Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2005-10-02
Bullshit, and nice trolling btw.
Companies have little financial incentive to audit their code, not even when explicitly paid for it. They will audit the code exactly as little as they can get away with - and no more. There's a reason the most insecure software packages are proprietary packages. Because they cannot be effectively audited.
FLOSS projects have an incentive that no proprietary project will ever have: Street credit.
Member since:2008-03-17
How about being a little less hostile?
Many companies do as little as possible but there are also those that do an average job and those that do an excellent job. Blanket statement FAIL.
Security Companies DO have financial incentives to audit their code as it would be highly embarrassing and financially damaging if things like this were to be found.
The "Real" difference between closed source is that number and variety of people that can look at the code increasing coverage against poor coding or just plain human error (in the code and in checking the code).
However, there is not real statistical way to accurately quantify security verification. Are 3 less intelligent/fastidious code checkers in an OSS project than 1 very fastidious/Intelligent code checker better?
The fact that OSS is more secure is still only a (probable) hypothesis. NOT 100% proven theory.
I would say that it is likely that the low hanging security bugs are more likely to be caught in OSS that closed source, but the really tricky stuff in critical software is probably a much more level playing field.
Edited 2010-12-15 14:53 UTC
Member since:2006-02-05
I am literally in the middle of exactly that kind of audit right now.
Our customers care about that kind of thing, they care about our test coverage, and they care about our engineering practices. They are serious companies that are literally putting their future in the hands of our software, and our answers to those kinds of questions can be the difference between making a sale, and losing it.
The reason that I said "to argue the other side" is because I don't really agree with the origional post, exactly because of the street cred thing. It is rare to have security experts reviewing open source code to prove they are badasses publically, but at the same time its rare for a company to have the engineering practices we do, and I don't think one really trumps the other.
Member since:2010-05-19
Member since:2008-03-17
Did you actually read what he wrote instead of imagining what he didn't write?
He did not say that open source developers don't get paid. Just that Closed source companies have incentives to improve their code.
Red Hat has incentives to make sure that the code they ship is good. The difference is that the burden on maintaining and fixing the code isn't solely Red Hats responsibility.
A closed source company has sole responsibility for their code, theoretically they should be more paranoid therefore paying people to ship and check good software.
Where Red hat has to build trust and in turn trust the community for the software it supports, the closed source company has to put developers/money on the code to fix/maintain.
Both can be better or worse. in OSS less popular software has fewer eyeballs checking the source, In closed source a company has to put competent people because they can't make up the diversity and volume of eyballs that a OSS project has.
Member since:2006-02-05
security audits are boring things. many aspects of writing code are pure fun, that is not one of them. I have added features I thought would be cool to open source projects many times before, I have fixed bugs I have run into many times before, but I have never done an audit of a codebase.
On the flip side, thats what I have been doing at work for the last few weeks. Boring as hell, and wouldn't do it if I wasn't getting paid.
Member since:2006-02-05
Member since:2007-03-06
Member since:2010-05-19
Heh.
Precisely.
http://www.junauza.com/2010/12/top-50-programming-quotes-of-all-tim...
“If McDonalds were run like a software company, one out of every hundred Big Macs would give you food poisoning, and the response would be, ‘We’re sorry, here’s a coupon for two more.’ “
- Mark Minasi
Posted here on the 14th.
Member since:2006-02-05
"Microsoft has sensationally abandoned its controversial plans to restrict the sharing of XBox One games, and has also removed daily online authentication requirements for its forthcoming console", reports The Guardian. They had no choice. Still a good move."A snippet of code in the Steam digital distribution platform has revealed that Valve may be planning to let users easily share their games with friends in the future. The Verge has verified the code's authenticity, which was originally spotted by a member of the NeoGAF gaming forum; the code references a 'shared game library' and a notification that would alert a user when their games are currently in use by a borrower." This would change the, uh, game.
Official Apple statement on PRISM and privacy: "Regardless of the circumstances, our Legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities. In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it." This is basically Apple re-publishing their earlier statement in a more official manner. You either believe it, or you don't.
The open source Contiki operating system and its commercial Thingsquare distribution are making strides towards the connected home. According to a Computerworld article, a new LED light bulb manufacturer is putting small computers into their light bulbs. Each computer runs the Contiki OS, which gives each bulb an IP address and allows them to be controlled with a smartphone application. To connect the bulbs to the application, the bulbs use both Wi-Fi and the much lower power IEEE 802.15.4 mesh technology.
"Google asked the secretive Foreign Intelligence Surveillance Court on Tuesday to ease long-standing gag orders over data requests it makes, arguing that the company has a constitutional right to speak about information it's forced to give the government. The legal filing, which cites the First Amendment's guarantee of free speech, is the latest move by the California-based tech giant to protect its reputation in the aftermath of news reports about sweeping National Security Agency surveillance of Internet traffic." Draining the ditch after the cow has drowned in it."I can't find one person who has been using the Nexus 7 for an extended period of time, and hasn't seen a massive downgrade in performance. Just what kind of downgrade are we talking here? I cannot pick up my Nexus 7 without experiencing problems like a lag of ten seconds, or more, just to rotate the display; touches refusing to acknowledged; stuttering notification panel actions; and unresponsive apps." Fully and utterly agreed. My Nexus 7 was blazing-fast and awesome for a few months, and at some point, it just started sucking. Just like that. I've tried loads of ROMs, and nothing helps.A new release of the hobby operating system MenuetOS! The release notes are a bit non-descript, but you'll have to take what you can get: "updates and improvements (picview, httpc, ehci, ...)"."The Internet is one of the most transformative technologies of our lifetimes. But for 2 out of every 3 people on earth, a fast, affordable Internet connection is still out of reach. And this is far from being a solved problem. There are many terrestrial challenges to Internet connectivity - jungles, archipelagos, mountains. There are also major cost challenges. Right now, for example, in most of the countries in the southern hemisphere, the cost of an Internet connection is more than a month's income. Solving these problems isn't simply a question of time: it requires looking at the problem of access from new angles. So today we're unveiling our latest moonshot from Google[x]: balloon-powered Internet access." Insane."MineAssemble is a tiny bootable Minecraft clone written partly in x86 assembly. I made it first and foremost because a university assignment required me to implement a game in assembly for a computer systems course. Because I had never implemented anything more complex than a 'Hello World' bootloader before, I decided I wanted to learn about writing my own kernel code at the same time. Note that the goal of this project was not to write highly efficient hand-optimized assembly code, but rather to have fun and write code that balances readability and speed. This is primarily accomplished by proper commenting and consistent code structuring." Just cool.
Jon Rubinstein, former CEO of Palm: "Well, I'm not sure I would have sold the company to HP. That's for sure. Talk about a waste. Not that I had any choice because when you sell a company you don't get to decide that. Obviously, the board and shareholders decide that. If we had known they were just going to shut it down and never really give it a chance to flourish, what would have been the point of selling the company? I think the deal we had with Verizon really hurt us, but who knew that at the time? These things are all hindsight."
Member since:
2006-02-05
To argue the other side; With closed source, a company has financial incentive to audit their code, since they can be sued if something goes wrong. In open source, nobody has that incentive.