
SoylentNews is people

posted by Fnord666 on Thursday August 08 2019, @10:01PM   Printer-friendly
from the many-eyes dept.

Networking equipment is one of the last bastions of technology where opaque, proprietary, closed-source hardware continues to thrive. This opacity—combined with networking equipment functioning as the backbone of enterprise computing—creates a fertile breeding ground for fear, uncertainty, and doubt to proliferate. As a result of this, Huawei has spent nearly a decade embattled by accusations of spying for the Chinese government, and since May, a blacklisting.

[...] There's an aphorism named "Linus's Law" which states "Given enough eyeballs, all bugs are shallow." This plausibly applies to Huawei's circumstances: Publishing the full source code to Huawei products is a simplistic—and maximalist—way of dealing with security vulnerabilities and undercutting the accusations of spying that have plagued Huawei for years.

Opening Huawei products to third-party scrutiny would—at a minimum—surface situations where third-party open-source libraries are not being properly updated, if not allow security researchers the ability to identify vulnerabilities in Huawei-developed code. Such an initiative could also be used to create a shared build platform, making security updates easier to deploy across different device models.

https://www.techrepublic.com/article/huawei-doesnt-see-open-source-as-the-fix-for-spying-accusations-but-they-should/

  • (Score: 1, Informative) by Anonymous Coward on Friday August 09 2019, @03:32AM (1 child)

    by Anonymous Coward on Friday August 09 2019, @03:32AM (#877756)

    "Given enough eyeballs, all bugs are shallow."

    There aren't enough eyeballs, and even if there were, good luck spotting the critical security bug among the infinite amount of crap typed out by the infinite number of monkeys.

    Basically you need enough competent eyeballs to spot security bugs.

    "Normal level" bugs can be spotted by normal users but even those too often get WONTFIX/WORKSFORME.

    Open Source software hasn't really been significantly more secure than closed source software. You can see security bugs in OSS that were present for many years without being spotted:

    https://wccftech.com/linux-security-bug-unnoticed-for-9-years/ [wccftech.com]

    Google researcher Kees Cook published research last week showing that it takes an average of 5 years before a Linux bug is discovered and fixed. “The systems using a Linux kernel are right now running with security flaws. Those flaws are just not known to the developers yet, but they’re likely known to attackers,” Cook said.

  • (Score: 0) by Anonymous Coward on Friday August 09 2019, @08:50AM

    by Anonymous Coward on Friday August 09 2019, @08:50AM (#877819)

    Merely hack the hackers, follow through on popular implementations of the flaw, to find the bugs faster than 5 years.