Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,474
17,815


Apple will be among several U.S. tech giants to attend a meeting at the White House today to discuss cybersecurity and possible security threats posed by open-source software, Reuters reports.

apple-logo-us-flag-smooth.jpg

The meeting will be held by U.S. National Security Advisor Jake Sullivan and will focus on "concerns around the security of open-source software and how it can be improved." The meeting was prompted by concerns around a security vulnerability found in open-source software Log4j.

The vulnerability, which posed a threat to organizations that use Log4j around the world, allowed hackers to control a system and remotely execute malicious code.

According to Sullivan, open-source software such as Log4j presents a "key national security concern" as it is often used and maintained by volunteers. Google, IBM, Meta, Microsoft, and Oracle are also expected to attend the meeting.

Article Link: Apple to Attend White House Meeting to Discuss Security Risks of Open-Source Software
 
Last edited:

bbeagle

macrumors 68040
Oct 19, 2010
3,460
2,809
Buffalo, NY
I'm waiting for all the rabbid open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look at. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
 
Last edited:

Kuckuckstein

macrumors regular
Mar 10, 2020
114
227
The entire Linux community is open source, and yet this is a much more secure platform than Windows has been. And Mac OS and their browsers have heavily benefited from the give and take between Unix and Linux (macOS building on a Unix rather than Linux kernel )

I am almost certain that there have been more security faults in proprietary systems than well maintained open source projects, because the drive behind open source is a more idealistic than the industries “quick to market / milk them all”

With that being said, especially when it comes to web development and the package repositories I see there, I am more doubtful and careful with using and relying on them. I feel it often moves too fast and the community has a different background than e.g. hardcore Linux developers.
 
Last edited:

Tres

macrumors regular
Oct 8, 2007
180
121
I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
Not a rabid open sores fan at all (except back in my teenage years when I went through a rebellious Linux phase ugh), but obscurity does not imply security.
 

Kuckuckstein

macrumors regular
Mar 10, 2020
114
227
I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
Agree - to me the fact that it is open for digging around has always been my main concern.

Yet you don’t see an equivalent count of threats. It seems that the work done by the community is very solid and that even though all is in plain sight it is difficult to exploit in running systems.

There are pros and cons to both, but I hope that this discussion will not result in some handcuffs from the industry on the open source community.
 

azentropy

macrumors 68040
Jul 19, 2002
3,011
2,701
Surprise
I'm waiting for all the rabbit open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. open-source CAN be safer, it can also be less safe. In open-source, the exact code is out there for anyone to look. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also less people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
Yep. Unfortunately there is more money to be made exploiting Open Source security flaws/bugs then there is fixing them. Maybe that is something that will be discussed, having these larger companies offer better bounties for finding and reporting bugs.
 

ian87w

macrumors 603
Feb 22, 2020
5,079
7,164
Indonesia
Ah, US government cherry picking things to "discuss" security threat of open source. Because they "know" better. :D

I think the US government should focus on telling their own politicians like AOC to wear masks. They don't seem to even understand what they were spitting from their own mouth.
 

jdb8167

macrumors 68030
Nov 17, 2008
2,666
2,009
The biggest problem with the Log4J debacle is that the logging library is used indiscriminately in other libraries—both open-source and proprietary. Anyone who is developing new software should be using SLF4J and java.util.logging but that doesn’t help much if a library still uses Log4J either because it is old or just from inertia in the project.

It’s a huge problem in this specific case. There aren’t that many ubiquitous libraries used like Log4J which the original version is over 20 years old. It’ll be interesting to see what comes from this discussion.
 

threesixty360

macrumors 6502
May 2, 2007
490
856
Maybe there could be a public body that ratifies many of the most popular core libraries. Some kind of governmental agency or non profit company. The issue is more that there are a certain amount of core libs that everyone has in their builds. I think now its the Wild West because its no one person/ orgs job to check any of these libs or certify them.

I suppose a bit like an https cert or something. If your build has a lib that hasn't been validated by this body it will throw up an alert. Use it at your own risk.

We are leaving for too many core components to be looked after by people for free with no incentive to make sure everything is ok.
 

jdb8167

macrumors 68030
Nov 17, 2008
2,666
2,009
The issue is more that there are a certain amount of core libs that everyone has in their builds. I think now its the Wild West because its no one person/ orgs job to check any of these libs or certify them.

We are leaving for too many core components to be looked after by people for free with no incentive to make sure everything is ok.
There is always an XKCD cartoon…

Dependency

1642081939440.png
 

killawat

macrumors 65816
Sep 11, 2014
1,491
2,380
Security Theater. The obvious answer is to fund OSS. Scores of backend technology powering MacRumors, Google, Amazon and yes even Apple are powered by the efforts of unpaid, overworked volunteers. Billions of dollars in revenue.
The only time an open source project is "adopted" is when a particular corporation wants to exert influence over the direction of the product, but most OSS never sees a dime. Enough is enough. Fund open source efforts right on the GitHub.

Why didn't OSS get this type of "attention" after the Equifax hack (apache struts)? Why focus on Log4j.
 

jdb8167

macrumors 68030
Nov 17, 2008
2,666
2,009
Why didn't OSS get this type of "attention" after the Equifax hack (apache struts)? Why focus on Log4j.
Struts is very similar to the problem with Log4J. No one who knows what they doing would start a project today or even in the last 10 years with Struts but there is so much legacy crap still in use that no one maintains that a major security flaw will get exploited even if a mitigation had been available for years.
 

huge_apple_fangirl

macrumors 6502
Aug 1, 2019
368
684
Security Theater. The obvious answer is to fund OSS. Scores of backend technology powering MacRumors, Google, Amazon and yes even Apple are powered by the efforts of unpaid, overworked volunteers. Billions of dollars in revenue.
A lot of the work on open source software is actually done by paid engineers at tech companies.
 

killawat

macrumors 65816
Sep 11, 2014
1,491
2,380
Some kind of governmental agency or non profit company. The issue is more that there are a certain amount of core libs that everyone has in their builds.
Funny that you mention that. OSS builds get more scrutiny in the government sector than many closed source builds because. OSS is scanned using off the shelf apps that scan for vulnerabilities. Closed source apps can also be scanned but in many cases, the vendors will simply refuse to have their code (their intellectual property) to be scanned. This particular Log4j vuln was found due to the efforts of Alibaba Cloud Security.

Regardless there are hundreds of these types of libs that you describe. Where does it end? Is it only for backend or does it extend to front end? No one, certainly the government has the capability to ensure the security of the literally hundreds of packages that make up a common stack.
 
  • Like
Reactions: CarlJ and kc9hzn
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.