Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
After Heartbleed, Tech Giants Fund Open Source Security
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
5/22/2014 | 6:02:22 AM
Psychology Change for FOSS Hackers
For decades there has been a combination of scientist and hobbyist hackers in the Free and Open Source (FOSS) community.  On one hand you've had the very formal and high-tech programmers, doing development projects with lifecycles, and on the other a more artistic and experimental effort that includes varying levels of code quality, consistency of function usage/behavior and a variety of security features, from none to ironclad.  In between, lots of solid programmers delivering usable code every day.  Here's the thing: funding isn't everything - in some cases, it's worthless.  Requirements psychology is a huge part of delivering a secure application, whether you're a PhD from MIT or a weekend Python hacker.  In other words, be formal, experimental, hack the code or design the code, but you must still hold to a set of requirements to which the end result is compared, and these days security must be part of your application requirements set.  I keep hearing about time to test and how putting code through more intensive QA in some FOSS projects might prevent the next Google or Facebook from emerging.  And, various cash sums are called out to "throw" at projects like OpenSSL to help make it more secure.  This defeats the very reason there are "free" and "open source" projects out there.  These projects are about community, not salaries; about innovation and giving to society, not about cash flow.  This means that the FOSS developer community as well as the user community need to shift their psychology to include security at every level of the programs they write, from code to executables.  The same amount of care hackers take to write a useful new extension for something like GNU Emacs, for instance, should also be put to the security and quality of the overall program.  Security bugs like Heartbleed are not about project money - it's simply about getting the community to learn about, care about and do something about the code they agreed to support as FOSS advocates and developers.  FOSS gives to society, and that comes with added responsibility.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 10:48:41 AM
Re: Drop in the bucket
Thanks for putting that in context, Jon. That's quite a jump from $2000 a year to $1.2 million. It will be interesting to see how much added security that buys a year from now.
JonNLakeland
50%
50%
JonNLakeland,
User Rank: Strategist
4/29/2014 | 10:06:29 AM
Re: Drop in the bucket
It's not much relative to the profits of those business, but compared to the $2,000 annually the project was receiving in donations before, $1.2 million is significant. The budget just went from $167 per month to $100,000 per month.

Honestly I'm impressed that they chose to do as much as they are, given that they don't have responsibility for the software.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:34:29 PM
Drop in the bucket
 A pledge of $100,000 per year from the likes of Facebook, Google, IBM, and Microsoft etc seems like chump change. Is there something more that the industry should be doing to shore up open source security?
macker490
50%
50%
macker490,
User Rank: Ninja
4/27/2014 | 8:15:07 AM
problem was not funding
the heartbleed error is what we classify as a "data dependency".   this is sometimes a careless error but more often an attitude problem where the programmer asserts: "if you send me good data my program will work fine" -- i.e. "I shouldn't have to check what you send me because it's your responsibility to send me good data"

i hope there are no questions about the lesson in this case.    if you are programming you have to sanitize your inputs.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:59:16 PM
Re: About time!
You are exactly correct.  It has been (unconfirmed) reported that the NSA has upwards of 1000 employees whose responsibility is solely to exam open source projects for possible vulnerabilities.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
4/25/2014 | 2:52:20 PM
Re: About time!
The funny thing is that the NSA and other intelligence agencies have probably already conducted audits of this sort, at taxpayer expense, on many open source projects. If only they'd share what we've paid for.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:11:01 PM
About time!
It is a shame that it has taken this long for this pledge to come through.  OpenSSL is a critical piece in the security of many organizations and applications and it should have been audited long ago.

As someone who has dug through the OpenSSL source code I can tell you that it is a nest of spaghetti code.  There could be backdoors intentionally programmed into the code but without an audit we would never know.

Recently, the Open Crypto Audit Project has raised $80,000 to begin the audit process of the Truecrypt source code.  Phase I of that project has completed and while it did not find any backdoors it did identify several minor issues that could lead to vulnerabilities. 

This is what needs to be done for all open source products that we rely on for security.  Although the code is open source and available to all, no single person has the ability or time to review a project in it's entirety.  Therefore it is important that money and resources are allocated to review the code.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
4/25/2014 | 2:09:54 PM
Somebody Else Will Fix It
I'm pleased to see the vendor community step up to fund a project like this. I think the open source community model has demonstrated that it can be robust and effective for producing good software, but Heartbleed also revealed a weakness. In a community model, it's way too easy to assume that somebody else is taking a careful look at the code. If everybody assumes somebody else is doing it, no one is.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24330
PUBLISHED: 2020-08-13
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges instead of by the tss user, it fails to drop the root gid privilege when no longer needed.
CVE-2020-24331
PUBLISHED: 2020-08-13
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the tss user still has read and write access to the /etc/tcsd.conf file (which contains various settings related to this daemon).
CVE-2020-24332
PUBLISHED: 2020-08-13
An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon is started with root privileges, the creation of the system.data file is prone to symlink attacks. The tss user can be used to create or corrupt existing files, which could possibly lead to a DoS attack.
CVE-2020-0261
PUBLISHED: 2020-08-13
In C2 flame devices, there is a possible bypass of seccomp due to a missing configuration file. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-14605...
CVE-2020-17498
PUBLISHED: 2020-08-13
In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could crash. This was addressed in epan/dissectors/packet-kafka.c by avoiding a double free during LZ4 decompression.