Linux Foundation: Security Problems Threaten 'Golden Age' of Open Source

Mickeycaskill writes: Jim Zemlin, executive director of the Linux Foundation, has outlined the organization's plans to improve open source security. He says failing to do so could threaten a "golden age" which has created billion dollar companies and seen Microsoft, Apple, and others embrace open technologies. Not long ago, the organization launched the Core Infrastructure Initiative (CII), a body backed by 20 major IT firms, and is investing millions of dollars in grants, tools, and other support for open source projects that have been underfunded. This was never move obvious than following the discovery of the Heartbleed Open SSL bug last year. "Almost the entirety of the internet is entirely reliant on open source software," Zemlin said. "We've reached a golden age of open source. Virtually every technology and product and service is created using open source. Heartbleed literally broke the security of the Internet. Over a long period of time, whether we knew it or not, we became dependent on open source for the security and Integrity of the internet."

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

I post, trying to say that Linux people should take security seriously because it used to be a real problem for Microsoft and made their marketing difficult and you post a thing which shows that Microsoft is still sufficiently desperate that, instead of counting all their windows vulnerabilities together as with Linux, they break them down into separate categories for each separate build of their kernel? You show a total of almost 250 vulnerabilities for Windows compared to 119 for Linux with it very obvio

Re:

[KGIII]

They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead. So, a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.

Re:

[drinkypoo]

They should separate them. Like Linux, Linux is just the kernel. With Windows the kernel is the explorer.exe process, more or less, and you can actually load a different shell instead.

Uh no [fortlewis.edu]. Explorer is basically equivalent to nautilus+gnome-panel. It's a graphic and file manager and program launcher, and it provides a notification area. Windows has a kernel like any normal operating system. Explorer can die and be restarted without affecting the kernel at all.

a security flaw in IE is not a security flaw in Windows. Just like a Heartbleed wasn't a security flaw in Linux. They need, and should be in, separate categories.

It doesn't matter by how much they separate them, because these statistics cover publicly known vulnerabilities. Microsoft could potentially know about hundreds or even thousands (or merely dozens) of bugs with security implication

Re:This contradicts history.

[fyngyrz]

The article on that page reports more OS vulnerabilities for OSX and other Apple products.

Generally speaking, that's not the attack surface most people need to worry about.

The surfaces that most attacks are focused upon are Internet-facing. So, the web browser (IE has the most vulnerabilities) on one end, and the web server on the other; the web server, in addition, provides more vulnerable surfaces in the form of applications like wordpress and so on.

The article you linked to is not well written at all. The comments on it reveal numerous flaws in its conclusions.

Re: This contradicts history.

[Anonymous Coward]

Hardly. People left Windows because TCO on Linux is lower. Security is a tiny part of TCO in either. Keeping Linux up to date ain't free time wise either.

obviously, "move"

[turkeydance]

was more obvious

what OSS is insecure?

[Skapare]

what OSS is insecure? i think it is company executives and lame sysadmins that are insecure. of course easier-to-use security could help.

Re:

[jones_supa]

Well, installing a Debian package allows it to run a script that can execute arbitrary commands with superuser privileges. Pretty simple to nuke a system by just giving someone a hot_chicks_card_game.deb.

Re: what OSS is insecure?

[bill_mcgonigle]

That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some. Lame users want to use computers too.

Re:

[bbelt16ag]

Ok if you are talking about Desktop users Vs. Sysadmins in major corporations is what everyone else is talking about.

Re:

[drinkypoo]

That's the whole reason secure boot and trust chains exist. "Walled-gardens" to some.

Secure boot and trust chains where I choose what to boot and who to trust wouldn't be a walled garden, it would be a libertarian paradise... or the computing equivalent. The problem isn't the technology, it is how it is (inevitably?) used.

Lame users want to use computers too.

As well they should. It would be nice if there were more credible options for everyone else, though. Google is taking steps to lock down Android somewhat in Marshmallow, with possible ramifications both for ad blockers and for modification tools like the Xposed framework.

Re:

[Anonymous Coward]

OpenSSL and GPG both have had numerous security flaws opened against them in the last 6 months or so.

The Linux Kernel regularly gets critical security updates.

A better question is, "What OSS *isn't* insecure?" If you think anything is magically "secure" you're in for a bad time.

Re:

[Z00L00K]

So do Windows and a number of other applications and operating systems. Mostly the security issue is just a small thing but now and then a big issue appears.

Many large issues are also caused by not one single mistake but by a chain of mistakes where each mistake by itself wasn't fatal. This isn't limited to software alone but we see it from time to time in the physical world as well.

Re:

[WorBlux]

Not automatically. If your only building security is the lock on the front door it's not going to help you against targeted attacks of it you let employees have any sort of guest that they want in the office.

Re:

[jabuzz]

I will politely refer you to the recent Hatton Gardens

Re:

[Skapare]

maybe you should be reading "how to become a one percent-er, for dummies".

Re:

[Anonymous Coward]

Step 1: Get 100 million dollars. Surely you are born into money, so this step goes almost without saying.
Step 2: Buy some companies.
Step 3: Bribe politicians to pass laws that benefit you and your companies, while preventing pesky competition from stealing your profitsessss.
Step 4: MOAR profits!
Step 5: Repeat steps 2-4 until you are into the .1% range.

it needed to happen.

[Gravis Zero]

heartbleed was a blessing in disguise because companies were blindly assuming this software was secure and thus never investing a dime in it's development. this internet-scale problem woke up some people and now they are actually investing in real security.

Heartbleed should've been way more of a yawn

[somepunk]

Still a serious bug, but if forward secrecy [eff.org] had been widely deployed, much, much less threat exposure would have occurred.

That's the lesson. Code audits are great, but they still miss stuff and are expensive. Take good practices more seriously, and you get a lot of bang for your investment in time/money/whatever.

Re:

[Bengie]

OpenSSL issues weren't language issues, they were willful fundamental decisions made. Blindly accepting lengths claimed from the client, writing their own memory allocator, using the the raw private key for random data, creating their own RNG.

Re:

[Metabolife]

Look at the list of effected companies. You'll notice that none of them are financial institutions which were still on an older version. Some people do their due diligence and audit the code, others can't afford to.

Open Source is working as intended

[PvtVoid]

It's really, really good that somebody is stepping up and providing funding to maintain what have become critical Open Source infrastructures.

At the same time, it's totally disingenuous to imply that recent security issues are somehow caused by the fact that they are Open Source. There is no reason whatsoever to believe that, had the same services been proprietary, they would have had fewer bugs affecting security. In fact, the only effect of having critical services closed source would very likely have been that the security issues would have gone undiscovered for even longer. Making the critical security infrastructure for the internet closed source would be insane.

Open Source is working exactly as intended here: critical security issues were identified (ok, way too late, agreed), and fixed. Now the people who rely on those infrastructures are realizing (also way too late) that it is in their interest to provide funding to maintain them. This is how it's supposed to work.

Re:

[jones_supa]

Making the critical security infrastructure for the internet closed source would be insane.

All of the Cisco networking gear runs on closed source software.

Re:

[Anonymous Coward]

LOL, and look how secure Cisco gear has been lately! But more importantly, even Cisco is going down the software-defined networking route with open source NOS.

Proprietary Firmware

[Anonymous Coward]

The problem is that low-level "bootstrapping" software like the BIOS is still closed source, and—worse—becoming so complex that it's basically an entire operating system unto itself.

Consider Intel's Management Engine and the associated Active Management Technology that is in every modern (though, upper-middle quality) Intel-based desktop/laptop these days; it provides a whole personal computer within what you, the user, think is the actual personal computer, and that embedded personal computer h

Re:

[WorBlux]

You can even buy laptops now that are OSS from the firmware on up. There are dozens of OSS u-boot based dev boards availible. You can run a system of a CPU design loaded onto an FGPA. There are cellphones built with basebands you can load OSS firmware onto, or are not linked into DMA with main memory and have CPU controlled hard off switches. These aren't flagship consumer products, but they are available. Security is rarely convenient.

Intel's management engine and the like are not some vast conspirac

Vendors don't want interoperability

[140Mandak262Jamuna]

It is never in the interests of the vendors to support full two way interoperability. Up starts will support interoperability with established players when it suits them and sabotage interoperability to prevent people from leaving. From early days of Microsoft making sure unix file systems can be seen by windows but not vice versa to present day CAD vendors investing order of magnitude more effort in "importing" other vendor's CAD format but becoming very apathetic to bugs reported on their export capability. Parametric Technologies started encrypting its files to prevent Microedge or some such vendor from reading the files, and invoking DMCA to stop anyone else from reading the files. The format is PTC's but the data is the customers'. They use every trick in the book to hold the data hostage. Every CAD tool vendor does this, PTC is not particularly worse than any of its competitor. It is exactly the same fight between ODF and XLS. The "open" formats are STEP and IGES

But it is in the interest of the customers to make sure their data never gets locked up in a format they don't control. Why wouldn't the fortune 500 companies invest a tiny part of their IT budgets to support ACM or IEEE to play the role of arbitrator when it comes to file formats, data and export/import protocols, fundamental security etc. These things should be neutral and no vendor should see them as yet another way to invade and occupy their customer's systems and processes.

Objective proof that proprietary is more secure?

[walterbyrd]

If there is no such evidence, then how does this article make any sense?

Re:

[Z00L00K]

Switching to C++ is just opening another can of worms.

C++ just have the bad stuff from C and the bad stuff from object oriented design combined.

If you want a language for an OS that is better you will need to look at ADA or some completely different language. One of the more secure operating systems out there is OpenVMS and that's written in BLISS.

Re:

[WorBlux]

The only provably secure OS (L4) is written in C. I think there are good languages out at the application or platform level (Rust, Haskell, Scala) but systems level programming it's mostly just C. Alternatives are mostly just dressed up C (C++, D). Java and Haskell offer was to wrap application in a standalone VM, but largely due to the fact it uses shims in a controlled enviroment, it doesn't actually have to work with the messy hardware stuff.

Re:

[Bengie]

C++ is great for masking what is actually happening in the background, which is the opposite of what you want for a kernel.

Re:

[KGIII]

Doesn't all C code run as C++ code with no code changes by default? I'm not sure where I'm going with this but I am not a programmer (not a good one, at any rate) and I'm mostly curious. With my limited knowledge, well, I can't really think of any reason to switch but I can't see any harm in switching by default. So long as the practice was good in C shouldn't it also be good in C++? After all, I thought you could literally take the C and just put it in C++ and it worked natively?

Re:

[windwalkr]

Pretty much. A "C++ programmer" doesn't typically write C-style programs, however, but uses the more advanced language features to buy some amount of extra compile-time safety. At least, that's the idea.

Re:

[GuB-42]

Not exactly. All C is not valid C++.
However, it may be considered good practice for C code to be written so as to make it valid C++. In is not a big effort and allows you to take advantage of the added safeties included is C++ compilers. Think of it as static analysis.
One trouble however of using C++ is the lack of a binary standard, so, while compiling your C code as C++ may be a good test, actually shipping C code compiled with a C++ compiler may not be a good idea.

Re:

[Xabraxas]

The Windows kernel is written in C. Most kernels are written in C.

This is not the golden age of FoSS

[drinkypoo]

If this is the golden age of FoSS, it's only because humanity isn't going to make it long enough to have a real one. We'll have a real one of those when we abolish software patents. Suddenly, FoSS no longer has to fear attack on bullshit grounds by patent trolls, or megalithic competitors abusing their market position. Until then, it's still a war, and nobody wins.

Nobody is talking about the root causes yet....

[ka9dgx]

The root cause of all of these security problems has been in plain sight since 1970 or so, yet only a few people are even aware of it. It's obvious once you get it, and the scope of fixing things comes clearly into place. So, do you really want to take on forking every program to build a new version of it? If so, you can fix it, if not... this will continue to happen, and government will try to fix it by fiat, badly.

The cause is that our operating systems operate on the assumption that programs can be trus

Re:

[drinkypoo]

The cause is that our operating systems operate on the assumption that programs can be trusted.

Android tries to sandbox programs, pretty successfully until you find a hole in the sandbox someplace. Two new Stagefright vulnerabilities have been found recently. I was just patched, too. I guess a new edition of the custom rom I'm running will be available shortly. And there's always selinux, but configuring it is still a massive PITA. The tools and their build processes are immature.

Re:

[WorBlux]

Sound like a micro-kernel burnt into the microprocessor. It's almost kind of too specialized unless you already have a very strong use-case.

Re:

[KGIII]

A remarkably beautiful young lady revealed something to me just the other day. This is from a pop song in 1982 - I'd never noticed it when it was popular and getting radio play.

Back at base, bugs in the software
Flash the message
"Something's out there"

Yup... Ah well, we'll always have bugs. Anyhow, isn't the idea of a microkernel meant to minimize such? IIRC that was the guy from MINIX (I forget his name) big complaint about Linux. Stability and security come at a cost of performance but the price might be worth paying now that we have hardware that is so speedy.

Oh, the song is 99

Re:

[WorBlux]

A microkernel minimizes the amount of code you have to trust. MINIX as of 3.0 is also designed to be fault-tolerant, able to recover to almost any sort of bug. You tend to get a lot of transactional and message passing overhead though. For example the filesystem modules isn't allowed to access the disk controller, it has to ask the block layer to do it and pass the result. But the block layer can't actually pass the result directly, it has to check in with the microkernel to make sure it's okay.

But the

Re:

[KGIII]

Thank you for the insight. I really need to fire up MINIX in a VM and see what's going on. I'm a maths grad and not a CS grad so it will be fun for me to learn about the various ins and outs. One of the things I assume is that, in realistic use, today's hardware will cope with the added overhead with nary a problem - I'd imagine the processing rate to be only trivially slower if I'm understanding everything properly (and I may not be).

I kind of like the checks, or the idea - I'm not fluent enough to say tha

Re:

[dog77]

I think we need to go further and fundamentaly redesign the hardware architecture that the operating system runs from

Physically Isolate the operating system from the rest of the system. Let it run from completely different memory and storage so that is impossible to access from the rest of the system. Let it be a monolithic program that has its own drivers and its own network stack.

If you need to make a change to the operating system, you must physically switch to the operating system control and from

Re:

[drinkypoo]

I think we need to go further and fundamentaly redesign the hardware architecture that the operating system runs from
Physically Isolate the operating system from the rest of the system.

Don't we have hardware in the CPU which is effectively supposed to do that? And don't we just keep poking holes in it so that we can get better performance?

Re:

[WorBlux]

The existing hardware virtualization and security extensions actually let you do this. See L4 as an example.

Re:

[WorBlux]

Even if you can "prove" the software, how do you prove your hardware? And I think this sort of thing is very hard in a desktop system. Just take private namespaces. Within a single program you can be fairly sure as to what needs access to that data structure, on the desktop it's less sure what a user could want to have access to a particular file. There are server techs with isolate namespaces between services and processes, and there are techs which can fine-tune access of arbitrary executables to files a