Random Open Source conversations out of the public space

I helped write some articles and blog posts around Open Source this year. What follows is a compilation of the different conversations that happened behind the curtain.

Get to Know Each Other

Tell us about your background.

I’ve been working in IT for almost 25 years, mainly in development but also in other roles such as managing people or pre-sales. My relationship with Open Source has evolved over the years, but I’ve always been involved with different projects and communities. I also have solid experience in computer security; in fact, as a side activity, I teach Cryptography and Cybersecurity at the University.

What are you working on right now? What projects or clients are most exciting to you?

Currently I’m a Developer Evangelist at Hyland. My main goal is to provide the right tools, resources and experience for developers customizing and deploying our Open Source products, like Alfresco and Nuxeo. Bringing those Communities together and preparing this space for the new Hyland products that will be released next year is a huge challenge that takes most of my time these days. Designing a global strategy that aligns Community and Company goals is definitely the most exciting and challenging project I can think of.

Through the lens of your position, what are some trends you are seeing? How have these trends changed in the last few months and how do you anticipate they’ll evolve in 2022?

Although Cloud deployment and Cloud Native development may look like yesterday’s trends, both are still key factors transforming the current IT landscape. Companies are still moving from on-premise to Cloud, since being prepared for that move is not easy. As managed services consolidate the PaaS paradigm, consuming products and platforms as services is becoming the new normal, not only for individuals but also for the enterprise. With more and more companies living in the Cloud, improving interoperability, observability, scalability and security is crucial to building a healthy digital world.

What emerging technologies are you the most excited about? Both internally and across the technology landscape in general?

Blockchain and NFTs are still young and evolving fast. Both will be part of our immediate future if they manage to consolidate the existing use cases and discover new ways of adding value to digital services. In the mid term, we can expect the Metaverse offering to bring many people into a new 3D experience, not only for shopping or consuming but also for working or playing. Looking a few more years ahead, we can expect Quantum Computers and Quantum Cryptography to change the security standards and provide stronger, improved secure communications.

Can you talk us through what open source is and its benefits?

The real meaning of Open Source is Community. Building software (and even hardware) collaboratively has been around since the early days of computing. There is a classic African proverb that is commonly used to describe the difference between proprietary and open-source software: “If you want to go fast, go alone; if you want to go far, go together”.

Many Open Source products are supported not only by the Community but also by companies investing a lot of resources in them. The golden rule to keep in mind is that Open Source relies not only on freedom but also on openness. Using Open Source products is no different from using proprietary ones in terms of warranty and support, but they offer wider collaboration, integration and experimental features to every company.

Why do people prefer using open source software? What are its most common use cases?

From a regular user’s point of view, there is no deliberate decision to use Open Source. Even so, millions and millions of people use Android every day, customizing their devices and installing external applications built with Open Source technologies. Some of them do not move to proprietary platforms (like Apple’s) because they love being able to adapt the device configuration to their needs. This may be one of the reasons to stay with Open Source, even without noticing it.

Moving to the developer ecosystem, the main reason could be the ability to understand the software and to get support from others. Learning to code with a new product or framework may be a tough task, but identifying and solving runtime errors is frustrating when dealing with proprietary software. Reading the source code that produced the error, learning from other developers’ experiences and sharing your findings with the Community is a more natural approach to these stressful episodes.

Finally, a growing community of enthusiasts uses only Open Source software in their regular workflow. Although this step requires some knowledge and dedication, it is becoming easier to adopt every day.

What is the future for open source?

Open Source is the accepted model for cross-company collaboration. Even companies with a long proprietary development tradition, like Microsoft, are embracing this approach. This will lead to a more professional ecosystem, with large companies investing in and evolving Open Source software to support their product deployments. Open Source will still be the core technology supporting end-user services, but the gradual transition to PaaS will consolidate the Open Source integration and interoperability ecosystem that allows developers to build complex services by combining existing building blocks. Official and de facto standards will be especially relevant to ensure the success and longevity of the ecosystem.

Open source played a role in the Log4J threat – how could that be avoided in the future?

First, the bad news: hidden vulnerabilities are part of software, both proprietary and Open Source. Completely avoiding this kind of attack in the future is almost impossible. However, most companies use a number of security assurance tools in their development process, and delivering security patches is common practice in the industry. So we can be prepared to react quickly to new vulnerabilities, even though producing software without vulnerabilities is not a reachable goal.

By the way, do you remember the WannaCry ransomware that prevented some important companies from operating back in 2017? It spread by exploiting a vulnerability in the Windows OS (the SMBv1 flaw known as EternalBlue). Both proprietary and Open Source software contain vulnerabilities; the main difference is that many more people can help to quickly patch a vulnerability detected in Open Source software.

Are there other topics you feel passionate about speaking to?

Developer conferences (like FOSDEM, DockerCon, Hyland DevCon or JBCNConf) are the right place to get in touch with Open Source communities. I’d like to invite everyone to attend these events. And I encourage you not only to listen to the sessions but also to share your ideas, doubts and projects with others. You’ll get paid back, trust me!

Going further

Can you be more specific about how people’s view of open-sourced software may have been impacted because of log4j?

Every time a security incident happens, the industry tends to look for a culprit. In this case, since Apache Log4j is an Open Source project, the natural reaction is to distrust the Open Source model. In addition, since every software product is built from several building blocks (like Java libraries), it seems reasonable to argue that relying on Open Source projects is risky.

Although this is the naive view, there is no relevant difference between Open Source and proprietary building blocks when a zero-day vulnerability is disclosed. In both scenarios, the patching process involves updating vulnerability databases, releasing a new version of the component, and proactively promoting the upgrade to every user or product relying on it.

Bringing back an analogy from the past (2017), the WannaCry ransomware exploited a vulnerability in a Windows proprietary building block (SMBv1). Microsoft’s patching process followed the same steps described above; in fact, the fix (MS17-010) had been available for two months, and the victims were the systems that had not yet applied it.

You talked a lot about how Community is an important part of open-source. Can you talk about how the community played a part in the log4j incident?

The CVE-2021-44228 vulnerability (Log4Shell) was published on 10 December 2021. On the same day, more than 100 related Open Source projects were already available on GitHub, providing scanning, reporting and patching tools to help mitigate the incident. In addition to the official channels, supported by Apache and other organizations relying on Log4j, these resources contributed exploitation techniques, workarounds and documentation that greatly improved the Community’s ability to patch the problem.

This is a key advantage of using Open Source: not only the owner of the software is able to react quickly, but also a wide Community of experts studies the source code and shares its findings with others to improve the accuracy of the final solution.

Can you talk a little more about why open source might be more secure than people think? I know you talked about vulnerabilities existing everywhere, but we would like to add a few more points about why open source is secure, and correct misconceptions people may have about its security.

The main misconception about computer security is that security should rely on secrecy. However, a quick look at our recent history reveals this statement to be false.

RC4, a stream cipher, was designed in 1987 and kept as a trade secret. From then on, RC4 was widely adopted to provide confidentiality in Wi-Fi protocols (WEP and WPA’s TKIP) and browser-based communications (SSL and TLS). Nevertheless, the algorithm was leaked in 1994, and once it could be studied in the open its weaknesses piled up: the Fluhrer, Mantin and Shamir attack of 2001 exploited the key-scheduling weakness behind WEP, and WEP was definitively broken by 2003 (keys could be recovered from captured traffic, eventually in seconds). RC4 itself was finally prohibited in TLS in 2015 (RFC 7465).

Meanwhile, NIST (National Institute of Standards and Technology) needed a successor to the ageing DES, whose 56-bit key was no longer adequate. In 1997 the Institute announced a public competition to design an unclassified, publicly disclosed encryption algorithm. After three years of open analysis by industry and the cryptographic community, Rijndael was selected as the Advanced Encryption Standard (AES) in 2000 and published as FIPS 197 in 2001. AES is currently the most used encryption algorithm for almost every confidentiality requirement. At present, more than 20 years later, no known practical attack allows anyone to read data encrypted with AES; the breaks that do happen in practice come from how the cipher is used (weak modes, reused nonces, poor key management), not from the cipher itself.

Since then, the building blocks behind every principle of modern-day security (confidentiality, integrity, authentication and non-repudiation) have been open standards, very often with Open Source implementations.

When developers expose their code to the public, the product must be secure on its own merits. No hidden trap can be planted in the code to exploit it later, because everyone is able to identify and block those traps. The caveat is that this only works when people actually review the code: the Log4Shell bug itself sat in plain sight for years, so openness is an opportunity for scrutiny, not a substitute for it.
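The RC4 story above is easier to appreciate with one of the actual flaws that surfaced once the algorithm could be studied openly. The following Python script is an added example written for this post (not code from the original interview or from any RC4 vendor): it implements textbook RC4, checks it against the public "Key"/"Plaintext" test vector, and then measures the Mantin and Shamir bias of 2001, namely that the second keystream byte is 0 about twice as often as a uniform byte would be. The keys are generated from a seeded random generator, so the input is constructed and the run is reproducible.

```python
"""Mantin-Shamir bias in RC4: the second keystream byte is 0 about twice as
often as a uniform byte would be. Added example, not from the original post."""
import random


def rc4_keystream(key, length):
    """Textbook RC4: key-scheduling (KSA) followed by `length` PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: key-dependent permutation of 0..255
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: one output byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def zero_frequencies(trials=20000, key_len=16, seed=1, nbytes=4):
    """For `trials` random keys (seeded, so the run is reproducible), return the
    fraction of keystreams whose byte at each of the first `nbytes` positions is 0.
    A uniform byte would give 1/256 ~ 0.0039 everywhere; index 1 (the second
    keystream byte) comes out near 2/256, which is the Mantin-Shamir bias."""
    rng = random.Random(seed)
    zeros = [0] * nbytes
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))   # constructed random key
        for pos, b in enumerate(rc4_keystream(key, nbytes)):
            if b == 0:
                zeros[pos] += 1
    return [z / trials for z in zeros]


if __name__ == "__main__":
    # Known-answer check from the public RC4 test vectors: "Key" / "Plaintext".
    print(rc4_crypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    for pos, f in enumerate(zero_frequencies(), start=1):
        print(f"P(Z{pos} = 0) = {f:.5f}  (uniform would be {1 / 256:.5f})")
```

A bias of this size is enough to recover plaintext bytes when the same message is encrypted under many keys (the broadcast setting), which is exactly the kind of analysis a trade-secret algorithm never receives until it leaks. The standard mitigation of discarding the first few hundred keystream bytes was never applied by WEP or TLS.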

Third Round

Is there any information or expert analysis you can provide here to give some context about this attack? Had it not been caught and patched by the OSS community, what would have happened? Have there been any larger consequences or complications in the OSS community since?

Log4Shell was a zero-day vulnerability affecting a large number of Java applications worldwide, since this library is the de facto Java standard for logging. This article, by Nairuz Abulhul (Senior Security Analyst at Symantec), compiles pentesting techniques, mitigation controls and measures to prevent exploitation of the vulnerability.

Log4j, the affected library, is supported by the Apache Software Foundation. In 2021, this organization had more than 8,000 active contributors. This is comparable to a medium-to-large software development company, so in this case “Community” means a large number of individuals committed to helping when something like this arises. Hence, it’s hard to imagine this kind of vulnerability remaining unpatched for long.

The Apache Software Foundation reacted to this incident by encouraging downstream vendors to contribute to securing the open-source ecosystem: disclosing vulnerabilities, updating their products to use the latest versions of the libraries and helping to fix bugs.

Can you provide a short analysis/commentary on the conversations happening within the OSS community after this vulnerability? Are members more committed? Have they learned any lessons or are they making any changes? Additionally, are there any technical considerations that have changed because of this attack?

Jonathan Corbet, editor of the well-known LWN.net site, analyzes the impact of the vulnerability on the Community at https://lwn.net/Articles/878570/

Dependency management is a recurrent headache in software development, since upgrading to the latest version is not always technically possible. Some products are still using old versions that may include a number of known vulnerabilities and that are just as exposed to zero-day vulnerabilities. Adopting a continuous library-upgrade process, starting with an inventory of which versions are actually deployed, should be mandatory for companies that are still ignoring the risk of staying outdated.

Another problem is the lack of development and maintenance support for common libraries. However, this problem is not specific to free software; it happens in commercial software too. At least, when using Open Source, the problem can be fixed without support from the library’s creator.
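Both the scanning tools the Community published on the day Log4Shell was disclosed and the dependency-inventory problem described in this answer come down to one concrete check: which log4j-core versions are actually deployed, including the copies buried inside fat JARs and WARs. The following Python script is an added example written for this post (not an Apache tool nor one of the GitHub projects mentioned above). It walks a directory, opens every JAR/WAR/EAR, descends into nested archives, reads the log4j-core version from its Maven pom.properties and reports whether the copy falls in the affected range (2.0-beta9 to 2.14.1, except the backported fixes 2.3.1 and 2.12.2), is the partially fixed 2.15.0 (CVE-2021-45046), or has had JndiLookup.class removed as the documented mitigation. The sample archives it builds are constructed fixtures holding only the metadata and class path the check looks at, not real Log4j bytes.

```python
"""Find vulnerable log4j-core copies (Log4Shell) inside JAR/WAR/EAR files.
Added example for this post, not an Apache tool. Version ranges follow the
Apache Log4j security advisories for CVE-2021-44228 and CVE-2021-45046."""
import io
import os
import re
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
BACKPORTED_FIXES = {"2.3.1", "2.12.2"}       # Java 6 / Java 7 branches fixed for 44228
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags in release order


def parse_version(text):
    """Comparable tuple: '2.0-beta9' < '2.0-rc1' < '2.0' < '2.14.1'."""
    main, _, suffix = text.partition("-")
    nums = [int(n) for n in main.split(".")]
    nums += [0] * (3 - len(nums))
    if not suffix:
        return (*nums[:3], 9, 0)             # a final release sorts above any pre-release
    m = re.match(r"([a-z]+)(\d*)", suffix.lower())
    rank = PRE_RANK.get(m.group(1), 5) if m else 5
    num = int(m.group(2)) if m and m.group(2) else 0
    return (*nums[:3], rank, num)


def classify(version, has_jndi_class):
    """Verdict for one log4j-core artifact of the given version."""
    v = parse_version(version)
    if version in BACKPORTED_FIXES or v >= parse_version("2.16.0"):
        return "not affected by Log4Shell"
    if v == parse_version("2.15.0"):
        return "partially fixed: CVE-2021-45046, upgrade"
    if v < parse_version("2.0-beta9"):
        return "pre-2.0-beta9: no JNDI lookup, not affected by CVE-2021-44228"
    if has_jndi_class:                       # 2.0-beta9 .. 2.14.1 with the lookup class
        return "VULNERABLE: CVE-2021-44228"
    return "mitigated: JndiLookup.class removed, still upgrade"


def scan_archive(fileobj, name=""):
    """Yield (location, verdict) for each log4j-core found, descending into
    nested archives (fat JARs, WEB-INF/lib inside WARs)."""
    with zipfile.ZipFile(fileobj) as zf:
        names = set(zf.namelist())
        if POM in names:
            m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
            if m:
                version = m.group(1).strip()
                yield name, f"log4j-core {version}: {classify(version, JNDI_CLASS in names)}"
            else:
                yield name, "log4j-core with unreadable version: inspect manually"
        elif JNDI_CLASS in names:            # shaded copy without Maven metadata
            yield name, "JndiLookup.class present, version unknown: inspect manually"
        for member in sorted(names):
            if member.lower().endswith((".jar", ".war", ".ear")):
                yield from scan_archive(io.BytesIO(zf.read(member)), f"{name}!{member}")


def scan_tree(root):
    """Scan every archive under root; return {location: verdict}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".jar", ".war", ".ear", ".zip")):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            try:
                results.update(dict(scan_archive(path, rel)))
            except zipfile.BadZipFile:
                results[rel] = "not a valid zip archive"
    return results


def build_sample_jar(path, version, keep_jndi=True, wrap_in_war=False):
    """Constructed fixture: a minimal archive holding only the metadata the scan
    looks at (no real Log4j bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")    # class-file magic only
    data = buf.getvalue()
    if wrap_in_war:                          # the typical web-application layout
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", data)
        data = outer.getvalue()
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build constructed samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.14.1-stripped.jar"), "2.14.1", keep_jndi=False)
        build_sample_jar(os.path.join(tmp, "log4j-core-2.15.0.jar"), "2.15.0")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.12.2.jar"), "2.12.2")
        build_sample_jar(os.path.join(tmp, "log4j-core-2.17.1.jar"), "2.17.1")
        build_sample_jar(os.path.join(tmp, "app.war"), "2.0-rc1", wrap_in_war=True)
        return scan_tree(tmp)
```

Run `scan_tree("/opt/myapp")` against a real deployment to get the inventory; `demo()` exercises the verdicts on the constructed samples. The version parsing matters more than it looks: 2.0-rc1 and 2.0-rc2 are vulnerable releases that sort after 2.0-beta9, and 2.12.2 is numerically inside the affected range but is a fixed build, so a naive "greater than 2.14.1" check gets both wrong.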

Can we talk a little more specifically in here about the specific skills and education it takes to excel when using OSS? I know it may not differ much, but what is the ideal skillset of someone working with OSS? Where can they find additional resources if they want to learn more?

The only skill required to use OSS is curiosity. Since OSS provides all the resources required to customize or extend the product, every developer is able to start reading code and creating their own version. Almost every piece of commercial software has an Open Source counterpart providing equivalent features, so the possibilities for specialization are much the same as in the commercial marketplace. Additionally, there are thousands of Open Source Communities, but The Linux Foundation may be the right place to start understanding how Open Source is developed and used in the industry.

Would we be able to give a few more technical examples of this kind of partnership? Are there any large enterprises doing this right? For people reading this that may want to create cross-collaboration opportunities, what do they need to know?

As introduced before, The Linux Foundation is a reference for cross-collaboration between the industry and the Open Source Communities. Large companies support this organization to develop and maintain Open Source projects that are heavily used in the industry.

All these opinions are my own. They have no relationship with my current employers.

Published by angelborroy

Understanding software.
