{"id":25096,"date":"2014-04-11T07:03:00","date_gmt":"2014-04-11T12:03:00","guid":{"rendered":"http:\/\/quotulatiousness.ca\/blog\/?p=25096"},"modified":"2014-04-11T08:17:04","modified_gmt":"2014-04-11T13:17:04","slug":"open-source-software-and-the-heartbleed-bug","status":"publish","type":"post","link":"https:\/\/quotulatiousness.ca\/blog\/2014\/04\/11\/open-source-software-and-the-heartbleed-bug\/","title":{"rendered":"Open source software and the Heartbleed bug"},"content":{"rendered":"<p>Some people are claiming that the Heartbleed bug proves that open source software is a failure. <a href=\"http:\/\/esr.ibiblio.org\/?p=5665\" target=\"_blank\">ESR<\/a> quickly addresses that idiotic claim:<\/p>\n<blockquote><p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/quotulatiousness.ca\/blog\/wp-content\/uploads\/2014\/04\/Heartbleed-bug-123x150.png\" alt=\"Heartbleed bug\" width=\"123\" height=\"150\" class=\"alignright size-thumbnail wp-image-25098\" srcset=\"https:\/\/quotulatiousness.ca\/blog\/wp-content\/uploads\/2014\/04\/Heartbleed-bug-123x150.png 123w, https:\/\/quotulatiousness.ca\/blog\/wp-content\/uploads\/2014\/04\/Heartbleed-bug.png 341w\" sizes=\"auto, (max-width: 123px) 100vw, 123px\" \/>I actually chuckled when I read rumor that the few anti-open-source advocates still standing were crowing about the Heartbleed bug, because I\u2019ve seen this movie before after every serious security flap in an open-source tool. The script, which includes a bunch of people indignantly exclaiming that many-eyeballs is useless because bug X lurked in a dusty corner for Y months, is so predictable that I can anticipate a lot of the lines.<\/p>\n<p>The mistake being made here is a classic example of Frederic Bastiat\u2019s \u201cthings seen versus things unseen\u201d. 
Critics of Linus\u2019s Law overweight the bug they can see and underweight the high probability that equivalently positioned closed-source security flaws they can\u2019t see are actually far worse, just so far undiscovered.<\/p>\n<p>That\u2019s how it seems to go whenever we get a hint of the defect rate inside closed-source blobs, anyway. As a very pertinent example, in the last couple months I\u2019ve learned some things about the security-defect density in proprietary firmware on residential and small business Internet routers that would absolutely curl your hair. It\u2019s far, far worse than most people understand out there.<\/p>\n<p>[&#8230;]<\/p>\n<p>Ironically enough this will happen precisely because the open-source process is working \u2026 while, elsewhere, bugs that are far worse lurk in closed-source router firmware. Things seen vs. things unseen\u2026<\/p>\n<p>Returning to Heartbleed, one thing conspicuously missing from the downshouting against OpenSSL is any pointer to an implementation that is known to have a lower defect rate over time. This is for the very good reason that no such empirically-better implementation exists. What is the defect history on proprietary SSL\/TLS blobs out there? We don\u2019t know; the vendors aren\u2019t saying. And we can\u2019t even estimate the quality of their code, because we can\u2019t audit it.<\/p>\n<p>The response to the Heartbleed bug illustrates another huge advantage of open source: how rapidly we can push fixes. The repair for my Linux systems was a push-one-button fix less than two days after the bug hit the news. Proprietary-software customers will be lucky to see a fix within two months, and all too many of them will never see a fix patch. 
<\/p><\/blockquote>\n<p><strong>Update<\/strong>: There are lots of sites offering tools to test whether a given site is vulnerable to the Heartbleed bug, but you need to step carefully there, as there&#8217;s a thin line between what&#8217;s legal in some countries and <a href=\"http:\/\/www.theregister.co.uk\/2014\/04\/11\/heartbleed_health_checking_services_may_be_illegal\/\" target=\"_blank\">what counts as an illegal break-in attempt<\/a>:<\/p>\n<blockquote><p>Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL&#8217;s mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.<\/p>\n<p>Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission.<\/p>\n<p>Testing to see what version of OpenSSL a site is running, and whether it also supports the vulnerable Heartbeat protocol, would be legal. But doing anything more active &mdash; without permission from website owners &mdash; would take security researchers onto the wrong side of the law.<\/p><\/blockquote>\n<p>And you shouldn&#8217;t just rush out and change all your passwords right now (you&#8217;ll probably need to do it, but the timing matters):<\/p>\n<blockquote><p>Heartbleed is a catastrophic bug in widely used OpenSSL that creates a means for attackers to lift passwords, crypto-keys and other sensitive data from the memory of secure server software, 64KB at a time. The mega-vulnerability was patched earlier this week, and software should be updated to use the new version, 1.0.1g. 
But to fully clean up the problem, admins of at-risk servers should generate new public-private key pairs, destroy their session cookies, and update their SSL certificates before telling users to change every potentially compromised password on the vulnerable systems.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Some people are claiming that the Heartbleed bug proves that open source software is a failure. ESR quickly addresses that idiotic claim: I actually chuckled when I read rumor that the few anti-open-source advocates still standing were crowing about the Heartbleed bug, because I\u2019ve seen this movie before after every serious security flap in an [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[15],"tags":[129,58,93,334,92],"class_list":["post-25096","post","type-post","status-publish","format-standard","hentry","category-technology","tag-hack","tag-internet","tag-opensource","tag-security","tag-software"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p2hpV6-6wM","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/25096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/comments?post=25096"}],"version-his
tory":[{"count":4,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/25096\/revisions"}],"predecessor-version":[{"id":25107,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/posts\/25096\/revisions\/25107"}],"wp:attachment":[{"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/media?parent=25096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/categories?post=25096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/quotulatiousness.ca\/blog\/wp-json\/wp\/v2\/tags?post=25096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}