Discussion:
New 'Bash' software bug may pose bigger threat than 'Heartbleed'
Mok-Kong Shen
2014-09-28 13:05:39 UTC
http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924

Only not very long ago was the Heartbleed Bug publicly known. Such
recurring stories very seriously question the trustworthiness of
open-source IT-security software that is commonly implicitly involved
in Internet communications (i.e. rather independent of whether the end
users like them or not). For some of my personal opinions, see the
prologue and epilogue in http://s13.zetaboards.com/Crypto/topic/7234475/1/

M. K. Shen
William Unruh
2014-09-28 16:13:34 UTC
Post by Mok-Kong Shen
http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924
Only not very long ago was the Heartbleed Bug publicly known. Such
recurring stories very seriously question the trustworthiness of
open-source IT-security software that is commonly implicitly involved
in Internet communications (i.e. rather independent of whether the end
users like them or not). For some of my personal opinions, see the
prologue and epilogue in http://s13.zetaboards.com/Crypto/topic/7234475/1/
And why would we want your personal opinion?
What expertise in software, security, or open source do you have that
your opinion should be worth reading?

The bash bugs have now been fixed. They were found, not through attacks
but through auditing of the open source code.
Post by Mok-Kong Shen
M. K. Shen
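The check a practitioner would want at this point in the thread, as an added example that is not part of the thread and not code from the bash project: a probe for the original Shellshock behaviour (CVE-2014-6271), the bug the Reuters story above reports on. Unpatched bash imported any environment variable whose value began with "() {" as a function definition and, while parsing it, also executed whatever text followed the closing brace; a patched bash does not import such a variable at all. The script assumes a `bash` on PATH (or a path passed as the first argument); the marker string and the "fake vulnerable bash" stand-in are constructed here so the positive branch can be exercised without keeping an unpatched bash around.

```shell
#!/bin/sh
# Added example, not code from the thread or from the bash project.
# shellshock_probe [path-to-bash]  (defaults to "bash" found on PATH)
# Prints "vulnerable", "patched" or "missing"; returns 0, 0 or 2.
shellshock_probe() {
    bash_bin=${1:-bash}
    command -v "$bash_bin" >/dev/null 2>&1 || { echo missing; return 2; }
    # Empty function body, then a marker command (constructed). Only an
    # unpatched bash prints the marker, and it does so while starting up,
    # before it runs the -c script.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# Constructed stand-in for an unpatched interpreter (a hypothetical script,
# not real bash): it imitates only the one behaviour the probe looks for.
# Prints the path of the script it created; the caller removes it.
make_fake_vulnerable_bash() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
#!/bin/sh
# Imitate the unpatched importer: run whatever follows the function body in $x.
case $x in
    "() {"*) eval "$(printf '%s' "$x" | sed 's/^() {[^}]*};//')" ;;
esac
[ "$1" = -c ] && sh -c "$2"
EOF
    chmod +x "$f"
    echo "$f"
}

# Stand-alone run: report on the real bash, then show the probe catching the fake.
echo "system bash: $(shellshock_probe)"
fake=$(make_fake_vulnerable_bash)
echo "fake unpatched bash: $(shellshock_probe "$fake")"
rm -f "$fake"
```

The probe deliberately uses `env` rather than a plain shell assignment so the variable reaches the child through its environment, which is the path the bug abused (CGI headers, SSH forced commands, DHCP options and the like). It only covers the first Shellshock CVE; the follow-up parser bugs fixed in later patches need their own probes.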
Mok-Kong Shen
2014-09-30 09:42:18 UTC
Post by William Unruh
The bash bugs have now been fixed. They were found, not through attacks
but through auditing of the open source code.
Who "surely" knows that the bugs had not been exploited in the past?

M. K. Shen
William Unruh
2014-09-30 18:10:24 UTC
Post by Mok-Kong Shen
Post by William Unruh
The bash bugs have now been fixed. They were found, not through attacks
but through auditing of the open source code.
Who "surely" knows that the bugs had not been exploited in the past?
no one except the ones who exploited them (e.g., NSA?)
As I said, they were not found through attacks, so if someone else
found them and exploited them, they were careful and discreet.
Post by Mok-Kong Shen
M. K. Shen
Mok-Kong Shen
2014-09-30 19:07:29 UTC
Post by William Unruh
Post by Mok-Kong Shen
Post by William Unruh
The bash bugs have now been fixed. They were found, not through attacks
but through auditing of the open source code.
Who "surely" knows that the bugs had not been exploited in the past?
no one except the ones who exploited them (e.g., NSA?)
As I said, they were not found through attacks, so if someone else
found them and exploited them, they were careful and discreet.
That the bugs now had been publicly found and how they were
found might be as such quite interesting. However, IMHO such
matters don't affect the fact that large and/or poorly documented
open-source software have a very serious intrinsic problem, namely
that independent experts may not have in general the time and/or
interest to examine them in all details and that implies quite
naturally that bugs would have a significant probability of remaining
a long time unknown to the public, if at all, such that, in case some
bad guys happen to be able to detect the bugs (of course they wouldn't
tell of their discoveries) and exploit them, catastrophes could result
and some of these catastrophes might remain unknown forever even to
the victims.

Is there any really entirely satisfactory solution to that? I highly
doubt that. I guess that one feasible remedy (not any 100% solution)
may be to sacrifice much efficiency and have the coding be done
in some sort of very high level language such that a correctness
check would be much more simply doable and then have perhaps a hierarchy
of good compilers/interpreters to transform the carefully examined
codes automatically to the corresponding executable files.

M. K. Shen
William Unruh
2014-09-30 22:28:12 UTC
Post by Mok-Kong Shen
Post by William Unruh
Post by Mok-Kong Shen
Post by William Unruh
The bash bugs have now been fixed. They were found, not through attacks
but through auditing of the open source code.
Who "surely" knows that the bugs had not been exploited in the past?
no one except the ones who exploited them (e.g., NSA?)
As I said, they were not found through attacks, so if someone else
found them and exploited them, they were careful and discreet.
That the bugs now had been publicly found and how they were
found might be as such quite interesting. However, IMHO such
matters don't affect the fact that large and/or poorly documented
bash is large and is absurdly well documented (well, the flippant tone of
the comments puts one off at times, but almost every line is commented.)
Post by Mok-Kong Shen
open-source software have a very serious intrinsic problem, namely
that independent experts may not have in general the time and/or
interest to examine them in all details and that implies quite
naturally that bugs would have a significant probability of remaining
That is far more likely for a closed source program since very few can
read the source, and most of those are under pressure to produce new
code, not gaze at old code.
Like democracy, open source is not perfect, just better than the
options.
Post by Mok-Kong Shen
a long time unknown to the public, if at all, such that, in case some
bad guys happen to be able to detect the bugs (of course they wouldn't
tell of their discoveries) and exploit them, catastrophes could result
and some of these catastrophes might remain unknown forever even to
the victims.
If they remain unknown to the victim, they are hardly catastrophes.

Yes, I agree bugs are bad. The question is, what is the best way of
eliminating them. They will occur.
Post by Mok-Kong Shen
Is there any really entirely satisfactory solution to that? I highly
doubt that. I guess that one feasible remedy (not any 100% solution)
may be to sacrifice much efficiency and have the coding be done
in some sort of very high level language such that a correctness
check would be much more simply doable and then have perhaps a hierarchy
of good compilers/interpreters to transform the carefully examined
codes automatically to the corresponding executable files.
M. K. Shen
Mok-Kong Shen
2014-10-01 14:16:09 UTC
Post by William Unruh
Post by Mok-Kong Shen
That the bugs now had been publicly found and how they were
found might be as such quite interesting. However, IMHO such
matters don't affect the fact that large and/or poorly documented
bash is large and is absurdly well documented (well, the flippant tone of
the comments puts one off at times, but almost every line is commented.)
I wrote "and/or" above. Analogy: The sheer huge volume of a book could
be a negative criterion for people to purchase and read it.
Post by William Unruh
Post by Mok-Kong Shen
open-source software have a very serious intrinsic problem, namely
that independent experts may not have in general the time and/or
interest to examine them in all details and that implies quite
naturally that bugs would have a significant probability of remaining
That is far more likely for a closed source program since very few can
read the source, and most of those are under pressure to produce new
code, not gaze at old code.
Like democracy, open source is not perfect, just better than the
options.
Post by Mok-Kong Shen
a long time unknown to the public, if at all, such that, in case some
bad guys happen to be able to detect the bugs (of course they wouldn't
tell of their discoveries) and exploit them, catastrophes could result
and some of these catastrophes might remain unknown forever even to
the victims.
If they remain unknown to the victim, they are hardly catastrophes.
When two firms compete for a contract with a purchaser, it could
well happen that leakage of some critical information of one firm
could cause it to fail to get the contract, even though it should
otherwise get it. Now if the espionage is well done and that other
firm is competent enough to eliminate all traces of its bad
activities, one would have such a case, for the first firm remains
forever ignorant of that leakage and would think that its failure
was due to some bad luck etc.
Post by William Unruh
Yes, I agree bugs are bad. The question is, what is the best way of
eliminating them. They will occur.
I wrote some thoughts below. I know that's very hard to realize but
believe that's anyway one of the promising directions.

M. K. Shen
Post by William Unruh
Post by Mok-Kong Shen
Is there any really entirely satisfactory solution to that? I highly
doubt that. I guess that one feasible remedy (not any 100% solution)
may be to sacrifice much efficiency and have the coding be done
in some sort of very high level language such that a correctness
check would be much more simply doable and then have perhaps a hierarchy
of good compilers/interpreters to transform the carefully examined
codes automatically to the corresponding executable files.
M. K. Shen
Benoit
2014-10-01 15:17:17 UTC
However, IMHO such matters don't affect the fact that large and/or poorly
documented open-source software have a very serious intrinsic problem,
namely that independent experts may not have in general the time and/or
interest to examine them in all details and that implies quite naturally
that bugs would have a significant probability of remaining a long time
unknown to the public, if at all, such that, in case some bad guys happen
to be able to detect the bugs (of course they wouldn't tell of their
discoveries) and exploit them, catastrophes could result and some of these
catastrophes might remain unknown forever even to the victims.
Same for closed source, can you give me a case where a bad guy
detects a bug, exploits it and things are different for the victims
because they had a closed sourced and not an open sourced software?

In all that you say, the fact that software is closed or open
sourced does not make a difference.
--
"Theory is when you know everything and nothing works. Practice is
when everything works and nobody knows why. Here we have combined
theory and practice: nothing works... and nobody knows why!"
[ Albert Einstein ]
Barry Margolin
2014-10-01 15:26:58 UTC
Post by Benoit
However, IMHO such matters don't affect the fact that large and/or poorly
documented open-source software have a very serious intrinsic problem,
namely that independent experts may not have in general the time and/or
interest to examine them in all details and that implies quite naturally
that bugs would have a significant probability of remaining a long time
unknown to the public, if at all, such that, in case some bad guys happen
to be able to detect the bugs (of course they wouldn't tell of their
discoveries) and exploit them, catastrophes could result and some of these
catastrophes might remain unknown forever even to the victims.
Same for closed source, can you give me a case where a bad guy
detects a bug, exploits it and things are different for the victims
because they had a closed sourced and not an open sourced software?
In all that you say, the fact that software is closed or open
sourced does not make a difference.
Bad News: Open source may make it easier for the bad guys to find the
bugs and develop exploits.

Good News: Open source means more good guys can try to fix the bugs.
--
Barry Margolin, ***@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
Benoit
2014-10-01 17:07:31 UTC
Post by Barry Margolin
Bad News: Open source may make it easier for the bad guys to find the
bugs and develop exploits.
Good news : Open source makes it easier for the good guys to be the
first to find the bug.
Post by Barry Margolin
Good News: Open source means more good guys can try to fix the bugs.
Bad news : Closed source means only bad guys try to find the bugs
and no one knows about it for a loooooooooong time.
--
"Theory is when you know everything and nothing works. Practice is
when everything works and nobody knows why. Here we have combined
theory and practice: nothing works... and nobody knows why!"
[ Albert Einstein ]