#heartbleed

dredmorbius@joindiaspora.com

On Heartbleed, free software, security, and trust

@Will Hill is among those sharing a post suggesting that adopting free software is the way to keep national-actor surveillance operators out of your systems. This is grossly oversimplified and incomplete in multiple ways.

First off: OpenSSL is a free software project. That status did not prevent the bug from being written in the first place, and this is not the first time a similarly bone-headed mistake has shipped in open-source code. Take the Debian OpenSSL bug of 2008 (CVE-2008-0166): a Debian patch removed the code that fed the random number generator, leaving the process ID as its only source of entropy, so every SSH or SSL key the package generated on a given architecture was one of at most 32,767 possibilities. Rather than an astronomically large number of possible keys, the whole set could be pre-generated in advance; matching a captured public key against it is instant, and trying every candidate against a live server is a matter of seconds to hours, depending on server configuration and rate-limiting.
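The following is an added illustration, not code from the original post or from Debian or OpenSSL: a toy key generator whose only entropy is a small integer seed (in the Debian case that seed was the process ID, at most 32,767 values), alongside the enumeration attack that such a keyspace makes possible. The derivation function, the fingerprint function and the victim's seed are constructed for the example; the point is that any deterministic function of a small seed, however elaborate, yields a keyspace an attacker can walk end to end.

```python
import hashlib
import secrets

# Largest process ID on a 32-bit Linux host of the era; the sole entropy input
# left in the broken Debian OpenSSL package.
MAX_PID = 32767


def weak_keygen(seed: int) -> bytes:
    """Stand-in for a PRNG whose only entropy is `seed`.

    Constructed for illustration: real key generation is far more involved,
    but if every step is deterministic in a small seed, the number of distinct
    keys it can ever produce equals the number of distinct seeds.
    """
    return hashlib.sha256(b"toy-key-derivation|" + seed.to_bytes(4, "big")).digest()


def strong_keygen() -> bytes:
    """The fix in miniature: draw the key from the OS CSPRNG, not from a seed."""
    return secrets.token_bytes(32)


def public_fingerprint(key: bytes) -> str:
    """Anything an attacker can observe that is a deterministic function of
    the secret (a public key, a host-key fingerprint) will do for the lookup."""
    return hashlib.sha256(b"fingerprint|" + key).hexdigest()[:16]


def enumerate_keyspace(max_seed: int = MAX_PID) -> dict:
    """Pre-compute every key the weak generator can emit, indexed by fingerprint.

    This is the attacker's one-off cost: MAX_PID derivations, done in well
    under a second here.
    """
    return {public_fingerprint(weak_keygen(s)): s for s in range(1, max_seed + 1)}


def recover_seed(observed_fp: str, table: dict):
    """Look a captured fingerprint up in the pre-computed table.

    Returns the seed (and therefore the private key) on a hit, None otherwise.
    """
    return table.get(observed_fp)


def demo():
    # Constructed victim: a host whose key was generated with PID 4242.
    victim_seed = 4242
    victim_fp = public_fingerprint(weak_keygen(victim_seed))

    table = enumerate_keyspace()
    recovered = recover_seed(victim_fp, table)

    # A key from the fixed generator is not in the table: the attacker has
    # nothing to enumerate.
    strong_hit = recover_seed(public_fingerprint(strong_keygen()), table)
    return recovered, len(table), strong_hit


if __name__ == "__main__":
    seed, size, strong_hit = demo()
    print(f"keyspace size: {size}; recovered victim seed: {seed}; "
          f"strong key found in table: {strong_hit is not None}")
```

Run as a script it recovers the victim's seed from nothing but the observable fingerprint, after building a table of 32,767 entries; the same lookup against a key drawn from the OS random source comes back empty, because there is no table small enough to build.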

Secondly: I'm not contesting that this being open source helped the problem become widely reported and rapidly fixed after the fact. And there's no telling what problems lurk deep within proprietary software. But even appliances built on free software could remain vulnerable to the OpenSSL bug for years to come if they can't be, or aren't, updated.

Thirdly: I've argued since the beginning of Edward Snowden's heroic disclosures of NSA domestic surveillance and related tactics that the main victim would be trust: the NSA's trust in its own operators and contractors; users' trust in network and "cloud"-based services; trust in hardware with known "lawful intercept" capabilities (virtually all networking hardware) or with unknown surveillance capabilities (say, Chinese-government or NSA-introduced vulnerabilities in Chinese products); trust in proprietary software; trust among free software developers; and trust in online commerce and service offerings. Pretty much all of these scenarios have been borne out.

And finally: the NSA have denied use or knowledge of this vulnerability, though their record of full and truthful public disclosure is markedly less than perfect. I'm not aware of anyone who has come forward with conclusive evidence that the NSA knew of or used the Heartbleed vulnerability, though the EFF have posted server logs that appear to show the bug being exploited from an east-European IP in at least one case, in 2013. Definitive claims that the NSA (or other agencies) did make use of such mechanisms require a high level of proof. Those claiming so without it are hurting their own credibility. Yes, you, @Will Hill and Roy Schestowitz.

While I do feel that free software options tend to be the better choice, it's very, very, VERY clear that it is not, of itself, sufficient for true security.

#nsa #heartbleed #security #credibility #fsf #freesoftware #opensource