it and generally more eyes the better, I will not admit that makes it less secure. If security is important enough to the developer of a closed solution, important enough to actually cause the right things to happen during development and test to catch security issues before a solution is released, it can be as secure as any software out there. If you have the right people looking at it, looking for the right things, you can produce secure solutions that are closed source.

      You see, open source just allows more folks to look at the details, it doesn't mean that the right kind of people actually do look at it. With closed source, you can get secure by demanding it from your development team and giving them the resources to accomplish it.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:Guarantee by pixelpusher220 · · Score: 1

      Visible is open. If the code is visible I'm able to download it and modify/fork/redistribute; legality of that is an, ahem, open question.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    5. Re:Guarantee by Capt.Albatross · · Score: 3, Insightful

      Do you trust yourself or your proprietary software vendor more? It can be a hard choice in some situations.

      It's a Hobson's choice for me, as I don't have the time or resources to verify the software of my car, let alone those that I rent.

    6. Re:Guarantee by jellomizer · · Score: 2

      For the VW incident, having the code open probably wouldn't do much, as it is just the settings/input file which would cause the damage.
      Your code could be perfect and still used for evil.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    7. Re:Guarantee by AmiMoJo · · Score: 1

      Head over to XDA Developers, where people mod phone firmware for fun. Note the number of wannabe coders who rant about how stupid Google is and how Android is complete crap without their mods and "fixes". Have a look at some of the scripts and apps they have written.

      Very, very few people are qualified to write embedded software for cars, and fewer still to audit it and understand what is safe and why things are done the way they are done. We really, really don't want random people screwing with their car's firmware and then driving around. Most countries have rules against certain hardware mods to cars for the same reason, or at least require an inspection after they have been made. Imagine trying to inspect thousands of different source code mods.

      Anecdote time. A friend had a "chip" installed in his car years ago, basically an EEPROM that had "tuned" engine parameters for more performance. It kept stalling when idle. He spent a lot of money having the engine stripped down etc., and eventually tried swapping the chip back, which fixed it. Even the self-appointed "pros" don't seem to have a clue.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Guarantee by mwvdlee · · Score: 1

      What guarantee do you have that your car runs the code you were allowed to see?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:Guarantee by mwvdlee · · Score: 2

      That file would be considered source code as well.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    10. Re:Guarantee by ShanghaiBill · · Score: 3, Insightful

      I don't have the time or resources to verify the software of my car

      I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

    11. Re:Guarantee by alvinrod · · Score: 1

      But you don't have to though as long as one other person does it and reports the results. I don't have time to fix bugs in a lot of the open source software that I use, but someone else does and I get the benefits of that at no cost to myself, and if I make any contributions, someone else can benefit from my work as well.

      There's probably someone with either enough time on their hands or the predilection towards such things that they would do an audit and more than likely you'd get a small handful of people to independently perform the audit and submit fixes for issues or at least a report of something that appears off. It also benefits the manufacturer since they have people doing the auditing essentially for free and helps them to improve their software.

    12. Re:Guarantee by ShanghaiBill · · Score: 1

      What guarantee do you have that your car runs the code you were allowed to see?

      All the consumer safety lawyers willing to make themselves rich by suing car companies.

      After a serious accident, if the car company cannot reproduce the binary from the published code, they are going to be forking over a lot of money.

    13. Re:Guarantee by Capt.Albatross · · Score: 4, Insightful

      I don't have the time or resources to verify the software of my car

      I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

      Many of the things you use are welded shut - integrated circuits, for example.

    14. Re:Guarantee by Capt.Albatross · · Score: 1

      None of this matters unless it is actually happening to a significant extent. I could be persuaded by statistical evidence, but not by wishful thinking, no matter how often it is repeated.

    15. Re:Guarantee by TheCarp · · Score: 1

      yes but, as long as some number of people are willing and interested enough, which for something as widely used as a car, you can expect will be the case (even if it wasn't open, people would be hacking on it), then it works anyway.

      Though, in no way are you really protected, it's not like "bugs" can't be engineered and well obfuscated.

      Oh gee look, some odd data corruption when this register overflows and.....oh quite odd there.

      --
      "I opened my eyes, and everything went dark again"
    16. Re:Guarantee by Capt.Albatross · · Score: 1

      There seem to be a great many people here who are confident that someone else is going to do this for them.

    17. Re:Guarantee by mwvdlee · · Score: 1

      Can the car makers require that their custom compiler tool-chain is used?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    18. Re:Guarantee by F.Ultra · · Score: 1

      If you don't think that Open Source software has bugs fixed by people all over the world right now "to a significant extent" you must be living in denial. Granted it does not happen to 100% of all projects but if a product is running FLOSS you can be sure to a big percentage that there is someone else hacking it.

    19. Re: Guarantee by KGIII · · Score: 1

      You know what's in your post?

      More than meets the eye.

      --
      "So long and thanks for all the fish."
    20. Re:Guarantee by KGIII · · Score: 1

      A study, not that long ago, said something like 98% of all open source projects get abandoned in ____ amount of time. I forget how long. I'm not sure that you can say that a "big percentage" has someone else hacking it. It's quite a stretch to do so. This may be true for popular software but that's actually not the majority of open source software.

      And no, I'm a Linux user. A registered Linux user actually. I'm just not a zealot and am inclined to try to be honest. It's the internet, you can do that here.

      --
      "So long and thanks for all the fish."
    21. Re:Guarantee by KGIII · · Score: 1

      A generic .config is usually in the source but that often gets edited and is not included in the source. Why would it be included in this source?

      --
      "So long and thanks for all the fish."
    22. Re:Guarantee by Capt.Albatross · · Score: 1

      The fact that bugs are found and fixed in open-source code does not allow you to conclude that open-sourcing will improve bug discovery to any significant extent. That is the issue where wishful thinking is being substituted for evidence.
         

    23. Re:Guarantee by exomondo · · Score: 1

      I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

      What's the difference? If you don't have the time or resources to replace it then it's not going to get replaced. Generally most people don't have the time, but do have the resources to get engine parts replaced.

    24. Re:Guarantee by KGIII · · Score: 1

      Actually, I kind of have a theory that every single one of those abandoned projects is still running somewhere - probably on a headless device, in the closet, in the back of a server room, and was installed by a guy who quit ten years ago. I think they're spectral. I'm only partially kidding.

      --
      "So long and thanks for all the fish."
    25. Re:Guarantee by mwvdlee · · Score: 1

      A generic config file is something that is supposed to be tailored to the individual end-user. In the case you describe it would be a static file that would be identical for each installation of the code. How is that any different from a very specialized domain-specific programming language?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    26. Re:Guarantee by Runaway1956 · · Score: 1

      "significant extent."

      Define "significant". If someone makes a patch which I apply to MY CAR, that is significant, to me.

      And, because I applied the patch, my car DOES NOT accelerate uncontrollably, or veer off the road, or catch fire and blow up, or turn into a Decepticon in your children's school zone, it's pretty significant to you as well.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    27. Re:Guarantee by KGIII · · Score: 1

      They don't use the code across multiple vehicles with different configurations and settings?

      --
      "So long and thanks for all the fish."
    28. Re:Guarantee by mwvdlee · · Score: 1

      They sure can. But the settings files for the individual vehicles will be identical across all cars of the same model.
      It's kinda like translations; you're only using one set of them, but they're still considered part of the code.
      Otherwise, please explain why programming language IS source code and some more specialized and limited language (what these files are) ISN'T source code.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    29. Re:Guarantee by jellomizer · · Score: 1

      I would probably draw the line on if the config file contains something the equivalent of an IF statement.
      Where using the config file will define the order and decision making based on previous inputs.

      That would include #ifdef style commands.
      However if it is just a table...
      Default = 50
      60 kph = 40

      While it may perform a critical role in the decision process it isn't changing the logic, just the thresholds.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    30. Re: Guarantee by Capt.Albatross · · Score: 1

      You missed out the bit about significance. Without that, your observation is irrelevant.

    31. Re:Guarantee by KGIII · · Score: 1

      Why? Oh, just 'cause they'd use it to hide it still. But it doesn't seem *likely* that the settings file (the .config) will be identical across vehicles. Sometimes you even get a generic config that you'd change yourself to suit the environment variables. They could easily say, "Well, there's the source code." They'd be accurate, I guess. I'm kind of thinking along the lines of, say, a PHP script with manual installation.

      --
      "So long and thanks for all the fish."
    32. Re:Guarantee by F.Ultra · · Score: 1

      Where do you think companies such as Coverity find source code to improve their scanners? It's probably not in closed software.

    33. Re:Guarantee by F.Ultra · · Score: 1

      And how many of these 98% are forked into new maintained projects? If it's completely abandoned then it probably also does not have any users?

    34. Re:Guarantee by KGIII · · Score: 1

      Probably very few and I think the definition of abandoned that they used was also a little flawed, to be fair. I think they defined it as any project not getting updated in a year which is, well, kind of silly. I forget how many never got finished, never had their features fully implemented, etc... It was a pretty high amount. I still figure someone's using the half-baked version somewhere, code doesn't really die these days. It just gets tucked away in a server closet.

      --
      "So long and thanks for all the fish."
    35. Re:Guarantee by Capt.Albatross · · Score: 1

      Well, there is also the code of their paying customers, but you make a good point - the only one I have seen so far that doesn't seem to depend on wishful thinking.

      Ironically, Coverity's own code is closed.

    36. Re:Guarantee by F.Ultra · · Score: 1

      Yes, there is the code of their paying customers, but they would get nowhere as a startup without access to the great wealth of open source code, and while they are closed source themselves they have somewhat paid back by reporting the bugs they found to each project.

    37. Re:Guarantee by F.Ultra · · Score: 1

      Granted, however there are probably just as many if not more closed projects dying the very same death inside companies; of course they are used only for internal stuff. In every workplace that I have been to there has always been the "this system we do not ever touch because no one knows what it does or how it works, but it does". And the source of most of these projects is also long gone, a situation that we at least don't have with the open projects.

    38. Re:Guarantee by KGIII · · Score: 1

      Absolutely true and not a point I was asking about or commenting on. I was simply addressing the idea way back up there in the initial post that I replied to. ;-) I quite agree with the rest of your statement. Hell, I don't even know who the OP was any more. Hmm... Ah yes - "you can be sure to a big percentage that some one else is hacking it." No, not really. You can be sure, to a big percent, that someone *could* be. Not that there is. It's not even statistically likely that someone is actively hacking it with 98% of them being abandoned/no longer developed.

      --
      "So long and thanks for all the fish."
  2. "Open == Secure"? by Anonymous Coward · · Score: 1

    "Open == Secure" Or "Open == More Secure than Closed"?

    These are very different claims.

    1. Re:"Open == Secure"? by SecurityGuy · · Score: 3, Insightful

      They're both wrong.

      Open == You can audit it if you want. It's absolutely no guarantee that anyone ever has.

    2. Re:"Open == Secure"? by vyvepe · · Score: 1

      They're both wrong.

      Open == You can audit it if you want. It's absolutely no guarantee that anyone ever has.

      There may not be a guarantee but there is a good chance it is statistically true. There exists a group of people who may want to audit a car's software and they can do it only when it is open. Therefore open source software should have a higher chance of being audited.

    3. Re:"Open == Secure"? by SecurityGuy · · Score: 1

      Closed source, commercial software is written by people who are paid to do it. Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing. Therefore closed source software has a higher chance of being audited.

      We're both just constructing arguments that may or may not be true. My point is that those arguments are irrelevant. A given piece of software either has or has not been audited. It doesn't matter if it's closed or open, it matters if it's been audited by someone who is technically proficient enough to do the job to the satisfaction of the user.

    4. Re:"Open == Secure"? by gweihir · · Score: 1

      No. "closed" => "almost sure not secure".

      Opening it is only one step that _must_ be done to make it secure. It is necessary, but not sufficient.
      Hence for those too limited to understand implications, it is

      "closed == insecure" and
      "open == secure or insecure"

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:"Open == Secure"? by pixelpusher220 · · Score: 1

      Indeed....or Perfect, meet Good...try not to be enemies.

      --
      People in cars cause accidents....accidents in cars cause people :-D
    6. Re:"Open == Secure"? by firewrought · · Score: 1

      A given piece of software either has or has not been audited. It doesn't matter if it's closed or open, it matters if it's been audited by someone who is technically proficient enough.

      Close... you have to trust not only the auditor's technical proficiency, but also their intentions. With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      Closed source, commercial software is written by people who are paid to do it.

      So is open source, in a surprising number of cases.

      --
      -1, Too Many Layers Of Abstraction
    7. Re:"Open == Secure"? by ShanghaiBill · · Score: 1

      Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing.

      I have worked on plenty of both open source and closed source projects over the last 30 years, and this is nonsense. If someone is being paid to do it, then a PHB is setting the priorities, and the programmer is working for pay rather than passion.

      I have worked on projects that converted from closed to open source. It was a months long process to clean up all the vomit code, before the company wasn't too embarrassed to make it public. When Netscape went open source, the open source community looked at their code, and decided it was such a pile of crap that it would be easier to just throw it all away and start from scratch.

      Also, plenty of people get paid to work on open source.

      Therefore closed source software has a higher chance of being audited.

      Hogwash.

    8. Re:"Open == Secure"? by Capt.Albatross · · Score: 1

      This is not addressed to you specifically, but to everyone who supports the proposition that open-sourcing is an important step in achieving security:

      1) Did you make any use of OpenSSL before Heartbleed was made public? (if not, are you sure?)

      2) If so, did you discover this vulnerability during your inspection of the code?

    9. Re:"Open == Secure"? by jellomizer · · Score: 1

      How you licence and distribute your code doesn't equate to its quality.

      Normally Open Source code that is made to be viewed by others will avoid taking shortcuts, while closed source will try to hide time-saving methods. But it isn't always the case. A company that is offering a warranty on their code with a good enough penalty for issues will be more thorough than with an open source project.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re:"Open == Secure"? by vyvepe · · Score: 1

      Closed source, commercial software is written by people who are paid to do it. Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing. Therefore closed source software has a higher chance of being audited.

      Why do you think a car company would not audit open source software it is using in their cars? They can get publicly ridiculed for low quality of their code. Would you buy a car from a company which was shown to have crappy and insecure code in their cars? This is not like a PC which you can reboot and all is fine. And why do you think a company which does not audit its open source code would audit its closed source code?

      We're both just constructing arguments that may or may not be true. My point is that those arguments are irrelevant. A given piece of software either has or has not been audited.

      I agree with you. My point is that in the case of a car software the openness of the source code would give the company even more incentives to audit it yourself compared to a closed source code. And moreover there are people who are really interested in cars and which would definitely look at the code. What about all the rodhoders?

      I mean you want to move experience from simple PC software to car software. I do not think this is valid.

    11. Re:"Open == Secure"? by Hognoxious · · Score: 2

      With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      Better yet, from one of their competitors.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:"Open == Secure"? by thechemic · · Score: 1

      My point is that those arguments are irrelevant.

      Closed source software is written by people that are BOTH not paid to do it and paid to do it. Open source software is written by people that are BOTH not paid to do it and paid to do it. You make incorrect assumptions and irrelevant points in your arguments to illustrate that somebody else's arguments are irrelevant.

      Closed source can only be audited by people who are granted the permission to view the code by the copyright holder (small pool of auditors). Open source software can be audited by anyone (larger pool of potential auditors). When it concerns public safety, copyright holders have an interest in protecting access to flaws which would tarnish their reputation so they control auditor access. However, the public has an interest in auditing software which renders products/services unsafe to use, so the power of the community is employed to audit and improve open source software in ways which make it safer. Clearly, when it concerns matters of public safety, open source software is more likely to be audited.

      --
      Let's make like a bird... and get the flock outta here.
    13. Re:"Open == Secure"? by SecurityGuy · · Score: 1

      Of course it's hogwash. You missed my point that it, like vyvepe's argument, is arbitrary speculation and not based in actual fact.

      Closed source doesn't make software secure. Open source doesn't make software secure. Securing software makes it secure. Assuming that someone else always bothered to do that for any given piece of open source software is foolish.

    14. Re:"Open == Secure"? by ThosLives · · Score: 1

      There is no philosophical (or mathematical) argument that supports the notion that "opening" source code is necessary for the software it represents to be secure. Both proprietary and "open" software have examples of both "secure" and "insecure" software.

      It's all about the validation process; not who performs it.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraphrase)
    15. Re:"Open == Secure"? by gweihir · · Score: 1

      Actually, it is very much about who performs it. "Processes" are basically useless in making anything secure.

      And who said anything about "philosophical" or "mathematical"? You are barking up the wrong tree entirely. The arguments are economical and psychological.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:"Open == Secure"? by Archangel+Michael · · Score: 1

      Open == Secure
      Closed == Secure

      The only secure software is one that is repeatedly tested and fixed to stay that way. Vulnerabilities will exist in both Open and Closed software, the question isn't which has more (or less) it is once discovered, what can YOU (the end user) do to fix it.

      In this case just look at the Android Marketplace and all the various versions of Android out there, and how the manufacturers support them. If it wasn't for CyanogenMod and others many of these usable devices would never get updated. Ever.

      And that is my fear when I look at other "systems" out there. And quite frankly, from what I've seen, the security is an afterthought mentality is criminal. Give me access to fix what you can't or won't, or don't do it at all. Period.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    17. Re:"Open == Secure"? by Capt.Albatross · · Score: 1

      Even if that were true, it would not follow that closed-source code is necessarily insecure.

    18. Re:"Open == Secure"? by phantomfive · · Score: 1

      Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing.

      Citation needed.
      In my experience, closed source projects are lower quality, and I've never worked on a closed-source project that was audited by a third party (I'm sure it happens sometimes, but it happens a lot with open source). With closed source software, at best an acquiring company will send a manager to skim through the code to determine if it is worth acquiring. Even in those cases, the manager typically doesn't check out the project and build it himself, he just looks over it, sometimes guided by the author of the code.

      Open source code usually has higher quality, because the people writing it actually care. People at work are there to get paid.

      --
      "First they came for the slanderers and i said nothing."
    19. Re:"Open == Secure"? by BasilBrush · · Score: 1

      This is counting angels on the head of a pin. There's no evidence whatsoever that open source gets audited at all. The fact that OpenSSL, the software with the most need to be secure, was broken for many years is evidence that it probably isn't.

      The fact that *IF* you had the expertise and the time and reason to audit it if you wanted to is hypothetical and irrelevant if no one ever does.

      So is open source, in a surprising number of cases.

      And in a surprising number of cases it's done as a side project that no one cares about beyond it performing the specific task that it's used for by the paid person and their organisation.

    20. Re:"Open == Secure"? by Capt.Albatross · · Score: 1

      And your point is? If you desire to be recognized as a smart-ass, congratulations, you have established that you are. Only a smart-ass talks absolutes in a discussion like this.

      You were eager to participate in just such a discussion until I called your bluff.

    21. Re:"Open == Secure"? by gweihir · · Score: 1

      And an inflated ego in addition to being a moron. Fascinating.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:"Open == Secure"? by KGIII · · Score: 1

      Err... Didn't you say that software ABSOLUTELY must be open to be secure up above? Some "must be done" part... Now you're saying not to speak in absolutes. Methinks you lost this one.

      --
      "So long and thanks for all the fish."
    23. Re:"Open == Secure"? by Capt.Albatross · · Score: 1

      And an inflated ego in addition to being a moron. Fascinating.

      Your descent into schoolyard taunts gives me the satisfaction of knowing that I have hit the nail squarely on the head.

    24. Re:"Open == Secure"? by exomondo · · Score: 1

      Close... you have to trust not only the auditor's technical proficiency, but also their intentions. With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      Right but does anybody actually do this? Like it sounds good in theory but does it work in practise. Strikes me there are a lot of existing open source projects that would be viable candidates to prove this out.

    25. Re:"Open == Secure"? by exomondo · · Score: 1

      "open == secure or insecure"

      So what is an example of an open project that is audited and verified as secure? The ability to do this is very often quoted as a benefit so there should be a lot of examples that could be used as case studies to further justify it.

    26. Re:"Open == Secure"? by bingoUV · · Score: 1

      Closed source, commercial software is written by people who are paid to do it

      1. Not true - e.g. non-open-source shareware

      2. Open source software is also at times written by people who are paid to do it.

      So imagine "Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing"

      It is a closed source software at this point, with X level of security. NOW open source it - it becomes Y level of security.

      Claim is that Y >= X.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    27. Re:"Open == Secure"? by bingoUV · · Score: 1

      But does anybody actually audit closed source software?

      Like it sounds good in theory but does it work in practise[sic]. Strikes me there are a lot of existing closed source projects that would be viable candidates to prove this out.

      As far as guarantee of competent audit goes - it is in neither open nor closed source software. As far as existence of insecure software goes - it is in both open and closed source software.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    28. Re:"Open == Secure"? by exomondo · · Score: 1

      But does anybody actually audit closed source software?

      Did you read the post I was responding to? I even quoted it, but I'll do it again: "With open source, you have the option--no, the power--of getting a second opinion." So the question stands. Why are you talking about closed source?

      Like it sounds good in theory but does it work in practise[sic]. Strikes me there are a lot of existing closed source projects that would be viable candidates to prove this out.

      Prove what out? I don't think I've ever seen the "ability to audit" paraded as an advantage of closed source software, but I certainly have for open source software, hence the question.

      As far as guarantee of competent audit goes - it is in neither open nor closed source software. As far as existence of insecure software goes - it is in both open and closed source software.

      I'm not talking about closed source software, I'm talking about open source software. What part of what was written are you having difficulty understanding? It's not that complicated.

    29. Re:"Open == Secure"? by bingoUV · · Score: 1

      1. What kind of software is NOT open source?

      2. Audit is being touted as an "advantage" of open source software over what other kind of software?

      3. Can "advantage" ever stand without comparing with a disadvantage?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    30. Re:"Open == Secure"? by exomondo · · Score: 1

      So you're actually saying that you can't answer my question until I answer your question which is just repeating my question but replacing "open" with "closed"?

      Whether it is practical or not and whether one can or does audit open source software is not affected in any way, shape or form by the ability to do so in closed source software. So you being a braindead parrot just demonstrates you don't know how to answer the question. But I'll answer your question anyway:

      But does anybody actually audit closed source software?

      I don't know.

      Like it sounds good in theory but does it work in practise[sic]. Strikes me there are a lot of existing closed source projects that would be viable candidates to prove this out.

      Prove what out? This is a nonsensical restatement of what I wrote.

    31. Re:"Open == Secure"? by bingoUV · · Score: 1

      So you're actually saying that you can't answer my question until I answer your question which is just repeating my question but replacing "open" with "closed"?

      No, I am asking even more basic questions because you are demonstrating ignorance of even more basic points. So tell me, can an "advantage" ever exist without comparison with a "disadvantage"?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    32. Re:"Open == Secure"? by exomondo · · Score: 1

      No, I am asking even more basic questions

      Wrong, you just restated my initial question because you couldn't answer it, you idiot.

      So tell me, can an "advantage" ever exist without comparison with a "disadvantage"?

      Irrelevant, the question you failed to answer said nothing about "advantage":

      Right but does anybody actually do this? Like it sounds good in theory but does it work in practise. Strikes me there are a lot of existing open source projects that would be viable candidates to prove this out.

      It's a very simple question, why do you have so much difficulty with it?

    33. Re:"Open == Secure"? by bingoUV · · Score: 1

      Irrelevant, the question you failed to answer said nothing about "advantage":

      That is why I didn't ask the aforementioned "even more basic questions" until this, where you did say something about "advantage". In fact you used this word in its entirety with correct spelling.

      So after you did mention "advantage", I ask this to see if you have any clue about what "advantage" means. I do this because from your other sentences it appears you don't have such a clue, but appearances can be deceptive. And until you do acquire such a clue, making any statement to you about this subject which includes a concept of advantage as you demonstrate yourself by using the word will be fruitless.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    34. Re:"Open == Secure"? by bingoUV · · Score: 1

      1. What kind of software is NOT open source?

      Software that does not fit the Open Source Definition.

      No, I didn't ask about Open Source. I asked about open source.

      2. Audit is being touted as an "advantage" of open source software over what other kind of software?

      Probably software that does not fit the Open Source Definition.

      No, source visible and some sort of verification that same source code is actually creating the executing code is enough for touting audit as an advantage.

      3. Can "advantage" ever stand without comparing with a disadvantage?

      The question appears to be whether the advantage is valid at all.

      Appears wrong to you then. I am not asking that question.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    35. Re:"Open == Secure"? by exomondo · · Score: 1

      Here it is, yet again:

      >>Close... you have to trust not only the auditor's technical proficiency, but also their intentions. With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      >Right but does anybody actually do this? Like it sounds good in theory but does it work in practise. Strikes me there are a lot of existing open source projects that would be viable candidates to prove this out.

      Here.

      Try again, it really is not that complicated.

    36. Re:"Open == Secure"? by bingoUV · · Score: 1

      Have you recalled using the word "advantage" yet?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    37. Re:"Open == Secure"? by exomondo · · Score: 1

      I never said I didn't, merely that it wasn't in the initial question and is not relevant at this stage.

      So here is the initial question, in context, yet again:

      >>Close... you have to trust not only the auditor's technical proficiency, but also their intentions. With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      >Right but does anybody actually do this? Like it sounds good in theory but does it work in practise. Strikes me there are a lot of existing open source projects that would be viable candidates to prove this out.

      Try again, it really is not that complicated...well not for most people though you are obviously having a great amount of difficulty with it.

    38. Re:"Open == Secure"? by bingoUV · · Score: 1

      Ok, great. In the context where you used the word "advantage", can advantage be relevant without comparison with a disadvantage?

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    39. Re:"Open == Secure"? by exomondo · · Score: 1

      Ok, great. In the context where you used the word "advantage", can advantage be relevant without comparison with a disadvantage?

      If the ability to audit software is advantageous - which is precisely what I'm trying to establish, but you obviously have no idea hence your inability to answer the question - then comparable software which does not have this ability would be at a disadvantage with respect to this. However at this point that is completely and utterly irrelevant because the question remains:

      >>Close... you have to trust not only the auditor's technical proficiency, but also their intentions. With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

      >Right but does anybody actually do this? Like it sounds good in theory but does it work in practise. Strikes me there are a lot of existing open source projects that would be viable candidates to prove this out.

      Again, it isn't that complicated so why can't you answer it? It seems no matter how many times it is posed you lack the basic cognitive function to understand a very very simple question. Unfortunately it seems it cannot be dumbed down to your level.

    40. Re:"Open == Secure"? by bingoUV · · Score: 1

      So you're saying that in the context where you used the word "advantage", advantage can be relevant without comparison with a disadvantage, if the ability to audit software is advantageous. Basic cognitive function indeed.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    41. Re:"Open == Secure"? by exomondo · · Score: 1

      So you're saying that in the context where you used the word "advantage", advantage can be relevant without comparison with a disadvantage, if the ability to audit software is advantageous.

      No, nowhere did I say nor infer that. Try again.

    42. Re:"Open == Secure"? by bingoUV · · Score: 1

      It was nearly directly from your post, but considering your intelligence, this should be slightly clearer:

      Ok, great. In the context where you used the word "advantage", can advantage be relevant without comparison with a disadvantage?

      If the ability to audit software is advantageous ...

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    43. Re:"Open == Secure"? by exomondo · · Score: 1

      Sorry, but that in no way infers this. Try again. This need to "try again" on simple statements really is a recurring theme with you.

      But back to the question at hand, the question you originally responded to yet are unable to answer here. Try again to answer it, but of course like the several other times I have posed the exact question you have failed time and time again. It's not that hard, I know you're frustrated at your cognitive disability but surely if you read it slowly you can answer it and see how discussions of whether it is an "advantage" are not relevant or in any way necessary to answer that question. Your inability to answer it thus far has already proved you a simpleton but even you should be able to manage it given enough attempts.

    44. Re:"Open == Secure"? by bingoUV · · Score: 1

      OK, so you don't recognize a yes/no question when you see one. Try answering this again (hint: this can only be answered in yes or no, if you feel other words coming forth, you have not understood the question which is not surprising so read it again.)

      "In the context where you used the word "advantage", can advantage be relevant without comparison with a disadvantage?"

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
  3. However.. by Anonymous Coward · · Score: 4, Interesting

    The more insight into code, the less likely companies will do what VW did because it's open to public scrutiny. I think we should be focusing on the "Open, therefore open to scrutiny" than the misconception of "Open, therefore secure".

  4. "Open, therefore secure" by gQuigs · · Score: 4, Interesting

    or maybe...

    Open, therefore not illegal to review?

  5. Not a straw man! by Mjlner · · Score: 1

    A straw man attack consists of refuting an argument which no one is making. It is not a generic term for false arguments. "Open, therefore secure" may be false, but it is not a straw man.

    OTOH, since no one is making the case that open source is secure by default, the last line does look like a straw man. (But it's not really.)

    --
    Lemon curry???
    1. Re:Not a straw man! by Anonymous Coward · · Score: 1

      You just refuted your own point. "Open, therefore secure" is an argument which no one is making.

  6. -1 Stupid by Grishnakh · · Score: 1, Insightful

    This software absolutely should be open-source. The OpenSSL issue is an example of why open source is superior, even though it's obviously no guarantee you'll have no problems: when the vulnerability was discovered, it was fixed very quickly.

    The problem with proprietary software is that there's no way to actually fix it, unless the vendor wants to. When the OpenSSL problem was found, a fix was made and rolled out, and everyone was able to install it.

    When a vulnerability is found on your 5-year-old Jeep and publicized, what do you do when Jeep decides they don't feel like fixing it for you? Guess what, you're screwed! Now hackers can take control of your vehicle and drive you off a cliff, and there's nothing you can do about it because the vendor doesn't care and there's no way to upgrade the software yourself.

    This kind of thing shows exactly why Stallman had the right idea about "TiVOization". Not only is it important that you can have access to the source code for your device so that you can modify or fix the code, but it's equally important that you can actually get the fix *onto* the device so you can use it. Otherwise you're at the vendor's mercy.

    Luckily cars are so heavily regulated that my Jeep scenario above is unlikely, simply because of government regulation and also lawsuits, but this isn't true of other places where physical safety isn't a factor. With the current "IoT" push to connect every little device to the internet, having the firmware open-source is more important than ever because of the security issues, combined with the **proven** tendency of vendors to abandon support after a few months.

    1. Re:-1 Stupid by MyNicknameSucks · · Score: 1

      Jeep releases vehicle with buggy software.

      Buggy software comprises 10 million lines of code (the estimate of the size of the offending VW code).

      Years down the road, after extensive analysis, white hat posts new and improved software to Git.

      ????

      At issue here is how does a third party hack get distributed to end users?

      Further, car makers really don't like it when you chip your car. Last year, I got a warranty notice for my A3 TDI saying my car needed new software to fix part of the emissions control system (ha!). There was an extensive bit saying that chipped cars were ineligible for (in my case, extended) warranty work. The reason for this is straightforward enough: most people chip their cars for performance which can introduce added stress to components.

    2. Re:-1 Stupid by thegarbz · · Score: 1

      The OpenSSL issue is an example of why open source is superior, even though it's obviously no guarantee you'll have no problems: when the vulnerability was discovered, it was fixed very quickly.

      I think the OpenSSL issue is an example of exactly the opposite. It was a textbook example of an open source project that had convoluted and complicated code that actively disincentivizes anyone from looking at the code and thus allows code to go without review and bugs unseen. The idea was that all bugs are shallow yet Heartbleed and Shellshock have both shown some bugs that have stayed with the system despite repeated modifications to the source code and presumably people reading and working with it for many years.

      Open source is superior only in that it provides an ability to do a code review. Clearly that has failed spectacularly in some of our most common and most depended upon open source components.

    3. Re:-1 Stupid by Grishnakh · · Score: 1

      Only a complete moron would think that proprietary software is immune to problems and that proprietary vendors are proactive about finding and fixing security vulnerabilities.

    4. Re:-1 Stupid by Grishnakh · · Score: 1

      I don't see how it'd be any different for proprietary vs. open-source here. They're both going to have vulnerabilities; that's unavoidable with software of any kind. There's always going to be some time between when the bug is found and when it's fixed, during which it can be exploited (worse if black-hats find it first and sell it or use it). The difference between the two is how fast you get a fix, and if you get one at all. With proprietary, you're entirely at the vendor's mercy; if they're really good, you get a fix very quickly. If they're mediocre, you get a fix after some time, and hopefully you don't suffer serious consequences. If they really suck, you don't get a fix at all, ever, because they don't feel like it, and they tell you to just go buy their latest version. With open-source, you have multiple avenues: hopefully there's a community that issues a fix, otherwise you still have the ability to fix it yourself or hire someone competent to do it for you.

    5. Re:-1 Stupid by Grishnakh · · Score: 1

      It IS different. If the project's unmaintained, you still have the source code available and can fix it yourself.

      You can't do that with a proprietary product. If the proprietary vendor doesn't feel like fixing it, you can't force them to, and you can't do it yourself because you don't have the source code.

      If you don't see what the difference is here, I can't help you.

    6. Re:-1 Stupid by Grishnakh · · Score: 1

      Open source is superior only in that it provides an ability to do a code review. Clearly that has failed spectacularly in some of our most common and most depended upon open source components.

      Huh? I never said OS was perfect; far from it in fact. It's also no guarantee that people are actually going to audit it. I don't understand why people keep thinking this. But if you think proprietary software is of higher quality on average, you're deluded. There's crap code in both camps.

    7. Re:-1 Stupid by thegarbz · · Score: 1

      But if you think proprietary software is of higher quality on average, you're deluded.

      I implied nothing of the sort. Only that OpenSSL showed that open source is not actually all that superior unless you back it with very strict conditions. It can be superior but that requires distribution infrastructure and regular code audits. Otherwise an unread open source is as superior as a completely closed source.

      But to address your comment very directly, OpenSSL showed how slowly such systems actually get patched. With openness comes fragmentation. I didn't just have to wait for OpenSSL to fix the bug, I had to wait for my distro to release and update their specific version (which to their specific credit they did quite quickly, others not so).

      To be clear, open source has many advantages, but it also has disadvantages, and it also has plenty of misinformation and misunderstandings associated with it.

    8. Re:-1 Stupid by Grishnakh · · Score: 1

      Otherwise an unread open source is as superior as a completely closed source.

      The superiority of open-source software isn't in the code quality; that's a misconception. It's in the openness. The code quality can be good or bad, just like with proprietary software. Code that's audited more heavily and managed better is going to have better quality, whereas code that isn't audited or inspected is going to be luck-of-the-draw (basically depending on how good a coder the one guy who wrote it is). The difference is that open-source is *open*. So if you're really interested, you can look at it to judge the quality for yourself. You can't do that with proprietary software. For all you know, Adobe Reader could be total spaghetti code, or it could be excellent. There's no real way to know since you can't see the code. And there's no easy way to see if it has backdoors or malware built in, except by black-box testing.

      But to address your comment very directly, OpenSSL showed how slowly such systems actually get patched. With openness comes fragmentation. I didn't just have to wait for OpenSSL to fix the bug, I had to wait for my distro to release and update their specific version (which to their specific credit they did quite quickly, others not so).

      I don't see how that's a problem, that seems like a strength to me. You picked a good distro, and they fixed the problem "quite quickly", so what are you complaining about? You're mad because some other crappy distro didn't? Then don't use that distro. With proprietary software, you don't have this freedom. MS has been known to not proactively patch problems in the past, and prefer that they not be publicized. What's your alternative if you decide you don't like the way MS manages its "distro"? You don't have one. You can abandon Windows altogether, or run it in a VM, or some other crappy workaround, but you can't find an alternative company with a slightly different version of Windows to run all your Windows applications on. With your Linux distro, you do. If you decide your current distro sucks and isn't handling security problems very well, you can easily switch to an alternative distro. Going from Ubuntu to Mint is easy, going from Mint to Debian isn't too hard, going from RHEL to Suse is easy, etc. Even going between the Red Hat and Debian camps isn't *that* hard. This isn't "fragmentation", this is competition. They were apparently all using OpenSSL, so it was just a matter of patching the problem and rolling out the fix. Fragmentation is when they all decide to make their own, incompatible versions of something. That's what happened with old UNIX, where compiling software to run on HP-UX was significantly different than compiling it for Solaris. Linux isn't fragmented that badly at all. It could use more standardization for sure, but it's really not that bad, considering how much diversity there is. Having the same kernel across all distros, and the kernel having a very strict policy of never altering or deprecating syscalls probably is a big help there, plus they all seem to use glibc.

      Anyway, I went off on a tangent there. The other big strength with open-source is that you were able to get OpenSSL patched. With proprietary software, there's no such guarantee. OpenSSL was open-source, so if the maintainers didn't bother to fix it, or to do it quickly, someone else could fairly easily have done so, since everyone has access to the source code. With proprietary software, if the vendor decides they just don't feel like fixing the problem, then you're screwed. What do you do when MS says they're not making any more security updates for XP, but you have expensive network-connected industrial equipment built on it? Well, you're screwed, and you either get it off the network or rely on a bunch of firewalling or other workarounds. If it were built on Linux, you'd be able to patch it.

  7. Open Source is no guarantee... by CAOgdin · · Score: 1

    ...but it admits to the possibilities that a) an enterprising white hat (or black hat) CAN inspect the code for integrity, logical structure, and fitness for purpose, and b) if a black hat can (or could, or does) exploit the code, a white hat can improve the code to close that security breach. Closed Source limits the potential white hats to those the intellectual property owner chooses...and they have little economic incentive to choose well or comprehensively, or ask for expensive comprehensive inspection of the code to find potential flaws, because it will increase their costs.

    1. Re:Open Source is no guarantee... by Bert64 · · Score: 1

      And blackhats frequently do have illegal access to closed source code, putting whitehats (and every other user) at a significant disadvantage.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re:'Open, therefore secure', LOL by Anonymous Coward · · Score: 1

    Nobody finds vulnerabilities by reading source or machine code.
    You fuzz it until it crashes, then you analyze the core dump - no source code needed.
    You don't care what it does, or where it crashes, you care what input makes it crash, where the input ends up in memory, and what you can do placing shellcode there.

  9. Duh... by gweihir · · Score: 4, Insightful

    Another stupid comment by people that do not understand the difference between a "necessary condition" and a "sufficient condition".

    Open-sourcing the software/firmware in question is a necessary thing. That means it must be done. It is not a sufficient condition. That means it is not enough. It still must be done, but other things must be done in addition to get the desired outcome.

    It is almost as if people do not understand basic logic anymore. No surprise so many things in the IT space get screwed up badly these days.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Duh... by swillden · · Score: 1

      Open-sourcing the software/firmware in question is a necessary thing. That means it must be done. It is not a sufficient condition.

      I love open source, and I think the default approach for much software should be open, but it's neither necessary nor sufficient. The insufficiency is clear, at least in the short term. With regard to necessity, there are lots of other options. Here are a few:

      1. The vendor could be held liable for any and all security breaches and reliability problems due to their software. That is, they could be required to provide warranties/guarantees, and to be bonded to ensure that they can't skip out of payment by filing bankruptcy.

      2. The vendor could be required to submit to regular and thorough third-party audits. The audits would be performed under NDA so very few people would see the source, but good audits are both necessary and sufficient, whether the source is open or not.

      3. Government regulators could take responsibility for auditing and validating the source. This is just a variation on third-party audits, with a specific third party. It's worth pointing out, though because it's actually pretty common.

      4. Organizations can use detailed and careful design and implementation methodologies. This, plus liability, is what makes aerospace code generally very good, even without actual audits.

      I think in most cases open source is easier, cheaper and better, and it's my default option. But it's not actually necessary.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Duh... by gweihir · · Score: 1

      While these approaches all sound nice in theory, they are unworkable or mostly worthless in practice for the type of software under discussion here.

      I have done such audits. You get 5 days to review 1000 lines of badly structured and undocumented code. In the end you conclude "no obvious backdoors or vulnerabilities", the vendor is off the hook and the code still sucks. And point 4? Until people doing the code are actually paid wages that attract those that can do it, forget it. Methodologies are vastly overrated. What makes the result good is that bad engineers usually cannot follow the methodology and get weeded out. But it is not the methodology that makes the code good, it is the people creating it.

      That is what makes open-sourcing the code the only viable option at this time, unless a lot of money can be thrown at making the code secure. The latter is not the case in most scenarios.

      Your aerospace example incidentally has another aspect that makes it non-general: Little change and a very well defined problem. Also, basically security by isolation, so the by far most difficult property of good code (security) is irrelevant in aerospace. Also refer to the Ariane IV first launch (800 Million Euro losses), Mars Climate Orbiter (160 Million USD loss), and others. No, aerospace code is not that good.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Duh... by swillden · · Score: 1

      I have done such audits. You get 5 days to review 1000 lines of badly structured and undocumented code.

      Then you haven't done the audits I'm talking about. I have, and I've had my code audited. It takes many weeks, includes the active participation of the developers and is very thorough.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Duh... by gweihir · · Score: 1

      I have. But that type is not within the financial means of most projects, hence the meaningless ElCheapo version.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Re:Jeep hack by freeze128 · · Score: 1

    After the Cherokee hacking debacle, a few people at Jeep/Chrysler *need* to feel bad.

  11. Re:'Open, therefore secure', LOL by gweihir · · Score: 1

    You have misunderstood the implication. It is "closed source" => "insecure". It is not "open source" => "secure". These are two different things. You can never (in practice and under usual economic border conditions) make closed source secure. On the other hand, while you must make it open in order for it to be possibly secure, you must do other things in addition.

    Really, get a grip on basic logic and stop claiming bullshit.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. tip of the iceberg by cheap.computer · · Score: 1

    Just wait till we have fully autonomous cars

    1. Re:tip of the iceberg by ShanghaiBill · · Score: 1

      Just wait till we have fully autonomous cars

      We already have fully autonomous cars. You just can't buy one yet.

  13. Re:'Open, therefore secure', LOL by ShanghaiBill · · Score: 1

    Have any of you ever decompiled machine code and from that tried to figure out how it worked?

    Yes.

    It's damned difficult

    Full reverse engineering is difficult. But a hacker doesn't need to do that. He is just looking for potential stack overflows, buffer overruns, weak user authentication code, etc. If they exist, those are easy to find, using a disassembler and a VM.

    In my opinion it's going to be tougher all around if the firmware/software is closed-source

    Security through obscurity doesn't work. Open source is no guarantee of perfect security, but it has a better track record than closed source.

  14. Re:'Open, therefore secure', LOL by RabidReindeer · · Score: 1

    Not only does releasing the source code open you up to hacks, but it also makes it trivially easy for someone to modify the code, adding backdoors, exploits, etc and recompile it. A simple replacement of the original code with the 'improved' codes means you have been completely pwned.

    In other words, replacing the legitimate module with a trojan one.

    With certain exceptions, it's very hard, even allowing for the lax attention to security that is so prevalent today, for an outside agent to swap out an arbitrary app in someone's shop for a trojan. And if you're getting pre-built open-source binaries from a reputable repository, that repository typically carries checksums that are intended to ensure that the module you download is the one that they built. Also, the people who built the repository don't accept arbitrary source changes from just anyone.

    On the other hand, disassembling and hacking closed-source binaries isn't nearly as hard as it's made out to be. I speak from experience, both on my own part and on the part of other people I know. Although if that's not good enough, I'll simply point you to the innumerable exploits made on Windows, Flash, and other critical system resources despite the fact that few, if any of the corrupted modules had publicly-visible source code.
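The repository checksum check mentioned in the comment above, as an added example that is not part of the original post: a small verifier for a `sha256sum`-style manifest that reports a swapped module, a missing file and a file the manifest never listed. The file names, module contents and manifest are constructed sample data.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large packages need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines, rejecting anything ambiguous."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX_SHA256.fullmatch(parts[0]):
            raise ValueError(f"line {lineno}: not a SHA-256 manifest entry")
        name = parts[1].lstrip("*")  # '*' marks binary mode in sha256sum output
        # A manifest must not be able to point outside the package directory.
        if name != os.path.basename(name) or name in ("", ".", ".."):
            raise ValueError(f"line {lineno}: unsafe file name {name!r}")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name!r}")
        entries[name] = parts[0].lower()
    return entries


def verify_directory(manifest_text, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    expected = parse_manifest(manifest_text)
    report = {}
    for name, want in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), want):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    # Files that ship next to the verified ones but were never listed
    # deserve the same suspicion as a failed digest.
    for name in sorted(os.listdir(directory)):
        if name not in expected:
            report[name] = "unlisted"
    return report


def demo():
    """Build a constructed two-module 'repository', then tamper with it."""
    modules = {
        "libauth.so": b"original build of the auth module\n",
        "updater.bin": b"original build of the updater\n",
    }
    with tempfile.TemporaryDirectory() as repo:
        for name, body in modules.items():
            with open(os.path.join(repo, name), "wb") as fh:
                fh.write(body)
        manifest = "".join(
            f"{sha256_file(os.path.join(repo, name))}  {name}\n" for name in modules
        )
        clean = verify_directory(manifest, repo)

        # Simulate the swapped module and an extra file dropped beside it.
        with open(os.path.join(repo, "libauth.so"), "wb") as fh:
            fh.write(b"modified build of the auth module\n")
        with open(os.path.join(repo, "extra.so"), "wb") as fh:
            fh.write(b"file the publisher never listed\n")
        tampered = verify_directory(manifest, repo)
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

A manifest fetched from the same place as the binaries only catches corruption or a swapped file; it says nothing if the manifest was replaced too, so the manifest itself needs a signature checked against a key obtained separately.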

  15. Nothing can prevent vulnerabilities by Willuz · · Score: 2

    Open source vehicle code isn't about preventing vulnerabilities, it's about allowing owners to fix issues that the manufacturer does not fix. In the US an auto manufacturer is only required to perform recalls for 10 years after the initial sale of a vehicle. There are plenty of well maintained vehicles over 10 years old but if a new vulnerability were discovered in the software then the owner would have no way to get it fixed. If the software were open source then it would likely be fixed by someone other than the manufacturer and the owner could take the car to any shop to have the patch installed. Perhaps there needs to be a regulation requiring auto manufacturers to open source all of the code if they have not fixed a vulnerability within a set period of time. This would allow them to fix it and protect their code or force them to let someone else fix it if they don't want to do it.

  16. Did you compile it yourself? by sjbe · · Score: 1

    But it allows you to create guarantee because you can audit it.

    Only if you compile it yourself and have the actual ability to audit the software (and you have a compiler you trust).

    For closed source software, you have to trust the supplier and their guarantee.

    This is true of most open source software as well, with the exceptions mentioned above. If Mozilla provided a warranty for Firefox, I have no actual ability to audit their software and even if I did, such an audit would be meaningless unless I compiled the software myself. For any non-trivial piece of open source software, this means that functionally there is little difference between trusting closed or open source software. The only real difference is that with open source I can hope that someone else might figure out that there is a problem but that is just a hope, not a certainty.

    Do you trust yourself or your proprietary software vendor more?

    Irrelevant since I am not a programmer. And even if I was it is not as if I could realistically audit all the source code for a project the size of the Linux kernel. Don't get me wrong, I think there are great advantages to open source software but this particular one is hugely overblown.

    1. Re:Did you compile it yourself? by orasio · · Score: 1

      That's proof by lack of will, or imagination.

      Open source means that you, or an army of people like you, can get it audited, somehow.
      For example, you can set up a kickstarter for it and pay someone you trust.
      You might also have the competition look at cheats.
      Your government can also audit the source, if it's important enough.

      People do have power, it takes a lot of getting together with others and stuff, but a lot more is possible than what you can do personally.

    2. Re:Did you compile it yourself? by Holi · · Score: 1

      >Your government can also audit the source, if it's important enough

      Your government can do that regardless of whether or not the software is open or not.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    3. Re:Did you compile it yourself? by Anonymous Coward · · Score: 1

      Open source means that you, or an army of people like you, can get it audited, somehow.

      Ok but there is plenty of open source software out there for many many years for which this could have been done, so where are the examples of this? And how successful have they been? Certainly there is plenty of open source software for which this ought to be done so why has it not and why would automotive be any different?

    4. Re:Did you compile it yourself? by orasio · · Score: 1

      What you say doesn't deny what I said.

      You say that some open source code went unaudited, even though it should have been audited.
      Open source enables people to do stuff, it doesn't magically make them do it.
      Just because OpenSSL could be audited, it didn't magically get audited. But still, it _could_ be audited. That's the first step.

      In the case of cars, it's easy, you can just have governments pay for auditing. But you need the code for that to be manageable.

    5. Re:Did you compile it yourself? by orasio · · Score: 1

      My government can't.
      My government _could_ do it or pay someone to do it, if the code was open.

  17. Re:'Open, therefore secure', LOL by Bert64 · · Score: 1

    Vulnerabilities are easier to find in open code, but they are also easier to fix.

    In open code, both blackhat and whitehat hackers will be looking at the code, with closed source code whitehats cannot look but blackhats often have illegal access to closed source code.

    And yes, closed source vendors will often just try to hide vulnerabilities - but that simply doesn't work, they will be found anyway. Just look at the number of security advisories and exploits in closed source software.

    Not to mention unsupported closed source, where there's no way to fix the vulnerabilities - leaving users with a useless product.

    And of course, most security centric products out there (e.g. firewalls) are based on open source code, either BSD or Linux.

    I'd pick open over closed any day...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  18. Re:'Open, therefore secure', LOL by jeremyp · · Score: 1

    It has a better track record than closed source.... hmm, not sure I believe that. Certainly some of the more recent high profile issues were in open source software.

    I think the real problem is not closed source == insecure, open source == maybe secure. In theory, either can be made secure through audits (probably not in practice), however the only people who can fully audit closed source software are the owners of the code.

    The issue is actually one of trust. Microsoft can audit their software to death and they can, at least theoretically, make it secure. The problem is that, when they say they have audited their software and it is fine, you can't be certain they are telling the truth.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  19. When we considered open source in the vehicle 15 years ago, the lawyers clobbered it as the company likes putting the supplier on the hook for recalls.

    In any case, the company is responsible for defects in the open source. You cannot wave away the rights of anyone you plow into, regardless of the cleverness of any disclaimers.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  20. Re:Open source is easily abused to create malware by UnknownSoldier · · Score: 1

    And who cares? /sarcasm Because no-one ever clones physical hardware

    Whether a product is open or closed is irrelevant. It won't stop people from cloning it.

    --
    Only a self-entitled idiot wants to rob Paul to pay Peter

  21. Onto the device is the important bit by koick · · Score: 1

    it's equally important that you can actually get the fix *onto* the device

    Don't even get me started on how I can't flash vanilla Android onto the Samsung Galaxy S4 that I own because they locked down the bootloader. Moved onto a Nexus device and will never give my money to Samsung as long as they continue with that shit.

  22. Re:'Open, therefore secure', LOL by TheRaven64 · · Score: 1

    Full reverse engineering is difficult. But a hacker doesn't need to do that. He is just looking for potential stack overflows, buffer overruns, weak user authentication code, etc. If they exist, those are easy to find, using a disassembler and a VM.

    Some of what you say is true. Stack buffer overflows are trivial to spot in both source and binary if they're local. If they're non-local, then you need to do some interprocedural analysis, but it's slightly easier to spot the root cause (someone passes a pointer to something that's on the stack) in source analysis. Heap buffer overflows are really hard to automatically detect with anything short of symbolic execution, though some heuristics can find likely places to look (are you doing pointer arithmetic without a bounds check?) and these are relatively easy in both compiled and binary, though going back and understanding what the invariants about the size are, which can elide the need for bounds checks, is usually easier in source form.

    Higher-level vulnerabilities in use of crypto, failure to correctly handle errors, and so on are all much easier to find in source form.

    --
    I am TheRaven on Soylent News
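
The local versus non-local stack overflow distinction drawn in the comment above, shown as an added C example that is not part of the thread. The function names and the 16-byte buffer are assumptions chosen for illustration; the two unsafe functions are the patterns an auditor looks for, and the last pair is the hardened form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 16   /* assumed buffer size for the illustration */

/* Local pattern: the buffer and the unchecked copy sit in one function,
 * so the size and the write are visible together in source or disassembly. */
int greet_local_unsafe(const char *name) {
    char buf[NAME_BUF_LEN];
    strcpy(buf, name);          /* overflows when strlen(name) >= 16 */
    return (int)strlen(buf);
}

/* Non-local pattern: the callee gets a bare pointer into the caller's
 * stack frame and cannot know how large the destination is. Finding this
 * needs analysis across the call boundary. */
static void fill_unsafe(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0') { }
}

int greet_nonlocal_unsafe(const char *name) {
    char buf[NAME_BUF_LEN];
    fill_unsafe(buf, name);     /* stack pointer escapes without its size */
    return (int)strlen(buf);
}

/* Hardened form: the size travels with the pointer and is checked at the
 * point of the write, so the invariant is local again. */
static int fill_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;              /* reject rather than truncate silently */
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL */
    return (int)n;
}

int greet_checked(const char *name) {
    char buf[NAME_BUF_LEN];
    return fill_checked(buf, sizeof buf, name);
}

int main(void) {
    /* Constructed inputs: one that fits, one that is exactly one byte too long. */
    printf("%d %d\n", greet_checked("alice"), greet_checked("0123456789abcdef"));
    return 0;
}
```
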
  23. Guarantee, Warranty, Whatever by ClickOnThis · · Score: 1

    Since when did any software, open or otherwise, come with a warranty or guarantee of any kind?

    Software licenses are notorious for claiming practically nothing about the effectiveness of the software they cover. Typically they're full of legalese that goes to great lengths about how the software is offered with no warranty of any kind, not even an implied warranty of merchantability (whatever that means) or fitness for any particular purpose, blah blah blah.

    --
    If it weren't for deadlines, nothing would be late.
  24. Closed Source Code isn't a Warranty by nickweller · · Score: 1

    What warranty do the Closed Source companies give to the users of the software?

  25. only part of the solution by cas2000 · · Score: 1

    It's not THE solution all by itself, but open source is an essential part of the solution.

    A GPL-v3 style anti-tivoization clause is necessary too, otherwise you can't verify that the published source is actually what is running on the device.

  26. Re:Open source is easily abused to create malware by UnknownSoldier · · Score: 1

    **Anything** can be used, or mis-used. Film at 11.

    What you're describing isn't new.

  27. Open source, documentation, tools, training... by iamacat · · Score: 1

    Obviously, a machine code binary is a form of open source, just not a very useful one. The most open state of a software project is when any outside contributor has exactly the same access to knowledge as founder/CEO, including personal one on one attention from key developers. This is impractical in practice. The best we can hope for is that all machine-readable materials are equally available to all contributors.

  28. Re:'Open, therefore secure', LOL by Crazy+Taco · · Score: 1

    You can never (in practice and under usual economic border conditions) make closed source secure. On the other hand, while you must make it open in order for it to be possibly secure, you must do other things in addition.

    Really, get a grip on basic logic and stop claiming bullshit.

    Sorry, but I've spent WAY too much time over the last year or two dealing with huge vulnerabilities in open source to believe any of the stuff you are spouting. OpenSSL alone (Heartbleed and several other critical flaws) has cost me a huge amount of time, and that's one of those open source security related products that theoretically will attract the most auditing attention and should be "secure due to the number of eyeballs theoretically always auditing it". Yet despite being open, it has not become secure, or even close to secure.

    On my web hosting team (which hosts thousands of websites and uses both Linux and Windows), we have spent far less time over the last couple of years patching or dealing with closed source critical Windows vulnerabilities than we have spent on various open source critical vulnerabilities. Things always go in cycles, and probably we'll have a year here soon where Windows racks up the most major headaches again, but the point is, there's no way you can claim you can "never make closed source secure" but that "making it open could make it possibly secure if you take some additional steps". That's all nonsense. Neither model is any better than the other when it comes to security, and neither can ever be made totally secure, especially as complexity continues to rise.

    Open source has its benefits, but security has never been one of them, as recent history demonstrates. It just seemed that way for a while when it had less of an install base. Now that everyone, even commercial products, are embedding open source packages like OpenSSL into them, the target base is easily big enough to invite the black hat attention, and we see that things are basically the same as they are for closed source packages with a large install base.

    PS - The Linux Foundation is working with researchers to make a huge push to audit OpenSSL to look for issues. This, again, proves things are the same between open and closed source. Windows gets repeatedly, badly owned, and Bill Gates writes his secure computing memo directing a huge amount of resources at security training and auditing, and things do actually improve (though they are never perfect). Now, OpenSSL gets owned, someone directs huge resources at it, and it will probably improve, in the same way and for the same reasons as closed source. Put the resources behind it, you can improve security, but without a dedicated, directed push, things slide in both models because programmers, whether in closed or open shops, are in general fairly lazy and like new shiny things, and don't really enjoy doing mundane boring tasks like auditing old code.

    --
    Beware of bugs in the above code; I have only proved it correct, not tried it.
  29. source vs binary by sad_ · · Score: 1

    and then we get into the discussion that the source provided might not be the same as what is actually running in your ECU.
    who's going to check those things?

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  30. Fallacy: Open source has more eyes and security by rhyous · · Score: 1

    Fallacy: Open source has more eyes and security

    All open source means is that more people "could" look at the code. It doesn't ensure more people "do" look at the code.

    Also, "more eyes" are useless for adding security if those eyes have no security knowledge. To make open source more secure, you need more security skilled eyes to look at it and find and remove security holes.

    Also, there is an argument that secure is a bool value. You are either secure or you're not. If you have 1 remote hole you are just as vulnerable as if you have 10 remote holes. You either have 0 remote holes or you are insecure. However, there is no way to prove 0 remote holes. You can prove a security hole exists, but you can't prove 0 security holes exist because not all possible security holes are even known.

  31. The "public" does not write the headlines by kmoser · · Score: 1

    ...have made headlines this year, which means the public is thinking about...

    The media decides what to write about, and therefore what the public will think about. The public doesn't say, "Hey, media, I heard VW did something bad, would you please write about it?"