[liberationtech] Communities needed to mitigate heartbleed type bugs

Jonathan Wilkes jancsika at yahoo.com
Sat Apr 26 11:37:37 PDT 2014


On 04/25/2014 03:16 PM, Louis Suárez-Potts wrote:
> On 25 Apr  2014, at 14:21, Jonathan Wilkes <jancsika at yahoo.com> wrote:
>
>> On 04/23/2014 10:04 AM, Louis Suárez-Potts wrote:
>>> On 23 Apr  2014, at 08:38, Nick <liberationtech at njw.me.uk> wrote:
>>>
>>>> I took the liberty of changing the subject line to something that
>>>> hopefully somewhat summarises your email.
>>>>
>>>> Quoth Arnaud Legout:
>>>>> As polemical as it can be, deeply-held belief such as "I will always
>>>>> go for open source code because its security will
>>>>> be much higher than any closed source counterparts" should be
>>>>> seriously reconsidered
>>>>> when there is not a strong community of developers working on code
>>>>> maintenance.
>>>> There is a lot of shitty code around. That has always been the case,
>>>> and will always be so. Anyone who has used the OpenSSL codebase or
>>>> looked at it even briefly has seen that it's shitty years ago, and
>>>> probably won't have been too surprised by the recent heartbleed bug.
>>>> Strong code can and does come out of small teams, including those of
>>>> one or two people.  I would recommend rather than judging the
>>>> quality of a project by whether there is a "strong community of
>>>> developers" or how the project is financially backed, you take a few
>>>> minutes to look at the state of the source code. That isn't a deep
>>>> audit, of course, but can give you a sense for the tastes and cares
>>>> of the people behind the code.  Needless to say proprietary code
>>>> which forbids such examination should be avoided, for this and other
>>>> good reasons.
>>> When I was "leading" OpenOffice.org I proposed that students, mentored by employed experts and who would probably be project committers (and who might be in fact instructors at colleges and universities), learn about open source collaboration and also programming by working on outstanding bugs and other issues brought to their attention by their teachers and relevant project members. Other large open source projects had people with similar ideas and some, as we did, acted on it.
>>>
>>> The idea is not to exploit student labour; and I am aware that a lot of important work actually demands the attention of experts, not students. I am also aware that many professors and teachers are indeed moving to use open source projects' code for their classes. But more could probably be done both to uncover and even fix flawed and hoary code and also teach students open source collaboration techniques. (I also would mean for this to be a global effort, not particular to any one country or region.) Thus, one element of a solution could well be the promotion of known or suspected problem code and architecture for student investigation. Any proposed bug fixes would have to go through the usual (or even more than usual) protocols before inclusion into the accepted codebases.
>> It sounds like you want to foster a learning environment that has the added benefit of improving security software.  But in reality I think your proposal would create an environment for rationalizing insecurity.
> Okay; fair enough, though of course that's hardly what I or anyone else (who's like me) would want! Judging from your response, I think I wasn't very clear in my summary and proposal.

I understand the impetus.  It's a set of extraordinary circumstances, 
however.  Imagine if a handful of people had been warning scientists for 
the past decade about the need to defend the general population from 
aliens.  Imagine that the scientific consensus was that it's too costly 
to plan for the off chance that nefarious aliens even exist.

Then a rogue alien breaks off and tells the population that not only has 
there been an ongoing attack, but the aliens have infiltrated and 
weakened the scant protections put in place by the few scientists who 
cared to build and maintain them.

In that case, it doesn't make much sense for the scientific community to 
start a worldwide campaign to teach non-specialists how to detect and 
fix shoddy defenses.  It makes sense for the scientific community to 
come together, study what the rogue alien had to say, and come up with and 
_follow_ more scientific procedures to better defend against alien 
attacks.  Until that point, there isn't sufficient expertise to guide a 
large-scale (or even federated) education campaign.

When you combine that with inadequate funding, I don't see how you end 
up with anything except security theater like the TSA.  And while the 
TSA is better than nothing, I don't think it's the best use of already 
scant resources.

-Jonathan
