Heartbleed - the code that broke Internet security

if you don't like free software because of all the bugs, then go buy the thing with all the bugs from somewhere.

I think this might well become reality soon. MS has been slowly picking up marketshare in the server OS space for years and years now - will be very interesting to see if the recent issues accelerate that.
 
Open source works well and is effective. In many cases it improves security because the code is open and can be reviewed (even if some large companies foolishly chose not to). Any commercial software which doesn't make the code available for review is potentially a security nightmare.

The problem now (going forward) is that criminals could easily pose as helpful volunteers, all the while steering the code in a direction of their choice and setting it so they themselves can gain access. That is roughly what the NSA did, but with open source, anyone can potentially manipulate outcomes for their own benefit.
 
I'm loling at the number of big firms using a freebie then crying foul when it breaks. Really now mr bank.
 
Commercial projects are open source to security agencies

This is somewhat true ...
This is one of the fundamental problems with open source software. The theory is there's tons of eyes looking at the code, but after this and the GnuTLS bug, it's quite apparent there are really very few people working on the code, and proper review never happens for years, if ever.

If you look at the professional code review that was done of Truecrypt, it just leaves you shaking your head. Shameful. I think 2014 will mark a turning point in OSS, people who use it will HAVE to start giving back either in money or time. There are entities with unlimited resources (NSA, Chinese, Russian, USA government) who can hire as many professional coders as they want and go actively looking for exploits... if they haven't been already. Terrifying, really - as there have to be hundreds of critical holes like this in the code. It's hard to trust it completely anymore.
But the problem is more severe with closed source commercial projects. For security purposes, the source code of these applications is readily available to criminal and government agencies. The black market considers an exploit that delivers less than root a little uninteresting. The only defence against these agencies is that some lowly hacker out there disrupts their grand plan by exposing some of their favourite exploits. This is much more likely in open source software than in commercial projects.

While it is easy for agencies to insinuate themselves into open source projects, it is also easier for their deeds to be discovered.

Infiltrating commercial projects is a more costly task, but once you have accomplished or discovered your vulnerability and backdoor, you can keep it forever, because nobody is ever going to look for it. For exploiting original errors in the original, commercial software provides a much more stable platform :cry:
 
But the problem is more severe with closed source commercial projects. For security purposes, the source code of these applications is readily available to criminal and government agencies.

It's a very controlled access, they'll know what the government is looking at, and when. They can then get their own code review teams (which big closed source companies actually have) to double-check the code they've let others have access to. It's not impossible for the scenario you mentioned to happen, but the danger is far far less than the situation of OSS+Governments, as you're never going to have thousands of baddies secretly hunting for bugs in the Windows kernel source code, for example.

While it is easy for agencies to insinuate themselves into open source projects, it is also easier for their deeds to be discovered.

That's the theory. I think we can all see now it doesn't happen like that in real life. GnuTLS bug over 10 years old. Truecrypt bootloader needs a 23-year-old compiler to compile it, so the existing vulnerabilities in there must be decades old.

It's also interesting to note the memcpy that caused heartbleed should throw a compiler warning about being unsafe... although not impossible, it's HIGHLY unlikely this kind of amateur mistake would make it past quality control at a large corporation. Not that it would have fixed the problem, but it speaks to the quality of code and lack of even the most basic control and review in an open source project.
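As an added illustration of the missing bounds check the post above refers to (this is constructed example code, not the thread's or OpenSSL's own): the length declared in the heartbeat header has to be checked against the bytes actually received before the memcpy. The field layout follows the TLS heartbeat extension; the constants, helper names and sample records are my own.

```c
#include <stdint.h>
#include <string.h>
/* Constructed example, not OpenSSL's code. A TLS heartbeat message is
 * 1 byte type, 2 bytes declared payload length, the payload, then 16+
 * bytes of padding. The unpatched code memcpy'd `declared` bytes from
 * the record without checking them against the bytes actually received. */
#define HB_HDR 3
#define HB_PADDING 16

/* Hardened parser: returns the payload length copied into out, or -1 if
 * the declared length is not backed by bytes present in the record. */
int heartbeat_payload(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != 1) /* 1 = heartbeat_request */
        return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + declared payload + padding must fit inside the record. */
    if (HB_HDR + declared + HB_PADDING > rec_len || declared > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR, declared);
    return (int)declared;
}

/* Build a record whose declared length may disagree with the real payload. */
static size_t make_record(unsigned char *buf, uint16_t declared,
                          const char *payload, size_t payload_len)
{
    buf[0] = 1;
    buf[1] = (unsigned char)(declared >> 8);
    buf[2] = (unsigned char)(declared & 0xff);
    memcpy(buf + HB_HDR, payload, payload_len);
    memset(buf + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Honest record: declared length matches the 5 payload bytes -> returns 5. */
int demo_honest(void)
{
    unsigned char rec[64], out[64];
    size_t n = make_record(rec, 5, "hello", 5);
    return heartbeat_payload(rec, n, out, sizeof out);
}

/* Heartbleed-shaped record: 5 real bytes but declares 16384 -> rejected, -1. */
int demo_overdeclared(void)
{
    unsigned char rec[64], out[64];
    size_t n = make_record(rec, 16384, "hello", 5);
    return heartbeat_payload(rec, n, out, sizeof out);
}
```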
 
What do you expect, free software from 4 guys doing it part time must have a quality control dept.?
The reality is, people expect too much for free. $2000 in donations in a year, but then when there is a bug it is their fault. You get what you pay for. Want a trustworthy product? Then pay for it.

We all know the world is a little bit more complex than that.
 
This is one of the fundamental problems with open source software. The theory is there's tons of eyes looking at the code, but after this and the GnuTLS bug, it's quite apparent there are really very few people working on the code, and proper review never happens for years, if ever.

This problem also extends to the paid for software world.


If you look at the professional code review that was done of Truecrypt, it just leaves you shaking your head. Shameful. I think 2014 will mark a turning point in OSS, people who use it will HAVE to start giving back either in money or time. There are entities with unlimited resources (NSA, Chinese, Russian, USA government) who can hire as many professional coders as they want and go actively looking for exploits... if they haven't been already. Terrifying, really - as there have to be hundreds of critical holes like this in the code. It's hard to trust it completely anymore.

I think that depends on what the community intends to use the software for. Coming up will be even more companies joining the digital world, and for most of them they just want a system that is moderately secure - not a fort to withstand entities with unlimited resources - and affordable/free.

Banks, payment providers and highly confidential data companies will need to think about this... maybe. Who's to say that IIS based services don't have this type of exploit that just hasn't been found yet - or even worse, secret government enforced backdoors?

But unless you're dealing with money and highly confidential information (like most of the web), I wouldn't worry about it.
 
Coming up will be even more companies joining the digital world, and for most of them they just want a system that is moderately secure - not a fort to withstand entities with unlimited resources - and affordable/free.

The thing is, everyone uses the same OSS stuff here. That's by design, and one of OSS' strengths. The system is either secure, or it's not. If it's not, the hackers with unlimited resources are going to target the big prizes like banks and identity providers (Apple, MS, Google), and ignore the targets with no payoff.

Who's to say that IIS based services don't have this type of exploit that just hasn't been found yet - or even worse, secret government enforced backdoors?

There could well be exploits in IIS, in fact there are almost certainly bugs waiting to be found in IIS, Apache, OpenSSL... and it's clear which is easier to find. The Snowden stuff gave us a little bit of insight into how little the big companies (Google, MS, Apple) knew about what the government was doing; it appears they weren't being forced to provide that kind of access to the systems. They all came out spitting hatred toward what happened.
 
This is one of the fundamental problems with open source software. The theory is there's tons of eyes looking at the code, but after this and the GnuTLS bug, it's quite apparent there are really very few people working on the code, and proper review never happens for years, if ever.

If you look at the professional code review that was done of Truecrypt, it just leaves you shaking your head. Shameful. I think 2014 will mark a turning point in OSS, people who use it will HAVE to start giving back either in money or time. There are entities with unlimited resources (NSA, Chinese, Russian, USA government) who can hire as many professional coders as they want and go actively looking for exploits... if they haven't been already. Terrifying, really - as there have to be hundreds of critical holes like this in the code. It's hard to trust it completely anymore.

Closed source is worse. Many mistakes are missed as well. Patches generally take longer. It can take the vendors sometimes up to 6 months to fix serious exploitable vulnerabilities.
 
Closed source is worse. Many mistakes are missed as well. Patches generally take longer. It can take the vendors sometimes up to 6 months to fix serious exploitable vulnerabilities.

Sorry, these old arguments aren't working any more. One of the reasons patches take longer (6 months would most certainly be the exception to the rule) is because of stringent quality control and review/test regimes... which are designed to avoid exactly the problems which OSS had, that we're discussing.

I'm not an OSS hater, I use quite a bit of it myself, but I've never for one second bought into the "it's more secure/stable because anyone can see the source code" argument. In fact, it's a running joke in the coding world, when an OSS bug, especially in Linux, comes up: "hey, you can just grab the source and fix it yourself quickly!" OSS is great for many reasons, but that's never been one of them.
 
Sorry, these old arguments aren't working any more. One of the reasons patches take longer (6 months would most certainly be the exception to the rule) is because of stringent quality control and review/test regimes... which are designed to avoid exactly the problems which OSS had, that we're discussing.
Sorry, don't accept that opinion. Many vendors are still slow to patch. I have fewer vulnerability issues with my Linux servers than I do with my Windows servers (of which I have many of both groups).

I'm not an OSS hater, I use quite a bit of it myself, but I've never for one second bought into the "it's more secure/stable because anyone can see the source code" argument. In fact, it's a running joke in the coding world, when an OSS bug, especially in Linux, comes up: "hey, you can just grab the source and fix it yourself quickly!" OSS is great for many reasons, but that's never been one of them.
Pretty irrelevant to the point I made.
 
Sorry, don't accept that opinion. Many vendors are still slow to patch. I have fewer vulnerability issues with my Linux servers than I do with my Windows servers (of which I have many of both groups).

You're free to accept or reject it, but this year has NOT been kind to your side of the discussion! 2 giant, critical gaping holes undiscovered for years vs "maybe MS has similar bugs" isn't convincing.
 
You're free to accept or reject it, but this year has NOT been kind to your side of the discussion! 2 giant, critical gaping holes undiscovered for years vs "maybe MS has similar bugs" isn't convincing.

Because holes in Windows servers are so common they don't make the news anymore. A simple Google search will show lists and lists of critical bugs found every year for versions as old as Server 2003... over 10 year old security flaws.

Close source software has these things slip through the cracks pretty often.
 
How was Y2K a media frenzy? It was a very real bug affecting a lot of systems. The fact that virtually everyone of importance fixed it is testament that things were fixed and the planes-falling-from-the-sky type of doomsday never happened.

why would the date ticking over to 1980 suddenly make a plane's engines stop?
 
You're free to accept or reject it, but this year has NOT been kind to your side of the discussion! 2 giant, critical gaping holes undiscovered for years vs "maybe MS has similar bugs" isn't convincing.

The best approach is to accept the (obvious) benefits of both options and also the fact that open source has also forced previously near monopoly software providers to innovate and up their game.

We should then move the debate to the best steps needed to mitigate the shortcomings of both in terms of security.

The fact that companies now place less trust in software, and take more responsibility, is a great start.
 
Well it's no wonder. They made the poor guy work on a New Years Eve. He was probably rushing not to miss the count-down at the local pub with his mates.
 
The best approach is to accept the (obvious) benefits of both options and also the fact that open source has also forced previously near monopoly software providers to innovate and up their game.

Yes, and that's one aspect of OSS that's succeeding spectacularly well.
 