> On Apr 6, 2024, at 6:07 AM, Les Schaffer <[email protected]> wrote:
>
> What's your take on Tim Bray's suggestion?
>
> https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI
I think it's worth reading and affects everybody using a computer, although most
won't read it. Heartbleed probably affected everyone on this list, and the
OpenSSL flaw that permitted it is still operational in tens of thousands of web
servers a decade later. There are a few things I would add to the article.
1. We should assume that some US intelligence agency found flaws in some
widely-used open source software (OSS) packages or tools that others have not,
and that the NSA is exploiting the flaws it finds. I think the US NSA has OSS
"bugged," or activists should assume that's the case because the NSA has had
the tech industry thoroughly bugged for decades (viz., Snowden's revelations; I
actually worked with a person whose name popped up on one of Snowden's docs; at
the time, those of us at the particular company suspected as much and joked
about whether or not a spook gets to draw two salaries). The NSA won't shut
down hospitals with software exploits, unless it really needs to, but it also
won't reveal bugs to those who can fix them, or at least activists should
assume that.
2. I don't think Tim Bray has a security background, but the first question I
have is the size of the "attack surface" through which people can implant or
exploit bugs in OSS. We cannot count how many lines of source code are in open
source libraries; the genome project has 300 billion, and ChatGPT put the
estimate as high as trillions of lines of code. The same is true for the
number of software packages that hold those lines of code. ChatGPT thought
that 2 million packages represented a small fraction of the total.
3. Nothing was said about AI, but it seems unlikely that a single institute
would accomplish much of the work of finding problems in even the most widely
used OSS packages. Perhaps they would write software tools for companies to do
the work on the OSS that they use in their products. That's an expense that
the sales and marketing-oriented leadership of US companies have demonstrated
in the past that they are most likely to forgo. We don't need AI to find a
buffer-overflow bug like Heartbleed, but people will need to use a lot of
automation to find this problem. I am actually impressed that he did not drag
out the AI buzzword in the essay, but I think they may need the technology.
It will be hard to secure open-source software in our national-security state
so long as powerful adversaries with the deep pockets of the US government are
intent upon exploiting bugs and no doubt planting them (as Bernstein and others
said the NSA does with standard cryptographic algorithms). Maybe Bray could
get further in Canada or find an ally in the EU.
Thanks for sending it.
Mark
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#29816): https://groups.io/g/marxmail/message/29816
-=-=-=-=-=-=-=-=-=-=-=-