Security Of FLOSS

“Just like the OpenSSL Heartbleed security hole, once you look at the code, the problem leaps out at you. But, if you don’t look, it just hides there in plain sight. Open-source security only works if you actually read the code.

What’s even more annoying, this only works if you’ve encrypted your system partition. Yes, by doing the smart thing of using encryption, you’ve actually opened the door to this attack. Fun!”

See Major Linux security hole gapes open
I’ve worked with IT since the 1960s. I’ve seen systems that fell down just idling. I’ve seen systems that were insecure by design. Their creators just didn’t seem to care. I’ve seen systems that were made to get you. Their creators wanted to own your soul. I’ve also used FLOSS. They are secure by design. Their insecurities tend to be inadvertent and occasional. My GNU/Linux system doesn’t have 50K bugs like M$ used to ship… Is it 100% secure? Nope. That’s not possible in the maze of software we run on a desktop system today. However, for the cost of $0 and my time to configure it the way I want, Debian GNU/Linux is a great bargain and far superior to That Other OS with its superb integration superhighway for malware. If GNU/Linux is this good with so few eyes on it, imagine how good it will be when it takes over the world. GNU/Linux is still growing so that will happen sooner or later.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

31 Responses to Security Of FLOSS

  1. oiaohm says:

    “Certainly not. Much of the software is already tested before Debian gets it. Building from source is the big thing. I would not expect individuals to build all their software from source.”
    Most of the issues are not found by people building from source. Building from source these days can be fairly well automated. In fact Debian is currently discussing going to a maintainer-less model.

    I am not expecting users to build from source. The problem here is simple: a human maintainer or an automated build bot only tests a percentage of the application’s functionality. Sid and Testing exist in Debian so users can get their hands on the pre-built packages sooner to find out whether there is a defect or not.

    The reality here is that 1/10 of the work is making the binary. The other 9/10 is processing user responses, sorting out which bits of that are unique issues and valid issues, and also getting people to submit that information and follow up.

    The big issue here is when a fault comes in, the developer attempts to replicate it, cannot replicate it for some reason, asks the person who reported the problem for more information, and they are not contactable. This has cost developer time, which is bad. It also means the fault normally turns up again in future because it was not fixed. This is why a person giving back and following up on a bug report is kind of important.

    You can give a binary to a million users and only 1 of them finds a critical hidden security flaw by luck. Were the other 999,999 users in that case a waste of time? No. You did not know which 1 user in the million would do the action that would find the fault. This is what makes QA so hard and so resource consuming.

    On a major bug it is nothing strange to have 20+ people testing out a fixed binary package who do not know how to build it from source. Each of those 20+ people most likely tests for longer than the developer would have and tests more completely.

    “Debian works for ~2 years to integrate a release and that work is replicated millions of times with ease.”
    Most of those 2 years is in fact spent by people using sid and testing prebuilt binaries to find faults. So most of the work is in QA activities, in fact using the stuff to confirm it works. Most of the QA process is required time waste, because it works and you are hunting the small percentage of cases where it fails.

    One of the reasons why maintainer-less is being considered is that human maintainers building stuff have caused a lot of major stuff-ups for Debian by forgetting to do simple things like run test suites. Yes, Debian is a big server core and will remain a big server core. Most packages in Debian are not built on the maintainer’s own machine any more either; instead they are built in the Debian server farm because it is faster.

    With automation, building the binaries is going to come to less than 1/1000 of the human work required to make Debian.

    Really, a lot have the wrong idea that the majority of the work is the maintainers’/developers’. The majority of the work is documentation writing and testing. Testing does not require that high a skill; in fact in some cases the lower the skill the better, so they will try more stupid actions that the programmer might not have allowed for.

  2. oiaohm wrote, “Collecting and packaging and distributing the software is about 1/10 of the required work.”

    Certainly not. Much of the software is already tested before Debian gets it. Building from source is the big thing. I would not expect individuals to build all their software from source. Debian does that and ensures all the packages are well integrated. That’s a huge service. Meanwhile the end-user or admin runs APT periodically and everything works. Debian works for ~2 years to integrate a release and that work is replicated millions of times with ease.

  3. oiaohm says:

    Robert Pogson, you are not getting mine. Testing software is not a highly skilled job. It’s time consuming when things go wrong. When it works, not that time consuming at all. So the task you are performing, deploying software, is not that high-skilled.

    “if Debian is doing most of the work of collecting and packaging the software and distributing it.”
    Without broad testing Debian is not 100 percent sure those packages work. Microsoft with Windows 10 updates failing big time is exactly the same thing.

    Collecting and packaging and distributing the software is about 1/10 of the required work. The 9/10 is spread among everyone deploying the software to find out if there are any hidden issues. This is really the straw that breaks the camel’s back. So each person deploying the software is a straw, and when you total those up it’s quite a massive thing.

    “That’s why so many PCs grind to a halt or fail to boot.”
    This is linked to why it happens to Windows so often. Are people updating their Windows systems as often, on as broad a range of hardware, to find the niggling bugs? The answer is no, they are not. The size and completeness of Debian’s quality control does not exist in paid-for operating systems. There is basically a price for charging people to deploy software, and that is that people will avoid updating software and deploying the software as broadly, so you limit your testing.

    Every action has a trade-off. Yes, selling the software usage right might bring you more money in for in-house development, but you cannot afford to own the broad range of hardware you have lost, by charging for the software, to perform quality control.

    So there is a reason why you see some closed source software choosing what parts to protect and what parts to give away. Game demos are a classic example of this: the main game data in the paid game you can test every way but loose perfectly fine, but whether the game engine will work everywhere is next to impossible to test in house because you cannot afford all the hardware. Solution: give away a demo to get the broad testing.

    Commercial software development fairly much means deciding what you are willing to give away for free, as well as considering what you must give away for free to get quality software out the other end. This is where calling people using free software moochers is wrong: without the users reporting faults the quality of free software is a lot lower.

    Maybe more parties should go the open source licence route, because in some cases they are only hurting their customers’ outcomes by avoiding it.

  4. oiaohm wrote, “not having the support services means someone has to have the skills locally to maintain it”.

    You’re not getting my point. It takes very little skill locally to install and to maintain GNU/Linux if Debian is doing most of the work of collecting and packaging the software and distributing it. There’s barely any maintenance required locally except “apt-get update;apt-get upgrade” from time to time. Compare that with TOOS where one has to fight malware all day long. Re-re-reboot. Panic on Patch Tuesday every month… It’s a lot of work and it scales poorly on smallish organizations like many schools. That’s why so many PCs grind to a halt or fail to boot. A single person can’t keep a reasonable sized fleet running. With Debian GNU/Linux it’s a few minutes per day without crises and that scales to hundreds of seats with little or no more work than a few. So, the work Debian does is very valuable and is software support essentially. In fact TOOS has negative value because it’s working for M$ and not my organization. It’s in M$’s best interest that the software fail so that the user will be pressured to replace it with yet another step on the Wintel treadmill. There’s no such pressure with GNU/Linux.

  5. oiaohm says:

    “That’s true in the sense of a contract for service, but for many years I’ve benefited from Debian debugging, configuring (e.g. defaults), distributing and automating provision of dependencies and installations. That’s a Hell of a lot of service provided for $0 and some donations. Without that support GNU/Linux would not be feasible for most individuals and small schools and organizations.”

    True, not having the support services means someone has to have the skills locally to maintain it. So cash poor, time rich can use a GNU/Linux solution. Debian is not always 100 percent perfect. A lot is provided for what appears to be $0. You have made a package; you need to know if it’s dependable to deploy on a server, having a stack of users try first. Microsoft does not charge people to be in the beta test programs. People doing commercial support want everything as heavily tested as possible. You are not being paid a wage for testing the software.

    Now, if those providing support services for Debian attempted to do quality assurance individually they would not be able to afford to do it.

    This is the problem: everyone is getting software, and also everyone other than those providing paid support is not getting paid money for the work they are doing. This is how FOSS really works. Even in commercial software you see companies working out how they don’t have to pay, like not paying beta testers and giving them a free copy of the product at the end.

    Nothing happening in FOSS does not happen in different closed source development around the world somewhere.

  6. oiaohm wrote, “a person using open source software for free does not get support services”.

    That’s true in the sense of a contract for service, but for many years I’ve benefited from Debian debugging, configuring (e.g. defaults), distributing and automating provision of dependencies and installations. That’s a Hell of a lot of service provided for $0 and some donations. Without that support GNU/Linux would not be feasible for most individuals and small schools and organizations.

  7. Wizard Emeritus says:

    “Wizard Emeritus, but you said moocher without understanding that its status is normal.”

    Moocher represents my opinion of Robert Pogson expressed as an afterthought. Your wall of text still remains irrelevant to what I said.

  8. oiaohm says:

    Wizard Emeritus, but you said moocher without understanding that its status is normal.

    Do software developers pay for SQL licenses to prototype with? The answer is no.

    There is a big question here: should all software be free and the support services be paid? The problem at the moment is that the person who is using the closed source software for free and the person paying money for closed source software are getting basically exactly the same thing.

    Now, a person using open source software for free does not get support services. Those paying for open source software get support services, so have got something different for their dollar.

    Also, when governments buy closed source software, a lot of times they demand that it comes with proper support.

    Sorry, Wizard Emeritus, you use normal insults about free software usage that have no base in fact. Closed and open source users are equally likely to want to use the software for free. There are thousands of closed source applications put out there free of charge. So commercial software is sometimes purchased, it is sometimes not. Remember I said that LibreOffice was commercial software; then you countered with that you mean only closed source commercial software.

    The reality is there are only minor differences between open source and closed source commercial software in whether users pay or not. The big difference is what people get when they pay dollars. With commercial open source software you pay dollars and you get support, whereas with commercial closed source you pay dollars and you might only get the right to run the software. This brings a bang-for-buck question.

  9. Wizard Emeritus says:

    “Wizard Emeritus, so you, basically attacking Robert for being a moocher, have absolutely no clue how software marketing in the office suite and many other fields is done.”

    Robert Pogson has made it quite clear that he feels that the software that he has been blessed with for free should be that way that all software is made. He made his usual statement about the world being capable of creating and sharing “its own” software. I countered with the equally accurate statement that the world also purchases commercial software.

    All of your verbiage on the subject is as usual an irrelevancy.

  10. dougman says:

    Black-faced Abo, how much do you mooch of the Australian gravy train?

  11. oiaohm says:

    dougman, since you have had all your attacks wrong you now have to spam off topic.

    “Correction: I should have stated closed source commercial software.”
    Wizard Emeritus, and that was not the only thing wrong either. Not all commercial software is charged for, even if it is closed source. Microsoft Office for Android comes to mind. It’s free as long as you don’t use particular features. So most businesses are part moocher. LibreOffice is free but the commercial version has a few extra update features.

    http://www.digitaltrends.com/computing/use-microsoft-office-free/
    Like students in schools getting free copies of Microsoft Office. This is because Microsoft understands that moochers are marketing. Does not Robert do marketing in different places for open source stuff? So he is an effective moocher.
    A lot of open source and closed source is like this. Moochers are expected and moochers are advertising. Some of the reason why Microsoft has not gone after software thieves as effectively as they could have.

    Wizard Emeritus, so you, basically attacking Robert for being a moocher, have absolutely no clue how software marketing in the office suite and many other fields is done. So giving away free software is mandatory to compete in the office suite field along with many other fields.

  12. dougman says:

    So resorting to miss quoting because you cannot accept being wrong. No its possible to mock a person without miss quoting. Of course cannot like being pulled up that miss quoting is invalid so now is going to quote everything to try to get me to give that miss quoting is allow.

    Sorry it attack my IQ again because you were pulled up for being completely wrong again.

    This just shows the level idiot you are who does not know the difference between mocking and miss quoting. Its the old idiot excuse that mocking allows them to do miss quoting and other major mistakes.

    So lets be more of a fraud . I have not raise the fact you don’t have a clue about farm equipment or anything else. It was me who point out that the breakages robert was suffering from was avoidable by ploughing.

    You know, this is a super big maybe. I have mentioned it before but the process is a pain in ass. The fact you referring to miss quoting as mocking really means you are a idiot. You said that miss quoting is fine for mocking right.

    Please use reference sources that are not conflict of interest in future then you may not be basing you ideas fiction.

    Badly packages applications exist. Depending how built Yes it would be better at long last has agreed to sit down and work Ok it would be nicer

    Interesting point. There is something interesting here. Since you were completely wrong again please do this to yourself.

    There are about 12 cases that has done this on different topics including religion. I typed that line because I am sick of the same repeated mistake. So much the 100 percent normal idiot game play.

    Since I suffer from dyslexia I have to understand the diagnostic methods used for it and the statistics about it.

    Dougman you have painted yourself in a corner you accused ltsp of not being in active that was not the case.

    opps typo.

  13. Wizard Emeritus says:

    “LibreOffice is commercial software. So open source does not mean it’s not commercial software.”

    Correction: I should have stated closed source commercial software.

  14. oiaohm says:

    “WRONG! Why would I own your stolen device? Obviously, this was too hard a question for your feeble mind, for even a simpleton could answer it correctly, which you did not.”
    Dougman, learn to read.
    “dougman by law you still do.”
    Key words: by law. Because those two words inverted the question. “You” refers to the original owner in this case.
    “If someone steals your electronic device, who owns it now?”
    By answering starting with “dougman by law”, the “your” in that question has been replaced by your name, dougman. So I should send a conman with the right contracts to your door and have you sign your assets away, because you would not get these finer points.

    “World also does purchase and use commercial software that is made for purpose. Not everyone expects quality software for free as you do – moocher.”
    LibreOffice is commercial software. So open source does not mean it’s not commercial software.

    “In the meanwhile, Office 365 is enjoying a 70% growth. There must be a reason for these 20 million people to pay their $12 / month and ignore LO completely.”

    Deaf Spy, what evidence is there that those 20 million paying $12 a month are not using LibreOffice to access old documents that current Office 365 cannot open? So the reality here is that part of that claim is a claim without evidence, because you have no evidence that they are ignoring LO, but are instead using wishful guessing.

    https://www.collaboraoffice.com/community-news/updated-libreoffice-growth-infographic-2016/

    Paid-for LibreOffice growth rate is quite impressive as well: 20 million a year with no sign of slowing down. 70% growth is only about 2 million with Office 365. Yes, Collabora active users are based on who they have subscriptions for in one of their partners. So that 120 million is not everyone using LibreOffice.

    http://www.windowscentral.com/there-are-now-12-billion-office-users-60-million-office-365-commercial-customers
    The interesting point is the biggest growing sector of Microsoft Office is the mobile office suite section, where people are not paying.

    I also love how Microsoft says 1.2 billion Office users without stating which editions.

    The catch here is a place choosing to use MS Office does not mean they will not choose to have LibreOffice as well.

    “You mean theft by way of taxation, so as to educate more feminists and social justice warriors. Free education is NOT free. Someone, somewhere has to pay for it.”
    dougman, sorry. Free education and not educating people: it’s right that someone has to pay, and it’s the government. If you don’t educate people and end up with more criminals, the government still has to pay for those as well. So what are tax dollars better spent on, jail cells or attempting to educate them so they don’t end up in jail cells?

    So it basically does not make any sense for the government not to provide decent free education, or otherwise you end up spending the money anyhow on the criminal side. Rehabilitation of criminals is downright expensive; preventing by education is way cheaper.

    https://en.wikipedia.org/wiki/List_of_countries_by_incarceration_rate#/media/File:Map_of_incarceration_by_country.gif
    Yes, incarceration rate is partly linked to the quality of the free education. USA free education is not particularly good, so it has a very high incarceration rate, as expected. So to save spending on USA prisons the USA has to improve education outcomes.

    Of course questioning whether the amount of money the government is spending compared to results on free education is a valid thing to do. The key word is decent free education: not gold-plated education, and not letting people skim money off the top and not providing the decent government-funded education to the students.

    The reality is free education might cost the government up-front money now but in the end saves the government costs in prisons. The reality is that every 1 dollar in free education spent effectively saves the government about 400 dollars in prison and police costs. In fact it has been shown that making prisoners take part in education in prison reduces the repeat offence rate. Want fewer criminals? The most effective documented way is education. If people cannot afford education expect more criminals. So education affordability is just as important as health affordability.

  15. dougman says:

    “Canadians pooling resources to educate students for a nominal fee of $0, covered by taxation.”

    You mean theft by way of taxation, so as to educate more feminists and social justice warriors. Free education is NOT free. Someone, somewhere has to pay for it.

    “It’s just another way of earning revenue.”

    How can an educational institution, that supposedly freely educates its citizens by utilizing tax dollars, build revenue for itself? Obviously, tax payers are being overcharged. All post-education can be supplanted with Khan Academy self-education and CLEP exams.

    “Governments are often by far the largest business in a country and education costing ~$10K per student per annum is huge.”

    Governments should NOT be in the realm of education at all; the next bubble slated for the U.S. is 2020. Just as the subprime mortgage crisis rattled the entire US economy, the student debt bubble will reverberate throughout the country.

    The government inflated the housing bubble; the reason tuitions are so high is because government guarantees the loans. Now students take these guarantees and bid tuitions through the roof. Take the government out of the equation, and the colleges and universities have to lower tuitions so students can afford to go.

  16. Deaf Spy, with his head in a dark place wrote, “State-funded is exactly the opposite of business. Business makes its own profit, or disappears.”

    Well, there’s nothing wrong with millions of Canadians pooling resources to educate students for a nominal fee of $0, covered by taxation. It’s just another way of earning revenue. Governments are often by far the largest business in a country and education costing ~$10K per student per annum is huge.

  17. Deaf Spy says:

    Education is a big business…

    Except it is not.

    Again. I type slowly, please read it slowly.

    Your own experience covers only state-funded schools. State-funded is exactly the opposite of business. Business makes its own profit, or disappears. State funds activities that are considered socially-beneficial but which cannot make their own profit.

    In the meanwhile, Office 365 is enjoying a 70% growth. There must be a reason for these 20 million people to pay their $12 / month and ignore LO completely.

    No QED for you, Robert.

  18. Wizard Emeritus says:

    “Why? The world can and does make its own software and shares it. ”

    World also does purchase and use commercial software that is made for purpose. Not everyone expects quality software for free as you do – moocher.

  19. Deaf Spy wrote, “A claim, which you can’t backup. You still have to show a successful commercial / business story.”

    Why? The world can and does make its own software and shares it. Making money can be done with FLOSS but it’s not essential at all. Education is a big business and I’ve documented how schools can have twice as much IT for the same money whether building from scratch or repurposing old systems. Many others have done the same. QED

  20. Deaf Spy says:

    “just more cost-effective than That Other OS. It’s been that way for decades”

    A claim, which you can’t backup. You still have to show a successful commercial / business story. Please spare us the local administrations of municipalities and schools. Being funded by tax-payers money, these are anything but business entities.

  21. dougman says:

    “If someone steals your electronic device, who owns it now? – dougman by law you still do.”

    WRONG! Why would I own your stolen device? Obviously, this was too hard a question for your feeble mind, for even a simpleton could answer it correctly, which you did not.

  22. oiaohm says:

    “If someone steals your electronic device, who owns it now?”
    dougman, by law you still do. I have had one of my mobile phones stolen before and the thief only got 200 metres before being caught by police. Not that I did anything; it was the automatic reporting of the phone being taken out of range of an item I wear, the police being informed of its stolen status, and picking the idiot up.

    There are many nasty things you are allowed to do to a device you own, including explosive self-destruction. If the thief had put the phone in a Faraday cage where it could not call for assistance it would have self-destructed. So the thief would have had non-functional scrap. The rights of the owner can be very dangerous to a thief. There are many funny, painful cases of thieves sticking dye packs and self-destructing electronic devices down their pants and being on the receiving end of the owner’s right to destroy their own device.

    So the problem is not if someone steals one of my devices; it’s if they get away. So far every thief has failed to escape the defence systems.

    https://www.crowdsupply.com/design-shift/orwl this has enough open case space for an explosive charge. In fact the design includes the internal connections to connect up the charge. Opening highly secure devices without knowing how they have been rigged is a job for bomb disposal.

    With highly secure hardware you will be looking for a software weakness, because all highly secure hardware has customisation options and you may or may not guess what they are correctly, and guessing wrong could equal dead.

    Physical access is double-sided. Not only do you have the physical chance to alter the hardware, but the self-defence hardware has physical access to modify you.

  23. Ivan wrote, “until those problems are solved you can’t justify its use.”

    Too bad for your species, Ivan. No reproduction until the perfect mate is found… GNU/Linux doesn’t need to be perfect, just more cost-effective than That Other OS. It’s been that way for decades.

  24. Ivan says:

    You sound like a cuckolded husband trying to justify his wife’s infidelity, Bob. Linux has problems and until those problems are solved you can’t justify its use.

  25. dougman says:

    “I’ve worked with IT since the 1960s. I’ve seen systems that fell down just idling. ”

    Would that include your worthless Cello and Odroid boards?

  26. dougman says:

    Fifi, here is a simple question for you. Ready?

    If someone steals your electronic device, who owns it now?

  27. oiaohm says:

    “Well, if you have physical access to the machine already it is yours, so this bug albeit severe, is rather trivial to say the least.”
    dougman, really, your comment is toilet paper. I did not mention something. This kind of fault in CVE-2016-4484 does affect computers in a physical access attack with proper secure boot validation. Physical access does not promise that the machine is yours in all cases. Tamper-proof systems.

    https://www.crowdsupply.com/design-shift/orwl

    Dougman, take on systems designed like the one above. Yes, back in the 2.6 Linux kernel era, 2003-2004, when the CVE-2016-4484 bug was coded, hardware highly resistant to physical attack did not exist.

    So how trivial CVE-2016-4484 is is directly linked to what kind of hardware it is in fact operating on. This shows that what we did class as secure even just 1 year ago can be classed as not secure now due to changes in hardware and usage.

    Basically, as normal, dougman does not have a clue on the topic of how things have changed and keeps on thinking the historic reality is now.

  28. dougman says:

    Fifi, since you are from the outback. Do you agree with the no toilet paper thing, or do you align with the fountain swimmers?

  29. oiaohm says:

    “After all, the whole point of the Four Freedoms is for one of the many millions out there to Examine The Code. Which I am pretty sure you did, albeit apparently without noticing the defect.”
    DrLoser, the serious question is: was it always a defect?
    http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html#exploit
    This bug in fact raises an interesting point.

    Back when the code was written, in 2003-4, it was fine security-wise. Because it let you do nothing more than what you could have done otherwise with direct system access. We did not have network keyboard, mouse and monitor switches that much back in 2003-4, so that exploit was direct physical access back then.

    So not everyone reading the code has the same security rules. Robert’s setup with a network keyboard video monitor switch or virtual machine equal, then the existence of CVE-2016-4484 most likely makes no security difference whatsoever. The fact that different groups of people have different security requirements, and will class something as defective that others will class as perfectly fine, is why you need as broad a peer review as you can possibly get.

    DrLoser, of course, you being your normal idiot, did not ask: does this CVE even alter the security of Robert’s stand-alone setups? If someone has direct physical access to a stand-alone setup they can fairly much do all the same things with or without that bug. So a person looking at CVE-2016-4484 from a stand-alone setup security point of view is not going to see a problem, because it’s not providing any greater exploit than what naturally exists. Of course a person looking at CVE-2016-4484 from the point of view of a server running in what is called the cloud, or with a network keyboard/video/mouse setup, will see a security issue.

    Now, how many closed source programs have faults like CVE-2016-4484, where you cannot see the source code to find them, where the designer of the program has designed the program for the current conditions and with time the conditions have changed, so turning that historically valid design choice into a security flaw?

    So what we class as secure today, 1 year+ in the future could be classed as insecure. This is one of the reasons why updating compilers breaks old source code. As the way computers are used evolves, what is classed as secure is changing.
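The practical check behind the CVE-2016-4484 discussion in the comment above, as an added example that is not part of the original post, not any commenter’s code, and not code from Debian or the cryptsetup project: a POSIX shell script that audits a Debian-style machine for the two conditions the bug needs, an initramfs that falls into its busybox rescue shell on failure (no panic=<seconds> on the kernel command line, the mitigation the linked hmarco advisory recommends as panic=5) and a finite tries= count on the encrypted mapping in /etc/crypttab. The file paths, the mapping names in the constructed sample, and the crypttab defaults assumed here (3 attempts when tries= is absent, tries=0 for unlimited, as in Debian’s crypttab(5)) are assumptions; confirm them against your own release before relying on the verdict. An unencrypted root is not exposed to this bug at all, which is the point the quoted ZDNet article makes about encryption opening the door.

```shell
#!/bin/sh
# Added audit script. Not code from the blog post, Debian or cryptsetup; it
# checks the two conditions under which CVE-2016-4484 (hold Enter at the
# LUKS passphrase prompt until the initramfs gives up and drops to its rescue
# shell) applies on a Debian-style system:
#   1. no panic=<seconds> on the kernel command line, so an initramfs failure
#      lands in an interactive busybox shell instead of rebooting;
#   2. a finite tries= count on the encrypted mapping in /etc/crypttab
#      (assumed default 3 when unspecified), so the prompt can be exhausted.
# File paths and mapping names are assumptions; the functions take strings so
# they can be exercised against constructed input.

# cmdline_has_panic "<kernel command line>"
# Returns 0 when a panic=<positive integer> parameter is present, the
# mitigation the hmarco advisory recommends (panic=5): initramfs-tools then
# reboots after that many seconds instead of offering a shell. Deliberately
# conservative: panic=0, a non-numeric value, or no panic at all returns 1.
cmdline_has_panic() {
    printf '%s\n' "$1" |
        grep -qE '(^|[[:space:]])panic=0*[1-9][0-9]*([[:space:]]|$)'
}

# crypttab_tries "<crypttab text>" <mapping name>
# Prints the effective tries= value for the named mapping: the value from its
# options field, or 3 when the option is absent (assumed crypttab(5) default).
# 0 means the prompt never gives up. Returns 1 if the mapping is not listed.
crypttab_tries() {
    while read -r target _source _keyfile options; do
        case "$target" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$target" = "$2" ] || continue
        tries=3
        oldifs=$IFS; IFS=,
        for opt in $options; do
            case "$opt" in tries=*) tries=${opt#tries=} ;; esac
        done
        IFS=$oldifs
        case "$tries" in ''|*[!0-9]*) tries=3 ;; esac   # garbage value: use default
        printf '%s\n' "$tries"
        return 0
    done <<EOF
$1
EOF
    return 1
}

# audit "<kernel command line>" "<crypttab text>" <mapping name>
# Prints a one-line verdict. Returns 0 when one of the mitigations blocks the
# attack, 1 when both conditions for the bug are present, 2 when the mapping
# is not in crypttab (an unencrypted root is not exposed to this bug).
audit() {
    if cmdline_has_panic "$1"; then
        echo "ok: panic= set on the kernel command line; an initramfs failure reboots instead of shelling out"
        return 0
    fi
    tries=$(crypttab_tries "$2" "$3") || {
        echo "skip: $3 is not listed in crypttab"
        return 2
    }
    if [ "$tries" -eq 0 ]; then
        echo "ok: $3 uses tries=0, so the passphrase prompt cannot be exhausted"
        return 0
    fi
    echo "exposed: no panic= on the kernel command line and $3 allows $tries attempts before the initramfs drops to a shell"
    return 1
}

# Run with --live [mapping] to audit this machine (reading /etc/crypttab may
# need root). The mapping defaults to the first entry in /etc/crypttab.
# Without --live the script only defines the functions.
if [ "${1:-}" = "--live" ]; then
    live_cmdline=$(cat /proc/cmdline)
    live_crypttab=$(cat /etc/crypttab 2>/dev/null)
    mapping=${2:-$(printf '%s\n' "$live_crypttab" | awk '$1 !~ /^#/ && NF { print $1; exit }')}
    audit "$live_cmdline" "$live_crypttab" "$mapping"
fi
```

Run it as `sh audit.sh --live` (the file name is arbitrary), optionally naming the mapping as the second argument. An “exposed” verdict means either adding `panic=5` to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and regenerating the boot configuration, or setting tries=0 on the mapping, will close the specific path the advisory describes; neither changes what an attacker with the case open can do to the hardware itself, which is the comment’s broader point.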

  30. dougman says:

    FLOSS, hmmmm. Another useless acronym that no one uses.

    How many people go around asking if they use FLOSS? 100% of people will assume you mean using waxy string in between your teeth.

    Perhaps Robert should FLOSS his bum, as he does not use toilet paper.
    http://mrpogson.com/wp-content/uploads/2007/02/homepage/index.html

    Well, if you have physical access to the machine already it is yours, so this bug albeit severe, is rather trivial to say the least.

  31. DrLoser says:

    I’m guessing you would have spotted the Heartbleed issue in an instant, then, Robert.

    After all, the whole point of the Four Freedoms is for one of the many millions out there to Examine The Code. Which I am pretty sure you did, albeit apparently without noticing the defect.

    Alternatively, Robert, you just didn’t look, did you?
