MESSAGE
| DATE | 2014-06-16 |
| FROM | einker
|
| SUBJECT | Subject: [NYLXS - HANGOUT] Stupidity of the highest order ...
|
From owner-hangout-outgoing-at-mrbrklyn.com Mon Jun 16 10:05:44 2014
Return-Path:
X-Original-To: archive-at-mrbrklyn.com
Delivered-To: archive-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix)
id 085C5161137; Mon, 16 Jun 2014 10:05:44 -0400 (EDT)
Delivered-To: hangout-outgoing-at-mrbrklyn.com
Received: by mrbrklyn.com (Postfix, from userid 28)
id E382C16113C; Mon, 16 Jun 2014 10:05:43 -0400 (EDT)
Delivered-To: hangout-at-nylxs.com
Received: from mail-ie0-f171.google.com (mail-ie0-f171.google.com [209.85.223.171])
by mrbrklyn.com (Postfix) with ESMTP id 2ED58161137
for ; Mon, 16 Jun 2014 10:05:43 -0400 (EDT)
Received: by mail-ie0-f171.google.com with SMTP id x19so5036562ier.16
for ; Mon, 16 Jun 2014 07:05:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20120113;
h=mime-version:date:message-id:subject:from:to:content-type;
bh=I6PIfrbYdVF8Qt9RFeuooA0K45QsKUylfoFpo6aR8vU=;
b=vuHLkExgk5qV8l3i2cuV6fu0V/BQdGqKb+00mmYtN0iJNLcf+Whn125B7sODLFQBmC
1yTBkU+yKKMdbexls6OgXZUjiJSafBJwrkUV08d5g2x3OGzDsbGar+iYsBrkmkSxACC4
X9vA8odP1nKo8uMe+oy39YTq3zhsQ0kJndHy4ITleoZ11uijqupaDGnhMFUaUuynuEv4
Gh+rxsuMA29Zl/CJDUUb3DsF3lPmZySs0gBhxPx6FojIs4Es/bUPheR8gTOtRtHqCU4u
tfMJnVCFVXFJqeqn4HF7MEha1QtVlQeC8q8O/W3K3IDWi2sc/iqM+brzTgH6HQ5z1/Di
etJg==
MIME-Version: 1.0
X-Received: by 10.50.36.106 with SMTP id p10mr26107585igj.9.1402927542084;
Mon, 16 Jun 2014 07:05:42 -0700 (PDT)
Received: by 10.64.76.12 with HTTP; Mon, 16 Jun 2014 07:05:42 -0700 (PDT)
Date: Mon, 16 Jun 2014 10:05:42 -0400
Message-ID:
Subject: [NYLXS - HANGOUT] Stupidity of the highest order ...
From: einker
To: Hangout
Content-Type: multipart/alternative; boundary=089e0115ebd0cac05b04fbf485fc
Sender: owner-hangout-at-mrbrklyn.com
Precedence: bulk
Reply-To: hangout-at-mrbrklyn.com
--089e0115ebd0cac05b04fbf485fc
Content-Type: text/plain; charset=UTF-8
Articles like this truly PISS ME OFF! Now, only Open Source Projects by
their sheer adherence to open source philosophy are hampered by security
flaws? BULLSHIT.
I guess all Microsoft and Apple products never had any security issues (You
wish!) and were pristine because commercial vendor tested them to a greater
degree than open source projects.
Give me a break! Commercial products are riddled with security and basic
programming issues. Best of all, you will never know since you can't see
the source/test and until its way too late and you've been screwed.
One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and Theo
does love you...) has only to remote holes in their base OS install in the
late 10 or more years.
It's amazing that Paul Rubens calls out open source / free software yet has
the audacity to reference free and open source security programs on his
website (rubens.org linking to http://www.clippings.me/paulrubens).
Isn't it amazing how you use the products but then bash their security
status and have the nerve to say that security reviews were never done.
For what its worth, if you have doubts/concerns about open source / free
software, do the rest of the planet a real service, don't use it. More
importantly, dig your head from out of your ass and check out the plethora
of opens ource / free source projects that have been responsible for
running and maintaining the internet for years. I would strongly suggest
looking ta netcraft surveys and then ask why is everyone using free OS /
servers to host on as opposed
to commercial offerings. Could it be SECURITY, VIABILITY or even should i
say it..... Best software going for the job!
For the Rubens of the World, please all turn off your computers whatever
you are suing and please go live in a cave with the other Neanderthals!
Why open source software isn't as secure as you think
A failure to spot a necessary validation in OpenSLL code before an update
caused the Heartbleed bug
Paul Rubens (CIO (US))
on 13 June,
2014 08:56
The OpenSSL Heartbleed fiasco
proves beyond any doubt what many people have suspected for a long time:
Just because open source code is available for inspection doesn't mean it's
actually being inspected and is secure.
It's an important point, as the security of open source software relies on
large numbers of sufficiently knowledgeable programmers scrutinising the
code to root out and fix bugs promptly. This is summed up in Linus's Law
: "Given enough eyeballs, all
bugs are shallow."
But look at what happened with OpenSSL. Robin Seggelemann, a German
programmer from Munster University, updated the OpenSLL code by adding a
new Heartbeat keep-alive function. Unfortunately, he missed a necessary
validation in his code to check that one particular variable had a
realistic value.
The member of the OpenSSL development team who checked the code before the
update was released also missed it. This caused the Heartbleed bug.
One reviewer, even a handful of reviewers, can easily miss a trivial error
such as this if they don't know there's a bug to be found. What's worrying
is that, for two years, the Heartbleed bug existed in OpenSLL, in browsers
and in Web servers, yet no one in the open source community spotted it. Not
enough eyeballs scrutinised the code.
*Commercial vendors don't review open source code*
Also alarming is that OpenSSL was used as a component in hardware products
offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed
Technology and Barracuda Networks - all of whom failed to scrutinise the
code adequately before using it, according to Mamoon Yunus, CEO of Forum
Systems , a secure cloud gateway vendor.
"You would think that it would be my responsibility as a vendor, if I
commercialise OpenSSL, to put my eyeballs on it," he says. "You have to
take a level of ownership of the code if you build a company based on an
open source component."
Instead, Yunus believes vendors just regarded OpenSSL as a useful bolt-on
to their hardware products - and, since it was open source, assumed other
people were examining the code.
"Everyone assumed other eyeballs were looking at it. They took the attitude
that it was a million other people's responsibility to look at it, so it
wasn't their responsibility," he says. "That's where the negligence comes
in from an open source angle."
Yunus suggests that commercial vendors should run effective peer review
programs for any open source code that they use, run static and dynamic
analysis tools over it and "fuzz" the code to ensure it's as bug-free as
possible. "What have these companies been doing for the last 10 or 15
years? If I were them, I would be taking a long, hard look at QA processes."
In fact, Yunus questions whether OpenSSL should ever have been written in a
relatively low-level language such as C
, echoing
security expert Bruce Schneier
by
suggesting it could be seen as "criminal negligence" to use a language that
lacks memory management for such a security sensitive application.
Jeffrey Hammond, a security analyst at Forrester Research, contradicts this
view. He points out that performance is a key attribute of OpenSSL as it
has to deal with huge volumes of packets.
"If you have access to memory you are going to be open to some types of
attacks, but you get the performance," Hammond points out. "I wouldn't say
they should never have developed OpenSSL in C, but it's true that with
performance comes responsibility."
*OpenSSL, Truecrypt show limits of open source code review*
One problem facing many open source projects - and the reason it's hard to
blame Seggelemann or the rest of the OpenSSL team - is that carrying out a
rigorous code security review is immensely time consuming and requires a
high level of skill. That means it's very expensive.
This is illustrated by another open source project: The TrueCrypt
encryption program. The code has been open to anyone who cares to look at
it since the project started 10 years ago - but it's only very recently,
following fundraising campaigns on Indiegogo and Fundfill that yielded
US$60,000, that the code has undergone a proper security audit.
An initial report
into just the bootloader and Windows kernel driver of the program
identified 11 vulnerabilities, said that the quality of the source code was
bad and pointed out that compiling TrueCrypt from source required using
outdated (in one case, 21-year-old) and unsigned build tools that could be
modified maliciously and that are hard to access from trustworthy sources.
The code auditors said, "Overall, the
source code for both the bootloader and the Windows kernel driver did not
meet expected standards for secure code. "
What's worrying is that this only came to light after funds where raised to
hire the resources to carry out a code review. The open source community
had plenty of opportunities to do this over the last 10 years - but the
truth is that the community doesn't have the time, skills or resources
(including money) to do the job properly.
A new problem will affect the security of OpenSSL going forward, too: The
code is being forked, thanks to an initiative called LibreSSL
led by the OpenBSD
team. LibreSSL is intended to be a stripped down version of OpenSSL; in the
first week of the LibreSLL project, more than 90,000 lines of code were
removed, including those supporting operating systems such as VMS and OS/2.
The problem, simply stated: Since it's easy to see what's being removed
from LibreSSL, and which bits are being replaced as they're deemed
insecure, OpenSSL users are left exposed to malicious hackers who may
exploit the weaknesses that LibreSSL discovers and removes - that is,
unless the OpenSSL project can keep up with LibreSSL's progress.
Security by obscurity is never a good idea, but once vulnerabilities are
made public, they need to be fixed right away. It's not clear that the
OpenSSL team is in a position to do that - it's said that the project only
had one full-time maintainer - or that software and hardware products that
use OpenSSL will necessarily be updated promptly even if the OpenSSL
software itself is.
*Taking open source security seriously after Heardbleed*
The good news for those concerned about the security of open source
projects like OpenSSL is that help could be on its way in the shape of the Core
Infrastructure Initiative (CII)
, a
new project founded by the Linux Foundation in response to Heartbleed. Its
purpose is to funnel needed money into software projects such as OpenSSL
that are critical to the functioning of the Internet.
"Our global economy is built on top of many open source projects," says Jim
Zemlin, the Linux Foundation's executive director. "We will now be able to
support additional developers and maintainers to work full-time supporting
other essential open source projects."
Support from the CII may also include funding for security audits,
computing and test infrastructure. So far, about US$4 million has been
pledged over the next three years by companies including Google, Microsoft
and Facebook.
*Paul Rubens is a technology journalist based in England. Contact him at
paul-at-rubens.org .*
--
Regards,
Evan M. Inker
--089e0115ebd0cac05b04fbf485fc
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Articles like this=
truly PISS ME OFF! Now, only Open Source Projects by their sheer adherence=
to open source philosophy are hampered by security flaws? BULLSHIT.
iv>
I guess all Microsoft and Apple products never had any security issues (You=
wish!) and were pristine because commercial vendor tested them to a greate=
r degree than open source projects.
Give me a break! Commercial p= roducts are riddled with security and basic programming issues. Best of all= , you will never know since you can't see the source/test=C2=A0 and unt= il its way too late and you've been screwed. One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and T= heo does love you...) has only to remote holes in their base OS install in = the late 10 or more years. It's amazing that Paul Rubens c= alls out open source / free software yet has the audacity to reference free= and open source security programs on his website ( .org">rubens.org linking to ns">http://www.clippings.me/paulrubens). Isn't it amazing how you use the products but then bash their sec= urity status and have the nerve to say that security reviews were never don= e. For what its worth, if you have doubts/concerns about open sour= ce / free software, do the rest of the planet a real service, don't use= it. More importantly, dig your head from out of your ass and check out the= plethora of opens ource / free source projects that have been responsible = for running and maintaining the internet for years. I would strongly sugges= t looking ta netcraft surveys and then ask why is everyone using free OS / = servers to host on as opposed to commercial offerings. Could it be SECURITY, VIABILITY or even shou= ld i say it..... Best software going for the job! For the Rube= ns of the World, please all turn off your computers whatever you are suing = and please go live in a cave with the other Neanderthals! name">Why open source software isn't as secure as you think A failure to spot a necessary validation in OpenSLL code be=
fore an update caused the Heartbleed bug =09 =09 ens/articles">Paul Rubens (CIO (US)) on 13 June, 2014 08:56 lass=3D"">The ainst_the_OpenSSL_Heartbleed_Flaw">OpenSSL Heartbleed fiasco
proves beyond any doubt what many people have suspected for a long=20
time: Just because open source code is available for inspection doesn't=
=20
mean it's actually being inspected and is secure. It&#=
39;s
an important point, as the security of open source software relies on=20
large numbers of sufficiently knowledgeable programmers scrutinising the
code to root out and fix bugs promptly. This is summed up in tp://en.wikipedia.org/wiki/Linus%27s_Law">Linus's Law: "Given =
enough eyeballs, all bugs are shallow." But
look at what happened with OpenSSL. Robin Seggelemann, a German=20
programmer from Munster University, updated the OpenSLL code by adding a
new Heartbeat keep-alive function. Unfortunately, he missed a necessary
validation in his code to check that one particular variable had a=20
realistic value. The member of the OpenSSL=20
development team who checked the code before the update was released=20
also missed it. This caused the Heartbleed bug. One
reviewer, even a handful of reviewers, can easily miss a trivial error=20
such as this if they don't know there's a bug to be found. What'=
;s=20
worrying is that, for two years, the Heartbleed bug existed in OpenSLL,=20
in browsers and in Web servers, yet no one in the open source community=20
spotted it. Not enough eyeballs scrutinised the code. C=
ommercial vendors don't review open source code Al=
so
alarming is that OpenSSL was used as a component in hardware products=20
offered by commercial vendors such as F5 Networks, Citrix Systems,=20
Riverbed Technology and Barracuda Networks - all of whom failed to=20
scrutinise the code adequately before using it, according to Mamoon=20
Yunus, CEO of Forum Systems, a sec=
ure cloud gateway vendor. "You
would think that it would be my responsibility as a vendor, if I=20
commercialise OpenSSL, to put my eyeballs on it," he says. "You h=
ave to=20
take a level of ownership of the code if you build a company based on an
open source component." Instead, Yunus believes
vendors just regarded OpenSSL as a useful bolt-on to their hardware=20
products - and, since it was open source, assumed other people were=20
examining the code. "Everyone assumed other=20
eyeballs were looking at it. They took the attitude that it was a=20
million other people's responsibility to look at it, so it wasn't t=
heir=20
responsibility," he says. "That's where the negligence comes =
in from an=20
open source angle."
">Yunus
suggests that commercial vendors should run effective peer review=20
programs for any open source code that they use, run static and dynamic=20
analysis tools over it and "fuzz" the code to ensure it's as =
bug-free as
possible. "What have these companies been doing for the last 10 or 15=
=20
years? If I were them, I would be taking a long, hard look at QA=20
processes." In fact, Yunus questions whether OpenSSL =
should ever have been written in a relatively ogyreview.com/review/527956/imposing-security/">low-level language such as =
C, echoing security expert hives/2014/04/more_on_heartbl.html">Bruce Schneier
by suggesting it could be seen as "criminal negligence" to use a=
=20
language that lacks memory management for such a security sensitive=20
application. Jeffrey Hammond, a security analyst
at Forrester Research, contradicts this view. He points out that=20
performance is a key attribute of OpenSSL as it has to deal with huge=20
volumes of packets. "If you have access to=20
memory you are going to be open to some types of attacks, but you get=20
the performance," Hammond points out. "I wouldn't say they sh=
ould never=20
have developed OpenSSL in C, but it's true that with performance comes=
=20
responsibility." OpenSSL, Truecrypt show limits of=
open source code review One
problem facing many open source projects - and the reason it's hard to=
=20
blame Seggelemann or the rest of the OpenSSL team - is that carrying out
a rigorous code security review is immensely time consuming and=20
requires a high level of skill. That means it's very expensive. lass=3D"">This
is illustrated by another open source project: The TrueCrypt encryption
program. The code has been open to anyone who cares to look at it since
the project started 10 years ago - but it's only very recently,=20
following fundraising campaigns on Indiegogo and Fundfill that yielded=20
US$60,000, that the code has undergone a proper security audit. =3D""> An initial cryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Secu=
rity_Assessment.pdf">report
into just the bootloader and Windows kernel driver of the program=20
identified 11 vulnerabilities, said that the quality of the source code=20
was bad and pointed out that compiling TrueCrypt from source required=20
using outdated (in one case, 21-year-old) and unsigned build tools that=20
could be modified maliciously and that are hard to access from=20
trustworthy sources. The tedyet.com/">code auditors
said, "Overall, the source code for both the bootloader and the Windo=
ws
kernel driver did not meet expected standards for secure code. " <= p class=3D"">What's worrying is that this only came to light after funds where raised to=20 hire the resources to carry out a code review. The open source community had plenty of opportunities to do this over the last 10 years - but the truth is that the community doesn't have the time, skills or resources= =20 (including money) to do the job properly. A new problem wi=
ll affect the security of OpenSSL going forward, too: The code is being for=
ked, thanks to an initiative called Li=
breSSL led by the OpenBSD
team. LibreSSL is intended to be a stripped down version of OpenSSL; in
the first week of the LibreSLL project, more than 90,000 lines of code=20
were removed, including those supporting operating systems such as VMS=20
and OS/2. The problem, simply stated: Since it's
easy to see what's being removed from LibreSSL, and which bits are=20
being replaced as they're deemed insecure, OpenSSL users are left=20
exposed to malicious hackers who may exploit the weaknesses that=20
LibreSSL discovers and removes - that is, unless the OpenSSL project can
keep up with LibreSSL's progress. Security by=20
obscurity is never a good idea, but once vulnerabilities are made=20
public, they need to be fixed right away. It's not clear that the=20
OpenSSL team is in a position to do that - it's said that the project=
=20
only had one full-time maintainer - or that software and hardware=20
products that use OpenSSL will necessarily be updated promptly even if=20
the OpenSSL software itself is. Taking open source secu=
rity seriously after Heardbleed The
good news for those concerned about the security of open source=20
projects like OpenSSL is that help could be on its way in the shape of=20
the initiative">Core Infrastructure Initiative (CII),
a new project founded by the Linux Foundation in response to=20
Heartbleed. Its purpose is to funnel needed money into software projects
such as OpenSSL that are critical to the functioning of the Internet. <= p class=3D"">"Our global economy is built on top of many open source projects," says Ji= m=20 Zemlin, the Linux Foundation's executive director. "We will now be= able=20 to support additional developers and maintainers to work full-time=20 supporting other essential open source projects." Sup=
port
from the CII may also include funding for security audits, computing=20
and test infrastructure. So far, about US$4 million has been pledged=20
over the next three years by companies including Google, Microsoft and=20
Facebook. Paul Rubens is a technology journalist based =
in England. Contact him at paul-at-rubens.o=
rg. -- Regards, r>
Evan M. Inker
--089e0115ebd0cac05b04fbf485fc-- --089e0115ebd0cac05b04fbf485fc Content-Type: text/plain; charset=UTF-8 Articles like this truly PISS ME OFF! Now, only Open Source Projects by their sheer adherence to open source philosophy are hampered by security flaws? BULLSHIT. I guess all Microsoft and Apple products never had any security issues (You wish!) and were pristine because commercial vendor tested them to a greater degree than open source projects. Give me a break! Commercial products are riddled with security and basic programming issues. Best of all, you will never know since you can't see the source/test and until its way too late and you've been screwed. One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and Theo does love you...) has only to remote holes in their base OS install in the late 10 or more years. It's amazing that Paul Rubens calls out open source / free software yet has the audacity to reference free and open source security programs on his website (rubens.org linking to http://www.clippings.me/paulrubens). Isn't it amazing how you use the products but then bash their security status and have the nerve to say that security reviews were never done. For what its worth, if you have doubts/concerns about open source / free software, do the rest of the planet a real service, don't use it. More importantly, dig your head from out of your ass and check out the plethora of opens ource / free source projects that have been responsible for running and maintaining the internet for years. I would strongly suggest looking ta netcraft surveys and then ask why is everyone using free OS / servers to host on as opposed to commercial offerings. Could it be SECURITY, VIABILITY or even should i say it..... Best software going for the job! For the Rubens of the World, please all turn off your computers whatever you are suing and please go live in a cave with the other Neanderthals! Why open source software isn't as secure as you think A failure to spot a necessary validation in OpenSLL code before an update caused the Heartbleed bug Paul Rubens (CIO (US)) on 13 June,
2014 08:56
The OpenSSL Heartbleed fiasco
proves beyond any doubt what many people have suspected for a long time:
Just because open source code is available for inspection doesn't mean it's
actually being inspected and is secure.
It's an important point, as the security of open source software relies on
large numbers of sufficiently knowledgeable programmers scrutinising the
code to root out and fix bugs promptly. This is summed up in Linus's Law
: "Given enough eyeballs, all
bugs are shallow."
But look at what happened with OpenSSL. Robin Seggelemann, a German
programmer from Munster University, updated the OpenSLL code by adding a
new Heartbeat keep-alive function. Unfortunately, he missed a necessary
validation in his code to check that one particular variable had a
realistic value.
The member of the OpenSSL development team who checked the code before the
update was released also missed it. This caused the Heartbleed bug.
One reviewer, even a handful of reviewers, can easily miss a trivial error
such as this if they don't know there's a bug to be found. What's worrying
is that, for two years, the Heartbleed bug existed in OpenSLL, in browsers
and in Web servers, yet no one in the open source community spotted it. Not
enough eyeballs scrutinised the code.
*Commercial vendors don't review open source code*
Also alarming is that OpenSSL was used as a component in hardware products
offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed
Technology and Barracuda Networks - all of whom failed to scrutinise the
code adequately before using it, according to Mamoon Yunus, CEO of Forum
Systems , a secure cloud gateway vendor.
"You would think that it would be my responsibility as a vendor, if I
commercialise OpenSSL, to put my eyeballs on it," he says. "You have to
take a level of ownership of the code if you build a company based on an
open source component."
Instead, Yunus believes vendors just regarded OpenSSL as a useful bolt-on
to their hardware products - and, since it was open source, assumed other
people were examining the code.
"Everyone assumed other eyeballs were looking at it. They took the attitude
that it was a million other people's responsibility to look at it, so it
wasn't their responsibility," he says. "That's where the negligence comes
in from an open source angle."
Yunus suggests that commercial vendors should run effective peer review
programs for any open source code that they use, run static and dynamic
analysis tools over it and "fuzz" the code to ensure it's as bug-free as
possible. "What have these companies been doing for the last 10 or 15
years? If I were them, I would be taking a long, hard look at QA processes."
In fact, Yunus questions whether OpenSSL should ever have been written in a
relatively low-level language such as C
, echoing
security expert Bruce Schneier
by
suggesting it could be seen as "criminal negligence" to use a language that
lacks memory management for such a security sensitive application.
Jeffrey Hammond, a security analyst at Forrester Research, contradicts this
view. He points out that performance is a key attribute of OpenSSL as it
has to deal with huge volumes of packets.
"If you have access to memory you are going to be open to some types of
attacks, but you get the performance," Hammond points out. "I wouldn't say
they should never have developed OpenSSL in C, but it's true that with
performance comes responsibility."
*OpenSSL, Truecrypt show limits of open source code review*
One problem facing many open source projects - and the reason it's hard to
blame Seggelemann or the rest of the OpenSSL team - is that carrying out a
rigorous code security review is immensely time consuming and requires a
high level of skill. That means it's very expensive.
This is illustrated by another open source project: The TrueCrypt
encryption program. The code has been open to anyone who cares to look at
it since the project started 10 years ago - but it's only very recently,
following fundraising campaigns on Indiegogo and Fundfill that yielded
US$60,000, that the code has undergone a proper security audit.
An initial report
into just the bootloader and Windows kernel driver of the program
identified 11 vulnerabilities, said that the quality of the source code was
bad and pointed out that compiling TrueCrypt from source required using
outdated (in one case, 21-year-old) and unsigned build tools that could be
modified maliciously and that are hard to access from trustworthy sources.
The code auditors said, "Overall, the
source code for both the bootloader and the Windows kernel driver did not
meet expected standards for secure code. "
What's worrying is that this only came to light after funds where raised to
hire the resources to carry out a code review. The open source community
had plenty of opportunities to do this over the last 10 years - but the
truth is that the community doesn't have the time, skills or resources
(including money) to do the job properly.
A new problem will affect the security of OpenSSL going forward, too: The
code is being forked, thanks to an initiative called LibreSSL
led by the OpenBSD
team. LibreSSL is intended to be a stripped down version of OpenSSL; in the
first week of the LibreSLL project, more than 90,000 lines of code were
removed, including those supporting operating systems such as VMS and OS/2.
The problem, simply stated: Since it's easy to see what's being removed
from LibreSSL, and which bits are being replaced as they're deemed
insecure, OpenSSL users are left exposed to malicious hackers who may
exploit the weaknesses that LibreSSL discovers and removes - that is,
unless the OpenSSL project can keep up with LibreSSL's progress.
Security by obscurity is never a good idea, but once vulnerabilities are
made public, they need to be fixed right away. It's not clear that the
OpenSSL team is in a position to do that - it's said that the project only
had one full-time maintainer - or that software and hardware products that
use OpenSSL will necessarily be updated promptly even if the OpenSSL
software itself is.
*Taking open source security seriously after Heardbleed*
The good news for those concerned about the security of open source
projects like OpenSSL is that help could be on its way in the shape of the Core
Infrastructure Initiative (CII)
, a
new project founded by the Linux Foundation in response to Heartbleed. Its
purpose is to funnel needed money into software projects such as OpenSSL
that are critical to the functioning of the Internet.
"Our global economy is built on top of many open source projects," says Jim
Zemlin, the Linux Foundation's executive director. "We will now be able to
support additional developers and maintainers to work full-time supporting
other essential open source projects."
Support from the CII may also include funding for security audits,
computing and test infrastructure. So far, about US$4 million has been
pledged over the next three years by companies including Google, Microsoft
and Facebook.
*Paul Rubens is a technology journalist based in England. Contact him at
paul-at-rubens.org .*
--
Regards,
Evan M. Inker
--089e0115ebd0cac05b04fbf485fc
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Articles like this=
truly PISS ME OFF! Now, only Open Source Projects by their sheer adherence=
to open source philosophy are hampered by security flaws? BULLSHIT.
iv>
I guess all Microsoft and Apple products never had any security issues (You=
wish!) and were pristine because commercial vendor tested them to a greate=
r degree than open source projects.
Give me a break! Commercial p= roducts are riddled with security and basic programming issues. Best of all= , you will never know since you can't see the source/test=C2=A0 and unt= il its way too late and you've been screwed. One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and T= heo does love you...) has only to remote holes in their base OS install in = the late 10 or more years. It's amazing that Paul Rubens c= alls out open source / free software yet has the audacity to reference free= and open source security programs on his website ( .org">rubens.org linking to ns">http://www.clippings.me/paulrubens). Isn't it amazing how you use the products but then bash their sec= urity status and have the nerve to say that security reviews were never don= e. For what its worth, if you have doubts/concerns about open sour= ce / free software, do the rest of the planet a real service, don't use= it. More importantly, dig your head from out of your ass and check out the= plethora of opens ource / free source projects that have been responsible = for running and maintaining the internet for years. I would strongly sugges= t looking ta netcraft surveys and then ask why is everyone using free OS / = servers to host on as opposed to commercial offerings. Could it be SECURITY, VIABILITY or even shou= ld i say it..... Best software going for the job! For the Rube= ns of the World, please all turn off your computers whatever you are suing = and please go live in a cave with the other Neanderthals! name">Why open source software isn't as secure as you think A failure to spot a necessary validation in OpenSLL code be=
fore an update caused the Heartbleed bug =09 =09 ens/articles">Paul Rubens (CIO (US)) on 13 June, 2014 08:56 lass=3D"">The ainst_the_OpenSSL_Heartbleed_Flaw">OpenSSL Heartbleed fiasco
proves beyond any doubt what many people have suspected for a long=20
time: Just because open source code is available for inspection doesn't=
=20
mean it's actually being inspected and is secure. It&#=
39;s
an important point, as the security of open source software relies on=20
large numbers of sufficiently knowledgeable programmers scrutinising the
code to root out and fix bugs promptly. This is summed up in tp://en.wikipedia.org/wiki/Linus%27s_Law">Linus's Law: "Given =
enough eyeballs, all bugs are shallow." But
look at what happened with OpenSSL. Robin Seggelemann, a German=20
programmer from Munster University, updated the OpenSLL code by adding a
new Heartbeat keep-alive function. Unfortunately, he missed a necessary
validation in his code to check that one particular variable had a=20
realistic value. The member of the OpenSSL=20
development team who checked the code before the update was released=20
also missed it. This caused the Heartbleed bug. One
reviewer, even a handful of reviewers, can easily miss a trivial error=20
such as this if they don't know there's a bug to be found. What'=
;s=20
worrying is that, for two years, the Heartbleed bug existed in OpenSLL,=20
in browsers and in Web servers, yet no one in the open source community=20
spotted it. Not enough eyeballs scrutinised the code. C=
ommercial vendors don't review open source code Al=
so
alarming is that OpenSSL was used as a component in hardware products=20
offered by commercial vendors such as F5 Networks, Citrix Systems,=20
Riverbed Technology and Barracuda Networks - all of whom failed to=20
scrutinise the code adequately before using it, according to Mamoon=20
Yunus, CEO of Forum Systems, a sec=
ure cloud gateway vendor. "You
would think that it would be my responsibility as a vendor, if I=20
commercialise OpenSSL, to put my eyeballs on it," he says. "You h=
ave to=20
take a level of ownership of the code if you build a company based on an
open source component." Instead, Yunus believes
vendors just regarded OpenSSL as a useful bolt-on to their hardware=20
products - and, since it was open source, assumed other people were=20
examining the code. "Everyone assumed other=20
eyeballs were looking at it. They took the attitude that it was a=20
million other people's responsibility to look at it, so it wasn't t=
heir=20
responsibility," he says. "That's where the negligence comes =
in from an=20
open source angle."
">Yunus
suggests that commercial vendors should run effective peer review=20
programs for any open source code that they use, run static and dynamic=20
analysis tools over it and "fuzz" the code to ensure it's as =
bug-free as
possible. "What have these companies been doing for the last 10 or 15=
=20
years? If I were them, I would be taking a long, hard look at QA=20
processes." In fact, Yunus questions whether OpenSSL =
should ever have been written in a relatively ogyreview.com/review/527956/imposing-security/">low-level language such as =
C, echoing security expert hives/2014/04/more_on_heartbl.html">Bruce Schneier
by suggesting it could be seen as "criminal negligence" to use a=
=20
language that lacks memory management for such a security sensitive=20
application. Jeffrey Hammond, a security analyst
at Forrester Research, contradicts this view. He points out that=20
performance is a key attribute of OpenSSL as it has to deal with huge=20
volumes of packets. "If you have access to=20
memory you are going to be open to some types of attacks, but you get=20
the performance," Hammond points out. "I wouldn't say they sh=
ould never=20
have developed OpenSSL in C, but it's true that with performance comes=
=20
responsibility." OpenSSL, Truecrypt show limits of=
open source code review One
problem facing many open source projects - and the reason it's hard to=
=20
blame Seggelemann or the rest of the OpenSSL team - is that carrying out
a rigorous code security review is immensely time consuming and=20
requires a high level of skill. That means it's very expensive. lass=3D"">This
is illustrated by another open source project: The TrueCrypt encryption
program. The code has been open to anyone who cares to look at it since
the project started 10 years ago - but it's only very recently,=20
following fundraising campaigns on Indiegogo and Fundfill that yielded=20
US$60,000, that the code has undergone a proper security audit. =3D""> An initial cryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Secu=
rity_Assessment.pdf">report
into just the bootloader and Windows kernel driver of the program=20
identified 11 vulnerabilities, said that the quality of the source code=20
was bad and pointed out that compiling TrueCrypt from source required=20
using outdated (in one case, 21-year-old) and unsigned build tools that=20
could be modified maliciously and that are hard to access from=20
trustworthy sources. The tedyet.com/">code auditors
said, "Overall, the source code for both the bootloader and the Windo=
ws
kernel driver did not meet expected standards for secure code. " <= p class=3D"">What's worrying is that this only came to light after funds where raised to=20 hire the resources to carry out a code review. The open source community had plenty of opportunities to do this over the last 10 years - but the truth is that the community doesn't have the time, skills or resources= =20 (including money) to do the job properly. A new problem wi=
ll affect the security of OpenSSL going forward, too: The code is being for=
ked, thanks to an initiative called Li=
breSSL led by the OpenBSD
team. LibreSSL is intended to be a stripped down version of OpenSSL; in
the first week of the LibreSLL project, more than 90,000 lines of code=20
were removed, including those supporting operating systems such as VMS=20
and OS/2. The problem, simply stated: Since it's
easy to see what's being removed from LibreSSL, and which bits are=20
being replaced as they're deemed insecure, OpenSSL users are left=20
exposed to malicious hackers who may exploit the weaknesses that=20
LibreSSL discovers and removes - that is, unless the OpenSSL project can
keep up with LibreSSL's progress. Security by=20
obscurity is never a good idea, but once vulnerabilities are made=20
public, they need to be fixed right away. It's not clear that the=20
OpenSSL team is in a position to do that - it's said that the project=
=20
only had one full-time maintainer - or that software and hardware=20
products that use OpenSSL will necessarily be updated promptly even if=20
the OpenSSL software itself is. Taking open source secu=
rity seriously after Heardbleed The
good news for those concerned about the security of open source=20
projects like OpenSSL is that help could be on its way in the shape of=20
the initiative">Core Infrastructure Initiative (CII),
a new project founded by the Linux Foundation in response to=20
Heartbleed. Its purpose is to funnel needed money into software projects
such as OpenSSL that are critical to the functioning of the Internet. <= p class=3D"">"Our global economy is built on top of many open source projects," says Ji= m=20 Zemlin, the Linux Foundation's executive director. "We will now be= able=20 to support additional developers and maintainers to work full-time=20 supporting other essential open source projects." Sup=
port
from the CII may also include funding for security audits, computing=20
and test infrastructure. So far, about US$4 million has been pledged=20
over the next three years by companies including Google, Microsoft and=20
Facebook. Paul Rubens is a technology journalist based =
in England. Contact him at paul-at-rubens.o=
rg. -- Regards, r>
Evan M. Inker
--089e0115ebd0cac05b04fbf485fc-- |
|
