Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

After Heartbleed, Tech Giants Fund Open Source Security
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/22/2014 | 6:02:22 AM
Psychology Change for FOSS Hackers
For decades there has been a combination of scientist and hobbyist hackers in the Free and Open Source (FOSS) community.  On one hand you've had the very formal and high-tech programmers, doing development projects with lifecycles, and on the other a more artistic and experimental effort that includes varying levels of code quality, consistency of function usage/behavior and a variety of security features, from none to ironclad.  In between, lots of solid programmers delivering usable code every day.  Here's the thing: funding isn't everything - in some cases, it's worthless.  Requirements psychology is a huge part of delivering a secure application, whether you're a PhD from MIT or a weekend Python hacker.  In other words, be formal, experimental, hack the code or design the code, but you must still hold to a set of requirements to which the end result is compared, and these days security must be part of your application requirements set.  I keep hearing about time to test and how putting code through more intensive QA in some FOSS projects might prevent the next Google or Facebook from emerging.  And, various cash sums are called out to "throw" at projects like OpenSSL to help make it more secure.  This defeats the very reason there are "free" and "open source" projects out there.  These projects are about community, not salaries; about innovation and giving to society, not about cash flow.  This means that the FOSS developer community as well as the user community need to shift their psychology to include security at every level of the programs they write, from code to executables.  The same amount of care hackers take to write a useful new extension for something like GNU Emacs, for instance, should also be put to the security and quality of the overall program.  Security bugs like Heartbleed are not about project money - it's simply about getting the community to learn about, care about and do something about the code they agreed to support as FOSS advocates and developers.  FOSS gives to society, and that comes with added responsibility.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 10:48:41 AM
Re: Drop in the bucket
Thanks for putting that in context, Jon. That's quite a jump from $2000 a year to $1.2 million. It will be interesting to see how much added security that buys a year from now.
User Rank: Strategist
4/29/2014 | 10:06:29 AM
Re: Drop in the bucket
It's not much relative to the profits of those business, but compared to the $2,000 annually the project was receiving in donations before, $1.2 million is significant. The budget just went from $167 per month to $100,000 per month.

Honestly I'm impressed that they chose to do as much as they are, given that they don't have responsibility for the software.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:34:29 PM
Drop in the bucket
 A pledge of $100,000 per year from the likes of Facebook, Google, IBM, and Microsoft etc seems like chump change. Is there something more that the industry should be doing to shore up open source security?
User Rank: Ninja
4/27/2014 | 8:15:07 AM
problem was not funding
the heartbleed error is what we classify as a "data dependency".   this is sometimes a careless error but more often an attitude problem where the programmer asserts: "if you send me good data my program will work fine" -- i.e. "I shouldn't have to check what you send me because it's your responsibility to send me good data"

i hope there are no questions about the lesson in this case.    if you are programming you have to sanitize your inputs.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:59:16 PM
Re: About time!
You are exactly correct.  It has been (unconfirmed) reported that the NSA has upwards of 1000 employees whose responsibility is solely to exam open source projects for possible vulnerabilities.
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
4/25/2014 | 2:52:20 PM
Re: About time!
The funny thing is that the NSA and other intelligence agencies have probably already conducted audits of this sort, at taxpayer expense, on many open source projects. If only they'd share what we've paid for.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/25/2014 | 2:11:01 PM
About time!
It is a shame that it has taken this long for this pledge to come through.  OpenSSL is a critical piece in the security of many organizations and applications and it should have been audited long ago.

As someone who has dug through the OpenSSL source code I can tell you that it is a nest of spaghetti code.  There could be backdoors intentionally programmed into the code but without an audit we would never know.

Recently, the Open Crypto Audit Project has raised $80,000 to begin the audit process of the Truecrypt source code.  Phase I of that project has completed and while it did not find any backdoors it did identify several minor issues that could lead to vulnerabilities. 

This is what needs to be done for all open source products that we rely on for security.  Although the code is open source and available to all, no single person has the ability or time to review a project in it's entirety.  Therefore it is important that money and resources are allocated to review the code.
Drew Conry-Murray
Drew Conry-Murray,
User Rank: Ninja
4/25/2014 | 2:09:54 PM
Somebody Else Will Fix It
I'm pleased to see the vendor community step up to fund a project like this. I think the open source community model has demonstrated that it can be robust and effective for producing good software, but Heartbleed also revealed a weakness. In a community model, it's way too easy to assume that somebody else is taking a careful look at the code. If everybody assumes somebody else is doing it, no one is.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file