Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source (techweekeurope.co.uk) 77
Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."
Re: (Score:1, Flamebait)
Re: (Score:2, Insightful)
I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux with it very obvio
Re: (Score:1)
They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead. So, a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.
Re: (Score:2)
They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead.
Uh no [fortlewis.edu]. Explorer is basically equivalent to nautilus+gnome-panel. It's a graphic and file manager and program launcher, and it provides a notification area. Windows has a kernel like any normal operating system. Explorer can die and be restarted without affecting the kernel at all.
a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.
It doesn't matter by how much they separate them, because these statistics cover publicly known vulnerabilities. Microsoft could potentially know about hundreds or even thousands (or merely dozens) of bugs with security implication
Re:This contradicts history. (Score:5, Insightful)
The article on that page reports more OS vulnerabilities for OSX and other Apple products.
Generally speaking, that's not the attack surface most people need to worry about.
The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like wordpress and so on.
The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.
Re: This contradicts history. (Score:1)
Hardly. People left Windows because TCO on Linux is lower. Security is a tiny part of TCO in either. Keeping Linux up to date ain't free time wise either.
obviously, "move" (Score:2)
what OSS is insecure? (Score:2)
Re: (Score:1)
Re: what OSS is insecure? (Score:2)
That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some. Lame users want to use computers too.
Re: (Score:1)
Re: (Score:2)
That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some.
Secure boot and trust chains where I choose what to boot and who to trust wouldn't be a walled garden, it would be a libertarian paradise... or the computing equivalent. The problem isn't the technology, it is how it is (inevitably?) used.
Lame users want to use computers too.
As well they should. It would be nice if there were more credible options for everyone else, though. Google is taking steps to lock down Android somewhat in Marshmallow, with possible ramifications both for ad blockers and for modification tools like the Xposed framework.
Re: (Score:1)
OpenSSL and GPG both have had numerous security flaws opened against them in the last 6 months or so.
The Linux Kernel regularly gets critical security updates.
A better question is, "What OSS *isn't* insecure?" If you think anything is magically "secure" you're in for a bad time.
Re: (Score:2)
So do Windows and a number of other applications and operating systems. Mostly the security issue is just a small thing but now and then a big issue appears.
Many large issues are also caused by not one single mistake but by a chain of mistakes where each mistake by itself wasn't fatal. This isn't limited to software alone but we see it from time to time in the physical world as well.
Re: (Score:2)
Re: (Score:2)
I will politely refer you to the recent Hatton Gardens
Re: (Score:2)
Re: (Score:1, Interesting)
Step 1: Get 100 million dollars. Surely you are born into money, so this step goes almost without saying. .1% range.
Step 2: Buy some companies.
Step 3: Bribe politicians to pass laws that benefit you and your companies, while preventing pesky competition from stealing your profitsessss.
Step 4: MOAR profits!
Step 5: Repeat steps 2-4 until you are into the
it needed to happen. (Score:5, Interesting)
heartbleed was a blessing in disguise because companies were blindly assuming this software was secure and thus never investing a dime in it's development. this internet-scale problem woke up some people and now they are actually investing in real security.
Heartbleed should've been way more of a yawn (Score:5, Interesting)
That's the lesson. Code audits are great, but they still miss stuff and are expensive. Take good practices more seriously, and you get a lot of bang for your investment in time/money/whatever.
Re: (Score:3)
Re: (Score:2)
Open Source is working as intended (Score:5, Insightful)
It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.
At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.
Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.
Re: (Score:1)
Making the critical security infrastructure for the internet closed source would be insane.
All of the Cisco networking gear runs on closed source software.
Re: (Score:1)
LOL, and look how secure Cisco gear has been lately! But more importantly, even Cisco is going down the software-defined networking route with open source NOS.
Proprietary Firmware (Score:1, Insightful)
The problem is that low-level "bootstrapping" software like the BIOS is still closed source, and—worse—becoming so complex that it's basically an entire operating system unto itself.
Consider Intel's Management Engine and the associated Active Management Technology that is in every modern (though, upper-middle quality) Intel-based desktop/laptop these days; it provides a whole personal computer within what you, the user, think is the actual personal computer, and that embedded personal computer h
Re: (Score:2)
Intel's management engine and the like are not some vast conspirac
Vendors don't want interoperability (Score:3)
But it is in the interest of the customers to make sure their data never gets locked up in a format they don't control. Why wouldn't the fortune 500 companies invest a tiny part of their IT budgets to support ACM or IEEE to play the role of arbitrator when it comes to file formats, data and export/import protocols, fundamental security etc. These things should be neutral and no vendor should see them as yet another way to invade and occupy their customer's systems and processes.
Objective proof that proprietary is more secure? (Score:2)
If there is no such evidence, then how does this article make any sense?
Re: (Score:3)
Switching to C++ is just opening another can of worms.
C++ just have the bad stuff from C and the bad stuff from object oriented design combined.
If you want a language for an OS that is better you will need to look at ADA or some completely different language. One of the more secure operating systems out there is OpenVMS and that's written in BLISS.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: (Score:1)
Doesn't all C code run as C++ code with no code changes by default? I'm not sure where I'm going with this but I am not a programmer (not a good one, at any rate) and I'm mostly curious. With my limited knowledge, well, I can't really think of any reason to switch but I can't see any harm in switching by default. So long as the practice was good in C shouldn't it also be good in C++? After all, I thought you could literally take the C and just put it in C++ and it worked natively?
Re: (Score:2)
Pretty much. A "C++ programmer" doesn't typically write C-style programs, however, but uses the more advanced language features to buy some amount of extra compile-time safety. At least, that's the idea.
Re: (Score:2)
Not exactly. All C is not valid C++.
However, it may be considered good practice for C code to be written so as to make it valid C++. In is not a big effort and allows you to take advantage of the added safeties included is C++ compilers. Think of it as static analysis.
One trouble however of using C++ is the lack of a binary standard, so, while compiling your C code as C++ may be a good test, actually shipping C code compiled with a C++ compiler may not be a good idea.
Re: (Score:2)
This is not the golden age of FoSS (Score:3, Insightful)
If this is the golden age of FoSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FoSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.
Nobody is talking about the root causes yet.... (Score:2)
The root cause of all of these security problems has been in plain sight since 1970 or so, yet only a few people are even aware of it. It's obvious once you get it, and the scope of fixing things comes clearly into place. So, do you really want to take on forking every program to build a new version of it? If so, you can fix it, if not... this will continue to happen, and government will try to fix it by fiat, badly.
The cause is that our operating systems operate on the assumption that programs can be trus
Re: (Score:2)
The cause is that our operating systems operate on the assumption that programs can be trusted.
Android tries to sandbox programs, pretty successfully until you find a hole in the sandbox someplace. Two new Stagefright vulnerabilities have been found recently. I was just patched, too. I guess a new edition of the custom rom I'm running will be available shortly. And there's always selinux, but configuring it is still a massive PITA. The tools and their build processes are immature.
Re: (Score:2)
Re: (Score:1)
A remarkably beautiful young lady revealed something to me just the other day. This is from a pop song in 1982 - I'd never noticed it when it was popular and getting radio play.
Back at base, bugs in the software
Flash the message
"Something's out there"
Yup... Ah well, we'll always have bugs. Anyhow, isn't the idea of a microkernel meant to minimize such? IIRC that was the guy from MINIX (I forget his name) big complaint about Linux. Stability and security come at a cost of performance but the price might be worth paying now that we have hardware that is so speedy.
Oh, the song is 99
Re: (Score:3)
But the
Re: (Score:1)
Thank you for the insight. I really need to fire up MINIX in a VM and see what's going on. I'm a maths grad and not a CS grad so it will be fun for me to learn about the various ins and outs. One of the things I assume is that, in realistic use, today's hardware will cope with the added overhead with nary a problem - I'd imagine the processing rate to be only trivially slower if I'm understanding everything properly (and I may not be).
I kind of like the checks, or the idea - I'm not fluent enough to say tha
Re: (Score:1)
Physically Isolate the operating system from the rest of the system. Let it run from completely different memory and storage so that is impossible to access from the rest of the system. Let it be a monolithic program that has its own drivers and its own network stack.
If you need to make a change to the operating system, you must physically switch to the operating system control and from
Re: (Score:2)
I think we need to go further and fundamentaly redesign the hardware architecture that the operating system runs from
Physically Isolate the operating system from the rest of the system.
Don't we have hardware in the CPU which is effectively supposed to do that? And don't we just keep poking holes in it so that we can get better performance?
Re: (Score:2)
Re: (Score:2)