LINUX BLOG SAFARI

FOSS and the Fear Factor

In a world that’s been dominated for far too long by the Systemd Inferno, Linux fans will have to be forgiven if they seize perhaps a bit too gleefully upon the scraps of cheerful news that come along on any given day.

Of course, for cheerful news, there’s never any better place to look than the Reglue effort. Run by longtime Linux advocate and all-around-hero-for-kids Ken Starks, as alert readers may recall, Reglue just last week launched a brand-new fundraising effort on Indiegogo to support its efforts over the coming year.

Since 2005, Reglue has placed more than 1,600 donated and then refurbished computers into the homes of financially disadvantaged kids in Central Texas. Over the next year, it aims to place 200 more, as well as paying for the first 90 days of Internet connection for each of them.

“As overused as the term is, the ‘Digital Divide’ is alive and well in some parts of America,” Starks explained. “We will bridge that divide where we can.”

How’s that for a heaping helping of hope and inspiration?

Windows as Attack Vector

Offering discouraged FOSS fans a bit of well-earned validation, meanwhile — and perhaps even a bit of levity — is the news that Russian hackers apparently have begun using Windows as a weapon against the rest of the world.

“Russian hackers use Windows against NATO” is the headline over at Fortune, making it plain for all the world to see that Windows isn’t the bastion of security some might say it is.

The sarcasm is knee-deep in the comments section on Google+ over that one.

‘Hackers Shake Confidence’

Of course, malicious hacking is no laughing matter, and the FOSS world has gotten a bitter taste of the effects for itself in recent months with the Heartbleed and Shellshock flaws, to name just two.

Has it been enough to scare Linux aficionados away?

That essentially is the suggestion over at Bloomberg, whose story, entitled “Hackers Shake Confidence in 1980s Free Software Idealism,” has gotten more than a few FOSS fans’ knickers in a twist.

‘No Software Is Perfect’

“None of this has shaken my confidence in the slightest,” asserted Linux Rants blogger Mike Stone down at the blogosphere’s Broken Windows Lounge, for instance.

“I remember a time when you couldn’t put a Windows machine on the network without firewall software or it would be infected with viruses/malware in seconds,” he explained. “I don’t recall the articles claiming that confidence had been shaken in Microsoft.

“The fact of the matter is that no software is perfect, not even FOSS, but it comes closer than the alternatives,” Stone opined.

‘My Faith Is Just Fine’

“It is hard to even begin to get into where the Bloomberg article fails,” began consultant and Slashdot blogger Gerhard Mack.

“For one, decompilers have existed for ages and allow black hats to find flaws in proprietary software, so the black-hats can find problems but cannot admit they found them let alone fix them,” Mack explained. “Secondly, it has been a long time since most open source was volunteer-written, and most contributions need to be paid.

“The author goes on to rip into people who use open source for not contributing monetarily, when most of the listed companies are already Linux Foundation members, so they are already contributing,” he added.

In short, “my faith in open source is just fine, and no clickbait Bloomberg article will change that,” Mack concluded.

‘The Author Is Wrong’

“Clickbait” is also the term Google+ blogger Alessandro Ebersol chose to describe the Bloomberg account.

“I could not see the point the author was trying to make, except sensationalism and views,” he told Linux Girl.

“The author is wrong,” Ebersol charged. “He should educate himself on the topic. The flaws are results of lack of funding, and too many corporations taking advantage of free software and giving nothing back.”

Moreover, “I still believe that a piece of code that can be studied and checked by many is far more secure than a piece made by a few,” Google+ blogger Gonzalo Velasco C. chimed in.

“All the rumors that FLOSS is as weak as proprietary software are only FUD — period,” he said. “It is even more sad when it comes from private companies that drink in the FLOSS fountain.”

‘Source Helps Ensure Security’

Chris Travers, a blogger who works on the LedgerSMB project, had a similar view.

“I do think that having the source available helps ensure security for well-designed, well-maintained software,” he began.

“Those of us who do development on such software must necessarily approach the security process under a different set of constraints than proprietary vendors do,” Travers explained.

“Since our code changes are public, when we release a security fix this also provides effectively full disclosure,” he said, “ensuring that the concerns for unpatched systems are higher than they would be for proprietary solutions absent full disclosure.”

At the same time, “this disclosure cuts both ways, as software security vendors can use this to provide further testing and uncover more problems,” Travers pointed out. “In the long run, this leads to more secure software, but in the short run it has security costs for users.”

Bottom line: “If there is good communication with the community, if there is good software maintenance and if there is good design,” he said, “then the software will be secure.”

‘Source Code Isn’t Magic Fairy Dust’

SoylentNews blogger hairyfeet had a very different view.

“‘Many eyes’ is a complete and total myth,” hairyfeet charged. “I bet my last dollar that if you looked at every.single.package. that makes up your most popular distros and then looked at how many have actually downloaded the source for those various packages, you’d find that there is less than 30 percent of the packages that are downloaded by anybody but the guys that actually maintain the things.

“How many people have done a code audit on Firefox? LibreOffice? Gimp? I bet you won’t find a single one, because everybody ASSUMES that somebody else did it,” he added.

“At the end of the day, Wall Street is finding out what guys like me have been saying for years: Source code isn’t magic fairy dust that makes the bugs go away,” hairyfeet observed.

‘No One Actually Looked at It’

“The problem with SSL was that everyone assumed the code was good, but almost no one had actually looked at it, so you never had the ‘many eyeballs’ making the bugs shallow,” Google+ blogger Kevin O’Brien conceded.

Still, “I think the methodology and the idealism are separable,” he suggested. “Open source is a way of writing software in which the value created for everyone is much greater than the value captured by any one entity, which is why it is so powerful.

“The idea that corporate contributions somehow sully the purity is a stupid idea,” added O’Brien. “Corporate involvement is not inherently bad; what is bad is trying to lock other people out of the value created. Many companies handle this well, such as Red Hat.”

‘The Right Way to Do IT’

Last but not least, “my confidence in FLOSS is unshaken,” blogger Robert Pogson declared.

“After all, I need software to run my computers, and as bad as some flaws are in FLOSS, that vulnerability pales into insignificance compared to the flaws in that other OS — you know, the one that thinks images are executable and has so much complexity that no one, not even M$ with its $billions, can fix.”

FOSS is “the right way to do IT,” Pogson added. “The world can and does make its own software, and the world has more and better programmers than the big corporations.

“Those big corporations use FLOSS and should support FLOSS,” he maintained, offering “thanks to the corporations who hire FLOSS programmers; sponsor websites, mirrors and projects; and who give back code — the fuel in the FLOSS economy.”

Katherine Noyes is always on duty in her role as Linux Girl, whose cape she has worn since 2007. A mild-mannered journalist by day, she spends her evenings haunting the seedy bars and watering holes of the Linux blogosphere in search of the latest gossip. You can also find her on Twitter and Google+.

2 Comments

  • "’Many eyes’ is a complete and total myth," hairyfeet is completely wrong. The real myth is that FOSS is maintained by pale, unemployed hackers living in their parents’ basements finding meaning in their pathetic lives by spending their days poring over FOSS code.

    The difference between FOSS and proprietary software is that when a corporation with resources such as in house employees with the ability to write code find a problem in FOSS software, or something they simply don’t like, or something they would like to add, they don’t have to wait for weeks, months or years to go through the process of submitting bug reports, suggestions, or support requests to the developer of the software they are using and wait for those developers to get around to handling their requests and producing a fix or adding a feature. They can do it themselves, and then submit their work to the maintainers of the software for everyone to take advantage of, if it is acceptable.

    All you need to do is look at the difference between what happened with Heartbleed and Shellshock, and what happens with serious problems with proprietary software developed by companies like M$ and Apple. With Heartbleed and Shellshock, fixes were available within hours of the vulnerabilities becoming common knowledge. With M$ and Apple it’s typical for that kind of fix to take at least a week before it becomes available through the proprietary patching services.

    Or you can have a situation such as the vulnerabilities in the sidebar systems in Windows Vista and 7, where M$ just threw up its hands, refused to fix it, and told everyone to stop using it, in spite of the fact that not using it eliminates some significant functionality of the operating system, which is not yet end of life and unsupported, and which literally millions are still using. That would never happen with FOSS software that was still being actively maintained and had a significant user base.

    • Uh huh, how’s that Shellshock BASHing coming along? Bash was the MOST VETTED CODE IN THE HISTORY OF FOSS and you STILL got royally pwned and pwned hard. Oh, and who cost the world billions with Heartbleed?

      "Many eyes" is no different than Santa and the Tooth Fairy; it’s a myth. You wanna know what those lovely corporations give you? systemd, Linux’ very own SVCHOST, binary-logging, ever-growing corporate love letter to the Linux community. Don’t want it? Tough, just like Pulse you are getting it anyway.

      Say what you will, but at least Windows users have the power of voting with their wallets; what power have you got? Pulse, KDE 4, systemd all show you have NO power, NO ability to do anything but take what you are given. What happened when MSFT tried to pull a systemd with Metro? The users used the power of the wallet, and now we have the most lovely Windows 10, the increased speed of Windows 8 with the nice GUI of Windows 7.

      If you wanna believe in "many eyes" or the Easter Bunny or a flat earth? Go right ahead, but the BASHing, Heartbleed, the 17-year-old Debian bug that was fixed last year? Drive a stake right through the heart of that myth.
