FROM: Ruben Safir
SUBJECT: Re: [NYLXS - HANGOUT] Stupidity of the highest order ...
From owner-hangout-outgoing-at-mrbrklyn.com Mon Jun 16 12:14:33 2014
Received: by mrbrklyn.com (Postfix)
id EC40116113C; Mon, 16 Jun 2014 12:14:32 -0400 (EDT)
Received: by mrbrklyn.com (Postfix, from userid 28)
id DA592161140; Mon, 16 Jun 2014 12:14:32 -0400 (EDT)
Received: from mailbackend.panix.com (mailbackend.panix.com [22.214.171.124])
by mrbrklyn.com (Postfix) with ESMTP id 3EBBE16113C
for ; Mon, 16 Jun 2014 12:14:32 -0400 (EDT)
Received: from panix2.panix.com (panix2.panix.com [126.96.36.199])
by mailbackend.panix.com (Postfix) with ESMTP id AF6072E7FA;
Mon, 16 Jun 2014 12:14:31 -0400 (EDT)
Received: by panix2.panix.com (Postfix, from userid 20529)
id 78B7233CCD; Mon, 16 Jun 2014 12:14:31 -0400 (EDT)
Date: Mon, 16 Jun 2014 12:14:31 -0400
From: Ruben Safir
Subject: Re: [NYLXS - HANGOUT] Stupidity of the highest order ...
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.23 (2014-03-12)
On Mon, Jun 16, 2014 at 10:05:42AM -0400, einker wrote:
> Articles like this truly PISS ME OFF! Now, only Open Source Projects by
> their sheer adherence to open source philosophy are hampered by security
> flaws? BULLSHIT.
> I guess all Microsoft and Apple products never had any security issues (You
> wish!) and were pristine because commercial vendor tested them to a greater
> degree than open source projects.
> Give me a break! Commercial products are riddled with security and basic
> programming issues. Best of all, you will never know since you can't see
> the source/test and until it's way too late and you've been screwed.
> One of my favorites, OpenBSD (Calm down Ruben! Nothing personal and Theo
> does love you...) has only two remote holes in their base OS install in the
> last 10 or more years.
> It's amazing that Paul Rubens calls out open source / free software yet has
> the audacity to reference free and open source security programs on his
> website (rubens.org linking to http://www.clippings.me/paulrubens).
> Isn't it amazing how you use the products but then bash their security
> status and have the nerve to say that security reviews were never done.
> For what it's worth, if you have doubts/concerns about open source / free
> software, do the rest of the planet a real service, don't use it. More
> importantly, dig your head from out of your ass and check out the plethora
> of open source / free source projects that have been responsible for
> running and maintaining the internet for years. I would strongly suggest
> looking at netcraft surveys and then ask why is everyone using free OS /
> servers to host on as opposed
> to commercial offerings. Could it be SECURITY, VIABILITY or even should I
> say it..... Best software going for the job!
> For the Rubens of the World, please all turn off your computers whatever
> you are using and please go live in a cave with the other Neanderthals!
> Why open source software isn't as secure as you think
> A failure to spot a necessary validation in OpenSSL code before an update
> caused the Heartbleed bug
> Paul Rubens (CIO (US)) on 13 June, 2014 08:56
> The OpenSSL Heartbleed fiasco
> proves beyond any doubt what many people have suspected for a long time:
> Just because open source code is available for inspection doesn't mean it's
> actually being inspected and is secure.
> It's an important point, as the security of open source software relies on
> large numbers of sufficiently knowledgeable programmers scrutinising the
> code to root out and fix bugs promptly. This is summed up in Linus's Law:
> "Given enough eyeballs, all bugs are shallow."
> But look at what happened with OpenSSL. Robin Seggelmann, a German
> programmer from Munster University, updated the OpenSSL code by adding a
> new Heartbeat keep-alive function. Unfortunately, he missed a necessary
> validation in his code to check that one particular variable had a
> realistic value.
> The member of the OpenSSL development team who checked the code before the
> update was released also missed it. This caused the Heartbleed bug.
> One reviewer, even a handful of reviewers, can easily miss a trivial error
> such as this if they don't know there's a bug to be found. What's worrying
> is that, for two years, the Heartbleed bug existed in OpenSSL, in browsers
> and in Web servers, yet no one in the open source community spotted it. Not
> enough eyeballs scrutinised the code.
> *Commercial vendors don't review open source code*
I was expecting to have more feedback on this as it happened but even at
this late date, just to point out some of the fallacy of this moronic
rant by a clearly undereducated writer, is that most Free Software
projects are INDEED written, funded and scrutinized by commercial
vendors. They go through a huge number of security checks and are
written and overseen by the world's best programming talent.
Also, the noted expected security fix, checking if a variable result is
within an expected range, that is not only a crappy way of making code
secure, it is a sure way to bring the speed of software to a crawl.
Additionally, by the time the variable is overloaded, it's a bit late to
check its size. This is not an efficient or secure means of dealing
Outlook Express however, nobody can vouch for that. And we do know it is not
> Also alarming is that OpenSSL was used as a component in hardware products
> offered by commercial vendors such as F5 Networks, Citrix Systems, Riverbed
> Technology and Barracuda Networks - all of whom failed to scrutinise the
> code adequately before using it, according to Mamoon Yunus, CEO of Forum
> Systems, a secure cloud gateway vendor.
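For the "necessary validation" the quoted article refers to, here is an added example (not code from this thread, and not OpenSSL's own code) of a simplified heartbeat record parser that does the check: the peer's claimed payload length is compared against the number of bytes actually received before anything is copied. The names hb_parse, hb_build and hb_demo are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified TLS heartbeat record: 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. Added example, not
 * OpenSSL code; the real message has the same layout. */
#define HB_REQUEST 1
#define HB_HDR_LEN 3
#define HB_PAD_LEN 16

/* Copies the payload to out (capacity out_cap) and returns its length,
 * or -1 when the record must be dropped silently. */
int hb_parse(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The validation Heartbleed lacked: one integer compare, done before any
     * copy, so the memcpy below can never read past the bytes received. */
    if (HB_HDR_LEN + payload_len + HB_PAD_LEN > rec_len || payload_len > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Builds a constructed request whose claimed length may differ from the
 * real payload length; returns the record size written to buf. */
size_t hb_build(uint8_t *buf, size_t cap, uint16_t claimed_len, const uint8_t *payload, size_t real_len)
{
    size_t total = HB_HDR_LEN + real_len + HB_PAD_LEN;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HDR_LEN, payload, real_len);
    memset(buf + HB_HDR_LEN + real_len, 0, HB_PAD_LEN);
    return total;
}

/* Feeds a constructed 5-byte "hello" request with the given claimed length
 * through the parser; returns its result, or -2 if the echo is corrupted. */
int hb_demo(uint16_t claimed_len)
{
    uint8_t rec[64], out[64];
    size_t n = hb_build(rec, sizeof rec, claimed_len, (const uint8_t *)"hello", 5);
    int r = hb_parse(rec, n, out, sizeof out);
    if (r > 0 && memcmp(out, "hello", 5) != 0) return -2;
    return r;
}
```

An honest request (claimed length 5) is echoed; a request claiming 65535 bytes, or even one byte more than was sent, is dropped before any copy happens.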