This would be a continuation of sharing of issues related to technology and security in technology
I would first like to explain some of the security issues/bugs that were found out. In life as an in software, an attacker usually looks for entrance where there is not much activity or is/and obscure. The same applies in software as well. Software developers are always stuck in a classic dilemma when they are developing software whether they should be removing a feature or not. It is pretty easy to get flak if you remove backward compatibility in your code. Your direct and in-direct users (depending upon whether its an application software or a library) are going to scream ‘blue murder’ so the easy way out is more often than not to let that code be as it is. And more often than not, when the new code has enough acceptance in the community, you will continue developing and testing the features that are commonly used while those that aren’t being used will become bit-rotted as in the developer will more often than not test what is being used.
Do not mis-understand what I wrote above, whether the developer is being paid or doing it for free, more often than not the money or fame is more towards ‘new features’ while ‘maintenance’ is boring. That is why for most system-administrators Debian is boring because it just works.
Coming back to the point though, this happens whether it is proprietary software or free software. In proprietary software these issues are probably much more but because the code-bases are not open, it is just not known. ‘Security by obscurity’ is the mantra there and people are neither knowledgeable nor want to know these things. Maybe culture also plays some part in this.
Let’s take the hearbleed bug as an example. Leaving aside the fact that it is for a cryptographic library which is used in most websites, bank, e-commerce sites etc. and has many moving parts, one of those parts had an heartbeat extension. The heartbeat extension was polling/checking every few seconds if some new activity took place. This is normal behavior which can be seen in almost all computing. You see it in most websites where there is lot of user-generated content (like Diaspora, Facebook and many others). This is also how the kernel checks the state of the system in probably every Operating System on the earth. Now what happened was it was able to read areas of memory when talking to other systems that it shouldn’t have been allowed to. It is called as ‘bounds checking‘ in computing. A potential attacker would and could probably access information that s/he shouldn’t be able to.
Would it have been possible to have a similar defect in closed-source/proprietary software?
Would it have been this easy to report, analyze and fix it?
While a security researcher from Google, Neel Mehta reported it, most of the gains of the bug went to a Finnish firm named Codenomicon who coined the name and made the logo and all of it. Great PR and great benefits to them but which also resulted in OpenSSL being given money for maintenance because of it. A short summary about the people who made it what it is can be seen here.
Let’s go on the second bug ‘Shellshock’. The bash shell is or rather was one of the most basic interpretor whenever the system used to wake up. It is/was used to bring up the inittab, the various service levels, bring up the hostname and essentially bring the system to a state where the user could login to the system and do whatever the user needed to do. Why bash was both used as a command and script interpretor is a matter of historical study and record. One of the things that bash does is that for each running program it created its list of ‘environment variables’. If we were to make replace bash to an architect for making a house, when an architect makes a house, he knows it would need a bath room and a toilet and they would need taps for water, a door which links to a passage-way which will link it to the rest of the house, the plumbing and whatever else is needed.
Similarly, bash would do the same for each program, creating an environment for it and these would be using some ‘functions’ many of them built-in. ‘Functions’ could be thought of as rules defined and named which help in setting the environment right. For e.g. if we are the architect of our house as an example we could make up a function/rule saying that if the house is going to have four people all water pipes need to be half inch or something like that. Now the bug that was unearthed was actually there was almost 20+ years. Now all of those functions and environment variables were not coded or created with security in mind. To put it simply, an attacker could use certain functions and environment variables to gain access into another person’s system. This is more or less a danger if you are connected, either on a LAN where an attacker who knows that vulnerability or on the Internet/ World Wide Web. Since the discovery, it has been patched but there could be lot of machines (things like ATMS, routers, coffee-machine to the web) where the code cannot be updated which suffer from either of the vulnerabilities shared above. This is not just for shellshock but also heartbleed as well.
And if people think proprietary tools are better or safer, there are enough tools both in free software as well as proprietary world which can be used to disassemble programs and find vulnerabilities in the system. The only question is, does it make sense to report a vulnerability for few thousand dollars which reporting a security vulnerability will entitle me or make a million or more dollars while lying low and stealing all and any information.
If I were an attacker, I would probably do the latter. In open-source because the code is itself, the attacker would realize that sooner or later it would be known so the benefits are not as large as they are in proprietary software for him or her.
While the above were about fully open-source programs and you could almost sympathize with the actors therein, the third ‘bug’ is by a company everybody loves or hates or loves to hate (depending on where you stand.)
The third ‘bug’ is Google’s insertion of a feature called ‘hotword’ into Chromium. Now let’s see what the bug is/was. Now Debian trusted chromium (the open-source port of Google Chrome) to be a good citizen of the FOSS world. By being a good citizen it means not doing anything that the user doesn’t want. The simplest example would be the update/upgrade policy in any GNU/Linux distribution. As a user it is within my right if I want to make updates a monthly, weekly, daily or never affair depending on what I, as a user wants to do. Debian or any other GNU/Linux distribution will not make any calls or do anything on my behalf unless I explicitly order the system to go out and look for updates or/and upgrades.
Now what chromium did with the recent ‘hotword’ module was that it used to be downloaded at run-time without giving the user an opt-in. The ‘hotword’ module is not free-software or open-source. By their own admission, the module looks for the word ‘OK Google’ and then starts searching. This is supposed to be somewhat similar to what Siri does in MAC OS. As I’m not familiar with Siri so cannot comment on that functionality.
On Google Chromium’s hotword module it does raise suspicions because it is/was theoretically possible for Google or other interested parties to spy on people as the module is ‘always listening’. Nothing prevents Google or any other party, carrier, government body or bodies from hearing it. Especially in the newer smart-phones it it is almost next to impossible for most users to know even if their data package was consumed as to where it got consumed and what if those conversations and downloads and uploads were free, the user would probably never even come to know of it unless s/he were really looking for it.
How dangerous the above is can be known from a simple fact. Just couple days back, I was talking with a friend/acquaintance of mine bitching about life in general, governments whatever, all sorts of things. Over period of 2-3 hours somehow the discussion veered over this particular bug. Nonchalantly he took out the phone and said ‘yes I use/have this particular feature’ and started to demonstrate that. I was at a loss as to how to explain him that this ‘feature’ is/was extremely unhelpful. What probably most people don’t realize that even if you turn it off, it’s a software switch and because the code is non-free you cannot know if there is a software over-ride and it may be doing the same thing. While some people would probably say that heat, cpu cycles, net consumption should give it away, it probably won’t as there would be more applications running and it wouldn’t take much for a dumb guy like me to do a store-and-forward approach in software, the algorithm, the techniques all are there. If I were a bad man, it wouldn’t take much to do that on the software end. Also, as most people realize or not, the hardware too is not documented so with that combo it is one powerful recorder and transmitter for the powers-that-be. It was always so, this just makes it that much more obvious.
Look forward to know what people think.