[kictanet] U.S.: Stop using Internet Explorer until security holes are fixed

Dennis Kioko dmbuvi at gmail.com
Tue Apr 29 21:31:52 EAT 2014


The second point means that people still rely on a number of closed source
applications even on open source systems. Google Chrome is a closed source
distribution based on the Chromium Open source app, same way Android is
based on the Android Open Source Project (which excludes the apps you
mostly use).

I have also seen a number of advisories for open source users to verify the
authenticity of their installations after the Russians and others started
inserting compromised open source packages in distributions. I doubt many
verify what they download.

Then, those who use open source solutions here, do you distribute open
source solutions to your customers too, i.e., if you wrote an app with an open
source language, do you supply it alongside source code?

Again, if people want anything from your computers, they will probably get
it, especially if you are online, see a related discussion here
http://www.quora.com/Anonymity/What-are-the-best-ways-to-leak-information-anonymously-on-the-Internet-today


Lastly, someone politely pointed me to Mr. Ikua's LinkedIn profile which
indicates he is a consultant in the implementation of closed sourced
solutions for the government of Kenya. As taxpayers, should we be worried,
Mr. Ikua?

Conclusion. Any software you use largely faces the same issues. In 2014,
the Open source versus Closed Source debate shouldn't be based on Fear,
Uncertainty and Doubt.




On Tuesday, 29 April 2014, Ngigi Waithaka <ngigi at at.co.ke> wrote:

> On Tue, Apr 29, 2014 at 8:09 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:
>
>> What stops the NSA from hiring independent devs to contribute to open
>> source code?
>>
> No one, they could hire any developer to contribute to open source code,
> same way no one would stop NSA from hiring a developer to go work at
> Microsoft. At least if they hire someone to work on open source code, I
> could always review their work if I deemed it necessary.
> But then again, why hire the individual developer, when you can pay off
> the whole company to put in back doors for you?
>
>>
>> Does open source run in a vacuum? No. We still download closed sourced
>> Chrome, Flash, Java etc to run on our open source installations. Do these
>> have backdoors?
>>
> I don't get the point of this apart maybe from mentioning that Chrome &
> Java are open source...
>
>>
>> How many people actually take the time to go through open source code
>> looking for bugs and backdoors?
>>
> Well, how many engineers does Google, Facebook, Twitter, Yahoo, WhatsApp
> have? Most of these firms ran on open source stacks and are leading
> contributors to open source technologies. Put IBM, Oracle and recently
> Microsoft that has started to release open source code to that list as well.
>
>
>
> On Tue, Apr 29, 2014 at 16:52 PM, Ngigi Waithaka via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
> Mark,
>
> What open source gives you is the freedom and choice to check for yourself
> whether the code is secure or not. While it is not a guarantee, at least it
> puts the onus on you.
>
>
> If we are to discuss security & NSA there are very many commercial
> cryptography applications that have long been suspected of having backdoors
> that would be of use to certain governments. Last I checked NSA pays an
> annual retainer running into hundreds of millions to ensure commercial
> vendors introduce backdoors they can use. On top of that, remember when US
> firms couldn't export cryptography that used more than 1024 bits?
>
>
> The problem with closed source, you have no liberty to check for yourself.
> You just hope!
>
> Back to OpenSSL; yes it had a serious bug for long, and I am sure not the
> last one, but if you look at how the HeartBleed bug came to be discovered
> and fixed, it was the openness that made this possible.
>
>
> Coming closer home, and regarding our recently implemented PKI
> Infrastructure by Koreans, how many would bet we have similar bugs in that
> implementation? How many would bet that no security audit was done based on
> the sources and that there is no guarantee of a backdoor in the system?
>
>
> Again, we can only hope!
>
> Regards
>
>
> On Tue, Apr 29, 2014 at 4:21 PM, Mark Mwangi via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
> Again as Dennis said, there are loopholes even in open source software
> and so that argument is moot. If governments such as the Canadian one
> with practically unlimited resources couldn't find the holes then what
> good is making the code open source?
>
> Open sourcing doesn't make the code more secure by virtue of the action.
>
> On Tue, Apr 29, 2014 at 3:49 PM, Evans Ikua via kictanet
> <kictanet at lists.kictanet.or.ke> wrote:
> > That's not the issue. There is no software that is absolutely secure, open or
> > closed source. The issue is being able to get into the code and find out if
> > there are backdoors where someone else is snooping on your systems and data,
> > especially if you are a Government.
> >
> >
> > On Tue, Apr 29, 2014 at 3:20 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:
> >>
> >> But Mr. Ikua,
> >> The equally open source software known as OpenSSL had a glaring hole for
> >> years, which some suspect the US government might have known about too.
> >>
> >> For as long as we have had software, so have we had software bugs, be it
> >> open, closed or ajar :-)
> >>
> >>
> >> On Tuesday, 29 April 2014, Evans Ikua via kictanet
> >> <kictanet at lists.kictanet.or.ke> wrote:
> >>>
> >>> Well put Walu. This is the strategic dilemma of using closed source
> >>> proprietary software. I am sure the lessons that Russia learns from this
> >>> will inform other governments that you are only as free as the technology
> >>> that you use.
> >>>
> >>> Evans
> >>>
> >>>
> >>> On Mon, Apr 28, 2014 at 7:27 PM, Walubengo J via kictanet
> >>> <kictanet at lists.kictanet.or.ke> wrote:
> >>>>
> >>>> ####snip#####
> >>>>
> >>>> The United States Computer Emergency Readiness Team, a part of Homeland
> >>>> Security known as US-CERT, said in an advisory released on Monday morning
> >>>> that the vulnerability in versions 6 to 11 of Internet Explorer could lead
> >>>> to "the complete compromise" of an affected system.
> >>>>
> >>>> read more
> >>>>
> >>>>
> >>>> http://www.chicagotribune.com/business/technology/chi-microsoft-explorer-security-flaws-20140428,0,4797833.story
> >>>>
> >>>> ########snip#####
> >>>>
> >>>> Funny - I keep feeling that the US Gov KNEW about this hole for many
>
>
>
>
> --
> *Regards,*
>
> *Waithaka Ngigi*
> Chief Executive Officer | Alliance Technologies | MCK Nairobi Synod Building
> T + 254 (0) 20 2333 471 | Office Mobile: +254 786 28 28 28 | M + 254 737 811 000
> www.at.co.ke
>
>
>

-- 
with Regards:

blog.denniskioko.com <http://www.denniskioko.com/>