Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

After Heartbleed, Tech Giants Fund Open Source Security
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/22/2014 | 6:02:22 AM
Psychology Change for FOSS Hackers
For decades there has been a combination of scientist and hobbyist hackers in the Free and Open Source (FOSS) community.  On one hand you've had the very formal and high-tech programmers, doing development projects with lifecycles, and on the other a more artistic and experimental effort that includes varying levels of code quality, consistency of function usage/behavior and a variety of security features, from none to ironclad.  In between, lots of solid programmers delivering usable code every day.  Here's the thing: funding isn't everything - in some cases, it's worthless.  Requirements psychology is a huge part of delivering a secure application, whether you're a PhD from MIT or a weekend Python hacker.  In other words, be formal, experimental, hack the code or design the code, but you must still hold to a set of requirements to which the end result is compared, and these days security must be part of your application requirements set.  I keep hearing about time to test and how putting code through more intensive QA in some FOSS projects might prevent the next Google or Facebook from emerging.  And, various cash sums are called out to "throw" at projects like OpenSSL to help make it more secure.  This defeats the very reason there are "free" and "open source" projects out there.  These projects are about community, not salaries; about innovation and giving to society, not about cash flow.  This means that the FOSS developer community as well as the user community need to shift their psychology to include security at every level of the programs they write, from code to executables.  The same amount of care hackers take to write a useful new extension for something like GNU Emacs, for instance, should also be put to the security and quality of the overall program.  Security bugs like Heartbleed are not about project money - it's simply about getting the community to learn about, care about and do something about the code they agreed to support as FOSS advocates and developers.  FOSS gives to society, and that comes with added responsibility.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 10:48:41 AM
Re: Drop in the bucket
Thanks for putting that in context, Jon. That's quite a jump from $2000 a year to $1.2 million. It will be interesting to see how much added security that buys a year from now.
User Rank: Strategist
4/29/2014 | 10:06:29 AM
Re: Drop in the bucket
It's not much relative to the profits of those business, but compared to the $2,000 annually the project was receiving in donations before, $1.2 million is significant. The budget just went from $167 per month to $100,000 per month.

Honestly I'm impressed that they chose to do as much as they are, given that they don't have responsibility for the software.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:34:29 PM
Drop in the bucket
 A pledge of $100,000 per year from the likes of Facebook, Google, IBM, and Microsoft etc seems like chump change. Is there something more that the industry should be doing to shore up open source security?
User Rank: Ninja
4/27/2014 | 8:15:07 AM
problem was not funding
the heartbleed error is what we classify as a "data dependency".   this is sometimes a careless error but more often an attitude problem where the programmer asserts: "if you send me good data my program will work fine" -- i.e. "I shouldn't have to check what you send me because it's your responsibility to send me good data"

i hope there are no questions about the lesson in this case.    if you are programming you have to sanitize your inputs.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:59:16 PM
Re: About time!
You are exactly correct.  It has been (unconfirmed) reported that the NSA has upwards of 1000 employees whose responsibility is solely to exam open source projects for possible vulnerabilities.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
4/25/2014 | 2:52:20 PM
Re: About time!
The funny thing is that the NSA and other intelligence agencies have probably already conducted audits of this sort, at taxpayer expense, on many open source projects. If only they'd share what we've paid for.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:11:01 PM
About time!
It is a shame that it has taken this long for this pledge to come through.  OpenSSL is a critical piece in the security of many organizations and applications and it should have been audited long ago.

As someone who has dug through the OpenSSL source code I can tell you that it is a nest of spaghetti code.  There could be backdoors intentionally programmed into the code but without an audit we would never know.

Recently, the Open Crypto Audit Project has raised $80,000 to begin the audit process of the Truecrypt source code.  Phase I of that project has completed and while it did not find any backdoors it did identify several minor issues that could lead to vulnerabilities. 

This is what needs to be done for all open source products that we rely on for security.  Although the code is open source and available to all, no single person has the ability or time to review a project in it's entirety.  Therefore it is important that money and resources are allocated to review the code.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
4/25/2014 | 2:09:54 PM
Somebody Else Will Fix It
I'm pleased to see the vendor community step up to fund a project like this. I think the open source community model has demonstrated that it can be robust and effective for producing good software, but Heartbleed also revealed a weakness. In a community model, it's way too easy to assume that somebody else is taking a careful look at the code. If everybody assumes somebody else is doing it, no one is.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-10-01
SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.
PUBLISHED: 2022-09-30
### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end use...
PUBLISHED: 2022-09-30
Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.
PUBLISHED: 2022-09-30
Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.
PUBLISHED: 2022-09-30
A vulnerability in the LIEF::MachO::SegmentCommand::virtual_address function of LIEF v0.12.1 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted MachO file.