There's a Moose loose aboot this hoose: Linux worm hijacks Twitter feeds for spam slinging ESET researchers Olivier Bilodeau and Thomas Dupuy have found malware capable of compromising routers and embedded devices, seizing control of social networking accounts, and booting out competitors. The duo report the Moose malware exploits weak login credentials in the networking gear, and does not require vulnerabilities to …
> How the hell are we going to get the consumer market[…]
We're not.
That is far too complicated. (And by "far" I mean: distance to the edge of the observable universe far, not round the corner to the chemist.)
Any solution needs to be easy enough that no user interaction is needed, and cheap enough that it becomes the default.
He looks like Demis Roussos coming down off acid, but he's right:
http://www.theregister.co.uk/2015/05/25/stallman_windows_and_mac_are_malware/
Stallman makes a valid if perhaps less hyperbolic point; that many commercial software houses are notoriously focused on time-to-market and at best bolt security checks on at the end of development, if at all.
...one of Stallman's claims is that FOSS is 'better' because it is less prone to security issues thanks to the (trivially disproved) myth of the 'many eyes' approach. (Stallman's egotism in his Guardian rant really don't help his anachronistic* 'cause'. With friends like him, the GNU and FOSS communities really don't need enemies.)
Problem is, you need those 'many eyes' to be bothered to look into all that Open Source code first, and wading through yet another router's firmware is pretty bloody tedious and ranks right up there with writing user guides and translation work in its thanklessness. Nobody in their right mind would do it willingly, unless they were being paid to do so. If Heartbleed taught us anything, it's that it's really, really hard to get volunteers interested in doing the boring stuff.
Note that the article clearly states that the research was done—and paid for—by ESET. This wasn't a FOSS community effort. ESET would happily research and highlight flaws in proprietary software too given their line of work.
* (Open Source and all that "Free as in Speech" stuff made sense back in the 1970s and early '80s, when computers were still mostly the preserve of lab-coated folk who could actually program in rooms filled with Winchester disks and photogenic tape drives covered in blinking lights. It makes no sense today. What's important now is the _data_, not the code. As long as we can access our data, it matters not one whit whether the code that originally created it ceased being run a decade earlier. The code doesn't matter any more. It's become a disposable component of a much greater whole.)
You are partially right, in that its hard to get anyone to understand stuff like cryptography in the first place, let alone to apply effort in to making it better by review and bug-fixing.
But you are also wrong in two very important ways:
Firstly having something open makes it a bigger risk to back-door, and certainly makes it very hard for anyone to be offering it and not to have the come-back if they were the one putting in back-doors or spyware. With COTS stuff you have to take it on trust, which is low these days, or to try and intercept all communications with wireshark or similar and to decode/decrypt them to find out what is happening. Are people willing to do that any more common that those willing to review open source code?
Secondly the idea that open source is not needed any more is utterly wrong, as today perhaps more than ever, we are seeing a "walled garden" approach to machines where some company decides what you can do with your own hardware, and what others are allowed to offer you. Similarly having data open only works if (a) the format is published AND correct, and (b) you have access to alternative software to make use of it. Without FOSS options there would be no pressure on the likes of MS, etc, to even pretend to offer open standards and protocols.
Remember how it took an EU anti-trust suite to get the SMB/CIFS protocol opened? Or how Oracle tried to sue Google on the basis that APIs should be copyright and thus no one can make interoperable code without a license?
@ sean
My intention was this was not a FOSS vs Closed debate but it was a point that security is often a shoddy afterthought as it's not in commercial interest. If product liability and consequential loss applied to commercial software in respect of security you can bet that it would suddenly become number one priority.
She was Karving her initials on the moose with the sharpened end
of an interspace toothbrush given her by Svenge - her brother-in-law - an
Oslo dentist and star of many Norwegian movies: "The Hot Hands of an Oslo
Dentist", "Fillings of Passion", "The Huge Molars of Horst Nordfink"...
Møøse trained to mix concrete and sign complicated insurance forms by JURHORSTGG
Møøses' noses wiped by BJØRN IRKESTØM-SLATER WALKER
Large møøse on the left hand side of the screen in the third scene from the end, given a thorough grounding in Latin, French and "O" Level Geography by BO BENN
Suggestive poses for the Møøse suggested by VIC ROTTER
Antler-care by LIV THATCHER
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
