FLOSS Pays Real $ And Shines

FLOSS developers of major browsers put up cash for vulnerabilities and made payouts. Amazingly, “The update to Chrome 25 came about 24 hours after two researchers from U.K. firm MWR InfoSecurity exploited multiple bugs in the browser and Windows 7. In exchange for their attack code and vulnerabilities, Nils — a German who goes only by his first name — and Jon Butler were awarded $100,000 by Pwn2Own organizer HP TippingPoint and its Zero Day Initiative (ZDI) bug bounty program.”
See Pwn2Own hacking contest winds down after paying a record $480K | ITworld.

Who do you love, a browser that fixes discovered problems in hours or in months? The answer is that you love FLOSS, folks, software that works for you and not some corporation hiding bugs so that salesmen can claim they don’t exist…

I recommend Debian GNU/Linux. It’s all FLOSS, folks, and it will work for you. When it comes to your information technology, choose software working rather than the fiscal goals of short-sighted corporations run by salesmen, like M$.

For more information see H-Online:
“In response to day one’s exploits, both Mozilla and Google have shipped updates to their browsers. Mozilla’s Firefox has been updated to version 19.0.2 with a fix for the vulnerability; the same fix, for a use-after-free in the HTML editor which could lead to arbitrary code execution, has also been applied to Firefox ESR 17.0.4, Thunderbird (ESR) 17.0.4 and SeaMonkey 2.16.1. Google has updated the stable channel for Chrome on Windows, Mac OS X and Linux for the type confusion flaw that was exploited by Nils and Jon of MWR Labs at Pwn2Own. Both the Firefox and Chrome updates are automatically downloaded by browsers and installed on browser restarts.”

See also Chrome OS Survives Pwnium and $pimillion prize…

All this good news makes my day.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

11 Responses to FLOSS Pays Real $ And Shines

  1. oiaohm says:

    dougman, that is just following tradition.

    http://www.engadget.com/2008/03/29/linux-becomes-only-os-to-escape-pwn-2-own-unscathed/

    In 2009 you see the excuse that Ubuntu is not used enough.

    So 5 years later a Linux in some form is back in the Pwn2Own competition and it’s still resistant.

    Note something important: the Chrome browser fell under Windows. The same faults did not drop Chrome OS or work against Linux distributions running Chrome.

  2. dougman says:

    Do remember that all of the PWN tests DO NOT test Linux systems.

    http://www.internetnews.com/skerner/2011/03/why-pwn2own-doesnt-target-linu.html

  3. kozmcrae says:

    Okay Trollrog, you want to go tit-for-tat, security hole for security hole, Microsoft’s OS against Linux? And when I say Linux I mean the OS, not the GNU part with it as some unscrupulous researchers like to do. How long do you think the process would go before Linux would run out of security holes? How long do you think Windows would continue racking them up like they are right now?

    You are dishonest so I don’t expect the right answer to come from you. The truth is, and you know it, that the number of security holes in Linux is finite and a small finite at that. As Microsoft continues adding layers they continue to add errors into their spaghetti code. The reality of the number of security holes in their OS is more likely in the land of 6 figures.

    It makes no difference how many patches they do each month. Microsoft’s Windows is a hopeless security wreck. You can point to as many security issues as you can find concerning Linux and you still cannot put Windows anywhere near an equal footing with Linux in security (I’ve seen those surveys that attempt to put Linux on the same level as Windows, they’re BS). Trollrog, you need to admit to yourself and everyone else that Windows is a security nightmare and that Linux is the most secure operating system in general use right now.

    Let’s hear it. Or let’s hear you lie. Maybe you’ll squirm around and not really say anything. You’re good at writing sentences that have a lot of words but don’t say anything that makes any sense.

  4. Der Balrog wrote, “I do give a crap about Pogson’s touting FLOSS inevitably superior security-wise when it’s simply not true. And this bug was just an example of that. Android is FLOSS after all.”

    Well, M$ ships an OS with 50K bugs and they are impossible for anyone, even M$, to fix so even Android/Linux is superior. Several OEMs of Android/Linux do permit users to take charge of their OS by rooting and they do publish the source-code too. The carriers as distributors of Android/Linux are a problem, not FLOSS. That problem can be fixed by market-forces or governments and they’d better do it sooner rather than later. I know the new BlackBerry could well flop considering how messed up the simple task of migrating the little woman’s contacts has become (two standard techniques and an improvisation used with previous BBs failing). My son is coming over on the weekend to have a go. If he can’t do it no one can. That problem is huge for BB. The fate of the company could hinge on that piece of non-Free software and for anyone familiar with Android the features of the phone are attractive but the change is a shocking experience. It took me minutes to get comfortable with Android but after a week I am still helpless with BB…

    M$ has had Vista, “phoney 7” and “8” failing in the market even though M$ has the channels locked up. People just are not buying that M$ is the one true source of OS these days. After a few quarters, the OEMs were up in arms. After a couple of years they are up in ARMs. GNU/Linux on x86/amd64 is next. These guys have to ship millions of units per quarter to pay the bills. M$’s stuff is not selling. Even the retailers are exasperated. M$ does not have enough money to pay everyone to keep shipping stuff that plugs the channels and doesn’t sell.

  5. oiaohm says:

    9 to 8 months, because most bugs are found in the 3 months after an Android release, then it goes silent. Of course then you have to add on how long before the carrier decides to push out the update. Add another 1 to 18 months.

    One big thing to take away from this: we don’t want phone carriers in charge of our phone OS updates; they are crap at it.

  6. oiaohm says:

    –4.1.2 is in the wild, is it not?–
    Der Balrog yes it is in the wild.

    http://en.wikipedia.org/wiki/Android_version_history

    There is no 4.1.3 yet. Heck, a lot of carriers are not even off 4.1.0, which has known security flaws that were fixed by 4.1.1 and by 4.1.2.

    Yes, 9 October 2012 is when 4.1.2 was released.

    4.1.3 is June/July 2013; this is when the bug can be formally closed. So that bug you are talking about can only be fixed for review by carriers in June. So Android developers are in no rush, since June is the soonest they can push out an update. Of course that is if the carriers do push out the update to their phones.

    The reviewed status on March 4 2013 means it will be fixed in the 4.1.3 release, since it’s now committed to mainline. No rush; they still had until June to do it, due to carriers wanting lock step.

    There are no mid-release updates for Android. This is a major issue with Android. A fault like this in a normal Linux distribution would have been a package update.

    Exactly how come carriers have so much force? They have the signing key to approve installation on lots of phones they ship.

    –You’re all entertaining the false thought that there are no bugs in FLOSS (or at least a lot less) just because the bug trackers say there aren’t any. And this thought you entertain because even before that you’re wrongfully thinking that just because source code is open it’s automatically looked at by the “many eyes” day and night. How many FLOSS users are able to read code? How many of those actually do that as a pastime? How many of those find and fix bugs?–

    No, with source code you can run audit tools over stuff. Static program analysis gets better every year. Compilers get better every year. Try building some old open source programs, Der Balrog; lots don’t build any more because modern updated compilers find faults and decide to kill the build process.

    The majority of code faults are not found by humans these days in FOSS. The majority are found by static program analysis, test-suites running over code and fuzzers running over code. You cannot run them effectively if you don’t have the source code.

    The fault you pointed to with Android required a human to find. Adding a test for it in the test suite makes sure that fault cannot happen again.

    The bug finding process in FOSS is user reports, static program analysis, test-suites running over code and fuzzers running over code. Remember, parties wanting to test new prototype static program analysis tools or fuzzers also take FOSS programs, since they can confirm whether they have found valid errors or not.

    Most FOSS projects are moving to build servers where every commit faces test-suites and static program analysis before it can enter mainline.

    So sorry, Der Balrog, you are not keeping up with FOSS evolution. You are still presuming the eyes looking at the code have to be human. With FOSS some of those eyes are machines that don’t get exhausted.

    The 3 month delay you are talking about is going to be over 6 months, and this will be short for an Android security fault fix. The average is basically 9 to 8 months.

    Do I class 8 to 9 months as acceptable? No I don’t, Der Balrog. There is a reason why I hope Tizen, Firefox OS or Ubuntu OS on phones takes off; maybe one of them will offer a decent update cycle for security updates.

    Mind you, 8 to 9 months is an improvement over some of the old phones, where it was basically never.

  7. Der Balrog says:

    Putting words in my mouth again, Peter? What has the Android release cycle got to do with this? This bug is out there: The PBKDF2 implementation in the 4.1.2 (and possibly earlier) versions […]. 4.1.2 is in the wild, is it not?

    But anyway, I don’t give a crap about Android specifically, but I do give a crap about Pogson’s touting FLOSS inevitably superior security-wise when it’s simply not true. And this bug was just an example of that. Android is FLOSS after all.

    You’re all entertaining the false thought that there are no bugs in FLOSS (or at least a lot less) just because the bug trackers say there aren’t any. And this thought you entertain because even before that you’re wrongfully thinking that just because source code is open it’s automatically looked at by the “many eyes” day and night. How many FLOSS users are able to read code? How many of those actually do that as a pastime? How many of those find and fix bugs?

    So in the end the bug finding process in FLOSS is limited by these constraints: users need to stumble over bugs, users need to report those bugs, reports have to somehow make their way to someone competent enough to reproduce and fix the bug. There’s actually no discernible advantage to be had here. Security by openness has merely a potential advantage which sometimes can transform into a real one.

  8. oiaohm says:

    Der Balrog, if you want to complain about Android having a crappy update system and that this leads to bugs being slow to be fixed, I will not dispute it.

    This is why mono-cultures get bad.

  9. oiaohm says:

    Der Balrog, really you missed the problem. Android gets sloppy because the fix could only go into the next Android release cycle, so reviewing could be put off. It comes down to carriers being in charge of applying updates.

    Der Balrog we want something that releases often. Android is not this.

  10. Der Balrog says:

    FLOSS is superior … blah, blah, blah.

    Bug open since November 2012, only reviewed more than 3 months after someone reported it: Android’s PBKDF2 implementation throws away the top 8 bits of Unicode passwords. [Source]

    That reminds me of this. Pogson also believes that it’s enough to hold aloft the magic sword and chant: “By the power of FLOSS! We have the power!”

    Chuckle!
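The PBKDF2 flaw Der Balrog points to here and in comment 7 (keeping only the low 8 bits of each password character) is easy to demonstrate: two different Unicode passwords collapse onto one derived key, which shrinks the space an offline guess has to cover. This is an added example, not the post's or Android's code; the digest, salt, iteration count and probe passwords are constructed for the demo, and the black-box probe is a suggested way to check any key-derivation wrapper for the same class of bug.

```python
"""Low-byte truncation of Unicode passwords before PBKDF2 (added example)."""
import hashlib
import unicodedata

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt
ITERATIONS = 2000                 # low to keep the demo fast; production uses far more


def weak_encode(password: str) -> bytes:
    """The flaw: each code point is cast to one byte, dropping its top bits."""
    return bytes(ord(ch) & 0xFF for ch in password)


def utf8_encode(password: str) -> bytes:
    """Sound handling: normalise, then encode every code point in full."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def derive_key(password: str, encode, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA1 over the chosen encoding (parameters are demo values)."""
    return hashlib.pbkdf2_hmac("sha1", encode(password), salt, ITERATIONS, dklen=16)


def keys_collide(p1: str, p2: str, encode) -> bool:
    """True when two distinct passwords derive the same key under `encode`."""
    return p1 != p2 and derive_key(p1, encode) == derive_key(p2, encode)


def is_low_byte_truncating(encode) -> bool:
    """Black-box probe: 'Ł' (U+0141) and 'A' (U+0041) share their low byte, so a
    truncating encoder derives one key for both; a sound one must not."""
    return keys_collide("\u0141", "A", encode)


if __name__ == "__main__":
    # Constructed pair: 'Łódź' vs 'Aódz'. Every character pair shares its low
    # byte (U+0141/U+0041, U+00F3/U+00F3, U+0064/U+0064, U+017A/U+007A).
    polish, ascii_twin = "\u0141\u00f3d\u017a", "A\u00f3dz"
    for name, enc in (("weak", weak_encode), ("utf-8", utf8_encode)):
        print(f"{name:6s} collide={keys_collide(polish, ascii_twin, enc)} "
              f"truncating={is_low_byte_truncating(enc)}")
```

Under `weak_encode` the two passwords produce the same 16-byte key; under `utf8_encode` they do not, and the probe flags only the weak encoder.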
