[kictanet] U.S.: Stop using Internet Explorer until security holes are fixed

Walubengo J jwalu at yahoo.com
Wed Apr 30 08:42:58 EAT 2014


Well said Ngigi,

Being a supporter of Open-Source (e.g. Linux) does not mean you cannot use Closed-Source (e.g. Microsoft). As an academic, I actually use and teach both :-) However, the Open-source products tend to give students more freedom to "hack" in the sense that they can drill deeper into the software constructs/code - and hence be in a better position to create new knowledge/customized solutions.

Put bluntly, one approach gives you a constant supply of "fish" while the other teaches you how to fish. In life, you probably need both, but it is always better to be able to fish since one day, the fish supplier may not show up :-)

walu. 

--------------------------------------------
On Wed, 4/30/14, Ngigi Waithaka via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 Subject: Re: [kictanet] U.S.: Stop using Internet Explorer until security holes are fixed
 To: jwalu at yahoo.com
 Cc: "KICTAnet ICT Policy Discussions" <kictanet at lists.kictanet.or.ke>
 Date: Wednesday, April 30, 2014, 12:26 AM
 
 Mark, Dennis,

 Seems that I am answering to like minded listers here so I might as well combine my answer on this.

 I haven't said or even implied that open source is the answer to all ills, but IMO, it helps a lot in terms of code audit. Trying to audit software without access to source code is akin to an account audit without source documents.

 In fact, auditing without source documents is what we normally call forensic audit. You can finally get at the truth, but everything will be that much harder.

 Secondly, open source is not a Religion! In technology and/or academia, you can be both 'Christian' and/or 'Muslim' at the same time. It doesn't mean because someone is a proponent of open source that he/she is anathema to using other, non open source technologies.

 Finally, how someone chooses to make a living, is a personal choice and I think we ought to respectfully refrain from commenting on such and discuss technology issues, which I believe is what this forum is for.

 Regards

 On Tue, Apr 29, 2014 at 10:14 PM, Mark Mwangi via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 I also don't think open sourcing is the solution to all our ills. I mean it's nice if I can keep tabs on the source code of all my apps but it doesn't make it useful or effective. The US is the biggest spender of technology as far as we know and if there is anyone with the skill of resources to fully audit all the source code running their systems it's them.

 They are however routinely infiltrated by the Chinese or so they claim. China at some point managed to redirect most of the web's traffic through their servers.

 My point is having access to the source code doesn't guarantee it will be audited and if audited that the flaws will be found. Windows XP is still leaking with flaws 13 years on. I am sure if Ubuntu had the same install base it would be hemorrhaging as well.

 On Tue, Apr 29, 2014 at 9:31 PM, Dennis Kioko via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 The second point means that people still rely on a number of closed source applications even on open source systems. Google Chrome is a closed source distribution based on the Chromium Open source app, same way Android is based on the Android Open Source Project (which excludes the apps you mostly use).

 I have also seen a number of advisories for open source users to verify the authenticity of their installations after the Russians and others started inserting compromised open source packages in distributions. I doubt many verify what they download.

 Then, those who use open source solutions here, do you distribute open source solutions to your customers too ie, if you wrote an app with an open source language, do you supply it alongside source code.

 Again, if people want anything from your computers, they will probably get it, especially if you are online, see a related discussion here http://www.quora.com/Anonymity/What-are-the-best-ways-to-leak-information-anonymously-on-the-Internet-today

 Lastly, someone politely pointed me to Mr. Ikua's LinkedIn profile which indicates he is a consultant in the implementation of closed sourced solutions for the government of Kenya. As taxpayers, should we be worried, Mr. Ikua?

 Conclusion. Any software you use largely faces the same issues. In 2014, the Open source versus Closed Source debate shouldn't be based on Fear, Uncertainty and Doubt.

 On Tuesday, 29 April 2014, Ngigi Waithaka <ngigi at at.co.ke> wrote:

 On Tue, Apr 29, 2014 at 8:09 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:

 What stops the NSA from hiring independent devs to contribute to open source code?

 No one, they could hire any developer to contribute to open source code, same way no one would stop NSA from hiring a developer to go work at Microsoft. At least if they hire someone to work on open source code, I could always review their work if I deemed it necessary.

 But then again, why hire the individual developer, when you can pay off the whole company to put in back doors for you?

 Does open source run in a vacuum? No. We still download closed sourced Chrome, Flash, Java etc to run on our open source installations. Do these have backdoors?

 I don't get the point of this apart maybe from mentioning that Chrome & Java are open source...

 How many people actually take the time to go through open source code looking for bugs and backdoors?

 Well, how many engineers does Google, Facebook, Twitter, Yahoo, WhatsApp have? Most of these firms ran on open source stacks and are leading contributors to open source technologies. Put IBM, Oracle and recently Microsoft that has started to release open source code to that list as well.

 On Tue, Apr 29, 2014 at 16:52 PM, Ngigi Waithaka via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 Mark,

 What open source gives you is the freedom and choice to check for yourself whether the code is secure or not. While it is not a guarantee, at least it puts the onus on you.

 If we are to discuss security & NSA there are very many commercial cryptography applications that have long been suspected of having backdoors that would be of use to certain governments. Last I checked NSA pays an annual retainer running into hundreds of millions to ensure commercial vendors introduce backdoors they can use. On top of that, remember when US firms couldn't export cryptography that used more than 1024 bits?

 The problem with closed source, you have no liberty to check for yourself. You just hope!

 Back to OpenSSL; yes it had a serious bug for long, and I am sure not the last one, but if you look at how the HeartBleed bug came to be discovered and fixed, it was the openness that made this possible.

 Coming closer home, and regarding our recently implemented PKI Infrastructure by Koreans, how many would bet we have similar bugs in that implementation? How many would bet that no security audit was done based on the sources and that there is no guarantee of a backdoor in the system?

 Again, we can only hope!

 Regards

 On Tue, Apr 29, 2014 at 4:21 PM, Mark Mwangi via kictanet <kictanet at lists.kictanet.or.ke> wrote:

 Again as Dennis said, there are loopholes even in open source software and so that argument is moot. If governments such as the Canadian one with practically unlimited resources couldn't find the holes then what good is making the code open source?

 Open sourcing doesn't make the code more secure by virtue of the action.

 On Tue, Apr 29, 2014 at 3:49 PM, Evans Ikua via kictanet <kictanet at lists.kictanet.or.ke> wrote:
 > That's not the issue. There is no software that is absolutely secure, open or
 > closed source. The issue is being able to get into the code and find out if
 > there are backdoors where someone else is snooping on your systems and data,
 > especially if you are a Government.
 >
 >
 > On Tue, Apr 29, 2014 at 3:20 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:
 >>
 >> But Mr. Ikua,
 >> The equally open source software known as OpenSSL had a glaring hole for
 >> years, which some suspect the US government might have known about too.
 >>
 >> For as long as we have had software, so have we had software bugs, be it
 >> open, closed or ajar :-)
 >>
 >>
 >> On Tuesday, 29 April 2014, Evans Ikua via kictanet
 >> <kictanet at lists.kictanet.or.ke> wrote:
 >>>
 >>> Well put Walu. This is the strategic dilemma of using closed source
 >>> proprietary software. I am sure the lessons that Russia learns from this
 >>> will inform other governments that you are only as free as the technology
 >>> that you use.
 >>>
 >>> Evans
 >>>
 >>>
 >>> On Mon, Apr 28, 2014 at 7:27 PM, Walubengo J via kictanet
 >>> <kictanet at lists.kictanet.or.ke> wrote:
 >>>>
 >>>> ####snip#####
 >>>>
 >>>> The United States Computer Emergency Readiness Team, a part of Homeland
 >>>> Security known as US-CERT, said in an advisory released on Monday morning
 >>>> that the vulnerability in versions 6 to 11 of Internet Explorer could lead
 >>>> to "the complete compromise" of an affected system.
 >>>>
 >>>> read more
 >>>>
 >>>> http://www.chicagotribune.com/business/technology/chi-microsoft-explorer-security-flaws-20140428,0,4797833.story
 >>>>
 >>>> ########snip#####
 >>>>
 >>>> Funny - I keep feeling that the US Gov KNEW about this hole for many

 -- 
 Regards,

 Waithaka Ngigi
 Chief Executive Officer | Alliance Technologies | MCK Nairobi Synod Building
 T + 254 (0) 20 2333 471 | Office Mobile: +254 786 28 28 28 | M + 254 737 811 000
 www.at.co.ke

 -- 
 with Regards:
 blog.denniskioko.com
 
 
 
 
 
 _______________________________________________
 
 kictanet mailing list
 
 kictanet at lists.kictanet.or.ke
 
 https://lists.kictanet.or.ke/mailman/listinfo/kictanet
 
 
 
 Unsubscribe or change your options at https://lists.kictanet.or.ke/mailman/options/kictanet/mwangy%40gmail.com
 
 
 
 
 
 The Kenya ICT Action Network (KICTANet) is a
 multi-stakeholder platform for people and institutions
 interested and involved in ICT policy and regulation. The
 network aims to act as a catalyst for reform in the ICT
 sector in support of the national aim of ICT enabled growth
 and development.
 
 
 
 
 
 
 
 KICTANetiquette : Adhere to the same standards of acceptable
 behaviors online that you follow in real life: respect
 people's times and bandwidth, share knowledge, don't
 flame or abuse or personalize, respect privacy, do not spam,
 do not market your wares or qualifications.
 
 
 
 
 
 
 
 -- 
 Regards,
 
 Mark
 Mwangi
 
 markmwangi.me.ke
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



