Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Open Source Security Software

Confidence Shaken In Open Source Security Idealism 265

iONiUM writes: According to a few news articles, the general public has taken notice of all the recent security breaches in open source software. From the article: "Hackers have shaken the free-software movement that once symbolized the Web's idealism. Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off each other's work."

While it's true that open source means you can review the actual code to ensure there's no data-theft, loggers, or glaring security holes, that idealism doesn't really help out most people who simply don't have time, or the knowledge, to do it. As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"
This discussion has been archived. No new comments can be posted.

Confidence Shaken In Open Source Security Idealism

Comments Filter:
  • I don't buy it (Score:5, Insightful)

    by GameboyRMH ( 1153867 ) <gameboyrmh@gma i l . com> on Tuesday October 14, 2014 @03:05PM (#48143071) Journal

    Am I supposed to believe that the general public is aware of open-source software at all? They're hardly aware of the concept of "openness" in the first place.

    • Re:I don't buy it (Score:5, Insightful)

      by Lilith's Heart-shape ( 1224784 ) on Tuesday October 14, 2014 @03:16PM (#48143175) Homepage
      Most of the general public can't tell a compiler from a Cuisinart. We can eventually fix this by teaching kids to code, which has the additional benefit of showing them that their feelings don't matter to anybody else.
      • Re:I don't buy it (Score:4, Interesting)

        by postbigbang ( 761081 ) on Tuesday October 14, 2014 @04:21PM (#48143845)

        Some kids will become good and responsible coders, but not all kids. Some will be artists, musicians, mechanics, farmers, etc., and for the rest of the world that doesn't code, a heavy responsibility is placed on the FOSS community to do code reviews.

        People don't compile at all. They download binaries, and they don't know the difference between an MD5, a SHA-x and a hole in the ground. Binaries therefore need special protection. Open Source doesn't mean anyone's actually looking at the code, and there needs to be peer review on critical components given with distros, but this isn't guaranteed to happen. Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

        • by xvan ( 2935999 )
          Actually, I can't remember last Linux Zero-Day bug.
          And the bugs this article refers to are BSD's and GNU's fault.

          Maybe, just maybe, Linus' way is the right way.
        • Instead, there's an incredible bloat of stuff that we HOPE is good. An actual process might be better. What kind? Something more than Linus yelling at you.

          But this just leads back to the final line in OP:

          As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

          And despite Betteridge's Law, the answer to this is Yes. Because when flaws are found, the community DOES audit, and repair.

          Great example: a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

          Was that specifically a security issue? No. But it's still illustrative of the difference.

          • a couple of years after Oracle assumed control of MySQL, people left in droves. Why? Because when it was open source it was better maintained, security flaws were patched faster and more often, etc.

            It is not the best example, one could object that MySQL was bought to be eventually snuffed.
            On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

            • It is not the best example, one could object that MySQL was bought to be eventually snuffed.

              Actually, that's just part of the same argument. Open source has no way to snuff programs. They're just picked up by others and carried on.

              And in fact, that's what happened to MySQL. Many -- possibly even a majority by now -- webhosts have replaced MySQL with MariaDB, and hardly anybody even notices. MariaDB is a fork of the pre-Oracle, open-source MySQL. So if Oracle was really trying to kill it, they failed. It lives on, newer and in many ways better, just under a different name.

              On the other hand this highlights the very problem with non-free software. All considerations, including security, are secondary to the corporation's mission. So, there needs to be free software no matter what, else security will get worse.

              I certainly agree with

      • by gweihir ( 88907 )

        To be fair, modern compilers have some similarities with Cuisinarts.

    • Re: I don't buy it (Score:5, Informative)

      by BarbaraHudson ( 3785311 ) <barbarahudsononline AT gmail DOT com> on Tuesday October 14, 2014 @03:35PM (#48143389) Journal
      The article makes the claim with absolutely no statistics to back it up. The public knows more about Kim Kardasian and Ebola than open source security flaws. Sounds like the writer has been taking lessons from Florida Muttonhead. Ã
    • Yes and no. Most of the general public that deal with software who have any real influence are your managers/executives and I think they're the ones more or less meant in this article. My company won't lay in bed with Open Source because of the recent issues and their opinions on the lack of support. I'm not saying FOSS is bad, just why ONE company chooses not to.
      • Re:I don't buy it (Score:5, Insightful)

        by GameboyRMH ( 1153867 ) <gameboyrmh@gma i l . com> on Tuesday October 14, 2014 @03:58PM (#48143645) Journal

        Wow really, the recent issues are a factor? My company uses plenty of FLOSS and heartbleed/shellshock haven't been a bigger blip than any of the Windows/IE/Flash/Adobe Reader zero-days that are routinely discovered.

      • Re:I don't buy it (Score:5, Insightful)

        by ArhcAngel ( 247594 ) on Tuesday October 14, 2014 @04:28PM (#48143907)
        Big corp CIO's need somebody to blame when things don't work. Open Source doesn't easily facilitate that. That is why Red Hat and Canonical have thrived. They have taken on the risk of deploying an open source product out of the CIO's hands. The support for proprietary products is in most part an illusion. I can't count the number of times I have had a product languish with an issue that the ISV had no intentions of fixing. Unless the problems affects a large enough group most ISV's aren't going to lift a finger to correct it. At least with OSS even if the maintainers of a project dismiss your issue you are still able to hire someone or find someone who happens to be interested in your issue to modify and possibly correct the issue. That's not even an option with proprietary software.
    • by swschrad ( 312009 ) on Tuesday October 14, 2014 @03:56PM (#48143623) Homepage Journal

      yes, sir, sure would hate to be vendor-bound at work or home with insecure systems, or using a network full of spies and lies, to access online sales where I and my financial records might actually be the product. Yep, you can trust brand-name software and systems totally.

      • Re: (Score:2, Informative)

        by GameboyRMH ( 1153867 )

        The MS salesmen actually use the threat of spies coding on open source projects as a scare tactic. Unironically.

    • "...the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

      Closed source works? They're the ones the bad guys make mega-bank on. Get real. So the holes are there, they get filled up in the FOSS world a lot faster than some other a== clown closed system, even factoring in that the close source community cares.
    • I even know a bunch of software developers who pretend to embrace open-source software without knowing what it is all about. Imagine the general public, they just know about free software like in free beer. Even large corporations using open-source software just like the free part like in beer, that's why these critical pieces of software don't have the resources they deserve.
    • "Open Source software is free!"
      "So? On bittorrent, any software is free"

      • Open Source software is legally free!"
        "So? On bittorrent, any software is free"
        You forgot most likely illegal -- just because the "cost" appears to be zero for you, doesn't mean it is legally free.

        FTFY.

    • by gweihir ( 88907 )

      Many seem to think that FOSS is these "terrorist-like" "hacker kids" that "threaten modern society". Hence you can sell them anything but do not expect any understanding.

  • by jedidiah ( 1196 ) on Tuesday October 14, 2014 @03:05PM (#48143077) Homepage

    All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

    This is just the usual professional troll click bait that we've come to expect from the news media lately. They need to feed the 24 hour news cycle and will do so by any means necessary.

    • Thank you. I said essentially the same thing above but got downmodded for it.

    • by i kan reed ( 749298 ) on Tuesday October 14, 2014 @03:20PM (#48143225) Homepage Journal

      On the other hand, if you can't trust OpenSSL for security, a major open source project whose entire purpose is security, who can you trust in the OS world?

      Obviously, as a developer, I know that security flaws are just another way to make mistakes, but once you know about heartbleed, how can you assume nothing else of similar scale has been found by nefarious actors?

      • by FuzzyDustBall ( 751425 ) on Tuesday October 14, 2014 @03:43PM (#48143467)
        On the third hand, if you can't trust RSA for security, a major closed source project whose entire purpose is security, who can you trust in the OS world? The real difference from security Between open source and closed source is attitude towards the product, In closed source there is incentives to hide issues, where in open source there are very few.
      • somebody else's job (Score:3, Interesting)

        by Anonymous Coward
        I'm pretty sure i kan reed said he'd audit it.

        This is a little story about four people named Everybody, Somebody, Anybody, and Nobody.
        There was an important job to be done and Everybody was sure that Somebody would do it.
        Anybody could have done it, but Nobody did it.
        Somebody got angry about that because it was Everybody's job.
        Everybody thought that Anybody could do it, but Nobody realized that Everybody wouldn't do it.
        It ended up that Everybody blamed Somebody when Nobody did what Anybody could
        • There aren't because:

          1. no one is paying for them (or at least not enough to make a difference and catch stuff like heartbleed and shellshock)
          2. auditing existing code doesn't "scratch an itch" for anyone on the hobbyist side

          Closed source companies like MS have to weigh up costs of security auditing vs. cost of reputational damage of getting it wrong (i.e. if you think safety is expensive try having an accident). For a long time, MS was so secure as a monopoly that the reputational damage wasn't worth them

      • by udippel ( 562132 ) on Tuesday October 14, 2014 @03:49PM (#48143537)

        You can't. But that's not the point at all.
        But in one case one could, if only one wanted, to check the code quality and apply a patch; in the other case this door is totally shut. The first alternative is light-years ahead of the second, irrespective of the field. Because it leaves you the freedom of choice. Be it contributing to retirement benefits or invest your money at your own discretion, the decision to smoke certain substances or not, choice always has a connotation of freedom. The same choice that one has to buy this operating system or that one.
        Once you decide for closed source, you are
        1. totally dependent on the manufacturer
        2. without a chance to check yourself
        3. unable to analyze if the manufacturer has inserted some malicious code like a trapdoor, eventually on purpose
        Now, where would be any advantage in using a system of closed source?

      • Traffic analysis would show.

        A nefarious actor would probably act upon his discovery. For the simple reason that as long as it is his and his alone, he can capitalize on it. This is something traffic would reflect. He would probably try to use it to the maximum effect before it becomes widely known and a patch against it gets developed.

        Today we're at the point where we can in hindsight identify such occasions. After a flaw gets revealed, certain "odd" firewall logs start to make sense. The next step would be

    • by Cabriel ( 803429 ) on Tuesday October 14, 2014 @03:21PM (#48143235)

      Not so. When there are articles about governmental offices switching whole-hog to open source software, that shows immediately that there is an awareness among the general public. When there is an article about one minister claiming open source software isn't working for his office and another minister countering that claim saying no one in the office has had an issue, there's a strong suggestion that there is an awareness of open source software. When an open source OS is advertised as being superior to a closed source competitor, there's absolutely going to be an awareness of open source and free software (Android vs iOS).

      While this may still be professional click-bait, I think calling it trolling is, itself, putting the cart before the horse.

    • Not to mention that the article in question is based entirely on two bugs. The first one was thwarted by security researchers while the 2nd is a direct result of legacy code running on old machines/mainframes. So I fail to see how the open source community is shaken by all of this...I'm certainly not pissing myself!
      • by pixelpusher220 ( 529617 ) on Tuesday October 14, 2014 @03:38PM (#48143419)
        And lets also remember that corporate software has so many many bugs and vulnerabilities that they had to schedule a MONTHLY day to do them. Only to find yet more bugs so critically important that they broke their own rules well more than 2 times to release out of cycle fixes.

        OS will almost always beat corporate in terms of defects and response time. Anyone care to guess how many 'heartbleeds' currently exist in Windows code that we know nothing about?
    • All of this presupposes a pre-existing awareness of Open Source and Free Software among the general public. Due due the typically communal nature of Free Software, this awareness really doesn't exist to begin with. It's absurd to talk about the "general public" and how their confidence is "shaken" when they are blissfully unaware to begin with.

      Before ranting about the ignorance of the "general public", it would help to read the article first, which makes no mention of them at all, but rather talks about multiple professional developers, and their response to these security breaches.

      • by jedidiah ( 1196 )

        What professional developers?

        The original article doesn't really say anything meaningful at all. It doesn't appear to actually make any effort to judge the perceived impact of these problems?

        Besides, it's not the "professional developers" that matter here really. It's the end users including Fortune 100 companies that might have a VP position dedicated to Linux.

        The whole thing was content-free trolling masquerading as journalism.

  • perfect timing. (Score:5, Interesting)

    by gandhi_2 ( 1108023 ) on Tuesday October 14, 2014 @03:06PM (#48143083) Homepage

    amazing this article is posted on the same day as 3 0days for MS products.
    one of which has been known for over a month, and will soon have a logo.

  • by Anonymous Coward on Tuesday October 14, 2014 @03:08PM (#48143107)

    The schematics for cars are available, just review them to make sure there's no structural or design flaws.
    The chemical formulas for prescription drugs are available, just review them to make sure they're not poisonous.
    The texts of the laws are available, just review them to make sure there's no conflicts with constitutional rights and other laws.

    The point is, get off your high horse, not everyone knows how to code. And even if you do know how to code, with the dozens of programming languages out there, and the almost infinite coding styles of programmers, you shouldn't expect even other coders to be able to review your code.

  • by ysth ( 1368415 ) on Tuesday October 14, 2014 @03:09PM (#48143117)

    Yes, it really is so different.

    With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

    • by ljw1004 ( 764174 ) on Tuesday October 14, 2014 @04:00PM (#48143671)

      Yes, it really is so different.

      With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed. I submit that this would likely not have been the case with closed source software.

      Why do you submit that?

      I work on the VB/C# compiler teams. These compilers used to be closed-source for ten years, and were made open-source earlier this year. Whenever we have a bug, we ALWAYS do careful investigation to look for all the related issues we can find. That's been no different between our closed- and open-source eras. We do it because "high quality software" is the number one driver of satisfaction, and if we make higher quality software then we get more sales. I think it works: you almost never hear people being bitten by VB/C# compiler bugs. We pay people full time to do careful investigations of stuff that (I reckon) most people would find too boring to do without a salary. None of this is affected by closed- vs open-source.

      What I've enjoyed is "open-source language design". The language design decisions are still made by stewards of the language as before. But by opening up the process of language-design, we see a lot more viewpoints and ideas from everyone. Better to fix bugs at the design-stage rather than wait until after the thing's been implemented.

      I'm willing to believe your submission is true -- but not without evidence, since your claim contradicts my own experience.

    • With both the recent openssl and bash bugs, in addition to fixing the bug, careful investigation was done by the respective communities and additional problems were/are being addressed.

      Excuse me for saying that I find all these platitudes less than reassuring.

      The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.

      Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves, with Fox undertaking the work as an employee of FSF. Fox released Bash as a beta, version .99, on June 7, 1989 and remained the primary maintainer until sometime between mid-1992 and mid-1994, when he was laid off from FSF.

      A security hole in Bash dubbed Shellshock, dating from version 1.03, was discovered in early September 2014.

      Bash (Unix Shell) [wikipedia.org]

      Analysis of the source code history of Bash shows the vulnerabilities had existed since version 1.03 of Bash released in September 1989.

      Shellshock (software bug) [wikipedia.org]

      A 25 year old bug with the potential to do enormous damage.

      In the UNIX shell in almost universal use by *NIX professionals, and a spate-no-expense project conceived and funded by the FSF.

  • And this makes how many?

    • by bigpat ( 158134 )
      And more importantly... who in their right mind still uses IE? Internet Explorer is currently blocked by my company's proxy server because it is considered so insecure and isn't likely to get unblocked any time soon.
  • Heartbleed & Shellshock have impacted for-profit companies quite significantly. I don't have an objection to them using opensource within the boundaries of the license but should THEY not be vetting before rolling it into a commercial product?
    No one company has to do it all alone - it can be done through a team effort & foundation, just like OpenStack.

    • by LWATCDR ( 28044 )

      Heartbleed and Shellshock show that nothing is really free.
      Those bugs would have been found long ago if big companies had put resources into FOSS.
      OpenSSL was used by everyone but had less than 20 active devs and a super skimpy budget.
      Bash? When was the last build of Bash before Shellshock?

      • by Bengie ( 1121981 )
        It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.
        • by spitzak ( 4019 ) on Tuesday October 14, 2014 @03:52PM (#48143579) Homepage

          No, bash was NOT working as expected.

          The expectation was that a bash shell function could be defined by starting an environment variable value with "() {". The purpose of the code was to do exactly that, no more and no less. Yes it did assume the string came from a trusted source and the idea is questionable, but that was not the hole.

          The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

          I think it is interesting that this bug was visible in source code for 20 years and until now nobody found it. This includes the black-hats. Not sure what this means...

          • by Bengie ( 1121981 )

            The fact that the code could cause arbitrary commands in the value to be executed at startup was certainly not intended.

            There seems to be several "bugs" associated with "ShellShock". At least one of the security issues was postponed because there was no way to fix it without breaking the feature. OpenBSD, then FreeBSD decided just to disable the feature all together. I am not aware of any follow-up on whatever "bug" that was, but it sounded like a "working as expected" issue.

            Since I cannot find anything sounding like this on Wiki, I'll assume that I'm wrong.

        • It wasn't a bug in bash, it was working exactly as expected. What wasn't expected was web devs passing in data directly from the Internet into bash. Bash incorrectly assumed that environmental variables were assigned from a trusted source.

          Nope. It was a bug. While it was the intention that bash would "import" function definitions from env vars, it was *never* the intention that it would directly and without confirmation execute any commands *following* the function definitions in the env vars.

          So yes, a serious bug.

      • Heartbleed and Shellshock show that nothing is really free.
        Those bugs would have been found long ago if big companies had put resources into FOSS.

        But that's special pleading.

        FOSS is supposed to be an alternative to stuff put out by big companies; why is it suddenly incumbent upon them to be fixing security holes 20+ years old?

    • by Cabriel ( 803429 )

      So, you're saying that the F/OSS community isn't responsible for the bugs in their software?

      • by haruchai ( 17472 )

        Not at all. But anyone who uses F/OSS IS a member of the community and that includes companies who chose to use it in commercial products.

  • Yes. Yes it is. (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 14, 2014 @03:11PM (#48143145)

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?"

    Yes. Yes it is. Because with open source, you have the possibility of dedicated community members examining, testing, and fixing the code even before a major breach happens. You even have the option of doing it yourself.

    With closed source you have companies that will spend the minimal amount they can on security, and sweep issues under the rug as long as no one is complaining with arguments like, "oh, the odds of someone exploiting THAT are astronomical". Which means that the first people who discover the problem are usually the black hats.

  • by casings ( 257363 ) on Tuesday October 14, 2014 @03:11PM (#48143149)

    Last time I checked, the general public was pretty ignorant about just about everything related to computers outside of checking their email and viewing the latest cat pictures on reddit.

    I'd rather consult a magic 8 ball than the general public.

  • Vojjne. (Score:4, Insightful)

    by Anonymous Coward on Tuesday October 14, 2014 @03:12PM (#48143153)

    Meanwhile my Windows 8.1 is downloading 16 fixes in 97MiB, of which one was used for military and industrial espionage if the security firm that found it in the wild SIX WEEKS AGO is to be believed.

    There is no magic alternative that is better than open.

  • I think when it comes to security related projects, like security libraries, that are used all over the place, we should demand higher quality code and better design and code practices, like those of OpenBSD. We should not compromise on quality when it comes to this kind of stuff. Do it correctly or don't do it at all.
  • by Bob9113 ( 14996 ) on Tuesday October 14, 2014 @03:18PM (#48143195) Homepage

    As such, the trust is left to the open source community, and is that really so different than leaving it to a corporation with closed source?

    Yes, it really is so different. Open Source provides an additional avenue for security auditing. With closed source software, any auditing body must be authorized to view the source code by the owner of the software. With Open Source, anyone can audit it. That does not mean that anyone has audited it, but being able to do so without having to contact the software distributor and get their permission is a substantial difference.

    If you want highly secure software, you have to verify that one or more trusted third parties have audited the code. You can't skip that step with either kind of software, it's just easier to get it done with Open Source.

  • by Ckwop ( 707653 ) <Simon.Johnson@gmail.com> on Tuesday October 14, 2014 @03:25PM (#48143283) Homepage

    I'd be surprised if a random member of the public could even define what free software is. They'd probably think it's connected to the cost of the software rather than its freedom giving properties.

    That said, I think that the view that with enough eyes all bugs are shallow is false. Given that bash is used in millions and millions of servers and the bug took decades to root out, we must think of a better way to get eyes on the code.

    The whole stack needs a line by line review by security experts. That will cost tens if not hundreds of millions of dollars but my view is that it's probably worth it. Then we have to make sure all changes get reviewed in the same way.

    The result of this process would be a super-hardened version of OpenBSD. It would come with a nice fat government certification and if you want to do business with the government, you have to use that distro.

    That might rub people up the wrong way but I think that's what's ultimately going to happen eventually. A lot of this infrastructure is so critical to the modern economy that we can't just run any old code anymore.

  • by Charliemopps ( 1157495 ) on Tuesday October 14, 2014 @03:27PM (#48143301)

    The difference between Open Source and Closed source is not the number of bugs and flaws... the numbers of bugs and flaws are likely equal. The difference is the number of bugs that were found and fixed. Just as many problems exist and are as equally dangerous in closed source software. The differences is that because it's closed, they remain there, undiscovered by the general public, for a very very long time.

    All of these discoveries should be celebrated. They are examples of Open source working as it should.

  • by stealth.c ( 724419 ) on Tuesday October 14, 2014 @03:29PM (#48143317)
    The Open Source approach has worked so well because people are at complete liberty to build on existing ideas and existing work, *not* because users are supposed to audit the code they're running. Almost no one does that, but a few do, and sometimes they decide to take what does work and throw out what doesn't. In FLOSS this can happen faster and with greater frequency than with IP-encumbered code. Whether you have faith in it or not, it works.
  • Look, people in the USA are more worried about Ebola, an infinitesimal risk, than are worried about getting a polio shot (we're losing herd immunity in major cities right now) or a flu shot (which WILL kill thousands of people this year).

    I'm not that concerned that "the public" is worried about Open Source, as most of the people polled think it means "open sores".

  • Somebody saw something weird, looked at the code analyzed the logic, found the bug, reported it, and it was fixed.

    Nobody said those thousand eyes would find bugs instantly.

  • >> is that really so different than leaving it to a corporation with closed source?"

    Yes its COMPLETELY different.

    Can there be exploitable bugs in open source? Of course. That remains true for all software, open or not. It is incredibly naive to imagine that anyone could effectively predict every potential future use of any product, especially a complex system.

    Not only are exploits less likely in opensource in the first place (beacuse of the larger numbers of eyes looking at the code) but detection is

  • by reikae ( 80981 ) on Tuesday October 14, 2014 @03:44PM (#48143481)

    Free software is about ideology. About the availability of source code and the permission to examine, modify and redistribute it. It doesn't mean better security or indeed better by any quality metric, and that's not the point. Much like freedom of speech: it's important even if I never say or write anything and it doesn't make everyone Shakespeare either.

    Posted from my Windows computer btw; I think there is value in software freedom, but I use what best meets my current needs and wants, and encourage others to do so too.

  • pay them!! (Score:4, Interesting)

    by lkcl ( 517947 ) <lkcl@lkcl.net> on Tuesday October 14, 2014 @03:54PM (#48143609) Homepage

    the key point that people keep missing is that corporations - which are legally obligated to maximise profits - take whatever they can get "for free". software libre developers *do not have* the opportunity that is normally present in business transactions to present the person receiving their work with the VERY IMPORTANT opportunity to transfer to that developer a reward (payment) which represents the value of the software that the person is receiving.

    so it should come as absolutely no surprise that those software libre developers are not equipped with the financial means to support themselves (the Gentoo leader ending up with a $50,000 credit-card debt and having to quit and go work for Microsoft is an example that springs to mind) and they *CERTAINLY* don't have the financial means to pay for e.g. security reviews or security tools.

    the solution is incredibly simple: if you are using software libre for your business, PAY THE DEVELOPERS. find a way. pick a project that's important or fundamental to your business, and PAY THEM.

    • the key point that people keep missing is that corporations - which are legally obligated to maximise profits

      That supposed legal obligation doesn't always exist, and far too much is made of it even where it does. Can you show me any examples of companies being prosecuted, or even investigated, for failing to maximize their profits? It doesn't happen. And you can easily spot any number of examples of companies failing to take opportunities to maximize profits.

      Drop that tired meme, it's really not true in practice, even when it's true in theory -- which isn't always the case, even for for-profit corporations.

      Wha

    • 100% agree!

      If businesses were smart they all would chip in $10 say towards LibreOffice [libreoffice.org], Inkscape [inkscape.org], Krita [krita.org], FreeNAS [freenas.org], GimpShop [gimpshop.com], etc.

      They could be free of the tyranny of proprietary vendor-lock file formats for once and for all. But yet they would rather pay to suffer ! **shrugs**

      Could you image how much development could get done if open source alternatives to X could get funding!? Not say money is a silver bullet TM but it certainly would go a long way!

  • by ruir ( 2709173 )
    "Closed" software also has lots or more security problems, and then you do not have the source to look at and fix it. This article is a troll.
  • Being open-source is what allowed these flaws to become publicly exposed. This article assumes that this is a 100% bad thing. The better question is how many closed-source security holes exist and are being actively exploited that we don't know about?
  • TFA starts off with this as the very first sentence:

    Hackers have shaken the free-software movement that once symbolized the Web’s idealism.

    And then fails to provide any real evidence that this is true. It should take strong evidence to reach the conclusion that an entire "movement" has been "shaken" to the point that it has lost its symbolic meaning. I skimmed the rest of the article, but the authors pretty much lost me after that bit of nonsense.

    People (both good and bad) have been finding flaws in open source software for decades. No one in the "movement" was surprised or "shaken" to h

  • by trawg ( 308495 ) on Tuesday October 14, 2014 @04:07PM (#48143729) Homepage

    I think some of Schneier's words [schneier.com] apply here:

    "I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."

    If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.

    If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?

  • Whether you trust the community or trust a closed vendor, you're still trusting that they got it right and/or haven't been compromised by moles working for crooks or governments. The bottom line is you should assume any easily accessible security software is compromised and build multilayer security around the asset you want protected. At least with open software you can audit it yourself or have it audited by someone you do trust. Closed? forget it, unless you're a government.

  • A big difference is probably that with open source you know you don't have glaring issues like a mail client that checks all incoming and outgoing emails for specific keywords, then sends a report to Microsoft and the NSA if any of those keywords are used. It's not that both open source and proprietary can't both have subtle bugs, of course they can. If an open source project such as say Apache decided to start sending tracking data to Apache.org, we'd all know about it before the version was even release

    • by Yunzil ( 181064 )

      As ESR famously said (but with context this time):
      given enough eyeballs, all bugs are shallow.

      Addendum: Of course, it might take 20 years for anyone to notice, because everyone is assuming that someone else is looking at it, but whatever.

      • Yes, that quote talks about once a problem is noticed, the right solution will be clear if many people look at the problem.

        It says nothing about positive or negative about how subtle bugs might be or when they'll be found. The answer to that question largely depends on the architecture of the code and the style, whether side-effects are common. Linus prefers kernel functions to be no more than a few lines long. If a function is three lines, you can pretty easily see if it's correct or not. A fu

  • Specifically, anti-vaxxers.

    "If so many people refuse to get vaccinated, herd immunity can't work. So why bother?"

    "Because if all you voluntary natural selection candidates want to kill yourselves, my own vaccination will at least partially protect me."

    Open Source at least offers the opportunity to protect yourself, to the extent of your own skill and effort. Which is the most anyone can realistically expect in this world. I have no intentions of allowing my fate to rest entirely at the tender mercy of peopl

  • before its anywhere near close Windows security failures over the years.

  • Yes, the advantage of open source is that good actors can read the code and find and fix security flaws. The disadvantage is that bad actors can also read the code and find and exploit security flaws. One would hope good actors would outweigh the bad ones, but my fear that that governments and organized crime have become bad and worse actors in a big way. Even when a particular flaw is fixed, we all know that there are still flaws to be found and exploited in any big software project, and nowadays the bi
  • The reality is that doing security audits and code reviews are boring. Unless you have someone who is really dedicated and knows their stuff taking on the task for an open source project, or someone paying a team to do it (TrueCrypt/VeraCrypt), it's not going to happen. In theory corporations are paying their staff so it should happen, but in reality corporations are likely to push such reviews way down the priority list because they cost money. Spending money is bad to a corporation, m'kay?

    Personally

  • by Opportunist ( 166417 ) on Tuesday October 14, 2014 @06:28PM (#48144937)

    The general public? Please. The general public is a mass of ignorant people. If you want to find the IQ of a group of random people, take the dumbest person and divide by the number of legs. I.e. the more people you get, the stupider they are.

    Need proof? Just take any reaction to any "sky-is-falling" information they ever got. From 9/11 to Ebola, the reaction is blind panic. You want to use THAT mass of idiots to gauge the sensibility of something esotheric like a coding paradigm?

    Please.

As in certain cults it is possible to kill a process if you know its true name. -- Ken Thompson and Dennis M. Ritchie

Working...