[kictanet] U.S.: Stop using Internet Explorer until security holes are fixed
Rad!
conradakunga at gmail.com
Wed Apr 30 10:59:00 EAT 2014
@Walubengo mwalimu, here is a postulate that you can give your students to
research.
*Given enough time, any software discussion eventually degenerates into
an open source vs closed source argument*
On Wed, Apr 30, 2014 at 8:42 AM, Walubengo J via kictanet <
kictanet at lists.kictanet.or.ke> wrote:
> Well said Ngigi,
>
> Being a supporter of Open-Source (eg Linux) does not mean you cannot use
> Closed-Source (e.g. Microsoft). As an academic, I actually use and teach
> both :-) However, the Open-source products tend to give students more
> freedom to "hack" in the sense that they can drill deeper into the software
> constructs/code - and hence be in a better position to create new
> knowledge/customized solutions.
>
> Put bluntly, one approach gives you a constant supply of "fish" while the
> other teaches you how to fish. In life, you probably need both, but it is
> always better to be able to fish since one day, the fish supplier may not
> show up :-)
>
> walu.
>
> --------------------------------------------
> On Wed, 4/30/14, Ngigi Waithaka via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
> Subject: Re: [kictanet] U.S.: Stop using Internet Explorer until security
> holes are fixed
> To: jwalu at yahoo.com
> Cc: "KICTAnet ICT Policy Discussions" <kictanet at lists.kictanet.or.ke>
> Date: Wednesday, April 30, 2014, 12:26 AM
>
> Mark, Dennis,
>
> Seems that I am answering to like minded listers here so I might as well
> combine my answer on this.
>
> I haven't said or even implied that open source is the answer to all ills,
> but IMO, it helps a lot in terms of code audit. Trying to audit software
> without access to source code is akin to an account audit without source
> documents.
>
> In fact, auditing without source documents is what we normally call forensic
> audit. You can finally get at the truth, but everything will be that much
> harder.
>
> Secondly, open source is not a Religion! In technology and/or academia, you
> can be both 'Christian' and/or 'Muslim' at the same time. It doesn't mean
> because someone is a proponent of open source that he/she is anathema to
> using other technologies non open source technologies.
>
> Finally, how someone chooses to make a living, is a personal choice and I
> think we ought to respectfully refrain from commenting on such and discuss
> technology issues, which I believe is what this forum is for.
>
> Regards
>
> On Tue, Apr 29, 2014 at 10:14 PM, Mark Mwangi via kictanet <
> kictanet at lists.kictanet.or.ke> wrote:
>
> I also don't think open sourcing is the solution to all our ills. I mean
> it's nice if I can keep tabs on the source code of all my apps but it
> doesn't make it useful or effective. The US is the biggest spender of
> technology as far as we know and if there is anyone with the skill of
> resources to fully audit all the source code running their systems it's them.
>
> They are however routinely infiltrated by the Chinese or so they claim.
> China at some point managed to redirect most of the web's traffic through
> their servers.
>
> My point is having access to the source code doesn't guarantee it will be
> audited and if audited that the flaws will be found. Windows XP is still
> leaking with flaws 13 years on. I am sure if Ubuntu had the same install
> base it would be hemorrhaging as well.
>
> On Tue, Apr 29, 2014 at 9:31 PM, Dennis Kioko via kictanet
> <kictanet at lists.kictanet.or.ke> wrote:
>
> The second point means that people still rely on a number of closed source
> applications even on open source systems. Google Chrome is a closed source
> distribution based on the Chromium Open source app, same way Android is
> based on the Android Open Source Project (which excludes the apps you mostly
> use).
>
> I have also seen a number of advisories for open source users to verify the
> authenticity of their installations after the Russians and others started
> inserting compromised open source packages in distributions. I doubt many
> verify what they download.
>
> Then, those who use open source solutions here, do you distribute open
> source solutions to your customers too ie, if you wrote an app with an open
> source language, do you supply it alongside source code.
>
> Again, if people want anything from your computers, they will probably get
> it, especially if you are online, see a related discussion here
> http://www.quora.com/Anonymity/What-are-the-best-ways-to-leak-information-anonymously-on-the-Internet-today
>
> Lastly, someone politely pointed me to Mr. Ikua's LinkedIn profile which
> indicates he is a consultant in the implementation of closed sourced
> solutions for the government of Kenya. As taxpayers, should we be worried,
> Mr. Ikua?
>
> Conclusion. Any software you use largely faces the same issues. In 2014, the
> Open source versus Closed Source debate shouldn't be based on Fear,
> Uncertainty and Doubt.
>
> On Tuesday, 29 April 2014, Ngigi Waithaka <ngigi at at.co.ke> wrote:
>
> On Tue, Apr 29, 2014 at 8:09 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:
>
> What stops the NSA from hiring independent devs to contribute to open source
> code?
>
> No one, they could hire any developer to contribute to open source code,
> same way no one would stop NSA from hiring a developer to go work at
> Microsoft. At least if they hire someone to work on open source code, I
> could always review their work if I deemed it necessary.
>
> But then again, why hire the individual developer, when you can pay off the
> whole company to put in back doors for you?
>
> Does open source run in a vacuum? No. We still download closed sourced
> Chrome, Flash, Java etc to run on our open source installations. Do these
> have backdoors?
>
> I don't get the point of this apart maybe from mentioning that Chrome & Java
> are open source...
>
> How many people actually take the time to go through open source code
> looking for bugs and backdoors?
>
> Well, how many engineers does Google, Facebook, Twitter, Yahoo, WhatsApp
> have? Most of these firms ran on open source stacks and are leading
> contributors to open source technologies. Put IBM, Oracle and recently
> Microsoft that has started to release open source code to that list as well.
>
> On Tue, Apr 29, 2014 at 16:52 PM, Ngigi Waithaka via kictanet
> <kictanet at lists.kictanet.or.ke> wrote:
>
> Mark,
>
> What open source gives you is the freedom and choice to check for yourself
> whether the code is secure or not. While it is not a guarantee, at least it
> puts the onus on you.
>
> If we are to discuss security & NSA there are very many commercial
> cryptography applications that have long been suspected of having backdoors
> that would be of use to certain governments. Last I checked NSA pays an
> annual retainer running into hundreds of millions to ensure commercial
> vendors introduce backdoors they can use. On top of that, remember when US
> firms couldn't export cryptography that used more than 1024 bits?
>
> The problem with closed source, you have no liberty to check for yourself.
> You just hope!
>
> Back to OpenSSL; yes it had a serious bug for long, and I am sure not the
> last one, but if you look at how the HeartBleed bug came to be discovered
> and fixed, it was the openness that made this possible.
>
> Coming closer home, and regarding our recently implemented PKI
> Infrastructure by Koreans, how many would bet we have similar bugs in that
> implementation? How many would bet that no security audit was done based on
> the sources and that there is no guarantee of a backdoor in the system?
>
> Again, we can only hope!
>
> Regards
>
> On Tue, Apr 29, 2014 at 4:21 PM, Mark Mwangi via kictanet
> <kictanet at lists.kictanet.or.ke> wrote:
>
> Again as Dennis said, there are loopholes even in open source software
> and so that argument is moot. If governments such as the Canadian one
> with practically unlimited resources couldn't find the holes then what
> good is making the code open source?
>
> Open sourcing doesn't make the code more secure by virtue of the action.
>
> On Tue, Apr 29, 2014 at 3:49 PM, Evans Ikua via kictanet
> <kictanet at lists.kictanet.or.ke> wrote:
> > That's not the issue. There is no software that is absolutely secure, open or
> > closed source. The issue is being able to get into the code and find out if
> > there are backdoors where someone else is snooping on your systems and data,
> > especially if you are a Government.
> >
> >
> > On Tue, Apr 29, 2014 at 3:20 PM, Dennis Kioko <dmbuvi at gmail.com> wrote:
> >>
> >> But Mr. Ikua,
> >> The equally open source software known as OpenSSL had a glaring hole for
> >> years, which some suspect the US government might have known about too.
> >>
> >> For as long as we have had software, so have we had software bugs, be it
> >> open, closed or ajar :-)
> >>
> >>
> >> On Tuesday, 29 April 2014, Evans Ikua via kictanet
> >> <kictanet at lists.kictanet.or.ke> wrote:
> >>>
> >>> Well put Walu. This is the strategic dilemma of using closed source
> >>> proprietary software. I am sure the lessons that Russia learns from this
> >>> will inform other governments that you are only as free as the technology
> >>> that you use.
> >>>
> >>> Evans
> >>>
> >>>
> >>> On Mon, Apr 28, 2014 at 7:27 PM, Walubengo J via kictanet
> >>> <kictanet at lists.kictanet.or.ke> wrote:
> >>>>
> >>>> ####snip#####
> >>>>
> >>>> The United States Computer Emergency Readiness Team, a part of Homeland
> >>>> Security known as US-CERT, said in an advisory released on Monday morning
> >>>> that the vulnerability in versions 6 to 11 of Internet Explorer could lead
> >>>> to "the complete compromise" of an affected system.
> >>>>
> >>>> read more
> >>>>
> >>>> http://www.chicagotribune.com/business/technology/chi-microsoft-explorer-security-flaws-20140428,0,4797833.story
> >>>>
> >>>> ########snip#####
> >>>>
> >>>> Funny - I keep feeling that the US Gov KNEW about this hole for many
>
> --
> Regards,
>
> Waithaka Ngigi
> Chief Executive Officer | Alliance Technologies | MCK Nairobi Synod Building
> T + 254 (0) 20 2333 471 | Office Mobile: +254 786 28 28 28 | M + 254 737 811 000
> www.at.co.ke
>
> --
> with Regards:
> blog.denniskioko.com
>
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
>
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/mwangy%40gmail.com
>
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
> for people and institutions interested and involved in ICT policy and
> regulation. The network aims to act as a catalyst for reform in the ICT
> sector in support of the national aim of ICT enabled growth and development.
>
> KICTANetiquette : Adhere to the same standards of acceptable behaviors
> online that you follow in real life: respect people's times and bandwidth,
> share knowledge, don't flame or abuse or personalize, respect privacy, do
> not spam, do not market your wares or qualifications.
>
> --
> Regards,
>
> Mark Mwangi
>
> markmwangi.me.ke