Source: Errata Security
Identifier: 374386
Publication date: 2017-06-15 00:04:55 (seen: 2017-06-15 00:04:55)
Title: Notes on open-sourcing abandoned code
Text:

Some people want a law that compels companies to release the source code of "abandoned software", in the name of cybersecurity, so that customers who bought it can continue to patch bugs long after the seller has stopped supporting the product. This is a bad policy, for a number of reasons.

Code is speech

First of all, code is speech. That was the argument for why Phil Zimmermann could print the source code of PGP in a book, ship it overseas, and have somebody scan the code back into a computer. Compelled speech is a violation of free speech. That was one of the arguments in the Apple vs. FBI case, where the FBI demanded that Apple write code for them, compelling speech.

Compelling the opening of previously closed source is compelled speech. Demanding that new products ship with source would be one thing; going backwards and demanding source for products sold before 2017 is quite another.

For most people, "rights" are something only their own side deserves. Whether something deserves the protection of "free speech" depends on whether the speaker is "us" or "them". If it's "them", you'll find all sorts of reasons why their speech is a special case and why it doesn't deserve protection. That's what's happening here: open-source advocates hold one idea of "code is speech" when it applies to them, and another when applying the same principle to hated closed-source companies like Microsoft.

Define "abandoned"

What, precisely, does "abandoned" mean? Consider Windows 3.1. Microsoft hasn't sold it for decades, yet it isn't precisely abandoned either, because they still sell modern versions of Windows. Being forced to show even 30-year-old source code would give competitors a significant advantage in creating Windows-compatible code like WINE.

When code is truly abandoned, such as when the vendor has gone out of business, chances are good they don't have the original source code anyway. Thus, for this policy to have any effect, you'd have to force vendors to give a third-party escrow service a copy of their code whenever they release a new version of their product.

All the source code

And that is surprisingly hard and costly. Most companies do not precisely know what source code their products are built from. Yes, technically all the code is in the ZIP file they gave to the escrow service, but it doesn't build: essential build steps are missing, so the source won't compile. It's like the dependency hell many open-source projects experience, such as downloading and installing two different versions of Python at different points during the build, except a hundred times worse.

Often, building closed-source software itself requires an obscure version of a closed-source tool that has in turn been abandoned by its original vendor. You often can't even define which artifact is "the source code". For example, engine control units (ECUs) are Matlab code that compiles down to C, which is then integrated with other C code, all of which is then compiled with a special compiler. Unless you have all of these closed-source products, some of which are no longer sold, the source code of the ECU will not help you patch bugs.

For small startups running fast, such as those launched off Kickstarter, forcing them to escrow code that actually builds would impose an undue burden, harming innovation.

Binary patch and reversing

Then there is the issue of why you need the source code in the first place. Here's the deal with binary exploits like buffer overflows: if you know enough to exploit it, you know enough to patch it. Just append some binary code to the end of the program, a function that verifies the input, then overwrite the instruction where the vulnerability happens with a jump to the new code.

I know this is possible and fairly trivi
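The binary-patch argument above is concrete enough to show in code. The following is an added worked example written for this review, not code from the original post or from Errata Security. It assumes a constructed, flat x86-64 code image in which file offset equals load address, and the sample bytes (IMAGE, the hook site at offset 4, and the FIXUP check on rsi) are made up for illustration. The patch appends a "code cave" holding the new input check, overwrites the vulnerable site with a 5-byte jmp rel32 into the cave, runs the displaced original instructions there, and jumps back, exactly the "add code at the end, replace the vulnerable spot with a jump" recipe.

```python
"""Added worked example: patching a flat x86-64 image with a code cave.

Not code from the original post. Assumptions of this constructed example:
flat image where file offset == load address, little-endian x86-64 encodings,
and the bytes displaced at the hook site are position independent (no
RIP-relative operands, no relative branches), so they can run from the cave.
"""
import struct

JMP_REL32 = 0xE9   # x86 opcode for jmp rel32; the whole instruction is 5 bytes
NOP = 0x90         # single-byte nop used to pad the displaced bytes
UD2 = b"\x0f\x0b"  # undefined instruction: traps, used here to fail closed


def rel32(src: int, dst: int) -> bytes:
    """Displacement for a 5-byte jmp at src that must land on dst.

    The CPU adds rel32 to the address of the *next* instruction (src + 5)."""
    return struct.pack("<i", dst - (src + 5))


def jmp_to(src: int, dst: int) -> bytes:
    """Encode `jmp dst` for a jump placed at offset src."""
    return bytes([JMP_REL32]) + rel32(src, dst)


def jmp_target(image: bytes, off: int) -> int:
    """Decode the target of the jmp rel32 at off (used to check the patch)."""
    if image[off] != JMP_REL32:
        raise ValueError(f"no jmp rel32 at offset {off:#x}")
    (disp,) = struct.unpack("<i", image[off + 1:off + 5])
    return off + 5 + disp


def patch_with_cave(image: bytes, hook_off: int, stolen_len: int, fixup: bytes) -> bytes:
    """Run `fixup` before the instruction(s) at hook_off, touching nothing else.

    Layout after patching:
        hook_off:      jmp cave ; nop padding      (overwrites stolen_len bytes)
        end of image:  fixup ; stolen bytes ; jmp (hook_off + stolen_len)

    stolen_len must be >= 5 and end on an instruction boundary; in a real
    binary a disassembler tells you that, here it is known by construction.
    """
    if stolen_len < 5:
        raise ValueError("need at least 5 bytes at the hook site for a jmp rel32")
    if hook_off < 0 or hook_off + stolen_len > len(image):
        raise ValueError("hook site outside image")

    cave_off = len(image)                    # the cave is appended, so it starts here
    stolen = image[hook_off:hook_off + stolen_len]
    back_jmp_off = cave_off + len(fixup) + len(stolen)
    resume_off = hook_off + stolen_len       # first original byte after the hook
    cave = fixup + stolen + jmp_to(back_jmp_off, resume_off)

    patched = bytearray(image)
    patched[hook_off:hook_off + stolen_len] = (
        jmp_to(hook_off, cave_off) + bytes([NOP]) * (stolen_len - 5)
    )
    return bytes(patched) + cave


# Constructed sample image (not a real program): a prologue whose body trusts
# the length passed in rsi. The displaced bytes are position independent:
#   48 83 ec 20   sub rsp, 0x20
#   48 89 fb      mov rbx, rdi
IMAGE = (
    b"\x55"                       # push rbp
    b"\x48\x89\xe5"               # mov rbp, rsp
    b"\x48\x83\xec\x20"           # sub rsp, 0x20   <- hook site, offset 4
    b"\x48\x89\xfb"               # mov rbx, rdi
    b"\x90\x90\xc3"               # (body elided) ; ret
)
HOOK_OFF = 4
STOLEN_LEN = 7

# The fix (hypothetical): refuse inputs longer than 0x100 bytes before the
# original code runs.
#   48 81 fe 00 01 00 00   cmp rsi, 0x100
#   76 02                  jbe +2   (skip the trap when the length is fine)
#   0f 0b                  ud2      (trap: fail closed on oversized input)
FIXUP = b"\x48\x81\xfe\x00\x01\x00\x00" + b"\x76\x02" + UD2


def demo() -> bytes:
    """Apply the patch to the sample image and verify the jump chain."""
    patched = patch_with_cave(IMAGE, HOOK_OFF, STOLEN_LEN, FIXUP)
    cave_off = len(IMAGE)
    assert jmp_target(patched, HOOK_OFF) == cave_off
    back_jmp_off = cave_off + len(FIXUP) + STOLEN_LEN
    assert jmp_target(patched, back_jmp_off) == HOOK_OFF + STOLEN_LEN
    return patched


if __name__ == "__main__":
    out = demo()
    print("original:", IMAGE.hex(" "))
    print("patched: ", out.hex(" "))
```

The caveats a practitioner hits on a real binary are the ones the example sidesteps by construction: the hook must start on an instruction boundary and cover at least five bytes, any displaced instruction with a RIP-relative operand or a relative branch must be re-encoded for its new address, and in a PE or ELF file the cave has to land in executable memory (section slack or a new section), after which any code-signing or integrity check on the file will of course fail.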