Spook
Posts: 21707
Location: Brisbane, Queensland

with a vengeance

whoopsies

> Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years. A patch has been distributed, but that can do nothing to repair the damage that has occurred to compromise systems. Worse yet, it appears that through the installation of compromised keys on other systems, numerous systems not even running the code have likely been compromised.

#0 04:16pm 28/05/08
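The key collapse the quoted article describes, modelled as an added example that is not from the page or from OpenSSL: the Debian patch removed the lines that mixed fresh entropy into the PRNG pool, so only the process ID varied between runs and every generated key came from a small, enumerable set. SHA-256 stands in for real key generation (an assumption made so the whole key space can be enumerated in seconds), and the blacklist check mirrors the approach the openssl-blacklist package took for detecting affected keys.

```python
"""Constructed model of the Debian OpenSSL entropy bug (not OpenSSL code).

After the patch, the only input that still varied between runs of the key
generator was the process id, so an affected system could emit at most
PID_MAX distinct keys per key type and size. A defender can therefore
enumerate every possible key once and test any key against that set.
"""
import hashlib
import os
from typing import Callable, Set

# Linux pid_max at the time; the only surviving source of variation.
PID_MAX = 32768


def derive_key(pool: bytes) -> bytes:
    """Stand-in for key generation: the key is a pure function of the pool."""
    return hashlib.sha256(b"keygen|" + pool).digest()


def seed_pool_correct(pid: int) -> bytes:
    """Healthy seeding: the pid plus fresh randomness from the OS."""
    return pid.to_bytes(4, "little") + os.urandom(32)


def seed_pool_broken(pid: int) -> bytes:
    """Post-patch seeding: the mix-in of fresh entropy is gone, only the pid is left."""
    return pid.to_bytes(4, "little")


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as a blacklist would store it."""
    return hashlib.sha1(key).hexdigest()


def build_weak_key_blacklist(
    seed_fn: Callable[[int], bytes] = seed_pool_broken,
) -> Set[str]:
    """Enumerate the fingerprint of every key the broken generator can produce."""
    return {fingerprint(derive_key(seed_fn(pid))) for pid in range(1, PID_MAX + 1)}


def is_weak_key(key: bytes, blacklist: Set[str]) -> bool:
    """Detection: a key is weak if it is one the broken generator could have made."""
    return fingerprint(key) in blacklist


def distinct_keys(seed_fn: Callable[[int], bytes], runs: int) -> int:
    """Count distinct keys across `runs` generations with pids cycling 1..PID_MAX."""
    return len({derive_key(seed_fn(1 + (i % PID_MAX))) for i in range(runs)})


if __name__ == "__main__":
    blacklist = build_weak_key_blacklist()
    print("keys reachable by the broken generator:", len(blacklist))
    print("distinct keys, broken, 100000 runs:", distinct_keys(seed_pool_broken, 100000))
    print("distinct keys, healthy, 1000 runs:", distinct_keys(seed_pool_correct, 1000))
    print("weak key detected:", is_weak_key(derive_key(seed_pool_broken(4242)), blacklist))
    print("healthy key flagged:", is_weak_key(derive_key(seed_pool_correct(4242)), blacklist))
```

The broken generator never produces more than PID_MAX keys however many times it runs, which is what made a complete blacklist feasible; a key from the healthy generator is not in that set.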
---

trog
AGN Admin
Posts: 23802
Location: Brisbane, Queensland

Good article except this bit made me laugh:

> This reckons back to controversial statements made by Steve Gibson, a highly respected security consultant, when a major bug was found in Windows.

widely respected?

edit: doh, apparently grcsucks.com no longer exists. Here's a snapshot from archive.org's wayback machine

last edited by trog at 10:25:29 27/May/08

#1 10:25am 27/05/08
---

stinky
Posts: 2584
Location: Brisbane, Queensland

> Debian, the Linux variant used largely by security professionals

made me laugh.

#2 10:35am 27/05/08
---

parabol
Posts: 4329
Location: Brisbane, Queensland

Yeah news about this has been out for a bit. Long enough for an xkcd comic to address it (see end of my post). Pretty newb screwup.

> Steve Gibson, a highly respected security consultant

Schneier is highly respected. Gibson is nothing but a joke.

http://imgs.xkcd.com/comics/security_holes.png

#3 10:36am 27/05/08
---

Hogfather
Posts: 1802
Location: Cairns, Queensland

> One developer more alarmingly points out that the vulnerability has showed a perhaps fatal flaw in the state of the open source industry and in the computer security in general. One programmer can make a major change which can be blindly accepted by other developers with little understanding of the implications.

This is why I deliberately choose not to produce Open Source code. I want control over the software I produce - I don't want someone with a less clear picture of the problem space making changes and redistributing something that is ultimately recognised as the product of my efforts. Through no fault of their own OpenSSL are involved in this mess. Hell, look at the XKCD: the 'Debian-OpenSSL fiasco'! No wonder their devs are 'raging'. If my company f***s up working in isolation, at least I know it's the failure of our work and ultimately my responsibility.

last edited by Hogfather at 10:42:05 27/May/08

#4 10:42am 27/05/08
---

trog
AGN Admin
Posts: 23803
Location: Brisbane, Queensland

If it was closed source though, the same problem is just as likely to occur, just no one will find out about it

#5 10:40am 27/05/08
---

teq
Posts: 1382
Location: Brisbane, Queensland

anyone stupid enough to continue running the standard ssl library YEARS after installation is asking to get powned and I have 0 remorse for them

#6 10:41am 27/05/08
---

Hogfather
Posts: 1803
Location: Cairns, Queensland

> If it was closed source though, the same problem is just as likely to occur, just no one will find out about it

Oh?

> OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand! Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."

This bug is a direct result of people editing code they do not understand - code they wouldn't have had access to if the source was closed.

#7 10:43am 27/05/08
---

parabol
Posts: 4330
Location: Brisbane, Queensland

> This is why I deliberately choose not to produce Open Source code. I want control over the software I produce - I don't want someone with a less clear picture of the problem space making changes and redistributing something that is ultimately recognised as the product of my efforts.

So what happens when your project gets too big for a couple of ninja-coders to maintain all by themselves? You'll be having multiple people working on overlapping parts of the code, each with a non-identical view of the issue. Same problem.

> If my company f***s up working in isolation, at least I know it's the failure of our work and ultimately my responsibility.

Laying blame and responsibility doesn't change the damage done by an error.

> This bug is a direct result of people editing code they do not understand - code they wouldn't have had access to if the source was closed.

Both my Troll and my Naive-o-meter just went off. Not sure which to listen to. You sir have got a very warped view.

#8 10:51am 27/05/08
---

Hogfather
Posts: 1804
Location: Cairns, Queensland

> So what happens when your project gets too big for a couple of ninja-coders to maintain all by themselves? You'll be having multiple people working on overlapping parts of the code, each with a non-identical view of the issue. Same problem.

Same problem but it's a problem completely under the control of a single executive - me. And I would have the power to control access to the source code among the teams, distributing the common functionality via compiled assemblies. In this way HogSSL team would still control the HogSSL module, and HogDebian team would have to request any changes / report bugs to the HogSSL team - they can't just go in and change it. HogSSL are responsible for the validity and correctness of their code, see?

Running a closed source operation is not a warped perspective - it's just not one that you or the OS Evangelists support. It doesn't make me twisted or munted, just different to you - so quit it with the ad homo stuff if you want to discuss it. Otherwise I can just go all QGL and call you a big f***ing wanker c***face in response, rather than discussing the issue?

last edited by Hogfather at 11:05:49 27/May/08

#9 11:05am 27/05/08
---

trog
AGN Admin
Posts: 23805
Location: Brisbane, Queensland

> This bug is a direct result of people editing code they do not understand - code they wouldn't have had access to if the source was closed.

? The only way this'd happen even in closed-source-world is if there was only ever one person editing code, or one person that personally reviews all code. Maybe that's feasible in small operations but it's not possible in any projects of decent size. We write "closed source" stuff as well and I know for a fact we have just as many bugs in our applications because of people editing stuff they don't understand; I've personally been responsible for some whoppers in my time

#10 11:08am 27/05/08
---

Hogfather
Posts: 1805
Location: Cairns, Queensland

I'm not saying that closed source stops bugs (seriously, wtf guys??), but it OBVIOUSLY stops people who you have no involvement with or control over introducing bugs to the code.

How could this bug have occurred if Debian had to ask OpenSSL to make the change when OpenSSL say they wouldn't have done it?

last edited by Hogfather at 11:15:02 27/May/08

#11 11:15am 27/05/08
---

Thundercracker
Posts: 1733
Location: Brisbane, Queensland

The fact that it's open source is irrelevant. It's their software maintenance practices and policies that bit them on the arse (and hard it seems).

Even if I developed open source software I would want a certain amount of control over what code goes where, until that party is trusted and experienced enough not to f*** things up. This can be enforced through code reviews and decent enough testing designed to expose any major flaws (of course there are a variety of other measures). Good software requires a whole lot more than just good programmers.

#12 11:22am 27/05/08
---

trog
AGN Admin
Posts: 23806
Location: Brisbane, Queensland

well, sure, but it also stops people who you have no involvement with or control over from spotting your own bugs or adding their own improvements

This is a lame bug and it sucks that it happened, but it's just as possible this bug or a similar one would have happened with closed-source and not been caught until it'd been exploited. I just see this as further proof of the self-correcting method of open source software, which I think is more valuable than the intangible "security" offered by closed source software. It's much better to know of the problem and make it public so people can take steps to correct this. If this bug had happened in Microsoft land they probably would just silently fix it (if they noticed it before security researchers) and there'd be a bunch of less secure certs lying around because of it.

#13 11:23am 27/05/08
---

Obes
Posts: 6149
Location: Brisbane, Queensland

The problem here is not open source. The problem here is people not doing things the right way.

If you have a patch or bug it should be submitted for testing/peer review back in to the original project. i.e. Debian should have put it back in to OpenSSL. The failure was with the humans not the methodology.

#14 11:39am 27/05/08
---

Idol
Posts: 2533
Location: Brisbane, Queensland

I think submitting patches for peer review is part of the methodology.

If they were already doing that, then yeah, problem with the humans...

#15 11:52am 27/05/08
---

parabol
Posts: 4331
Location: Brisbane, Queensland

> I'm not saying that closed source stops bugs (seriously, wtf guys??), but it OBVIOUSLY stops people who you have no involvement with or control over introducing bugs to the code.

Yes while there is the risk of people modifying your code improperly and redistributing it, you ignore the aspect of peer review (as hinted earlier). Peer review isn't 100% effective obviously, but I'd rather know that for popular software packages there are heaps of developers either specifically looking for or coming across bugs. I'd take a large number of eyes over a small number of eyes any day.

> How could this bug have occurred if Debian had to ask OpenSSL to make the change when OpenSSL say they wouldn't have done it?

So by your logic in this thread, OpenSSL should just pack up and stop releasing code so that it doesn't get modified? Ok.

#16 12:11pm 27/05/08
---

Jim
Posts: 7920
Location: Brisbane, Queensland

all software should have to be ok'd by dan bernstein

#17 12:34pm 27/05/08
---

Hogfather
Posts: 1806
Location: Cairns, Queensland

> Yes while there is the risk of people modifying your code improperly and redistributing it, you ignore the aspect of peer review (as hinted earlier). Peer review isn't 100% effective obviously, but I'd rather know that for popular software packages there are heaps of developers either specifically looking for or coming across bugs. I'd take a large number of eyes over a small number of eyes any day.

I'm not ignoring peer review - I consider it very important, and obviously the more review the better. I'd rather it be eyes that I know, trust and have a common methodology with however.

> So by your logic in this thread, OpenSSL should just pack up and stop releasing code so that it doesn't get modified? Ok.

Not my logic at all; that's your derivation. I have simply said that this is one of the pitfalls of Open Source. It's sort of similar to the Wikipedia problem (analogy has holes I know, I'm just making a point generally). Everyone can contribute, but everyone was not created equal. This is one of the reasons why my company chose not to use Open Source methodologies or tools (there are other more commercial reasons). I'm not against OSS - I think it's great in principle! - it's just not where we are going or suitable to the work we are doing. This was a nice example of one of the reasons why.

#18 05:03pm 27/05/08
---

stinky
Posts: 2589
Location: Brisbane, Queensland

> I have simply said that this is one of the pitfalls of Open Source. It's sort of similar to the Wikipedia problem (analogy has holes I know, I'm just making a point generally). Everyone can contribute, but everyone was not created equal.

Not true, only authorized people can contribute to an OS project. However people can modify and redistribute under some OS licenses. As long as you download the project from official sources it shouldn't be an issue.

#19 08:05pm 27/05/08
---

parabol
Posts: 4335
Location: Brisbane, Queensland

> I'm not ignoring peer review - I consider it very important, and obviously the more review the better. I'd rather it be eyes that I know, trust and have a common methodology with however.

Again, that'd have to be a pretty small project or dev-team where you can personally keep track of and trust everyone and the code that they write. With bigger or more technically specialised projects your ideal setup doesn't really work. That is, except in very mission critical teams and projects (NASA or in the military). E.g. how it costs tens of millions of dollars in testing recertification if you change a single line of code for a military plane. Even with large teams and code-bases, they have very mature protocols and rules in place to make sure everything is quadruple checked. For regular software where the testing measures aren't as drastic, I don't really see much to back up your claim that closed-source software is inherently safer or more secure.

> Not true, only authorized people can contribute to an OS project. However people can modify and redistribute under some OS licenses. As long as you download the project from official sources it shouldn't be an issue.

I think that sums it up.

#20 10:22pm 27/05/08
---

nF
Forum Hero
Posts: 14124
Location: Wynnum, Queensland

> Again, that'd have to be a pretty small project or dev-team where you can personally keep track of and trust everyone and the code that they write. With bigger or more technically specialised projects your ideal setup doesn't really work.

yeah, and it's not a matter of trust. It's a matter of many eyes. problem with this openssl branch was that not enough people were looking at it, someone (probably someone important) made a change, nobody saw that code again for 2 years.

#21 10:58pm 27/05/08
---

Hogfather
Posts: 1810
Location: Cairns, Queensland

> For regular software where the testing measures aren't as drastic, I don't really see much to back up your claim that closed-source software is inherently safer or more secure.

No such claim exists! Quit it with the straw man bulls*** already - that's twice now. For an apparently clever guy you do tend to fall for quite mundane argument fallacies.

My assertion is that this bug is an example of an inherent pitfall of OSS - one that can only be managed by people 'doing the right thing'. Because people generally suck at doing the right thing, in software development we try to erect interfaces and binding contracts to prevent this. The most simple example is the use of private member variables in OO, and more complex design patterns follow. The freedom and power of OSS is inherently a danger. The lauded eyes of the many can also become the noise of the crowd rather than emerging as a single clear solution. OSS is not a panacea, and the observation of its drawbacks in different scenarios shouldn't be treated as a broad-scale degradation. I've said that it's not a good fit for our company. You say a few times that this is only true for small operations. Well, we are a small operation - why would it make sense for us to make strategic decisions on any other basis?

#22 09:57am 28/05/08
---

parabol
Posts: 4336
Location: Brisbane, Queensland

I attempt to address points that you are directly implying, and you try to pull the straw man card.

Looks like I'm wasting my time here, good luck with the company.

#23 10:17am 28/05/08
---

Hogfather
Posts: 1811
Location: Cairns, Queensland

I didn't 'try' the straw man fallacy; you admit reliance on implied interpretations. This is very common in internet forum discussions and the root cause of most flame wars.

Have a look at what I have written from a neutral perspective. Other than as an emotive reaction to criticisms of OSS, where can it be said that I even remotely imply that CS was inherently better than OSS? I've said a few times - even in my first post - that my criticisms were mostly to do with our situation. Hell, even if I loved the s*** out of OSS it wouldn't be applicable. My clients quite jealously defend their IP and business processes - we are legally bound not to release pretty much anything we are producing at the moment. As a custom software shop developing tailored tools for business this is not likely to change. Thanks for the well wishes though parabol if they are sincere.

last edited by Hogfather at 10:30:41 28/May/08

#24 10:30am 28/05/08
---

trog
AGN Admin
Posts: 23821
Location: Brisbane, Queensland

> My assertion is that this bug is an example of an inherent pitfall of OSS - one that can only be managed by people 'doing the right thing'.

I think the argument everyone else is making is that those same pitfalls exist to similar levels of magnitude in closed source development - sure, there might be some difference but at the end of the day, any difference is not evident in the quality of software that we see being released from closed source developers. I would guess that the cost of bugs and flaws in closed source software (see: Microsoft-related worms, IE spyware infections, Outlook email worms) has been significantly greater than the cost of such bugs in open source software - I'm not really aware of any open source exploits that have led to the same amount of sheer chaos as those things. Sure, there's less end-user open source software out there, but there's still a s***load in use on a daily basis, and one of the reasons why they lead to fewer problems is that security flaws are found and fixed and published so that people can take steps to correct against them.

I dunno if you're not using ANY open source software in your company (e.g., do you use firefox and encourage employees to use it? if not you'd arguably be mad), but it seems a shame to miss out on the huge variety of excellent open source software that is available to software developers.

#25 10:30am 28/05/08
---

Hogfather
Posts: 1812
Location: Cairns, Queensland

> Sure, there's less end-user open source software out there, but there's still a s***load in use on a daily basis, and one of the reasons why they lead to fewer problems is that security flaws are found and fixed and published so that people can take steps to correct against them.

That's really hard to test because not only is OSS less widely used (compare MS Office to Open Office ...) it is much lower profile. You just can't compare Thunderbird to Outlook Express on Windows 98. Consider the increasing number of security updates for FF as it becomes more mainstream. This most recent SSL bug is pretty huge. As OSS grows and user take-up increases, will black hats turn their attention to it?

It is also interesting to observe that this change could have been maliciously added - how will OSS defend itself against that? Bugs are hard enough to find due to the regressive and whack-a-mole nature of problems. The collaborative nature of OSS seems to open itself to this - a black hat posting a change that looks good on anything but military-style mathematical proof review, but actually causes a complicated flaw with distantly related code. This can happen in CS, but relies on industrial espionage to get past the gatekeeper to even review the code and find the holes. Does OSS provide black hats with a clear roadmap to find exploits and holes? Does it provide them a vector to 'poison' a product for later malicious purpose? Look at phpBB - a while ago there was a hole discovered that allowed an intruder to discover usernames and passwords. phpBB was used in a lot of communities for WoW, and heaps of people had their accounts compromised because they used the same credentials. No they shouldn't have done that, it was stupid, but people are stupid and we by default need to shield them from their stupidity when we can. Not everyone scrutinising the naked code is doing so for the right reasons.

Before someone goes all straw man on me I probably should make something plain - this isn't to say that the OSS movement is inherently flawed. But brushing concerns like the above under the mat because you don't like them, or because you have unshakeable belief in many eyes theory is hardly a good idea. The OSS community will have a huge challenge as these packages become more mainstream, not just for security but also usability (see many complaints about Open Office and GIMP just being a pain in the arse to work with). Bugs exist in pretty much ALL software - but the path to discovering and exploiting them is made much easier if the blueprints are available for public review.

#26 10:57am 28/05/08
---

Obes
Posts: 6156
Location: Brisbane, Queensland

I have nothing but praise for Open Office with one exception. The spell checker. And people that use it don't even realize it's something different until you tell them. Office 2007 however gets instant resistance because it's different.

Firefox also nothing but praise. Seriously Hogfather ... you need to get off your closed source high horse, you want to do it? fine great whatever. But open source is the only form of software applying pressure to the MS monopoly. As such it needs to be supported by every savvy IT person out there. A lack of competition is always a bad thing.

#27 11:16am 28/05/08
---

trog
AGN Admin
Posts: 23824
Location: Brisbane, Queensland

> That's really hard to test because not only is OSS less widely used (compare MS Office to Open Office ...) it is much lower profile. You just can't compare Thunderbird to Outlook Express on Windows 98.

Well, yeh, but you can compare things like IIS to apache. There's been apache bugs, but have any of them rivaled the IIS worms?!

> It is also interesting to observe that this change could have been maliciously added - how will OSS defend itself against that? Bugs are hard enough to find due to the regressive and whack-a-mole nature of problems. The collaborative nature of OSS seems to open itself to this - a black hat posting a change that looks good on anything but military-style mathematical proof review, but actually causes a complicated flaw with distantly related code. This can happen in CS, but relies on industrial espionage to get past the gatekeeper to even review the code and find the holes.

I can point to a billion, billion examples of closed source back doors. As much as I'm not inclined to trust GRC because of the many negative comments about him, I do believe it's possible for MS to have backdoored their applications at the request of the US government. I don't think it's likely, but it's certainly possible.

Also, http://www.codinghorror.com/blog/archives/001072.html

Black hats are much much much more likely to work with closed source software because there is no peer review. You're a million times more likely to get boned by some douchebag doing something like the above than you are by a random open source application.

#28 11:26am 28/05/08
---

Hogfather
Posts: 1813
Location: Cairns, Queensland

> Seriously Hogfather ... you need to get off your closed source high horse, you want to do it? fine great whatever. But open source is the only form of software applying pressure to the MS monopoly. As such it needs to be supported by every savvy IT person out there.

Argument By Emotive Language. "High horse"? Ad hominem now along with the rest?

I will make business decisions to the benefit of my company without relying on touchy-feely altruistic ideals. Nobody can tell me that this is the wrong thing to do. Again, I am not antagonistic to OSS' goals. I have concerns about what people can do with the combination of free information and free collaboration. I'd love to end the MS monopoly believe it or not. But I live in a world where money pays my mortgage. I don't have the luxury of spending years in the wilderness building the OSS movement while my family lives on boiled rice. Best guess is that I have 10-15 years to set my family up for the rest of our lives before I can no longer work. If that means being a .Net developer and working with proprietary client data & logic then I will do so. There's no high horse about it, it's the reality of the situation. The only people on high horses are those preaching OSS with religious zeal.

last edited by Hogfather at 11:38:28 28/May/08

#29 11:38am 28/05/08
---

Hogfather
Posts: 1814
Location: Cairns, Queensland

> Black hats are much much much more likely to work with closed source software because there is no peer review. You're a million times more likely to get boned by some douchebag doing something like the above than you are by a random open source application.

Burden of proof. Being one of the good guys, I am assuming that you don't run in black hat circles much. How can you know how, what or why they do what they do? I don't know any better, but personally would think that a black hat would be more interested in gaining maximum exposure and yield for their efforts than anything else. More passwords, more private data etc. etc. You can't really demonstrate that I am wrong (and vice versa) because there isn't the hard data to back up either position; until OSS gains a larger market share so that meaningful stats can be derived. All we can do is provide examples and counter examples which in isolation is hardly very useful.

#30 11:36am 28/05/08
---

trog
AGN Admin
Posts: 23826
Location: Brisbane, Queensland

> Burden of proof.

did you see the link I posted? Did you see the references I made elsewhere to IIS worms, Outlook worms, all the other PC-destroying problems MS software has caused in the Internet-connected world? There's such an abundance of proof that the majority of malware, spyware, backdoors, trojans and viruses come from closed source software I can't even take your question seriously!

#31 11:40am 28/05/08
---

Obes
Posts: 6157
Location: Brisbane, Queensland

Hogfather at the moment without open source, there is no alternative OS, no alternative Office app, no alternative browsers or web servers. Open source whether you use it or not is vital to the future of IT... unless you want to be forced into whatever Microsoft deem you need at whatever cost they feel free to pluck out of the air.

Just remember that MS started with an Open Source product. The source for IBM-DOS was in the manual. Do whatever for your own app but don't go smashing Open Source because it doesn't suit your needs. I bet you benefit somewhere from open source apps in your organisation.

#32 11:47am 28/05/08
---

Hogfather
Posts: 1815
Location: Cairns, Queensland

Well yes - most security holes, viruses and worms come from closed source software. Most software in use today is closed source, with a few exceptions (such as apache).

The point is that it's not meaningful to compare the two. With a few exceptions OSS hasn't yet had the trial by fire that in particular MS has. We are talking about fuzzy social interactions as well so we can't even say that if OSS has 5% of the market share then it's fair to compare its problems to 5% of the bugs from CS. You can say that it is, but it's not really, because the baseline conditions giving rise to the worms are not the same. Maybe black hats attack IIS because they hate MS and love apache? Does that make apache objectively more secure? Who knows! If OSS brings down the monopoly and becomes the New Way then what will all these black hats do with their time? Will they retire? OSS is yet to prove itself as a (more) secure alternative to the CS products out there such as MS' offerings (although BY FAR they are not the only closed source operator).

As an aside, I'm always interested in why OSS evangelists seem to like Google when they are really part of the evil empire rather than the resistance.

#33 11:49am 28/05/08
---

Hogfather
Posts: 1816
Location: Cairns, Queensland

> Do whatever for your own app but don't go smashing Open Source because it doesn't suit your needs. I bet you benefit somewhere from open source apps in your organisation.

Are you saying that people should not point out or even discuss perceived flaws, just because it is OSS? That seems awfully like censorship. Is it wrong morally to speak or write critically of anything to do with OSS just because it presents an alternative to the MS monopoly? As a computer scientist, shouldn't these things be able to be critically reviewed without emotive bias or retribution against the reviewer?

#34 11:54am 28/05/08
---

trog
AGN Admin
Posts: 23827
Location: Brisbane, Queensland

> The point is that it's not meaningful to compare the two.

compare what two?

> OSS is yet to prove itself as a (more) secure alternative to the CS products out there such as MS' offerings (although BY FAR they are not the only closed source operator).

well, I disagree with this on many levels but don't have time to dig up stats to back up my arguments. I will say that if you switch to running Ubuntu on your desktop you're instantly not exposed to any of the Microsoft vulnerabilities which ARE the target of the majority of criminal elements, so arguably you are instantly more secure.

> As an aside, I'm always interested in why OSS evangelists seem to like Google when they are really part of the evil empire rather than the resistance.

Because Google themselves rely heavily on open source and contribute massively, possibly more so than any other company in the world except maybe IBM and Yahoo, to it. See: Summer of Code, Google Code, Google MySQL patches, etc, etc

#35 11:59am 28/05/08
---

trog
AGN Admin
Posts: 23828
Location: Brisbane, Queensland

also:

> until OSS gains a larger market share so that meaningful stats can be derived

Meaningful stats can never be derived because we have no idea what security flaws exist in closed source software and what ones are patched without our knowledge. Most Microsoft patches appear to be the result of security researchers finding vulnerabilities, rather than through any sort of internal code review process.

#36 12:02pm 28/05/08
---

Wild Wizard
Posts: 350
Location: Toowoomba, Queensland

I thought this was a perfect example of why distribution maintainers should stick to maintaining their distributions and stop f***ing with the code of the applications they use.

#37 12:09pm 28/05/08
---

Obes
Posts: 6158
Location: Brisbane, Queensland

> Is it wrong morally to speak or write critically of anything to do with OSS just because it presents an alternative to the MS monopoly? As a computer scientist, shouldn't these things be able to be critically reviewed without emotive bias or retribution against the reviewer?

You seem incapable of saying that open source is useful and if followed it can be good and it can work, as such your comments are not critical. Closed and Open Source both have their places and their uses. Zealotry for either as the only solution is not a good result as I see it.

Trog you left out Novell! They are a big OSS contributor these days. And Sun.

#38 12:12pm 28/05/08
Hogfather
Posts: 1817
Location: Cairns, Queensland
|
Jesus H Christ, I am channeling typo today. But it's a good discussion and something close to my heart.

Google's search algorithm is a closely-guarded secret, providing them with absolute dominance as the world's leading search engine. It's nice that they contribute to OSS while not practising it themselves - Bill Gates is the biggest philanthropist in the world! Does that make MS OK now? Does this mean that Google effectively purchased the goodwill of the OSS community?

> well, I disagree with this on many levels but don't have time to dig up stats to back up my arguments. I will say that if you switch to running Ubuntu on your desktop you're instantly not exposed to any of the Microsoft vulnerabilities which ARE the target of the majority of criminal elements, so arguably you are instantly more secure.

And I wouldn't be able to work, at least not as productively for my clients who run AD-controlled win32 domains. Vista is secure enough that if I am not a d******* I am safe, and I can do my work on it.

> Meaningful stats can never be derived because we have no idea what security flaws exist in closed source software and what ones are patched without our knowledge. Most Microsoft patches appear to be the result of security researchers finding vulnerabilities, rather than through any sort of internal code review process.

Again, burden of proof on the emphasised area. I've read a fair few books by MS devs past and present and there is both truth and misdirection in your statement. Anyway that's basically my point Mr trog, and I want it back ;)

Strangely enough I (and operators like me) are not the enemy some of the OSS guys would like to paint me as. I'm just a guy trying to get by in the world by practicing my craft. I've said time and again in this thread that I have no hate for OSS (although I obviously have some reservations about the nakedness of the source code). I love the new emphasis on open standards in particular, and I know this has come from pressure from outside MS.

I'm glad that maybe soon we'll no longer need to continually check for content consistency in IE and FF - anyone who works with me will know how much I loathe Internet f***ing Explorer 6. Today I am in love with the fact that I can write a SOAP web service in C# for ASP and some guy in python or php can interface with it out of apache. That's really f***en hot! But I do need to pay my way in the world. It's just not a good business decision today to switch to OSS. Maybe tomorrow..

> You seem incapable of saying that open source is useful and if followed it can be good and it can work, as such your comments are not critical. Closed and Open Source both have their places and their uses. Zealotry for either as the only solution is not a good result as I see it.

How does the above fit in with your admonition that Open Source "needs to be supported by every savvy IT person out there"? That's not true at all and is the most zealous statement in the entire thread. What OSS needs is to stand on its feet and be a viable, compelling alternative to MS' closed technologies without all the blind evangelical support that the suits see through instantly. In fact only by critical evaluation will it be fit to break the MS desktop monopoly before desktop computing becomes irrelevant. The Business Case is all that matters to the suits.

I can't say good things about OSS? See the above Obes - rather ironically I finished that just as your response came in. Re-read my posts. I said I wasn't antagonistic to OSS on every second post, just that the open model presents challenges and is unsuitable to my operation. As an aside we had a talk about the inherent danger of open code combined with open collaboration. I tried to say even then that it wasn't a broad bash on OSS - but I guess you were too busy seeing red to think clearly? I'm not the zealot here, I work with the best tool I can find for the purpose at hand.

I just happen to have decided that right now the best choice for my operation is MS technology, and a closed source environment is both mandated by my clients and my personal preference for a variety of commercial reasons.

last edited by Hogfather at 12:32:13 28/May/08
#39 12:32pm 28/05/08

Hogfather
Posts: 1818
Location: Cairns, Queensland
> I thought this was a perfect example of why distribution maintainers should stick to maintaining their distributions and stop f***ing with the code of the applications they use.

See now this is fantastic, and where I had hoped someone might take us rather than responding to an imaginary call to arms because I criticised a facet of OSS. This is what I was talking about regarding interfaces and code protection! How is / can this be enforced or regulated under the GPL while retaining the basic ethos of OSS that you can see, edit and manage the code yourself if you so wish?

I don't know much about package and distro preparation. Is there a control in place so that end users can verify that their important packages are all from the direct source rather than post-modified? Can this be achieved so that a distro can be flagged if it contains unauthorised, modified code? Modifying and extending a KDE theme probably doesn't matter too much, but changing the underlying SSL code would seem important! Or is this just something that contributors need to self-discipline on?

last edited by Hogfather at 12:39:23 28/May/08
#40 12:39pm 28/05/08

trog
AGN Admin
Posts: 23829
Location: Brisbane, Queensland
> Again, burden of proof on the emphasised area. I've read a fair few books by MS devs past and present and there is both truth and misdirection in your statement.

Well, I read (almost) all the vulnerability announcements by Microsoft on Windows Update day to see what they're about and almost always they're thanking someone for reporting the patch. The three critical ones for May (so far) all acknowledge third-party researchers for reporting the problem. I'm sure they fix other stuff, but because it's not an open process we have no way of knowing what stuff is fixed, what other new bugs might be introduced in a fix, and how many other problems there are.

I should point out, I don't think OSS is a magic bullet for security either. I studied it at uni and was unconvinced then. I am a little more convinced now that OSS is BETTER though because I think the only way we can have a decent system is through full disclosure and for everything to be as open as possible. I personally think this whole OpenSSL incident is actually a demonstration of the success of OSS, rather than a failure.
#41 12:47pm 28/05/08

parabol
Posts: 4338
Location: Brisbane, Queensland
I didn't particularly want to contribute further but this is getting ridiculous:

> Are you saying that people should not point out or even discuss perceived flaws, just because it is OSS? That seems awfully like censorship.

With all of your yelling of "straw man" you seem to do a good job of it yourself hey?

> This is why I deliberately choose not to produce Open Source code. I want control over the software I produce

Example #1 where you imply closed source is better (for your specific situation or otherwise).

> This bug is a direct result of people editing code they do not understand - code they wouldn't have had access to if the source was closed.

Example #2

> How could this bug have occurred if Debian had to ask OpenSSL to make the change when OpenSSL say they wouldn't have done it?

Example #3

> I'd rather it be eyes that I know, trust and have a common methodology with however.

Example #4

> The freedom and power of OSS is inherently a danger. The lauded eyes of the many can also become the noise of the crowd rather than emerging as a single clear solution.

Example #5

> a black hat posting a change that looks good on anything but military-style mathematical proof review, but actually causes a complicated flaw with distantly related code. This can happen in CS, but relies on industrial espionage to get past the gatekeeper to even review the code and find the holes.

Example #6

> Otherwise I can just go all QGL and call you a big f***ing wanker c***face in response, rather than discussing the issue?

I somehow missed this quote when I first read your post. What the hell dude?

> This is what I was talking about regarding interfaces and code protection! How is / can this be enforced or regulated under the GPL while retaining the basic ethos of OSS that you can see, edit and manage the code yourself if you so wish?

OpenSSL isn't licensed under the GPL. There's also nothing stopping you from creating your own project with your own made-up license or tagging extra clauses on the end of an existing license if you wish.

Also you keep continually implying that some random can come in and mess up the original code-base. If that's not what you're implying, perhaps you should reword what you say.
#42 01:10pm 28/05/08

Hogfather
Posts: 1819
Location: Cairns, Queensland
I don't know that I would make much distinction between a 3rd party finding a 'sploit from empirical observation or legal reverse engineering and a code reviewer external to the project finding a bug in OS code. If 'good' people are finding & reporting holes before they become raging worms of doom then isn't that a positive outcome?

Objectively, the measure should be the quantity and severity of black hat stuff - worms, trojans, viruses, evil little packets of code that f*** your s*** up. I would definitely agree that at the moment Microsoft's track record is behind its competitors in these terms, and that this has helped apache to win @ internets and increase GNU Linux's market share. I am concerned that if the trend continues that the OSS movement could be damaged - you can bet that MS are crowing right now with this event and will be watching for more.

Anyway I do agree that in this case it was successful, although IMNSHO the severity of the flaw makes this an element of good fortune rather than an emergent property of the system of OSS. This could have been so very much worse, SSL underpins the new e-conomy and it's built mostly on OSS servers. The person who found the flaw had a lot of power to do harm.
#43 01:11pm 28/05/08

Hogfather
Posts: 1820
Location: Cairns, Queensland
parabol, none of those examples add up to what you accused me of. I've said it before and I'll say it over and over if you like - I don't think CS is better than OSS. I don't think that CS is better or more secure than OSS.

OK? OSS has a different set of drawbacks to CS. Revealing the code makes it easier for a nasty to find the holes. It also makes it easier for the good guys to defend against the nasties. Only time will tell if this balance remains in favour of the good guys as OSS gains share. I honestly hope it does. I shudder to think what might have happened if a bad guy had discovered this SSL bug - by any measure it's a biggy.

I threatened to call you names in response to "Both my Troll and my Naive-o-meter just went off. Not sure which to listen to. You sir have got a very warped view." which was clearly an unprovoked personal attack.
#44 01:19pm 28/05/08

Hogfather
Posts: 1821
Location: Cairns, Queensland
For the record:

> Also you keep continually implying that some random can come in and mess up the original code-base. If that's not what you're implying, perhaps you should reword what you say.

Not what I am saying. I've said that OpenSSL has been tarnished with actions taken by derivative work - the fact that they are pissed off is testament enough to that. I said that someone can propose a seemingly positive change to the original code-base and actually be creating a new exploit. Not everyone is perfect and even the original authors could be fooled by such a measure. As you've mentioned only the military go to extremes evaluating outcomes of changes. Sure it's certainly fanciful but it's a possibility.

I'm not an OSS guy (obviously) so I'm not sure what your reference to the GPL and OpenSSL means. In the referenced paragraph I was making a general remark not about a particular project or package.
#45 01:24pm 28/05/08

parabol
Posts: 4340
Location: Brisbane, Queensland
> In the referenced paragraph I was making a general remark not about a particular project or package.

If it was general then why did you bring up the GPL specifically? Could have just said "OSS license".

> in response to "Both my Troll and my Naive-o-meter just went off. Not sure which to listen to. You sir have got a very warped view."

You made a very bold and naive claim about code access, hence I could not tell if you were trolling and I said just that. That's a bit different to saying "big f***ing wanker c***face".

> none of those examples add up to what you accused me of. I've said it before and I'll say it over and over if you like - I don't think CS is better than OSS. I don't think that CS is better or more secure than OSS.

Wow, just wow. You say a heap of things, then claim you meant something else all along in conclusion. Sorry but I seriously can't argue against a moving target like this. Carry on.
#46 01:47pm 28/05/08

trog
AGN Admin
Posts: 23834
Location: Brisbane, Queensland
I would just like to add that when you say CS my first instinct is that you mean Counter-Strike
#47 02:02pm 28/05/08

Hogfather
Posts: 1823
Location: Cairns, Queensland
> Wow, just wow. You say a heap of things, then claim you meant something else all along in conclusion.

OK ... I guess? I'm sorry I swore at you; I was in the middle of something and you pissed me off with your assumptions of naivete. Like anyone I have a lot of professional pride in my field and you got to me a bit. That's part of why I tried to keep the discussion on track by pointing out argument flaws; I saw how quickly I was slipping on my own. I f***ed up but thought it would be better to leave it in than to edit it out, as I knew I might need to come back and refer to my original statements in this. Had a feeling it might get long as it's a good topic. Anyway, brodie's on what I've been trying to get across:

Along the way I've made all those points at varying stages in this thread. Nothing that you have quoted contradicts any of the above, but can in isolation be read to imply contradictions (I have no control over that). Are they mutually exclusive in some way I can't work out? If my communication has been unclear then I'm sorry but the above is what I meant all along.

last edited by Hogfather at 14:17:26 28/May/08
#48 02:17pm 28/05/08

Hogfather
Posts: 1824
Location: Cairns, Queensland
trog: haha yeh no s***. I just got tired of typing 'closed source' or 'proprietary' all the time. Maybe I should just use 'evil'? :p
#49 02:12pm 28/05/08

Obes
Posts: 6159
Location: Brisbane, Queensland
> How does the above fit in with your admonition that Open Source "needs to be supported by every savvy IT person out there." That's not true at all and is the most zealous statement in the entire thread.

No, it's the alternative; it has to be supported or there is no alternative. That doesn't mean you need to use it. Even Microsoft, seen to be the Evil empire and totally closed source, recognize and support open source in their own twisted way ... http://www.microsoft.com/opensource/default.mspx

> I said I wasn't antagonistic to OSS on every second post

Yet your posts were and continue to be very much so.
#50 03:00pm 28/05/08

trog
AGN Admin
Posts: 23839
Location: Brisbane, Queensland
> Even Microsoft, seen to be the Evil empire and totally closed source, recognize and support open source in their own twisted way ... http://www.microsoft.com/opensource/default.mspx

I haven't read their licensing terms in detail but some of the comments I've read about MS's open source licenses aren't great. I'll look tonight for summaries.
#51 03:43pm 28/05/08

Hogfather
Posts: 1826
Location: Cairns, Queensland
> Yet your posts were and continue to be very much so.

There's no real way to change your mind on that - there's a difference between critical and antagonistic. I've expressed admiration for the ideology and the goals of OSS, and professional appreciation of the improvements and innovation that the open source guys have brought to the scene. In particular the moves to open standards are just huge, overdue and very much welcome. It doesn't change my opinion that OSS has drawbacks, isn't a good fit for my circumstances, or allay my fears for what the baddies can do with perfect system knowledge. There's not much more to say; I can't do much with simplistic "yes you are" assertions.
#52 04:17pm 28/05/08