## Wednesday, April 09, 2014 ... /////

### Lessons of the heartbleed bug for open source software, $P=NP$

Two days ago, Neel Mehta of Google’s security team as well as a team of security engineers at Codenomicon have found a dangerous vulnerability of versions of OpenSSL – 1.0.1 and 1.0.2 beta – called the Heartbleed bug that allows the attacker to read pretty much any information from the vulnerable server (keys to encrypt and the actual user passwords and data) in 64-kilobyte packages. See Google News.

It means that the safe "HTTPS" actually makes things more insecure than the ordinary "HTTP".

About 17% servers allowing encryption are running the bad versions of OpenSSL. The most publicized server whose users should surely try to change the passwords as soon as possible (probably in the past) is Tumblr (owned by Yahoo, so probably Yahoo passwords may also be in danger). I really hope that it is really true that Dropbox, Gmail, Facebook etc. are unaffected; try this tool or this one to check the security of particular servers; Jesus Christ, it says that onedrive.live.com is vulnerable.

Just to be sure, "OpenSSL" means that it is an open-source (i.e. communist style or programming) implementation of the SSL protocol. Only the particular implementation of the SSL is at risk, not the paradigm of SSL itself.

SSL is the predecessor of TLS and sometimes, we talk about SSL/TLS. In practice, it's the layer that allows the exchange of information via the HTTPS protocol (HyperText Transfer Protocol Secure). This exchange is encrypted using (both public and symmetric) keys that are only known to the two sides of the communication, and the fancy technology based on hard-to-decrypt hypotheses in computational complexity (RSA...) preserves our belief that it can't be easily hacked.

I think that two groups of people should notice this dangerous bug: those who say that $P=NP$ would make the world an entirely different place; and those who sell open-source software as a cure for all software illnesses.

The possibility that the cryptographic software may be hacked is the most visible "practical" implication of the scenario that $P=NP$ – or stronger statements. It's widely believed that those encryption algorithms cannot be hacked in a reasonable time but there's really no proof. Well, even if the fast algorithms exist mathematically (i.e. if the likes of Scott Aaronson are completely wrong), it is very plausible that people won't find them for decades or centuries – or never. But if those methods would be hacked, people would be informed about the bug in a similar way as they are informed about the Heartbleed bug. The reasons would be fundamentally more interesting mathematically but the practical consequences would be similar as those today. A patch switching to a different kind of encoding would be issued and people would be invited to change their passwords etc. The percentage of servers affected would be closer to 99% than to 17% but the difference between 17 and 99 isn't really "qualitative".

Because the implementation of cool mathematical algorithms isn't guaranteed to be perfect, vulnerabilities exist even in the world where $P\neq NP$ might hold. There are simply many easier tricks in the messy real world for hackers to illegally find some information than to prove (by direct aggressive action) that $P=NP$, and perhaps stronger statements.

The second group that should notice is the movement defending the open-source software. We are often told that the open-source software must be so safe and secure because the source is, well, open and everyone can have a look and check things. But if everyone can look, it doesn't mean that everyone will look, and even if everyone looked, most people would be completely incapable of finding the vulnerability.

I actually think that the open-source software that doesn't have any particular "responsible people" is less secure than proprietary (closer source) software. The relationship between these two kinds of software is similar to the comparison of products produced by professional companies on one side; and do-it-yourself products on the other side. The second group may often be doing "pretty much the same thing" as the first group and be cheaper for the consumer. However, safety and security is likely to suffer because the non-professional creators spend a greater fraction of their working time by making sure that "it works at all" and a smaller fraction of their time by making sure that "it works flawlessly and securely".

At the end, the percentages of the software that is produced in the open-source and closed-source paradigms are given. We are not drowning in the sea of open-source software that would completely eliminate all closed-source software. And a smaller percentage of the work on open-source software is actually focusing on "checking things" because people are not as responsible for the problems and bugs as they are in commercial software companies producing proprietary software.

So I think that if the proprietary software has been a more frequent victim of attacks by hackers etc., it's just because many or most of these hacker attacks are done by leftists who prefer to attack software corporations over attacking open-source software. But if one looked at the intrinsic vulnerabilities – which are relevant for the hackers who actually want to harm others and help themselves, regardless of the author of the software they attack – the open-source software would probably end up being less secure than the proprietary one.

#### snail feedback (42) :

> I actually think that the open-source software that doesn't have any
particular "responsible people" is less secure than proprietary (closer
source) software.

I dont think there is any such simple
relationship between *unintentional* bugs and openness. Proper code
auditing, rather than openness/closeness of the code makes for less
bugs. Some open-source projects (the large ones or ones with dedicated
coder base) could indeed be better audited than professionaly developed
software. Some smaller projects could be worse off.

How many
longstanding bugs of similar magnitude as the one in OpenSSL were
quietly fixed by closed source devs in their software? We wont hear
about that when it happens, but I am sure it does happen. Security through obscurity does not work anyway.

However,
the main selling point of open source software is lack of *intentional*
"bugs". No one can guarantee you that Windows or Internet Explorer does
not contain a NSA backdoor, or respects the privacy of your data. A
famous example is BitLocker drive encryption:
https://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
"The
lack of any backdoor has been a concern to the UK Home Office,[22]
which tried entering into talks with Microsoft to get one introduced,
although Microsoft developer Niels Ferguson and other Microsoft
spokesmen state that they will not grant the wish to have one added.[23]
Microsoft engineers have said that FBI
agents also put pressure on them in numerous meetings in order to add a
back door, although no formal, written request was ever made; Microsoft
engineers eventually suggested to the FBI that agents should look for
the hard-copy of the key that the BitLocker program suggests its users to make.

In
a world where such government pressures on professional developers
exist, and in light of recent NSA spying revelations, I think the
argument about open source vs. closed source shifts from trying to
prevent unintentional bugs (where they very well could be on equal
footing) to trying to prevent intentional violations of user privacy.
And in this arena closed source simply does not have a leg to stand on
compared to open source.

> So I think that if the proprietary software has been a more frequent
victim of attacks by hackers etc., it's just because many or most of
these hacker attacks are done by leftists who prefer to attack software
corporations over attacking open-source software.

I dont think so. Most hacking today is done for monetary gain, not ideological reasons.
Proprietary software is a more frequent target simply because its more
viruses targeting it.

Technically speaking, actors are props. If there's a script, the writer, is the one primarily responsible for the content of a film, which includes documentaries. Some actors go ahead and read the script etc., being props with minds (sometimes educated, sometimes not.) But a good many actors are more or less aware of their status in many projects, so they just count lines, All they really know is their lines. A narrator may not even grasp the lines, but merely read them. So, it is entirely possible the only fact about this documentary familiar to Mulgrew was the size of the paycheck.

On an episode of the newly rebooted (and horribly fact-checked) Cosmos here in the States, narrator Neil deGrasse states that wherever you are in the universe, you are at the center of it, because of the way light travels. But I find it hard to believe that with billions of "known" galaxies, each containing trillions of suns, and each of those suns surrounded by planets, that we are the only form of life (sentient or otherwise).

He should have said "observable" universe, which is trivally correct. But the show is bad on many levels, and this error is minor

the best part is when he flies his dreamship into a black hole, explaining that if you jump into a black hole you "may" emerge anywhere in the universe, violating the lightspeed barrier.

It is possible to make a science show for laypeople. You can talk vaguely about the history instead of doing calculations in a way that would enable smart people to understand :). But, that's not what Cosmos does.

scoring points for modern leftists and insulting Christianity.

Same thing for Dr. Neil DeGrasse Tyson, the episode about relativity sounded like it was written by a high school student and whoever signed off on his physics PhD should be ashamed of themself.

Brilliant strategy, Kate. First wait until the check clears and then speak out.

Thinking of operating systems rather than security for a moment, proprietary ones - Microsoft and Apple - have the advantage that it is much easier to enforce standardization on them. So, in some sense, they are the communist model - everyone gets the same style of the product, and that's that. Linux, on the other hand, has suffered from fragmentation into a zillion distributions, to the point where it may be on its last legs as a desktop OS, at least according to some claims I've seen.

As for security, it must be easier for computer science researchers to seek holes in open source software, so it probably does get looked at. The potential problem is that their findings seem more readily publicized before a fix is applied or even available than would be the case with proprietary software, so perhaps that does reduce the security somewhat for a period of time.

i suspect it depends more on whether some folks have a good reason to attack - various governments want to, say, bypass security at your office. Heck, they can hire people to infiltrate - whether it is private or open-source.
My view is to keep your code away from anything connected to the internet - but it does not stop in-house spies.

Man, if this keeps up and I am going back to snail mail, at least I don't need a password there.

What difference does these types of bugs mean today. Hell, between the government and the private corporations spying on US citizens today, they need nothing else. Corporations are working hand and hand with the government
and military today to spy on our every action or movement.

Dear Lubos,
to think about properitary and open software in this simple either or patterns is a big oversimplification I think. There are less and less material products or properitary software solutions which run completely free of any open source software. This often means you often get the best of both worlds, a product with somebody responsible for and the added possibilities of open source. Incidently why are so many Windows patches needed for years now if properitary software works so great? Don't get me wrong. I am producing commercial software myself and I prefer to get paid for it. Why do I have the feeling that your attitude towards open source is impacted by some prejudices related to your (rightly) negative feelings towards communism. A university is providing the knowledge it produces to the whole world too. Is it therefore also a communist organization?

Well, I think you will have to agree that a university, while perhaps being a communist organization, is something wonderful, too. All the papers from Lubos Motl, Ed Witten and David Gross etc.free to be downloaded by everybody and to by enjoyed like a Mozart symphony or like watching the Prague castle.

Dear Mikael,
it's wonderful, indeed. ;-)

The papers' being freely available has nothing much to do with the other communist aspects of universities.

It's sensible for the papers to be free for a simple reason: there are almost no genuine "consumers" who would be buying lots of these papers for "their real money".

When some publishers were selling their journals for huge prices (and they still are, but are perhaps getting extinct), it was a consequence of the government's distortion of the markets, too. Almost all the "consumers" were really universities themselves, usually paid from the taxpayer money.

If someone wants basic research to be done, and it may be an individual like Milner, Kavli, or Lazaridis, or a group, or a nation represented by a government, he or they want it because they like to see the product. Their exclusive knowledge of the product is pretty much worthless, so they make the product free, anyway.

I don't know whether the "market" (involving money) with the basic-research insights has ever existed or may exist at all. But I know that the software market does exist, has existed, and it is natural for it to exist. So I think that some active bans and disruption are needed to eliminate it.

Of course, the dynamics of the software market is subtle. Very cheap or free alternatives may emerge, or may be offered in order to cripple the competition. So Microsoft was just forced to make Windows free for phones and tablets up to 9 inches. But that doesn't mean that Microsoft is out of business. This "free Windows" is just a small investment meant to protect their OS from extinction in the competitive market.

Apple has a different funding strategy, and the funding of the creators of iOS and Android and WP apps is different, too. There are many strategies but pretty much each of them requires some restricted access to *something* in order for the company to earn money.

"It does *not* mean that the open-source software needs no such patches.
It's much more likely that these vulnerabilities are not found at all or
they are ignored."

Is it so? Open source software has the advantage of more people looking at the code, so they may be even more likely to discover vulnerabilities (faster than in proprietary software). And why exactly would they ignore them once discovered? The Heartbleed bug was fixed in Linux OpenSSL just a few hours after discovery. Thats certainly faster than Tuesday every month like Microsoft does it.

Dear Dream Chaser, I can't believe you can't add two and two here.

The vulnerability may be easily fixed within hours but it hasn't been discovered for something like two years.

So your remark that "more people look into it so it's safer" obviously didn't work for OpenSSL, did it?

Monopolies had been created and in a way while one might try and defend an organization in terms of its software, all other people, are communist? What about infrastructure and hard ware? Increase competitiveness creates more opportunities?

1.Competition and Concentration: In 2000, the big three wireless providers — Bell, Rogers and Telus — accounted for just over 87% of the industry. Today, they account for just over 93%. The “big three” control more of the sector than ever, and besides that Rogers and Bell now
straddle every other significant segment of the telecom-media-internet industries. What they do in any one of these areas affects the developments elsewhere, and broadband wireless services in particular.Ask the Wrong Questions and . . . : the CRTC’s Review of Wireless Competition

That is part of seeing past who Lubos is for me, as this science writer and truth sharing, and then, to know that an ideology had transformed him because of his history.

For the time being, however, the stronger tendency amongst defenders of the status quo is to deny reality, even when incontrovertible evidence stares them in the face. This is symptomatic
of a bigger problem, namely that in Canada the circles involved in discussing wireless issues are exceedingly small and they like to hear the sound of one another’s voices all too much. Their members do not look kindly on those who might rock the tight oligopoly that has ruled the industry from the get-go.

Key word there is "oligopoly?"

So you work within the system to say the capitalistic movement is not communistic? So that is where "monopolies" for me come in. While one might defend such a institution(capitalistic plan) then all other forms of opinion coming out of a communistic system like the university is somehow controlled as to see that each student and teacher is somehow seen and treated as a equal, and can't think for them self?

Innovation, can still exist in face of a controlled structure "like a capitalistic system?" Google, in recognition of Spectrum and Whitespace, still see a benefit from using advertising, that while significant in it's asset development, agrees that an open internet is a good one? So what does that mean in terms of a communistic system?

:)

Best,

That's right, and is the reason why there are many more potential exploits hiding in commercial, proprietary software than in open source (at least for those open source projects with a large number of users).

The journal publishers may not be going extinct - they sell bundled subscriptions to universities. There is even an article by Andrew Odlyzko, "Are Libraries and Open Access Becoming Irrelevant" in the April 2014 issue of Notices of the American Mathematical Society (http://www.ams.org/notices/201404/).

Back on the topic of software, I think characterizing open source as just people wanting everything to be free is a bit dated - the views on this have evolved to be more nuanced and realistic, based on real-world experiences with both free and commercial software.

A couple of comments on open source...

Back when I was a hacker (late '60s), having access to the OS source was crucial. So open source has a benefit to hackers. But it is also visible to the good guys, as others have noted.

As to its "communist nature" - it's true that Stallman has collectivist views, he's just one part of open source. Open source is also a place for hobbyists. It's a place for learning.

But importantly, it's also a place where a whole lot of professionals work. One capitalist reason for this is the accrual of reputation - I know people who have advanced (or even started) their careers as a result of open source involvement. Also, companies put a lot of money into open source, which is obviously out of capitalist motives. In that sense, they are willing to subsidize code which will be available to all, because it is in their best interest.

A lot of open source code - especially critical stuff like OS internals, frameworks, etc, is frankly superior to commercial products. I don't normally use Linux directly, but I would trust Linux over Windows any day of the week. Notice that Linux is the operating system used by Android. Also note that the US National Security Agency has contributed *open* code to the Linux project to create more secure kernel options.

Where open source often falls down is in the user interface. A lot of open source products are hard to use, and poorly documented. This is due to its fast moving pace - the state of the art of software technology is almost always in open source.

I have worked at companies that paid big bucks to Oracle (closed source) but used open source for many other purposes.

Such anecdotal evidence is no evidence at all when it comes to
statistical claims. I can equally point to February Apple goto fail SSL
bug (which was in the software since version 6.0) and derive from that
that financial motivation obviously isnt working. And I would be wrong,
too. Unless you analyze many open-source and proprietary programs and do
a comparative safety analysis, you have no evidence either way.

Whether you are joking or not :D , that \$200/citation idea of yours is pretty good for compensating good scientists in a more meaningful fashion (but what would Witten or Weinberg do with more millions? open casinos?) and for raising the overall quality of papers and reducing the number of non-serious/frivolous papers. There might be many problems that need to be sorted out, but it could work. What do you think?

Dear Dream Chaser,

the iOS6 has been around only since Sept 2012, not late 2011 like OpenSSL 1.0.1, and the Apple bug depended on a man in the middle so it is less serious, so I still win.

Cheers
LM

I'd take the money, but I'd eye-blink "Eppur si muove" in Morse code. :-)

I think you're severely overestimating the difficulty of establishing a man in the middle in the case of the Apple bug. And the risk there was complete disclosure of communications rather than opportunistic information leakage.

String Theorists better hope that P = NP so the landscape can yield something useful because 10^500 is so ridiculous that not even quantum computers will be of much use.

How ridiculous? Well, let's say I tell you I have a theory. A normal theory for this example will be a painting. We then take a look at the painting and see if it corresponds to reality. Instead of presenting you with a painting I say my theory consists of every color permutated with every shape.

Don't be silly - I haven't thought about string theory for a second when I was talking about P=NP, and there is no correlation between being a string theorist on one side and opinions about P=NP on the other side.

I have nothing against proprietary Software, it's superior in many cases.

But I don't see too many drawbacks with the code being open source in this case. Even if you know how the program works, you can't crack the encryption, if it is correctly done.

The public availability actually adds a layer of security. Everyone can review the code. It's more likely that an exploit will be found by a security company, like in this case, than that it is found by hackers. And the moment an exploit circulates among the hacker community, it would be soon known to the public as well.

In fact, even the name of the programmer that made the mistake is known by now. I would guess the danger of discovery is a serious deterrent against implanting backdoors and further incentive to not make mistakes.

Kaku, Krauss, and

"The Principle" would make a great Broadway musical, Gordon. They could use rubber balls and bungee cords for the planets, and a big paper mache sun held together with scotch tape. And Copernicus could be played by a bad, bad monkey.

And it's my hope that Krauss gets a very large check because he just gave up everything he worked so hard for. He went from a prominent scientist to a just another pseudo huckster. Maybe he can start selling products claiming to cure male pattern baldness.

Hi there!
here's something you guys might appreciate. :-)

http://www.populartechnology.net/2007/01/windows-xp-more-secure-than-linux.html

The key here (as Lubos already noted) is to really have someone responsible for writing any software.

Also, with a higher budget it should be no surprise that it is easier to write higher quality software. There is no good reason a priori why open software should be of better quality and it indeed is not the case.

Lubos, what do you think? Does this prove or disprove Tegmarks MUH.

http://www.qsa.netne.net/a.htm

Who cares. What's Witten working on these days?

Another good thing about Open Source is that it bypasses the stultifying credentialing process of modern American higher "education," and the buzz-word, degree oriented employee selection processes.

A whole lot of software engineering requires smarts, but not degrees. Open Source provides an alternate path were the commercial worth of individuals can be tested without reference to resume.

To be sure, some areas of the field require advanced mathematics, which is more often acquired at University.

Back in the day when I used to write a lot of C and C++, the first thing you did if you were reviewing code for security is to look for the memcpy() functions and all of its cousins to make sure that they were nailed down. Mostly because they tended to overwrite memory and cause crashes, but this is pretty bad too. When I first heard that somebody had discovered this weakness, I was amazed at their capability, then I saw it was memcopy() and it all made sense. It is surprising that this did not show up earlier.

Apple would be the communist model of their were no MS, and vice verse, but as it is, they are just far more successful than Linux in the free marketplace. I know a lot about computer science, managing to scratch out more than a meager living by it, but I just don't have the time to get Ubantu, or whatever, working on my PC, therefore, I pay people to do it for me.

Nearly every individual company that is successful, would be considered "authoritarian" were it a govt, what makes it different is that if they fail, the rest of the economy just moves on with one of their competitors.

There's a good article in the Wall Street Journal that shows the extent to which Open Source projects can be short on resources.

http://online.wsj.com/news/articles/SB10001424052702303873604579495362672447986

It would seem that critical open source software does need additional outside testing, and the Heartbleed episode may well lead to the needed changes.

As software developer(proprietary and open source software) I just can say your statements are bullshit and biased by your political views.
For security reasons i should not matter if you open source the code or not, as the saftey lies in the key NOT in the algorithm, which you should be able to publish,without interferring with the security of your system, if not it is not securtiy it is obscurity(eg, DVD-Rip )
You think open/free source is just some leftist hobby while you ignore that Microsoft, Google or Mozilla are NOT welfare organisations and are supporting Open/Free Source for a reason and this reason is not some good will it is actually money they can earn with it.
So stay with your string theory, that's what you can do and stay out of Software Development, if you have no clue about it.

Don't be silly. If a company "supports" some activity, the people doing this activity are simply a form of employees. The companies "support" the free software simply because they need it - it's part of the products they sell - and if they support something that they don't need in their products, it's because they want to undermine their competitors. Indeed, they are not welfare organizations and they shouldn't be; that's really my point. They are supporting whatever is good for their business, and not supporting what is not good for their business.

I would bet a lot of money that you are not a pro-business conservative and this failure of yours is what led you to write this aggressive comment - your last one here, by the way.

Linking the open source concept with Communism is just rediculous

This shows why Phd should not be writing software. They are smart but do stupid things.

This bug was just a heartbeat packet with a small payload of data. This should have been limited to 16 bytes. Instead they allowed 64K and took the length from the wrong place.
A simple LEN &15 would fixed this.

The problem was that the 4 programmers did not use a software review process or have a test plan. Or have a hacker review the code.

Then the WHOLE industry picked it up since it was free.
If they had paid for a tested and reviewed copy this problem would not have been there. Proof is that other SLL packages did not have these problems.

Even Revenue Canada was using this and were stung by a bright engineering student.

Other code practices is to put the packet buffers in a different segment from the general internal data segments.
And to zero the buffer after used before free-ing them.

Basically they locked the 10 ton from door really well but

forgot about the barn door in the back of the building.

Free software is great. You can make lots of money fixing it.