Hackers shake open source idealism
Hackers have shaken the free-software movement that once symbolized the Web's idealism.
Several high-profile attacks in recent months exploited security flaws found in the "open-source" software created by volunteers collaborating online, building off one another's work.
First developed in the 1980s, open-source software has become so pervasive that it now powers global stock exchanges, the International Space Station and, according to researcher International Data, appears on about 95 per cent of computers and servers.
Attacks this year using flaws nicknamed Heartbleed and Shellshock have some programmers suggesting that corporations or even the US government should provide more money or programming help. That idea doesn't go over easily among grass-roots developers who want to remain true to the ideals of a do-it-yourself movement.
"It's going to be a wake-up call for a lot of people to understand why we aren't auditing this software better," said Greg Martin, founder and chief technology officer of Threat Stream, a cybersecurity company based in Redwood City, California. "Everybody's been scratching their heads and saying, 'How could we miss this?'"
Open-source advocates say their programming code is more secure than proprietary software because developers are constantly fixing flaws found by users. Critics say the open nature of the software leaves it vulnerable to hackers because the programming flaws are out in the open for all to see.
In either case, some say the fix should come from the companies that build products off the free software.
Technology companies such as Yahoo, Facebook and Google "are saving huge amounts of money using open-source, and they should invest much more money in trying to secure these systems," said Jaime Blasco, director of labs for AlienVault, a San Mateo, California-based security company.
Facebook, based in Menlo Park, California, said in a statement it "is a leading and committed contributor to the open-source community," having started projects to secure Google Android and Apple devices. It pledged US$300,000 over three years to an initiative of the Linux Foundation, a San Francisco-based nonprofit that supports open-source use.
"Google has released hundreds of millions of lines of open-source code and we fund many major organizations like the Linux, Apache and Python software foundations," Chris DiBona, director of open source for the Mountain View, California-based company, said in an e-mail.
Linux, a popular open-source operating system developed in the 1990s, is now used in millions of smartphones, global stock exchanges such as the Nasdaq, and 92 per cent of the world's supercomputers, said Jim Zemlin, executive director of the Linux Foundation.
"Open source is the coal and steel of the Internet but it ain't owned by the Carnegies," he said. "It's owned by all of us."
The Linux Foundation started an initiative in April to improve security by providing grant funding and research help to open-source developers. That was after the discovery of Heartbleed, a flaw in a program called OpenSSL that went undetected for two years. It can expose information people give to websites, such as passwords and credit card numbers.
Twenty companies have pledged US$6 million over three years to the Linux Foundation effort, including Bloomberg LP, the owner of Bloomberg News.
Zemlin wants to expand the number of corporate participants, including large financial institutions that benefit from open-source code.
The financial industry is aware of the importance of finding bugs in open-source software, although it hasn't agreed on the best method, said John Carlson, a vice president with the Financial Services Roundtable, a banking lobby in Washington.
"We certainly recognize we're all part of an interconnected chain," Carlson said. "Is the most effective way to fund the Linux Foundation and other groups? That's a question that needs to be researched and debated."
Another option may be to seek grants from the Homeland Security Department or other US agencies, Carlson said.
The National Security Agency already contributes to open-source projects, including adding security features to Google's Android mobile operating system. The arrangement was motivated by what an NSA document described as a desire to boost the data protections of commodity mobile devices and "improve our understanding of Android security," a claim that drew scepticism because of the intelligence community's own surveillance activities.
US financial regulators urged banks on September 26 to address the Shellshock flaw because of "the pervasive use" of Bash, the program it targets. Shellshock was publicly disclosed in September after being undetected for two decades.
The most notable attack traced to Heartbleed was on Community Health Systems, in which hackers stole data on 4.5 million patients.
A study published in April by testing company Coverity found that, in a scan of 750 million lines of open-source software code, the rate of defects was lower than proprietary software for the first time since it started the study in 2006.
Other studies have found open-source rife with flaws.
Risk I/O, a Chicago-based Internet security company, found in its database of more than 70 million bugs that, of the 10 most serious types, 11 percent are from proprietary software. The rest are from open-source projects, the company said in a statement.
"We are seeing more occurrences of open-source vulnerabilities in the wild," said Michael Roytman, a data scientist with Risk I/O. Shellshock and Heartbleed were "such big deals" because "they affect targets of huge opportunity."
Flaws in open-source software can have a cascading effect across the Internet. Amazon.com and Rackspace Hosting both had to reboot some servers for their cloud-computing services, temporarily knocking customers offline in the past two weeks. The cause was a vulnerability discovered in a widely used piece of open-source technology called the Xen hypervisor, which can allow hackers to crash the machines or steal data.
Rackspace Chief Executive Officer Taylor Rhodes issued a public apology for the short notice given to impacted users, which included about 50,000 of their 200,000 customers.
Jeff Barr, chief evangelist for Amazon Web Services, said the company took "fast action" and the reboot affected less than 10 percent of Amazon's Elastic Cloud Compute, or EC2, service for businesses and Web developers.
Using open-source software without additional controls can expose valuable data to risk, said Chase Cunningham, threat intelligence lead for cloud-computing company FireHost.
"It's like going and buying a safe that a million people have been able to use for the last five years," he said. "I guarantee at least two or three of them will have figured out how to crack the safe."
Simon Phipps, president of the nonprofit Open Source Initiative, said he doesn't believe distributing money to groups of programmers is the answer - and, besides, it goes against the movement's principles of not picking winners or losers. He said companies should demand that vendors supplying them with technology based on open source contribute help back to the developer community.
"What's needed is for corporations that are commercially using open-source code to take on their responsibility to collaborate with the community," Phipps said.
Companies that have historically been big contributors to open-source projects include IBM, Intel, Google, Hewlett-Packard, Oracle and Red Hat, he said.
Heartbleed and Shellshock can be viewed as a vindication of the open-source model, said Jason Trost, director of labs for ThreatStream.
"If these systems were based on proprietary software, these vulnerabilities would likely stick around a lot longer," Trost said. "They may not be found ever, and if they were found, they would be found by high-end hackers or nation states."