Have Heartbleed and Shellshock changed your attitude to open source security?
Linus's Law states: "given enough eyeballs, all bugs are shallow". In other words, when many people can look at source code, bugs and security holes should be discovered quickly. This is one of the benefits of open source and free software – at least, it's one that many of us talk about.
But after two major FOSS vulnerabilities in recent months, Heartbleed and Shellshock, can we keep advocating open source in this way? Do you look at FOSS in a different light now? Or is the real problem that, despite being open source projects, very few people were actively working on OpenSSL and Bash?
Let us know your thoughts, and we’ll read out the best comments in our upcoming podcast – to be recorded at OggCamp this weekend!
24 Comments
Yes, these are big wake-up calls for all levels of user. I was straight onto my desktop and server to check patch availability. The time between vulnerability and patch was worrying and emphasised the need for a very good firewall with all unnecessary ports closed to the outside world.
Too many open source projects lack the firm direction and leadership needed to turn away or trim off dubious code. Both Heartbleed and Shellshock were the result of programs trying to do more than they need to, using code that was added long ago and never looked at since.
Sadly, the same can be said for Linux as a whole: too much stuff is added, too little is removed, and too many people are scratching their own itch without worrying about the big picture. Other free, open Unix-like operating systems seem to offer a saner, safer development model.
Nothing has changed for me.
I always wondered who was looking; I don't have the skill. This has always been such a repeated mantra that I thought there must be thousands of programmers poring over every line, but not likely.
Good that they are getting fixed and the principle is being tested. I’ve never trusted security through obscurity.
I think this has dispelled some of the complacency in open source projects. The internet depends on these apps and they need to be better maintained. The big companies should be paying people to audit them.
What Heartbleed highlighted to me was that some Free Software projects which are used by countless corporations, some of whom are extremely wealthy, are desperately under-maintained. Those companies really should take some responsibility for projects they depend upon for their operation, which has happened with OpenSSL (at least there's been a promise) but needs to become a broader thing.
Shellshock is less of a big deal since there needs to be another vulnerability in place in order to take advantage of the vulnerability in bash.
I didn’t feel personally threatened or worried by either of these bugs. The fact that they were found, disclosed and speedily addressed was Free Software working like it should.
But yeah, big companies who rely on (and therefore profit from) these things really should be helping out, making sure projects are adequately maintained and clubbing together to hire coders where necessary. The kernel gets plenty of attention but all these little components, and their importance, seem to be forgotten. A chain is only as strong as its weakest link, and all that.
Actually, I haven't changed a lot because of these – but I think the community should be more aware of security. Since *the internet* depends on FLOSS and its security, and one of the key selling points for GNU/Linux is the "virus-free" tag, all of us should pay more attention to the security of the ecosystem. Shellshock – even if it might turn out to be not a super-dangerous thing in the end – is a warning: how can critical bugs in a very basic programme go undisclosed for an eternity? It seems as if a lot of both users and maintainers have not paid enough attention (e.g. money…^^) to it.
On the other hand: In both cases the reaction of “the community” was prompt and helpful. Compared to Microsoft or Apple, I still think GNU/Linux does a good job in ironing out issues!
Neither Heartbleed nor Shellshock have changed my view of security issues with Open Source software. But the hyper-FUD spread by the media has confirmed my already very low opinion of the biased, deceptive talking heads that consider themselves to be journalists.
Not really changed my opinion. The software had security issues, sure, but it's the open nature of them that led to their discovery and fixing (wasn't it?). I believe that proprietary software has security issues too but they've not been exposed because very few people can see it.
Actually I guess I'm feeling more confident, because more devs and gurus will now be looking at each corner and dark spot of the sources they use/support/package/whatever.
A good example is the LibreSSL launched by OpenBSD devs, after the Heartbleed blow, to clean up and secure the OpenSSL code. I guess the result will be industry TOP NOTCH.
And we might think, if this happened with completely open source software, imagine what might be well hidden in proprietary binaries… Be afraid, very afraid closed source fans! 😉
Cheers from sunny Portugal!
Of the two I was more bothered by Heartbleed than Shellshock. Heck, the two patches for Shellshock on RH were issued pretty fast and we rolled them out at work within two days.
There is a degree of "it's open source so it's perfect" attitude which hopefully these two incidents will scupper, but I'm still generally positive about OSS. And remember that if you're still on an old version then you can compile/patch yourself – try doing that with Windows etc…
End with a quote: “Some one has justly remarked, that ‘eternal vigilance is the price of liberty.’ Let the sentinels on the watch-tower sleep not, and slumber not.”
All it emphasised was how good FOSS is. Those who found and helped fix this were people outside of the core team. With proprietary software this wouldn't have been possible. Most companies will have "blackbox" chunks of code someone who has left wrote 15 years ago, no one understands and everyone is afraid to touch.
It's good it was found, no doubt there are more spread about all projects, but it wouldn't make me change how I run servers. Always assume there is a bug and use all tools you can to minimize risk.
I do agree that large corporations who are poor community members, who have the cash to fund some code review, do have a lot to answer for though. Especially the likes of Cisco etc. who use a lot of the code tools like SSL etc. on their kit.
I’m going to enable apt-cron on my Raspberry Pi firewall !
The amazing thing with shellshock is the amazing speed that the issue has been researched, analyzed and fixed. In a matter of hours bash was pounded on, people running fuzzing attacks, the limitations of the original patch found, and fixed. As well as discussions of structural change to eliminate the class of vulnerabilities.
This is a testament to the power of open source.
Well, at least we know we have security holes, and therefore we can do something about it—fix the problems, or avoid a particular piece of software altogether.
What I've changed is the kind of free software I choose: simpler, less bloated software. Simpler software means less code. Less code means fewer spots for bugs. Fewer bugs means better software. Avoid emacs! =P
I thought both of these weaknesses were discovered by code audits, thereby proving that many eyes do find the bugs. It's just that publishing the weakness will always get the crooks to write an exploit.
To be honest, I was surprised and, well, shocked by the bash vulnerability, since it is such a central piece of Unix-like OSes and the vulnerability seemed to be fairly basic and simple in its structure (as was Heartbleed, in a way). It may have been naive, and a function of being fairly new to the Linux world, but I wouldn't have thought that this kind of bug exists.
But that doesn't change the fact that in comparison to unfree software, open source code can be audited and fixed better, faster, and more independently of commercial interest.
However, I think that there is a certain hypocrisy or sanctimoniousness in the community regarding the involvement of big corporations in open source development. You can’t claim that the system is independent of such companies, and point the finger of blame for lack of code-maintenance at them for not contributing. (At least not in too categorical a way, as both claims are somewhat true.)
Yes, it’s made me all the more glad I don’t use a proprietary system. Can you imagine how many of these sort of bugs are out there in those systems, never getting looked at?
We get two serious widespread vulnerabilities and some people think the world is coming to an end – how many Internet Explorer 0-days are patched every single month?
Yeah, I agree.
The openness and speed with which it was all handled actually increased my trust in open software and the community.
If anything, they’ve improved my attitude towards open source security. I’ve never assumed that any system is secure, and at least with Shellshock and Heartbleed I get full disclosure and the ability to both test and quickly patch my machines.
When there’s a security issue in Windows or OS X sometimes the only pieces of information I get are hyped up media reports and a vague ‘this is an important update’ message in Windows Update. Not knowing how serious the security flaw is means I assume the worst.
Quick answer: no.
When talking about security we have to specify, because there are two different scenarios.
One is on the desktop. Nobody cares about it. It is hard to fool a Linux desktop user. The binaries (almost) always come from trusted sources (the distro). Finally, they (we) are so few and so diverse that it is not a real target.
The other side is on the server. This has always been the wild wild west. Also: there is no news about security vulnerabilities for Windows (for example) because nobody runs a naked Windows on the internet in 2014. Also: some years ago there was shared hosting. Now there are a bunch of morons running their own VPS and getting owned → hilarity ensues.
Not really, Linux/FOSS has bugs and security holes in it.
To be honest, it’s actually made me feel a bit better about open source security:
Yes, we’ve had two big ones, recently, but serious issues like this definitely seem to occur far less than in proprietary software.
The fixes were out quicker than is usual for proprietary software. Hell, one example is the fix for my Raspberry Pi XBMC build was out 3 days ahead of when Apple announced their fix was released – so a few guys working in their spare time can turn around a critical fix quicker than a multinational company!
These facts make me want to use open source over proprietary even more.
That should be “Not really, Linux/FOSS has bugs and security holes in it just like any other piece of software.”
An interesting take I heard was that the response to the bugs was quite inspiring. Instead of 30 programmers working in a room at MS or Apple, the bugs were effectively crowd-sourced for patching and testing to individuals and institutions around the world within hours, and things got patched and repatched multiple times within a day or two.
No.
Free Software projects report their bugs to users, and perhaps apologise in doing so.
(“More Evil”?) Proprietary software developers aid its exploitation, while not telling users about it. The users are then given a false sense of security, hence your post?