Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Open Source Security United States

White House Enlists Software Industry To Improve Open-Source Security (bloomberg.com) 63

White House officials are asking major software companies and developers to work with them to improve the security of open-source software, according to an administration official. From a report: The invitation follows the disclosure of a vulnerability in popular open-source Apache software that cybersecurity officials have described as one of the most serious in recent memory. In a letter Thursday, National Security Advisor Jake Sullivan invited major players in the software industry to discuss initiatives to improve open-source software security, the official said. Dozens of open-source software projects have become crucial components of global commerce and are mostly maintained by volunteers. The effort will start with a one-day discussion in January hosted by Anne Neuberger, the deputy national security advisor for cyber and emerging technology, according to the official. In the letter, Sullivan wrote that open-source software has accelerated the pace of innovation but pointed out that the fact that it is broadly used and maintained by volunteers is a "combination that is a key national security concern, as we are experiencing with the Log4j vulnerability," the official said.
This discussion has been archived. No new comments can be posted.

White House Enlists Software Industry To Improve Open-Source Security

Comments Filter:
  • Pay wages (Score:5, Insightful)

    by Tailhook ( 98486 ) on Friday December 24, 2021 @08:05AM (#62111755)

    Talk all you want. Until there people are paid to audit and rework code it won't happen.

    • Re:Pay wages (Score:5, Insightful)

      by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Friday December 24, 2021 @08:38AM (#62111817) Homepage

      Too many organisations just take/use Open Source and contribute nothing back. If they all gave even small amounts the benefits would be great.

      The trouble is that there is not a direct link between an Open Source user and the increase in security gained by that user. The result is that users (I'm talking about corporations who could afford to drop some cash to projects) see no point in helping - they just rely on others doing so; some are ignorant enough to say "It is free, I have no obligation to give any money.".

      Government could help, just a small fraction of national defence budgets would be great and cost/benefit on national security be good; but again: why should one country donate when others are providing help (cash). The other problem is that proprietary vendors would complain of tax money helping their competitors.

    • "... and we're here to help".

    • by AmiMoJo ( 196126 )

      Google does that.

    • Just realize that commercial software isn't better, but it's harder to find potential attack vectors in it.

    • Your company already pays you a wage. Change GPL to include a mandatory minimum number of hours volunteered to open source projects. That would allow employees to force employers to comply. Employees in the US are basically powerless and companies have a fiduciary responsibility to be greedy and not give back.

    • So Oracle has no commercial interest in keeping the Java ecosystem secure? It's open source. Any commercial entity using it has an obligation to their own customers to ensure the FOSS packages they are using are secure. This is just capitalism in action. All the companies which were vulnerable should not be trusted with sensitive data any longer as they failed a critical exercise in security. The log4j flaw would have been obvious to any skilled developer approaching it from a security perspective. The au
    • Exactly - not only are companies greedy in using volunteer create open source s/w they are short sighted in not developing in-house expertise to fix and extend these tools and this voice back to the open source community.
    • I would say some of the issue is that open source developers don't see themselves as accountable to anyone because they 'open source'. Why would someone pay large sums of money to anyone who will tell you they will get to your issue if they think it is important enough. Meanwhile the developers will keep working on some 'new feature' they think is important. And even if a company pays someone to implement something or fix a potential security flaw, it won't be merged into the code unless the open source de

      • I would say some of the issue is that open source developers don't see themselves as accountable to anyone because they 'open source'.

        You are quite correct. I'm one of them. I'd give a giant "EAT SHIT" to anyone who wants me to code for free then add features or fix bugs they want ... because why again? Did you pay fuck all for what you got? No. Did you contribute anything more than whining and pontificating about what is to be done with these incorrigible coders? No. In short, FUCK YOU PAY ME [youtube.com]. Oh, and by the way, in the meantime while you are digging in your wallet, I'd also like you to know that I'll be cobbling together what ever half-

  • Get serious (Score:4, Interesting)

    by registrations_suck ( 1075251 ) on Friday December 24, 2021 @08:10AM (#62111763)

    If they wanted to get serious, they would pay open source developers on a 1099 basis, based on contributions/submissions (accepted) to various projects.

    The govt can pay welfare recipients for doing nothing and/or breeding babies. It can pay actual contributors to society's technical infrastructure as well.

    • If they wanted to get serious they'd expand SSI to pay everyone a UBI, paid for by taxes on the wealthiest and a reduction in military spending. Taking care of people's needs reduces crime.

      Of course, we have to do similar things across the whole world in order to reduce internet crime, since it's global... good luck!

      • You kind of shot your own argument in the foot in the end. But youre right, most cybercrime is coming from foreign actors. Each with different motives. When it comes to motive and that motive is financial gain, then you can usually count on Russia and India as a source location. There is also state sponsored fraud by N Korea, because that government cant afford to rub two nickels together. But there is still a ton of cybercrime sponsored by many nations with the sole intent of destabilizing economies. No ch
      • UBI, contrary to what its proponents claim, won't take care of people's problems. It could in the short term, but in the long term it just increases the money supply without increasing the availability of resources. Money just enables trade, it doesn't produce anything, nor does it make people more productive.

        By the way, you've probably never noticed this, but UBI experiments always seem to end up with the same result: People either quit their jobs, they just remain unemployed if they already didn't have a

  • Fact of life... (Score:4, Informative)

    by jonathantn ( 6373084 ) on Friday December 24, 2021 @08:14AM (#62111775)
    It's a good open source project. It just had a vulnerability that someone found. This is how open source works. There are going to be vulnerabilities in stuff. Since the source code is open, when the fix is committed others are going to notice the change and realize it's a security fix. Inevitably that results in the upgrade wave that we're seeing right now. No amount of government involvement is going to change the reality of what happens when one of these vulnerabilities is discovered. If the government wants to do anything useful, fund an OS bug bounty program for popular open source projects that the government relies upon.
    • Re: (Score:3, Interesting)

      by white5moke ( 9028929 )
      log4j? it's awful. every project i've used that has it as a dependency is a buggy mess, right out the gate. i wasn't aware that an intrinsic logging library was meant to report on itself first go at it!!!?!?!?!?!?! i ended ripping the dependency out of all my code. it's been broken for years, and sloppily maintained, and that's why we're at this juncture. poorly maintained because no sane person will dedicate their time and effort to something that cannot sustain their quality of life. sure contribution is
      • IT really has become like any other urban infrastructure.

        Some parts of it are new and shiny and comply with all the latest guidance and engineering sophistication. Some parts are sort of new, but have a bit of kludgery applied at the edges.

        The rest is a duct tape and bailing wire mess, a spaghetti that really can only be thrown out and started over.

        And it's not just code, but whole environments which run more or less by the grace of god and are so fucked up nobody is willing to tinker with them (or pay the

      • Look at it this way, would you rather have everybody roll their own? Log4J is successful because it solved a need and worked. Your points about poorly being maintained are not accurate however, this was a feature that was introduced and not fully thought out.

        • Sure. Spurs innovative ideas. I for one don't like using popular libraries in my code because 1) it's always a target, and 2) decentralized code speaks volumes. Everything in the history of mankind has proven that we build things too large, and too interconnected, and everything goes to shit for that particular entity. My points may not be accurate, yet here we are debating something that could have been catastrophic in contrast to the efforts and financing placed into independent open source software. My
      • It's garbage. I totally agree after many bad experiences with it. I also agree with the point that nobody is going to fix it for free despite lots of moron's recriminations and backbiting on open source. When someone's best skill is "whiny little bitch" they shouldn't complain about free software with bugs in it and be very polite when reporting them, too. Ingrate folks should be glad anyone contributed software to their dumb ass in the first place. I'd love to know if there is another hobby or profession w
    • It's a good open source project. It just had a vulnerability that someone found.

      The real problem we face is a serious design problem. We have absurd monolithic applications like Apache that are overprivileged and outside any reasonable scope. The original reason for this was to streamline the processing of requests when we had single-threaded processors. Despite the overabundance of processing power and memory available, software has not shifted toward become small isolated worker processes that do one job and pass on the results. Software flaws are inevitable part of computer prog

      • by AmiMoJo ( 196126 )

        Not quite all our software. Browsers are pretty good at compartmentalizing stuff.

        The bigger issue is that when problems are found and an update is required, many people are too scared to change a working system. If an upgrade is even compatible, it's still a big risk and likely means downtime or out of hours work.

        • Browsers aren't privileged system services but rather applications. I would argue that compartmentalization was only needed after JIT compilation and other features made page content a credible threat. You don't need extreme isolation measures when using a JavaScript interpreter which means it's really a self-inflicted wound.

          As for the issue of updating, this is a non-issue because properly isolated system services don't even exist for Linux, they are all monoliths running as highly privileged users.

    • You forgot the hype curve and multiple scramble fixes that go along with it. Update your POMs folks and push it.

    • by butlerm ( 3112 )

      Unfortunately, Log4J 2 did not fail due to the presence of any kind of bug. It failed due to a defective design that the developers refused to fix for years. It is still defective, and no one in their right mind should use it. Why should anyone trust software from developers with a fatal case of confusion between code and data?

      Who think that scanning and evaluating attacker controlled data for lookup expressions is a convenient design feature? In engineering terms, they are insane, and the software in ver

      • by butlerm ( 3112 )

        I should back pedal on that. It appears that the Log4J 2 developers have had a change of heart due to recent events and really are trying to prevent any kind of substitution in untrusted data, including thread context data, and may have succeeded as of version 2.17.

  • by Martin S. ( 98249 ) on Friday December 24, 2021 @08:51AM (#62111837) Journal

    The big issue this incident has exposed is the failure of risk management. The reality is that adopting widely used, popular tools like Log4J present a very low barrier because it is free as in beer. That appears to absolve its users/adopters of their fiducial responsibility, but should not. How often have you faced the need to present a business case to use Open Source software. Rarely if ever.

    So where does the fiduciary responsibility fall here?

    The Log4j development team are unpaid volunteers, this is the case with many Libre projects, but everybody expected them to drop everything, put their lives on hold and deal with it, and find a solution, but what about the organisations using it? This is despite the fact that free and open source software licences have a very explicit As-Is clauses in them.

    • Thank you for this shedding of light on the stain that the corporate element has introduced to the engineering of software. It's this little management process that puts quantity of work over quality, and profit over security. The US government wants to talk a big security game, but they don't want to back it up with money. Instead they would rather put things into policing drones that is just another way to spy on the population it keeps economically oppressed by it's own failures! At the end of the day, t
    • by decep ( 137319 )

      That appears to absolve its users/adopters of their fiducial responsibility, but should not.

      This is despite the fact that free and open source software licences have a very explicit As-Is clauses in them.

      What the hell are you going on about? "Fiduciary" makes absolutely no sense in this context, but I will just roll with it in the spirit of Christmas.

      If you are a commercial software vendor with support contracts with your customers, and you use open source software for your product, you bear the burden of support. You agreed to the as-is terms of the open source license and your users pay you to fix problems.

      If you are selling support contracts for your software, you bear the "fiduciary" burden of your co

      • #1 Fiduciary responsibility is absolutely relevant to being a professional software developer. That includes working on internal development projects.
        #2 Log4J and the Apache technology stack are open source development tools, not COTS and the are used extensively internal development project. I have worked with Java for two decades on very large scale projects, with UK Telco, UK Government Agencies, a UK Bank, a national UK supermarket chain and several E-Commerce.
        #3 My argument is that project management s

    • You never propose a business case for using open source software? Really? Because the awesome training, comprehensive features and easy-to-use UI's are always better than the commercial alternative I guess? Seriously, you always pay for software somehow and sometimes the commercial offering is worth it!
      • You are projecting and the rest of your comment shows you have little or no first hand familiarity with the Java/Apache technology stack or its use in Enterprise systems. The majority of Java developers are very familiar with Apache Java stack. The majority of that work is internal development projects not packaged solutions.

        This is not a unique to Java, I have seen the same issue of uncontrolled technology proliferation first hand with LAMP, Python and Microsoft development shops.

    • by AmiMoJo ( 196126 )

      The only way to solve that is to

      1. Pay people to contribute fixes, ideally the same ones who look for the bugs in the first place.

      2. Pay people to create easy update mechanisms for popular open source projects. Stable APIs or compatibility shims.

  • Enlistment: - To engage (persons or a person) for service in the armed forces. - To engage the support or cooperation of. - To enter the armed forces. So we don't have a choice to prosper off of our skills?!?!?! It has to be ported through compliance or the armed forces? Indentured servitude at it's apex!
  • by AcidFnTonic ( 791034 ) on Friday December 24, 2021 @10:49AM (#62112043) Homepage

    Aak their Tailored Access Group who sits on exploits for the nsa/cia/fbi.

    Anything else is pretending you dont already know the attack vectors.

  • White House is now a software development outfit?

    • by hey! ( 33014 )

      The White House need not be software engineers to advance system security any more than Eisenhower had to be a civil engineer to envision an Interstate Highway System or Kennedy had to be a rocket scientist to envision putting a man on the Moon. Al Gore didn't have to *invent* the Internet to be instrumental in making it happen and making it available to civilians.

      The power to get funding for something is not a thing to be underestimated.

  • After all they are awaiting to see if this administration will prosecute them for anti trust (timing / effort depending on DOJ's budget, according to one of the earlier stories here). They can always hint at making some big open source related investments if the government stops following up on the anti trust stuff.

    Otherwise they can always find bugs and fix them for internal use while not releasing their findings to the general public.

    Too evil? Or giving them ideas?

  • consider.
    as a part of security.
    employ software testing methods

  • You can find this article in many places without a paywall, but here's a version that has a tiny bit more info: https://siliconangle.com/2021/... [siliconangle.com]

  • I have tried to contact both Jake Sullivan and Anne Neuberger, but both have created walls to reaching them.
    These guys want to reach out to just a few top ppl, but really are not that interested in solving these issues.
    With a trivial bill, they could cut much of the cracking that is occurring.
  • When the government asks to "improve security," what it really wants is a back door.

  • Flaws won't be fixed magically. Follow up on EU-FOSSA, or just help accelerate OpenSSF's work. It could use more resources: https://www.philippecloutier.c... [philippecloutier.com]

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...