Friday, 11 April 2014

A Few Words About the “Heartbleed” Bug and Open Source Software…

We certainly found out through this bug how connected we all are, and then the questions came up about open source software.  Is there someone to “really” blame here?  As you may have already read, most have already patched their systems, and changing your password is never a bad idea, but doing so after the patch has been applied is of course the way to go.  Now we are also hearing the bug is in Cisco routers, and that’s huge and a big chore.  Good news is that they are working on it. 

Two thirds of the internet relies on OpenSSL, all our banking for one.  There were many sites identified, with everything from a dating site such as OKCupid to Motley Fool, the DuckDuckGo search engine and many more.  Just those three names give you an idea of the diversification here, and that you couldn’t pinpoint any particular industry at all; add in Publishers Clearing House and Yahoo for a couple of other big names. 

Below is an article written by Cathy O’Neil, “Mathbabe” as she is known on the web, a quant and mathematician who formerly worked on Wall Street.  It’s a good article and opinion piece, and she pretty much states something that most are missing and that I talk about all the time…read the last paragraph….

“Public would need to acknowledge how freaking hard it is to program”

If you don’t understand what a quant does, watch video #2 in the footer, the documentary, as it’s one that even the layman can understand; it describes modeling and then the software creation to execute it, and of course sub-prime could never have happened without it.   Also watch video #3 in my footer with Cathy, a smart lady who used to write models years ago for Larry Summers.  So yes, it is “freaking hard” to program today with all the code running out there, and we will always have bugs; as we learned here, some are by accident and then we have the bad guys doing it on purpose. 

The ransom programs do their thing and we need those folks out there finding them.  Sometimes in the news you read you don’t get this impression of programming, as the push is to tell you how wonderful and great something is and how programmers have gone to great lengths to make it easy for you to use.  That’s what we do, but behind the nice user interface there’s so much code running that it would make your head spin, and due to that fact we do live in the “era of the bug”. 

Code can be written to generate profits too, so don’t forget that portion either.  This is also why we need this data seller index: how much of your information passed through the affected networks?  We don’t know at all, do we?  We need that index, as we are still identifying locations of the bug, and where did your information pass through?  Not a clue, as government just works on verbiage with laws, and some digital-centric laws will have to be initiated at some point when those making laws finally come to the reality that “code runs hog ass wild” out there. 

One Really Good Reason to License and Excise Data Sellers, Huge Breach As the “Data Selling Epidemic” Both Legally and Illegally Continues To Grow-All We Have Are Lawyers Who Only Do Verbiage While “Code Runs Hog Ass Wild” -Due Diligence is Dead

Read what Cathy has to say, as her opinion and observations are good, and we don’t want something like this to destroy open source either.  If you want to learn more about some of the coding and how it impacts the financial world and other everyday algorithms out there, visit my Algo Duping/Attack of the Killer Algorithm page, read and take in some videos, and you'll be smarter for it.  BD 


By now most of you have read about the major bug that was found in OpenSSL, an open source security software toolkit. The bug itself is called the Heartbleed Bug, and there’s lots of information about it and how to fix it here. People are super upset about this, and lots of questions remain.

For example, was it intentionally undermined? Has the NSA deliberately inserted weaknesses into this as well? It seems like the jury is out right now, but if I’m the guy who put in the bug, I’m changing my name and going undercover just in case.

Next, how widely was the weakness exploited? If you’re super worried about stuff, or if you are a particular target of attack, the answer is probably “widely.” The frustrating thing is that there’s seemingly no way to measure or test that assumption, since the attackers would leave no trace.

Here’s what I find the most interesting question: what will the long-term reaction be to open source software? People might think that open source code is a bust after this. They will complain that something like this should never have been allowed to happen – that the whole point of open software is that people should be checking this stuff as it comes in – and it never would have happened if there were people getting paid to test the software.

First of all, it did work as intended, even though it took two years instead of two days like people might have wanted. And maybe this shouldn’t have happened like it did, but I suspect that people will learn this particular lesson really well as of now.

But in general terms, bugs are everywhere. Think about Knight Capital’s trading debacle or the ObamaCare website, just two famous recent problems with large-scale coding projects that aren’t open source.

Even when people are paid to fix bugs, they fix the kind of bugs that cause the software to stop a lot sooner than the kind of bug that doesn’t make anything explode, lets people see information they shouldn’t see, and leaves no trace. So for every Knight Capital there are tons of other bugs in software that continue to exist.

In other words it’s more a question of who knows about the bugs and who can exploit them. And of course, whether those weaknesses will ever be exposed to the public at all.

It would be great to see the OpenSSL bug story become, over time, a success story. This would mean that, on the one hand, the nerds becoming more vigilant in checking vitally important code and learning to think like assholes, but also the public would need to acknowledge how freaking hard it is to program.


http://mathbabe.org/2014/04/10/does-openssl-bug-prove-that-open-source-code-doesnt-work/#comments
