Question:
Has the Heartbleed debacle proved that even open source is vulnerable and far from foolproof?
Megan
2014-04-16 04:44:30 UTC
Open source may be supported by genius developers but its blind adoption can expose chinks in its armor, as evidenced by the OpenSSL bug. All it took was an oversight by a developer to unleash the Heartbleed hysteria.

For a long time, Microsoft bashers have had a field day with their discoveries of numerous vulnerabilities over the years. But all that seems to have been overshadowed by the news, panic and (mis)information about the Heartbleed bug.

That, and the sheer number of sites affected.

So does this mean that we should look at anything open source with healthy skepticism rather than idealistic awe?
Five answers:
Blackened
2014-04-16 05:56:39 UTC
It only proves that all software can be vulnerable. The biggest problem with this particular piece of software is that it was embedded into a myriad of devices and programs, a lot of which have no easy way of being automatically updated.

It'd be lovely if we were forced to create all our programs with dynamically linked software repositories that automatically updated vulnerable code, and that is the promise of the cloud. But a vulnerability like this just emphasizes how far we are from being able to handle bugs like this.

The culture of white hat hackers trying to hack big name software vendors won't change anytime soon, since they will usually spend their resources where there is money to be made and where there is notoriety to be gained. The reality is that hacking takes time and money, and hackers usually want a return on their investment. That's a shame, since we know that there are plenty of black hat hackers who won't discriminate on who created the vulnerability.
Tony RB
2014-04-16 16:18:00 UTC
It proves that well-meaning people make small mistakes that become big mistakes for other people who trust them.

The mistake that was made was that too few people did a thorough review of the code change. No one at IBM or Intel or Cisco spotted the mistake, and those three companies are huge supporters of Linux and other open-source software, and they all have enormous experience with networking. They had the source code but chose not to run checks on it to test the boundary conditions.

Richard Stallman did not spot the mistake either.

The programming mistake in this case was very simple: he did not check boundaries. Yet it was really several mistakes together.

As for other software, most software is so complex, and the languages used to create the software tend to obscure what they are really doing and are understood by so few, that reverse-engineering the software with the source code is difficult and expensive, and doesn't work if the language itself has bugs. Misunderstanding the language modules is also common, due to the bizarre definitions given to common words to describe the work the modules are doing.

Reverse-engineering the machine language is vastly more difficult. It's all one has when they get software from Microsoft or Apple, or from any developer who uses the program-creating software these two companies write, or from third-party companies.
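The "did not check boundaries" point in the answer above, shown as an added example that is not part of the original thread and not OpenSSL's own code: a simplified model of a TLS heartbeat record (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding, per RFC 6520), handled once by a function that trusts the peer's declared length, and once by a function with the length check the fix added (type + length field + payload + padding must fit inside the received record). The "arena" standing in for process memory and the secret string placed just after the record are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat message, added for illustration. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */
#define HB_MAX_LEN  0xFFFF      /* largest value the 2-byte length field holds */

/* "Process memory": the received record is written at the start of this
 * arena and a constructed secret is placed right after it, as adjacent
 * heap data might be in a real server. Large enough that any declared
 * length stays inside the arena, so the demo itself never reads out of bounds. */
static unsigned char arena[1 << 17];
static unsigned char response[3 + HB_MAX_LEN];
static const char secret[] = "PRIVATE-KEY-MATERIAL";   /* constructed */

/* Writes a request whose declared payload length may exceed the payload
 * actually sent. Returns the wire length of the record, 0 on bad input. */
static size_t build_record(size_t declared_len, size_t actual_len) {
    if (declared_len > HB_MAX_LEN || actual_len > HB_MAX_LEN) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xFF);
    memset(arena + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);  /* secret follows the record */
    return record_len;
}

/* Vulnerable handler: echoes back as many bytes as the peer *declared*,
 * never comparing that against how many bytes actually arrived.
 * Returns the number of payload bytes copied into the response. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);       /* reads past the record */
    return payload_len;
}

/* Hardened handler: same logic plus the boundary check. A record whose
 * declared payload (with header and padding) does not fit in what was
 * received is discarded. Returns 0 when discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;  /* too short to hold a length */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return payload_len;
}

/* Scenario helpers: each builds a request, runs one handler, and reports. */
size_t run_vulnerable(size_t declared_len, size_t actual_len) {
    size_t rec_len = build_record(declared_len, actual_len);
    return rec_len ? heartbeat_vulnerable(arena, rec_len, response) : 0;
}

size_t run_fixed(size_t declared_len, size_t actual_len) {
    size_t rec_len = build_record(declared_len, actual_len);
    return rec_len ? heartbeat_fixed(arena, rec_len, response) : 0;
}

/* 1 if the vulnerable handler's response contains the secret, else 0. */
int vulnerable_leaks(size_t declared_len, size_t actual_len) {
    size_t copied = run_vulnerable(declared_len, actual_len);
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= copied; i++)
        if (memcmp(response + 3 + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    /* Peer sends 4 payload bytes but claims 64. */
    size_t n = run_vulnerable(64, 4);
    printf("vulnerable: copied %zu bytes, leaks secret: %d\n", n,
           vulnerable_leaks(64, 4));
    printf("fixed: copied %zu bytes (0 = discarded)\n", run_fixed(64, 4));
    printf("fixed, honest request: copied %zu bytes\n", run_fixed(4, 4));
    return 0;
}
```

The only difference between the two handlers is the single comparison against `rec_len`; everything else, including the over-long `memcpy`, is identical, which is why a reviewer reading the diff for the feature rather than for its boundary conditions could miss it.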
2014-04-16 05:43:41 UTC
Wow, you have ONE major bug and determine that Open Source is the devil?!? You must have already hated it.

EVERY piece of software has the potential for security holes. How many security patches has Microsoft released JUST THIS YEAR? Even Java had some security issues last year, so it is not just Open Source software.

If anything, the Heartbleed situation shows us (yet again) that there is no perfect security. Anyone who thinks they cannot be hacked is deluding themselves. Even with Heartbleed patched, there is still the potential for being hacked, no matter which SSL you use.

The important thing to take back from this is that the NSA knew about Heartbleed for over 2 years, and didn't tell anyone. And if they knew, well, just think of how many hackers are smarter than them...
?
2014-04-16 04:59:05 UTC
No.

It proves (again) that there are untold numbers of hackers, located around the world, tirelessly attempting to exploit every line of code and unsecured piece of hardware for their own ends.

Open-source obviously isn't immune to this, and while Microsoft is obviously a huge target as well, they have also been responsible for knowingly selling software replete with security flaws, even after those flaws have been pointed out to them.
2014-04-16 04:49:37 UTC
It is just confirming that no software is a hundred percent bug free.

Which isn't something new.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.