Apple to Attend White House Meeting to Discuss Security Risks of Open-Source Software

[MacRumors]

Apple will be among several U.S. tech giants to attend a meeting at the White House today to discuss cybersecurity and possible security threats posed by open-source software, Reuters reports.

The meeting will be held by U.S. National Security Advisor Jake Sullivan and will focus on "concerns around the security of open-source software and how it can be improved." The meeting was prompted by concerns around a security vulnerability found in open-source software Log4j.

The vulnerability, which posed a threat to organizations that use Log4j around the world, allowed hackers to control a system and remotely execute malicious code.

According to Sullivan, open-source software such as Log4j presents a "key national security concern" as it is often used and maintained by volunteers. Google, IBM, Meta, Microsoft, and Oracle are also expected to attend the meeting.

Article Link: Apple to Attend White House Meeting to Discuss Security Risks of Open-Source Software

 

[AngerDanger]

"We're not secure in how much money open-sourced software makes us."

 

[bbeagle]

I'm waiting for all the rabbid open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look at. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.

 

[Kuckuckstein]

The entire Linux community is open source, and yet this is a much more secure platform than Windows has been. And Mac OS and their browsers have heavily benefited from the give and take between Unix and Linux (macOS building on a Unix rather than Linux kernel )

I am almost certain that there have been more security faults in proprietary systems than well maintained open source projects, because the drive behind open source is a more idealistic than the industries “quick to market / milk them all”

With that being said, especially when it comes to web development and the package repositories I see there, I am more doubtful and careful with using and relying on them. I feel it often moves too fast and the community has a different background than e.g. hardcore Linux developers.

 

[Tres]

I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.

Not a rabid open sores fan at all (except back in my teenage years when I went through a rebellious Linux phase ugh), but obscurity does not imply security.

 

[Kuckuckstein]

I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.

Agree - to me the fact that it is open for digging around has always been my main concern.

Yet you don’t see an equivalent count of threats. It seems that the work done by the community is very solid and that even though all is in plain sight it is difficult to exploit in running systems.

There are pros and cons to both, but I hope that this discussion will not result in some handcuffs from the industry on the open source community.

 

[azentropy]

I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.

Yep. Unfortunately there is more money to be made exploiting Open Source security flaws/bugs then there is fixing them. Maybe that is something that will be discussed, having these larger companies offer better bounties for finding and reporting bugs.

 

[bsbeamer]

Apple should be able to use most of the same anti-open source arguments to keep their App Store running pretty much as-is.

 

[blackcrayon]

Apple should be able to use most of the same anti-open source arguments to keep their App Store running pretty much as-is.

Is that a popular complaint about the App Store? "But we can't see the source code!" ?

 

[shanson27]

Prepare better for what is coming, it can impact your life

 

[lazyrighteye]

Wait - they put national security data behind a source that was open?

 

[ian87w]

Ah, US government cherry picking things to "discuss" security threat of open source. Because they "know" better.

I think the US government should focus on telling their own politicians like AOC to wear masks. They don't seem to even understand what they were spitting from their own mouth.

 

[jdb8167]

The biggest problem with the Log4J debacle is that the logging library is used indiscriminately in other libraries—both open-source and proprietary. Anyone who is developing new software should be using SLF4J and java.util.logging but that doesn’t help much if a library still uses Log4J either because it is old or just from inertia in the project.

It’s a huge problem in this specific case. There aren’t that many ubiquitous libraries used like Log4J which the original version is over 20 years old. It’ll be interesting to see what comes from this discussion.

 

[huge_apple_fangirl]

What about a meeting on the dangers of proprietary, closed software?

 

[nwcs]

Just more security theatre. Nothing Apple or other corps can do about open source and nothing the government can realistically do, either. Hacking for hire for both companies and nation-states is the real issue as it is rapidly increasing.

 

[AngerDanger]

I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

The worst part is that because they're so cute, it's hard to evaluate their arguments objectively.

 

[threesixty360]

Maybe there could be a public body that ratifies many of the most popular core libraries. Some kind of governmental agency or non profit company. The issue is more that there are a certain amount of core libs that everyone has in their builds. I think now its the Wild West because its no one person/ orgs job to check any of these libs or certify them.

I suppose a bit like an https cert or something. If your build has a lib that hasn't been validated by this body it will throw up an alert. Use it at your own risk.

We are leaving for too many core components to be looked after by people for free with no incentive to make sure everything is ok.

 

[ian87w]

You all know where this is going. Whenever US government gathers the tech companies to discuss "security," the actual agenda is probably to enforce backdoors.

 

[jdb8167]

The issue is more that there are a certain amount of core libs that everyone has in their builds. I think now its the Wild West because its no one person/ orgs job to check any of these libs or certify them.
…
We are leaving for too many core components to be looked after by people for free with no incentive to make sure everything is ok.

There is always an XKCD cartoon…

Dependency

 

[killawat]

Security Theater. The obvious answer is to fund OSS. Scores of backend technology powering MacRumors, Google, Amazon and yes even Apple are powered by the efforts of unpaid, overworked volunteers. Billions of dollars in revenue.
The only time an open source project is "adopted" is when a particular corporation wants to exert influence over the direction of the product, but most OSS never sees a dime. Enough is enough. Fund open source efforts right on the GitHub.

Why didn't OSS get this type of "attention" after the Equifax hack (apache struts)? Why focus on Log4j.

 

[827538]

I trust open-source OS's more than I trust the likes of Windows. Security through obscurity is not security.

 

[rgeneral]

closed. I mean just look at Microsoft on patch Tuesday every month.

 

[jdb8167]

Why didn't OSS get this type of "attention" after the Equifax hack (apache struts)? Why focus on Log4j.

Struts is very similar to the problem with Log4J. No one who knows what they doing would start a project today or even in the last 10 years with Struts but there is so much legacy crap still in use that no one maintains that a major security flaw will get exploited even if a mitigation had been available for years.

 

[huge_apple_fangirl]

Security Theater. The obvious answer is to fund OSS. Scores of backend technology powering MacRumors, Google, Amazon and yes even Apple are powered by the efforts of unpaid, overworked volunteers. Billions of dollars in revenue.

A lot of the work on open source software is actually done by paid engineers at tech companies.

 

[killawat]

Some kind of governmental agency or non profit company. The issue is more that there are a certain amount of core libs that everyone has in their builds.

Funny that you mention that. OSS builds get more scrutiny in the government sector than many closed source builds because. OSS is scanned using off the shelf apps that scan for vulnerabilities. Closed source apps can also be scanned but in many cases, the vendors will simply refuse to have their code (their intellectual property) to be scanned. This particular Log4j vuln was found due to the efforts of Alibaba Cloud Security.

Regardless there are hundreds of these types of libs that you describe. Where does it end? Is it only for backend or does it extend to front end? No one, certainly the government has the capability to ensure the security of the literally hundreds of packages that make up a common stack.