Confidence Shaken In Open Source Security Idealism

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

I don't buy it

[GameboyRMH]

Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

Re:I don't buy it

[Lilith's Heart-shape]

Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.

Re:I don't buy it

[postbigbang]

Some kids will become good and responsible coders, but not all kids. Some will be artists, musicians, mechanics, farmers, etc., and for the rest of the world that doesn't code, a heavy responsibility is placed on the FOSS community to do code reviews.

People don't compile at all. They download binaries, and they don't know the difference between an MD5, a SHA-x and a hole in the ground. Binaries therefore need special protection. Open Source doesn't mean anyone's actually looking at the code, and there needs to be peer review on critical components given with distros, but this isn't guaranteed to happen. Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

Re:

[xvan]

Actually, I can't remember last Linux Zero-Day bug.
And the bugs this article refers to are BSD's and GNU's fault.

Maybe, just maybe, Linus' way is the right way.

Re:I don't buy it

[postbigbang]

Try an energy link and go check CVEs using the string openssh for starters. Kernel? No. All the crap in the back? Oh, yeah.

Re:I don't buy it

[Anonymous Coward]

Actually, I can't remember last Linux Zero-Day bug.

Linux has certainly had a number of security bugs that existed for many years and could have been exploited for privilege escalation and unauthorized access to machines:
5-year-old privilege escalation bug [theregister.co.uk]
8-year-old privilege escalation bug [fiercecio.com]
14-year-old sigreturn bug [phoronix.com]

Now you could take the dismissive, naive approach and say these don't matter and weren't exploited simply because you didn't hear about it in any well-publicized, poorly-executed attack but how many more of these ancient (and recent) vulnerabilities exist in the Linux kernel unfixed and unbeknownst to the maintainers? There could be none (unlikely), there could be many (much more likely) and as the kernel gets more and more complex and more and more bloated with kernel-mode drivers in the source tree it becomes even more likely that security vulnerabilities will be incorporated and go unnoticed.

NB: I'm not discussing this in the context of Linux Vs something else or Open Vs Closed, just that the Linux kernel is no more secure than any other software.

Re:I don't buy it

[UnknownSoldier]

> http://www.phoronix.com/ [phoronix.com]

Please don't link to Phoronix garbage -- all they care about is linking to themselves instead of actually linking to the source
i.e.

* https://lkml.org/lkml/2010/9/1... [lkml.org] Linux 2.6.36-rc4
* https://lkml.org/lkml/2010/9/2... [lkml.org] Linux 2.6.36-rc5 <-- alpha: fix a 14 years old bug in sigreturn tracing

Re:

[Jane Q. Public]

Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

But this just leads back to the final line in OP:

As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

And despite Betteridge's Law, the answer to this is Yes. Because when flaws are found, the community DOES audit, and repair.

Great example: a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

Was that specifically a security issue? No. But it's still illustrative of the difference.

Re:

[marcello_dl]

a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

It is not the best example, one could object that MySQL was bought to be eventually snuffed.
On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

Re:

[Jane Q. Public]

It is not the best example, one could object that MySQL was bought to be eventually snuffed.

Actually, that's just part of the same argument. Open source has no way to snuff programs. They're just picked up by others and carried on.

And in fact, that's what happened to MySQL. Many -- possibly even a majority by now -- webhosts have replaced MySQL with MariaDB, and hardly anybody even notices. MariaDB is a fork of the pre-Oracle, open-source MySQL. So if Oracle was really trying to kill it, they failed. It lives on, newer and in many ways better, just under a different name.

On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

I certainly agree with

Re:

[gweihir]

To be fair, modern compilers have some similarities with Cuisinarts.

Re: I don't buy it

[BarbaraHudson]

The article makes the claim with absolutely no statistics to back it up. The public knows more about Kim Kardasian and Ebola than open source security flaws. Sounds like the writer has been taking lessons from Florida Muttonhead. Ã

Re:

[LifesABeach]

coffee..on..keyboard,..damn,..cleaning..it..up..before..boss..gets..back

Re:

[mlw4428]

Yes and no. Most of the general public that deal with software who have any real influence are your managers/executives and I think they're the ones more or less meant in this article. My company won't lay in bed with Open Source because of the recent issues and their opinions on the lack of support. I'm not saying FOSS is bad, just why ONE company chooses not to.

Re:I don't buy it

[GameboyRMH]

Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

Re:I don't buy it

[ArhcAngel]

Big corp CIO's need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken on the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is in most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intentions of fixing. Unless the problems affects a large enough group most ISV's aren't going to lift a finger to correct it. At least with OSS even if the maintainers of a project dismiss your issue you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.

Damn good thing Windows has no holes!

[swschrad]

yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.

Re:

[GameboyRMH]

The MS salesmen actually use the threat of spies coding on open source projects as a scare tactic. Unironically.

Re:

[LifesABeach]

"...the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

Closed source works? They're the ones the bad guys make mega-bank on. Get real. So the holes are there, they get filled up in the FOSS world a lot faster than some other a== clown closed system, even factoring in that the close source community cares.

Re:I don't buy it

[Opportunist]

...and 2 days after it got known.

The main difference between OSS and CSS is that in OSS you can actually find the security holes. In CSS, all you can do is hope that the vendor finds them, or at least cares enough to look for them in the first place.

Re:

[AchilleTalon]

I even know a bunch of software developers who pretend to embrace open-source software without knowing what it is all about. Imagine the general public, they just know about free software like in free beer. Even large corporations using open-source software just like the free part like in beer, that's why these critical pieces of software don't have the resources they deserve.

Re:

[Opportunist]

"Open Source software is free!"
"So? On bittorrent, any software is free"

Re:

[UnknownSoldier]

Open Source software is legally free!"
"So? On bittorrent, any software is free"
You forgot most likely illegal -- just because the "cost" appears to be zero for you, doesn't mean it is legally free.

FTFY.

Re:

[gweihir]

Many seem to think that FOSS is these "terrorist-like" "hacker kids" that "threaten modern society". Hence you can sell them anything but do not expect any understanding.

Re:I don't buy it

[The Ickle Jones]

Corporations will definitely be re-evaluating the option of open-source after these two issues.

Maybe they should also avoid proprietary software, for similar reasons. That leaves them with... nothing. Oh, well, they can always pretend that perfect software exists.

Re:

[r1348]

Not when it comes to encryption.

Re:

[leenks]

I found their language courses incomprehensible too...

Re:

[Opportunist]

Nope. For the same reason they don't give a shit about any sky-is-falling announcement in any other software they use. The cost to change anything is SO prohibitively high that there is no option but to simply carry the risk.

Every time someone announces "there has been a huge security flaw in X", someone will invariably follow up with "oh, now corporations will drop it instantly and not touch it with a 10 foot pole anymore".

It usually shows more about the lack of knowledge of corporate structures and corpor

Re:

[ray-auch]

How did you fix them in minutes when it took several days for correct patches to come out, for entirely predictable reasons (laughable approach of trying to find and fix all bugs at once in a parser never designed to be secure, when the real issue is that it should never be being fed untrusted input) ?

To my mind, that is the biggest failure of open source / free software in this case
- 20+ yr old bug / insecure-feature in an obscure corner of a system never designed for today's threat environment - forgiveab

Re:I don't buy it

[TemporalBeing]

How did you fix them in minutes when it took several days for correct patches to come out, for entirely predictable reasons (laughable approach of trying to find and fix all bugs at once in a parser never designed to be secure, when the real issue is that it should never be being fed untrusted input) ?

To my mind, that is the biggest failure of open source / free software in this case - 20+ yr old bug / insecure-feature in an obscure corner of a system never designed for today's threat environment - forgiveable - responsible disclosure, working with maintainers under embargo - good - publication along with a patch that was broken again within hours if not minutes - fail - everyone and his dog then panic-issuing further patches for one parser vulnerability after another before eventually someone (actually more than one different approach) fixes it properly the way it should have been done in the first place - spectacular fail

And yet Microsoft has a known policy that they don't fix any exploit proven or not unless it is actively being exploited; when an unknown exploit is exploited they take up to 30 days to release, and that still may not have everything fixed. So to put this in context, if Microsoft were the developers of Bash:

• They would have sat on the bug for 20 years too if there were no known active exploits of it.
• The first patch would have taken 30 days, not under 2 weeks (I don't know the real number, but it wasn't very long; and certainly under 2 weeks if not under 1 week).
• The second patch would have still been needed, but would have taken yet another 30 days
• Only a few developers would have had access to be able to review and fix anything

Re:I don't buy it

[TemporalBeing]

I didn't say MS was better, I said the bash response was poor, and the poster I replied to couldn't possibly have had fixes in place within minutes as claimed.

I'm just pointing out that however poor the Bash devs response was, Microsoft's would have been worse.

Oh, and in your argument "up to 30 days" suddenly becomes "taken 30 days" - actually if bugs come in uniformly distributed in the 30 day cycle then average would be 15 days, or lower since sometimes they do go out-of-band.

Actually, my comment regarding "taken 30 days" for Microsoft is well founded in their historical turn-around for CVEs that they have acknowledged as being fixed. With a rare exception, they don't deliver any patches in under 30 days; and even 30 days is being gracious as it's usually more like 6 months so I'm already putting them on their own expedited schedule for such fixes.

Again, pointing out that however poor the Bash devs response was, Microsoft's at it best is worse.

Plus, the second (and third and fourth and so on) patches are only needed if the first (and second and third.,.) one is inadequate and not properly tested.

If the numerous people reviewing Bash, from multiple companies, and disciplines didn't find the issue with the first patch, then how would Microsoft with a far more limited set of people looking at the code be able to get the same kind of patch correct the first time and get all the corner cases figured out and fixed before releasing the first patch?

I'm not saying the Bash devs had 1 million eyes on this; but they certainly had a few hundred if not a thousand or so in total. Microsoft's equivalent group probably is no greater than 50 devs at best, likely smaller; and probably no where near the cross-discipinary skill set match either.

So if the Bash guys had to do a second patch (or even a third, etc) to fix it; chances are Microsoft would have had to have at least as many patches too.

Maybe MS are just as bad at that too, but the developers of Bash were certainly not good at it.

Agreed - kinda. The main point of the origin of this thread (article?) was that F/LOSS software could not deal as well as proprietary software; that somehow the proprietary vendors could do better with these kinds of bugs - both catching them and responding to them.

My point, is that based on its history - documented in numerous articles over the years - Microsoft is a prime example of showing that's not the case. That proprietary vendor's own policies and procedures prevent them from delivering anywhere near as good a turn around.

But here's the kicker - there is a similar exploit for cmd.exe. It's yet to be patched. ;-)
here's an example: https://twitter.com/FioraAeter... [twitter.com]
(And yes, I've seen it from other sources, just don't have those links right now.)

Cart before the horse.

[jedidiah]

All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

Re:

[GameboyRMH]

Thank you. I said essentially the same thing above but got downmodded for it.

Re:

[Curunir_wolf]

Never forget, we are at /.

And, it's GameboyRMH, who has so many "freaks" he probably gets modded down regularly just for being who he is.

Re:Cart before the horse.

[i kan reed]

On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

Obviously, as a developer, I know that security flaws are just another way to make mistakes, but once you know about heartbleed, how can you assume nothing else of similar scale has been found by nefarious actors?

Re:Cart before the horse.

[FuzzyDustBall]

On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference from security Between open source and closed source is attitude towards the product, In closed source there is incentives to hide issues, where in open source there are very few.

somebody else's job

[Anonymous Coward]

I'm pretty sure i kan reed said he'd audit it.

This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
There was an important job to be done and Everybody was sure that Somebody would do it.
Anybody could have done it, but Nobody did it.
Somebody got angry about that because it was Everybody's job.
Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
It ended up that Everybody blamed Somebody when Nobody did what Anybody could

Re:

[ray-auch]

There aren't because:

1. no one is paying for them (or at least not enough to make a difference and catch stuff like heartbleed and shellshock)
2. auditing existing code doesn't "scratch an itch" for anyone on the hobbyist side

Closed source companies like MS have to weigh up costs of security auditing vs. cost of reputational damage of getting it wrong (i.e. if you think safety is expensive try having an accident). For a long time, MS was so secure as a monopoly that the reputational damage wasn't worth them

Re:Cart before the horse.

[udippel]

You can't. But that's not the point at all.
But in one case one could, if only one wanted, to check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field. Because it leaves you the freedom of choice. Be it contributing to retirement benefits or invest your money at your own discretion, the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
Once you decide for closed source, you are
1. totally dependent on the manufacturer
2. without a chance to check yourself
3. unable to analyze if the manufacturer has inserted some malicious code like a trapdoor, eventually on purpose
Now, where would be any advantage in using a system of closed source?

Re:

[Opportunist]

Traffic analysis would show.

A nefarious actor would probably act upon his discovery. For the simple reason that as long as it is his and his alone, he can capitalize on it. This is something traffic would reflect. He would probably try to use it to the maximum effect before it becomes widely known and a patch against it gets developed.

Today we're at the point where we can in hindsight identify such occasions. After a flaw gets revealed, certain "odd" firewall logs start to make sense. The next step would be

Re:Cart before the horse.

[Cabriel]

Not so. When there are articles about governmental offices switching whole-hog to open source software, that shows immediately that there is an awareness among the general public. When there is an article about one minister claiming open source software isn't working for his office and another minister countering that claim saying no one in the office has had an issue, there's a strong suggestion that there is an awareness of open source software. When an open source OS is advertised as being superior to a closed source competitor, there's absolutely going to be an awareness of open source and free software (Android vs iOS).

While this may still be professional click-bait, I think calling it trolling is, itself, putting the cart before the horse.

Re: Cart before the horse.

[BarbaraHudson]

We notice these articles because they're in our field of interest. The general public? They're more aware of Apples latest problems because they have iThingees.

Re:

[Famak1994]

Not to mention that the article in question is based entirely on two bugs. The first one was thwarted by security researchers while the 2nd is a direct result of legacy code running on old machines/mainframes. So I fail to see how the open source community is shaken by all of this...I'm certainly not pissing myself!

Re:Cart before the horse.

[pixelpusher220]

And lets also remember that corporate software has so many many bugs and vulnerabilities that they had to schedule a MONTHLY day to do them. Only to find yet more bugs so critically important that they broke their own rules well more than 2 times to release out of cycle fixes.

OS will almost always beat corporate in terms of defects and response time. Anyone care to guess how many 'heartbleeds' currently exist in Windows code that we know nothing about?

Re:

[Frescard]

All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

Before ranting about the ignorance of the "general public", it would help to read the article first, which makes no mention of them at all, but rather talks about multiple professional developers, and their response to these security breaches.

Re:

[jedidiah]

What professional developers?

The original article doesn't really say anything meaningful at all. It doesn't appear to actually make any effort to judge the perceived impact of these problems?

Besides, it's not the "professional developers" that matter here really. It's the end users including Fortune 100 companies that might have a VP position dedicated to Linux.

The whole thing was content-free trolling masquerading as journalism.

perfect timing.

[gandhi_2]

amazing this article is posted on the same day as 3 0days for MS products.
one of which has been known for over a month, and will soon have a logo.

Re:perfect timing.

[fustakrakich]

It's why a lot of people switched to Apple.

Boy, are they in for a surprise!

Re:

[Anonymous Coward]

AC because modding. My experience (as unpaid maintainer of friends and family computers) is that the new breed of Apple users are the most inept and clueless of all of them; believing that Apple is 'secure' they click away at phishing emails, visit websites that they have been warned have been pwned and generally abdicate all responsibility for their own security. That Nigeriean Prince only cares that they have a Mac because it means they probably have more he can steal from them.

The source is there, just read it

[Anonymous Coward]

The schematics for cars are available, just review them to make sure there's no structural or design flaws.
The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.

The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

Yes, it really is so different.

[ysth]

Yes, it really is so different.

With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

Re:Yes, it really is so different.

[ljw1004]

Yes, it really is so different.

With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

Why do you submit that?

I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.

Some things can't be papered over.

[westlake]

With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed.

Excuse me for saying that I find all these platitudes less than reassuring.

The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.

Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves, with Fox undertaking the work as an employee of FSF. Fox released Bash as a beta, version .99, on June 7, 1989 and remained the primary maintainer until sometime between mid-1992 and mid-1994, when he was laid off from FSF.

A security hole in Bash dubbed Shellshock, dating from version 1.03, was discovered in early September 2014.

Bash (Unix Shell) [wikipedia.org]

Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.

Shellshock (software bug) [wikipedia.org]

A 25 year old bug with the potential to do enormous damage.

In the UNIX shell in almost universal use by *NIX professionals, and a spate-no-expense project conceived and funded by the FSF.

How many patches did MS push down today for IE?

[schwit1]

And this makes how many?

Re:

[bigpat]

And more importantly... who in their right mind still uses IE? Internet Explorer is currently blocked by my company's proxy server because it is considered so insecure and isn't likely to get unblocked any time soon.

Open Source in commercial products

[haruchai]

Heartbleed & Shellshock have impacted for-profit companies quite significantly. I don't have an objection to them using opensource within the boundaries of the license but should THEY not be vetting before rolling it into a commercial product?
No one company has to do it all alone - it can be done through a team effort & foundation, just like OpenStack.

Re:

[LWATCDR]

Heartbleed and Shellshock show that nothing is really free.
Those bugs would have been found long ago if big companies had put resources into FOSS.
OpenSSL was used by everyone but had less than 20 active devs and a super skimpy budget.
Bash? When was the last build of Bash before Shellshock?

Re:

[Bengie]

It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

Re:Open Source in commercial products

[spitzak]

No, bash was NOT working as expected.

The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.

The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...

Re:

[Bengie]

The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

There seems to be several "bugs" associated with "ShellShock". At least one of the security issues was postponed because there was no way to fix it without breaking the feature. OpenBSD, then FreeBSD decided just to disable the feature all together. I am not aware of any follow-up on whatever "bug" that was, but it sounded like a "working as expected" issue.

Since I cannot find anything sounding like this on Wiki, I'll assume that I'm wrong.

Re:

[benjymouse]

It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

Nope. It was a bug. While it was the intention that bash would "import" function definitions from env vars, it was *never* the intention that it would directly and without confirmation execute any commands *following* the function definitions in the env vars.

So yes, a serious bug.

Re:

[neilo_1701D]

Heartbleed and Shellshock show that nothing is really free.
Those bugs would have been found long ago if big companies had put resources into FOSS.

But that's special pleading.

FOSS is supposed to be an alternative to stuff put out by big companies; why is it suddenly incumbent upon them to be fixing security holes 20+ years old?

Re:

[swillden]

FOSS is supposed to be an alternative to stuff put out by big companies

Cite?

Re:

[Cabriel]

So, you're saying that the F/OSS community isn't responsible for the bugs in their software?

Re:

[haruchai]

Not at all. But anyone who uses F/OSS IS a member of the community and that includes companies who chose to use it in commercial products.

Yes. Yes it is.

[Anonymous Coward]

As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

And that matters, how?

[casings]

Last time I checked, the general public was pretty ignorant about just about everything related to computers outside of checking their email and viewing the latest cat pictures on reddit.

I'd rather consult a magic 8 ball than the general public.

Vojjne.

[Anonymous Coward]

Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.

There is no magic alternative that is better than open.

OpenBSD

[Bengie]

I think when it comes to security related projects, like security libraries, that are used all over the place, we should demand higher quality code and better design and code practices, like those of OpenBSD. We should not compromise on quality when it comes to this kind of stuff. Do it correctly or don't do it at all.

Open Source is More Easily Auditable

[Bob9113]

As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.

If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.

I doubt it

[Ckwop]

I'd be surprised if a random member of the public could even define what free software is. They'd probably think it's connected to the cost of the software rather than its freedom giving properties.

That said, I think that the view that with enough eyes all bugs are shallow is false. Given that bash is used in millions and millions of servers and the bug took decades to root out, we must think of a better way to get eyes on the code.

The whole stack needs a line by line review by security experts. That will cost tens if not hundreds of millions of dollars but my view is that it's probably worth it. Then we have to make sure all changes get reviewed in the same way.

The result of this process would be a super-hardened version of OpenBSD. It would come with a nice fat government certification and if you want to do business with the government, you have to use that distro.

That might rub people up the wrong way but I think that's what's ultimately going to happen eventually. A lot of this infrastructure is so critical to the modern economy that we can't just run any old code anymore.

The difference

[Charliemopps]

The difference between Open Source and Closed source is not the number of bugs and flaws... the numbers of bugs and flaws are likely equal. The difference is the number of bugs that were found and fixed. Just as many problems exist and are as equally dangerous in closed source software. The differences is that because it's closed, they remain there, undiscovered by the general public, for a very very long time.

All of these discoveries should be celebrated. They are examples of Open source working as it should.

Re:

[Charliemopps]

Sometimes Microsoft knows about a flaw and simply DOESN'T patch it.

...and that's another very good point... Fixing bugs often is a "Cost benefit" thing.
"It will cost us $100k to fix this and the worst thing they could get are the first names of client contacts" = Not getting fixed
"It will cost us $100k to fix this and the worst thing they could get are the nuclear launch codes" = Getting fixed

With closed source, the decision to fix that is in the hands of the developers.
"99% of our customers will continue using this despite the bug. We'll lose the defense department but oh

Forking, not audits, is the reason openness works

[stealth.c]

The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.

66 pct of America worried about Ebola

[WillAffleckUW]

Look, people in the USA are more worried about Ebola, an infinitesimal risk, than are worried about getting a polio shot (we're losing herd immunity in major cities right now) or a flu shot (which WILL kill thousands of people this year).

I'm not that concerned that "the public" is worried about Open Source, as most of the people polled think it means "open sores".

Looks like free software is working

[El_Muerte_TDS]

Somebody saw something weird, looked at the code analyzed the logic, found the bug, reported it, and it was fixed.

Nobody said those thousand eyes would find bugs instantly.

What a dumb question

[JustNiz]

>> is that really so different than leaving it to a corporation with closed source?"

Yes its COMPLETELY different.

Can there be exploitable bugs in open source? Of course. That remains true for all software, open or not. It is incredibly naive to imagine that anyone could effectively predict every potential future use of any product, especially a complex system.

Not only are exploits less likely in opensource in the first place (beacuse of the larger numbers of eyes looking at the code) but detection is

Nothing's changed

[reikae]

Free software is about ideology. About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point. Much like freedom of speech: it's important even if I never say or write anything and it doesn't make everyone Shakespeare either.

Posted from my Windows computer btw; I think there is value in software freedom, but I use what best meets my current needs and wants, and encourage others to do so too.

pay them!!

[lkcl]

the key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.

so it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.

the solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. find a way. pick a project that's important or fundamental to your business, and PAY THEM.

Re:

[swillden]

the key point that people keep missing is that corporations - which are legally obligated to maximise profits

That supposed legal obligation doesn't always exist, and far too much is made of it even where it does. Can you show me any examples of companies being prosecuted, or even investigated, for failing to maximize their profits? It doesn't happen. And you can easily spot any number of examples of companies failing to take opportunities to maximize profits.

Drop that tired meme, it's really not true in practice, even when it's true in theory -- which isn't always the case, even for for-profit corporations.

Wha

Re:

[UnknownSoldier]

100% agree!

If businesses were smart they all would chip in $10 say towards LibreOffice [libreoffice.org], Inkscape [inkscape.org], Krita [krita.org], FreeNAS [freenas.org], GimpShop [gimpshop.com], etc.

They could be free of the tyranny of proprietary vendor-lock file formats for once and for all. But yet they would rather pay to suffer ! **shrugs**

Could you image how much development could get done if open source alternatives to X could get funding!? Not say money is a silver bullet TM but it certainly would go a long way!

FUD

[ruir]

"Closed" software also has lots or more security problems, and then you do not have the source to look at and fix it. This article is a troll.

Publicity.....

[Dega704]

Being open-source is what allowed these flaws to become publicly exposed. This article assumes that this is a 100% bad thing. The better question is how many closed-source security holes exist and are being actively exploited that we don't know about?

false premise

[binarstu]

TFA starts off with this as the very first sentence:

Hackers have shaken the free-software movement that once symbolized the Web’s idealism.

And then fails to provide any real evidence that this is true. It should take strong evidence to reach the conclusion that an entire "movement" has been "shaken" to the point that it has lost its symbolic meaning. I skimmed the rest of the article, but the authors pretty much lost me after that bit of nonsense.

People (both good and bad) have been finding flaws in open source software for decades. No one in the "movement" was surprised or "shaken" to h

"...if it's in the news, don't worry about it."

[trawg]

I think some of Schneier's words [schneier.com] apply here:

"I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."

If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.

If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?

Either way it's about trust

[epyT-R]

Whether you trust the community or trust a closed vendor, you're still trusting that they got it right and/or haven't been compromised by moles working for crooks or governments. The bottom line is you should assume any easily accessible security software is compromised and build multilayer security around the asset you want protected. At least with open software you can audit it yourself or have it audited by someone you do trust. Closed? forget it, unless you're a government.

Speedy fixes and obvious "relay all to Microsoft"

[raymorris]

A big difference is probably that with open source you know you don't have glaring issues like a mail client that checks all incoming and outgoing emails for specific keywords, then sends a report to Microsoft and the NSA if any of those keywords are used. It's not that both open source and proprietary can't both have subtle bugs, of course they can. If an open source project such as say Apache decided to start sending tracking data to Apache.org, we'd all know about it before the version was even release

Re:

[Yunzil]

As ESR famously said (but with context this time):
given enough eyeballs, all bugs are shallow.

Addendum: Of course, it might take 20 years for anyone to notice, because everyone is assuming that someone else is looking at it, but whatever.

yes, shallow/deep refers to solvability

[raymorris]

Yes, that quote talks about once a problem is noticed, the right solution will be clear if many people look at the problem.

It says nothing about positive or negative about how subtle bugs might be or when they'll be found. The answer to that question largely depends on the architecture of the code and the style, whether side-effects are common. Linus prefers kernel functions to be no more than a few lines long. If a function is three lines, you can pretty easily see if it's correct or not. A fu

I've heard this argument before

[idontgno]

Specifically, anti-vaxxers.

"If so many people refuse to get vaccinated, herd immunity can't work. So why bother?"

"Because if all you voluntary natural selection candidates want to kill yourselves, my own vaccination will at least partially protect me."

Open Source at least offers the opportunity to protect yourself, to the extent of your own skill and effort. Which is the most anyone can realistically expect in this world. I have no intentions of allowing my fate to rest entirely at the tender mercy of peopl

Lots of shaking to go

[future assassin]

before its anywhere near close Windows security failures over the years.

Open Source Tradeoff

[scruffy]

Yes, the advantage of open source is that good actors can read the code and find and fix security flaws. The disadvantage is that bad actors can also read the code and find and exploit security flaws. One would hope good actors would outweigh the bad ones, but my fear that that governments and organized crime have become bad and worse actors in a big way. Even when a particular flaw is fixed, we all know that there are still flaws to be found and exploited in any big software project, and nowadays the bi

The reality

[msobkow]

The reality is that doing security audits and code reviews are boring. Unless you have someone who is really dedicated and knows their stuff taking on the task for an open source project, or someone paying a team to do it (TrueCrypt/VeraCrypt), it's not going to happen. In theory corporations are paying their staff so it should happen, but in reality corporations are likely to push such reviews way down the priority list because they cost money. Spending money is bad to a corporation, m'kay?

Personally

The general public? Really?

[Opportunist]

The general public? Please. The general public is a mass of ignorant people. If you want to find the IQ of a group of random people, take the dumbest person and divide by the number of legs. I.e. the more people you get, the stupider they are.

Need proof? Just take any reaction to any "sky-is-falling" information they ever got. From 9/11 to Ebola, the reaction is blind panic. You want to use THAT mass of idiots to gauge the sensibility of something esotheric like a coding paradigm?

Please.

Re:Really?

[Anon-Admin]

Ill disagree, I still believe it is because Windows is far less secure.

Linux == 98% of all super computers (Top 500 List)
Linux/Android == 74% of all Mobile devices (Gartner)
Linux/Android == 61.9% of all Tablets (Gartner)
Linux == 78% of all internet Servers (Security Tech)
Linux == 28% of mainframes (Gartner)
Linux Desktops == 1.65% (From Gartner as the total number of systems shipped with Linux pre-installed) up to 20% depending on the source.

That is not even getting into all the routers and smart switches, embedded devices, etc.

Open source and Linux make a very large target with lots of high profile targets. I am surprised that there are not more exploits and the simple lack of viruses should be proof enough that linux is far more secure.

Re:

[Opportunist]

Yes, but all those high profile targets also don't suffer from being "administrated" (I'll use that term loosely here) by Joe Randomsurfer.

Super computers: Not only are few of them readily accessibly via internet, they usually reside behind atomic-bomb-grade firewalls and are administrated by people whose net worth is more or less directly tied to that super computer's well being.

Android Phone/Tablets: Give it time, the malware writers are only just getting into the mobile market. But they're already pretty

Re: Really?

[Anon-Admin]

And a competent windows admin still deals with viruses on their servers.

I was unaware that all the android phones, tablets, and devices as well as all the home routers, set top boxes, etc. were only managed by "IT professionals"

Re:

[DaTrueDave]

For example Android userland doesn't give you much access to anything but the app store. They aren't managed as general use computing devices.

What does that even mean? Any Android user can download and install an application from anywhere, not just from an app store.

Re:

[iggymanz]

you are full of shit, the important stuff is not on windows and the infrastructure of the internet is not built using window

Re:

[Yunzil]

Examples?

Wait, you want examples of people who are too busy to review other people's code? OK, here's one: me.