
macdos

Suspended
Oct 15, 2017
604
969
If this were China, and Xiaomi were talking security with the government, there would be a slew of sanctions and other forms of American economic coercion. There would be talk about how the Party controls the tech sector, how tech and politics go hand in hand, and how we can't trust Chinese hardware and software.

Somehow it is OK in the US though. Prism. Xkeyscore. Echelon. Snowden.
 

Wildkraut

Suspended
Nov 8, 2015
3,583
7,673
Germany
I'm waiting for all the rabid open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. Open-source CAN be safer; it can also be less safe. In open-source, the exact code is out there for anyone to look at. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also fewer people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
The issue is not open-source, it's these greedy corporations like Apple which keep implementing open-source software into their products without investing back into it. You can argue that's open-source and freely available, but a decent company also invests in code reviews and development, and most of them simply don't.

It's also one of the reasons why this npm package dev went amok.
As for Log4J, well, it's based on Java; that says it all.
 

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,226
Midwest America.
There is always an XKCD cartoon…

Dependency


I've been amazed, when I've read the legal disclosures for software, at how many 'little guys' are mentioned for contributing a small part of the whole. They obviously were a large-ish part of the total project, but their little contribution wasn't copied/stolen. Maybe it's easier for corporate programming houses to mention someone, but paying a 'little guy' for their work is harder? *shrug*

Hurray for the little guys!!!
 

PinkyMacGodess

Suspended
Mar 7, 2007
10,271
6,226
Midwest America.
There is nothing inherently insecure, or less secure, about open-source software. Heck, look at all the closed-source software that has exposed billions/trillions of people and money to exploit. That, and endless patches that people don't install, and default passwords people never change.

If anything the most insecure part of the whole IT industry is humans. Humans not testing software enough, humans not updating software enough, humans not configuring it properly, humans designing software so that it's a damn impossible task to update and configure their software.

Open source, or not, there are many reasons software is not secure. At least with most open-source software, the people that wrote it aren't trying to save face and hush up people identifying glaringly embarrassing zero-day flaws.
 

jdb8167

macrumors 601
Nov 17, 2008
4,738
4,442
The issue is not open-source, it's these greedy corporations like Apple which keep implementing open-source software into their products without investing back into it. You can argue that's open-source and freely available, but a decent company also invests in code reviews and development, and most of them simply don't.
Yeah except for WebKit, LLVM/Clang, Swift, Objective-C, Mach/Darwin, CUPS, and maybe some others, what has Apple ever done for open source?
 

Analog Kid

macrumors G3
Mar 4, 2003
8,980
11,722
“It is the carefully considered opinion of the National Security Council that something is only a threat if we can see it.”

“Furthermore, upon recognizing that we can’t rely on volunteers to secure anything, we’ve decided to disband our famously ‘all volunteer Army’ and institute a draft. We suggest Linux do the same.”
 

Wildkraut

Suspended
Nov 8, 2015
3,583
7,673
Germany
Every day I want to quote a precise sentence, I am reminded how terrible Safari is.

Give Linux 80% desktop OS marketshare, and after a few years, can you still say Linux is the safest system? macOS through its absolute obscurity still gets hacked and exploited here and there.

Only the ultimate power of the god will teach them the lesson they desperately need but refused to take. It’s kind of sad that we might not outlast them.

As if however many backdoors they have is not enough. How about making encryption illegal?
Well, Linux is probably safer than all OSes that currently exist.
It's mainly the core UNIX philosophy that makes it safer, and all the eyes looking at it.
A higher desktop market share wouldn't change that much.

Linux and FreeBSD are probably more interesting hacking targets than any desktop, simply because they run on many critical infrastructure devices like servers, routers, switches, etc., and these are targets of higher value to hack.
 

Madhatter32

macrumors 65816
Apr 17, 2020
1,452
2,910
Closed sourced software is only as safe as the company that stands behind it. But, at least there is a responsible entity ... and that makes all the difference.
 

npmacuser5

macrumors 68000
Apr 10, 2015
1,777
2,012
The first step on the security side. Nothing to do with the political or rights side of the equation. Lock the front door. China and Russia are doing just that. They developed a good lock on the front door. Access to the internet through their portal only. Been to China, it works very well. I know we all have rights, etc. Want to make our systems hardened, especially key industries? Lock the front door. To prove my point, how are we doing with security today? Not well at all. The bottom line: open access because we all have rights, weak security the cost of doing business. Cannot have it both ways.
 

TheMacDaddy1

macrumors 6502a
Aug 17, 2016
813
1,494
Merica!
I hope someone in that meeting asks Apple if they think their 250 BILLION dollar payment to the CCP helped fund the hacking of vulnerable log4j servers?
 

scheinderrob

macrumors 6502a
May 6, 2021
686
2,414
In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also fewer people who have access to the code to fix any flaws. So, flaws will stick around longer.

I really doubt you have any understanding of how software works. Closed source isn't anywhere near as 'closed' as you think it is.
 

gaximus

macrumors 68020
Oct 11, 2011
2,254
4,435
In open source, if someone finds a vulnerability, they usually want credit for finding it; it can be used to get a better-paying job or just to show off your skills. In closed source, if someone finds a vulnerability, they most likely want to use it.
It's not always the case, but with an open-source vulnerability, it's not going to be long before someone else finds it, and you'd lose any claim you had on finding it, so it's best to report it right away.
 

Spock

macrumors 68040
Jan 6, 2002
3,429
7,302
Vulcan
Oh, for goodness' sake, they control the freaking OS, EFI, the whole kit and caboodle. When they were running Intel, nothing was stopping them from locking down the Mac iOS-style.

This conspiracy theory that the Mac will get locked down has zero basis in reality, and is based on the notion that Apple is some Snidely Whiplash-esque Saturday morning cartoon villain. Completely ignoring the fact that consumers have many options to buy machines, not just Macs.

This notion that the nefarious Tim Cook and the legion of doom are plotting, deep below the bowels of Apple HQ, to “trap” Mac users into the App Store doesn’t have basis in reality.

And yes, you would leave the platform. So would 99.99% of users. That’s what makes this theory fall apart, since now Apple is no longer selling any Macs, at all, period.

Which, even if we take this absurd scenario to its logical conclusion, what reason would Apple have to push the dastardly update onto the unsuspecting Mac user base, over just not making any more Macs? Just sell iOS devices, basically the same as a locked in Mac, and less costly than continuing to build computers with exactly the same functionality for zero people.
The Mac makes up about 10% of sales; Apple could kill the Mac, put its resources in services or somewhere else and still come out on top. Apple has been putting things in place like Gatekeeper and the notarizing of macOS software and pushing the Mac App Store. Again, I am not saying that they will do it, I am just saying that I bet it is on more than one brainstorming board at the Apple campus.
 

Wildkraut

Suspended
Nov 8, 2015
3,583
7,673
Germany
Yeah except for WebKit, LLVM/Clang, Swift, Objective-C, Mach/Darwin, CUPS, and maybe some others, what has Apple ever done for open source?

WebKit = KHTML comes from KDE, nothing that Apple invented; they forked it, and even Safari's User Agent still shows KHTML.
LLVM/Clang was released as open-source long before Chris Lattner was hired by Apple; they just wanted the developer, and he left Apple, btw.
Swift borrows a lot from C# and Rust, and currently has no decent usage outside the Apple bubble and probably never will.
Obj-C, an Apple-bubble-only language ready to die.
CUPS was bought by Apple; they also just wanted to have the main developer (Michael Chief) on board.

So yes, Apple didn't decently invest back into open-source upstream-derived packages; their investments had other reasons, mainly Embrace, Extend, Extinguish.

Timeline-wise, looks like we are now between Extend...Extinguish.
 

canadianreader

macrumors 65816
Sep 24, 2014
1,142
3,170
Maybe there could be a public body that ratifies many of the most popular core libraries. Some kind of governmental agency or non-profit company. The issue is more that there are a certain number of core libs that everyone has in their builds. I think now it's the Wild West because it's no one person's or org's job to check any of these libs or certify them.

I suppose a bit like an HTTPS cert or something. If your build has a lib that hasn't been validated by this body, it will throw up an alert. Use it at your own risk.

We are leaving far too many core components to be looked after by people for free with no incentive to make sure everything is OK.
Some non-profit linked to Microsoft or Apple to ban some competition like Linux or other distros under the guise of national security.
 

Stromos

macrumors 6502a
Jul 1, 2016
798
1,924
Woodstock, GA
I analyzed the situation carefully for my applications. The exposure was extreme. I assume you are thoroughly familiar with the details of the security risk, so it's surprising that you consider it a joke.
You misunderstand me. The big guys saying open source bad (Microsoft, VMware, Cisco) are saying it's a non-issue because they are using 1.x. That's the joke. We are spending hours mitigating things ourselves because these closed-source applications are ignoring the problem and are saying bundling packages that were EOL in 2015 is business as usual.
 

_Spinn_

macrumors 601
Nov 6, 2020
4,857
10,041
Wisconsin
Software today has so many dependencies that it will be very difficult to audit everything to make sure it is secure. Even if the libraries your software directly depends on are secure, there could easily be a dependency further down that has issues.

Not to mention there have been cases where malicious actors have deliberately "poisoned" popular packages in NPM.
 

jdb8167

macrumors 601
Nov 17, 2008
4,738
4,442
So yes, Apple didn't decently invest back into open-source upstream-derived packages; their investments had other reasons, mainly Embrace, Extend, Extinguish.
Just kept all their changes to themselves and didn’t share anything back. How evil!
 

LawJolla

macrumors regular
Sep 29, 2013
197
1,361
The web is incredibly insecure.

A modern web app uses thousands of open source packages that could include malicious code.

Here's my web app's dependencies. Any one of these could sniff my customers' logins, credit card numbers, etc.

Sneak malicious code into the right package used by a large percentage of sites and you'll have the biggest security mess, ever.

 

jimbobb24

macrumors 68040
Jun 6, 2005
3,356
5,385
Wait... software can have bugs?

Open source software is one of the most amazing innovations of the computer era and, though imperfect, the software of trillion-dollar companies is also filled with bugs. Per dollar spent, open source has been an amazingly secure innovation.
 

JMacHack

Suspended
Mar 16, 2017
1,965
2,422
The first step on the security side. Nothing to do with the political or rights side of the equation. Lock the front door. China and Russia are doing just that. They developed a good lock on the front door. Access to the internet through their portal only. Been to China, it works very well. I know we all have rights, etc. Want to make our systems hardened, especially key industries? Lock the front door. To prove my point, how are we doing with security today? Not well at all. The bottom line: open access because we all have rights, weak security the cost of doing business. Cannot have it both ways.
NATO-aligned countries having their own intranet is exactly what I expect the future to be.
 

metapunk2077fail

macrumors 6502a
Oct 31, 2021
634
845
Lots of responsible open source devs are angry that there is a fringe of software engineers who use open source to evade sanctions, launch pyramid schemes to raise money for extremists, launder money for hostile regimes. One Ethereum dev even went to North Korea to assist them and got his ass arrested when he came back.
 

JMacHack

Suspended
Mar 16, 2017
1,965
2,422
The Mac makes up about 10% of sales; Apple could kill the Mac, put its resources in services or somewhere else and still come out on top.
That’s exactly what makes the “lock in” scenario implausible. It’s easier, cheaper, and less stupid to just stop making Macs than it is to lock in the App Store.

Apple has been putting things in place like Gatekeeper and the notarizing of macOS software and pushing the Mac App Store. Again, I am not saying that they will do it, I am just saying that I bet it is on more than one brainstorming board at the Apple campus.
No, you pretty much said they were gonna do it:
Someday, that is the key word. I didn't say it was happening tomorrow.
And you are wrong.
 