I'm waiting for all the rabid open-source fans to tell us open-source is much safer than closed-source.

It's not that simple. Open-source CAN be safer; it can also be less safe. In open-source, the exact code is out there for anyone to look at. This means anyone could see any flaws and fix them. It also means that anyone could see any flaws and exploit them.

In closed-source, you can't see the code. It's a much different process to exploit the code. Much harder. There are also fewer people who have access to the code to fix any flaws. So, flaws will stick around longer.

It's not simple.
Agree, but there is another component to this matter: trust.

With open-source you can see what the code does and it can be independently audited by everyone.

With closed-source you have to trust the company not doing bs. If Apple implements intentional exploits for them or the FBI etc. Open-source is much more of a security risk to companies and governments since it means obscure and hidden content becomes almost impossible.

Generally speaking: security by obscurity or security by hiding source code is almost never the best option imho
 
I find it hilarious that it seems like a significant number of people are freaking out about log4j and open source bad.

PrintNightmare was a complete ? show, and that was, what, a few months ago? Not open source.

Every vendor is losing their minds saying we aren’t vulnerable to log4j. Guess what, most of those vendors are saying that because they have log4j 1.x. Log4j 1.x was end of life in 2015. There are CVEs against 1.x and guess what, no one cares. If you download the Microsoft Integration Runtime Dec 2021 version, it has log4j 1.7. Install a brand new SQL Server 2019 and log4j 1.7 is provided. These aren’t on the radar in any shape or form to be updated/changed. I’ve seen VMware, Cisco, etc. all provide these bundles and they are all saying non-issue.

Guess what, all of those are closed source, so the only ones who can fix them are the vendors themselves, and guess what, it’s not happening.

Security theatre all around, folks. We are spending hours removing the Jar files hoping that it doesn’t break updates/flag corrupted installs. We have to update all build documentation to remove these files on new builds and set up monitoring to look for them returning on every patch. It’s all a joke.
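The bundled log4j 1.x copies and the "watch for the jars coming back" monitoring this post describes can be checked mechanically. Below is an added example, not code from this thread or from any vendor, that opens a jar/war/ear, descends into nested jars (lib/, WEB-INF/lib/) and reports which log4j line and version each contains. It assumes Maven's META-INF/maven/<groupId>/<artifactId>/pom.properties layout for version detection, falls back to class-file markers for repackaged jars, and the sample archive is constructed in-line.

```python
import io
import re
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}
# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties with a version= line.
POM_PROPS = {
    "META-INF/maven/log4j/log4j/pom.properties": "log4j 1.x",
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core 2.x",
}
# Fallback for repackaged jars without pom.properties: the class layout still gives the major line.
CLASS_MARKERS = {
    "org/apache/log4j/Logger.class": "log4j 1.x",
    "org/apache/logging/log4j/core/LogEvent.class": "log4j-core 2.x",
}

def scan_archive(data: bytes, name: str) -> list[tuple[str, str, str]]:
    # Return (location, family, version) per log4j copy, descending into nested jars
    # (lib/, WEB-INF/lib/) so copies bundled inside a vendor archive are not missed.
    hits: list[tuple[str, str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip container, nothing to inspect
    names = set(zf.namelist())
    for path, family in POM_PROPS.items():
        if path in names:
            m = re.search(rb"^version=(.+)$", zf.read(path), re.M)
            hits.append((name, family, m.group(1).decode().strip() if m else "unknown"))
    if not hits:  # only use class markers when no pom.properties identified the jar
        hits.extend((name, family, "unknown") for path, family in CLASS_MARKERS.items() if path in names)
    for entry in names:
        if Path(entry).suffix.lower() in ARCHIVE_SUFFIXES:
            hits.extend(scan_archive(zf.read(entry), f"{name}!{entry}"))
    return hits

def make_jar(entries: dict[str, bytes]) -> bytes:
    # Build an in-memory jar; used only for the constructed sample below.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

# Constructed sample, not a real product archive: a vendor bundle shipping log4j 1.2.17 under lib/.
SAMPLE_BUNDLE = make_jar({
    "lib/log4j-1.2.17.jar": make_jar({
        "META-INF/maven/log4j/log4j/pom.properties": b"version=1.2.17\ngroupId=log4j\nartifactId=log4j\n",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    }),
})
```

To monitor an install tree, feed every file under it whose suffix is in ARCHIVE_SUFFIXES to scan_archive after each patch cycle and diff the result against the previous run; a jar reappearing shows up as a new (location, family, version) row.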
 
Can’t happen until there is an alternate way to develop software for the Apple ecosystem besides the Mac. Developers need full control of their machines for software development.
That doesn't make sense, Apple would continue to make the development tools for the Mac. Developers would just be locked down on what they could do just like iOS.
 
The White House is run by a bunch of old dudes that can barely turn on a computer. The fact that the stimulus checks were being organized on a system running Cobalt is very telling. Or the deer-in-headlights looks on everyone’s faces during the Zuckerberg hearings when you can clearly see their expressions of “what is … socia me…dia?”

Reminds me of The Office when Michael Scott asks it to be explained like he’s 5 years old. That’s probably what’s going to be happening here.
 
That doesn't make sense, Apple would continue to make the development tools for the Mac. Developers would just be locked down on what they could do just like iOS.
Developers need more than just Xcode. Trust me on this. If Apple locked down the Mac like iPadOS, developers would just leave the platform. Just for reference, take a look at

https://brew.sh

Almost all developer tools.
 
I'd think they'd want somebody from GNU or the Apache Foundation (or similar) for this, too, but otherwise, this isn't a bad group to choose. All these companies' products have deep open-source roots now: Apple's OS was built on BSD and the company has open-sourced Swift, etc.; IBM owns Red Hat; Meta sits on a throne of lies; Oracle owns Java and MySQL; and Microsoft owns GitHub.
 
I don’t know how many times I have repeated this: forcing the Mac to App Store only would kill the platform. Apple knows this, and isn’t likely to shoot themselves in the foot.
Someday, that is the key word. I didn't say it was happening tomorrow.
 
I'd think they'd want somebody from GNU or the Apache Foundation (or similar) for this, too, but otherwise, this isn't a bad group to choose. All these companies' products have deep open-source roots now: Apple's OS was built on BSD and the company has open-sourced Swift, etc.; IBM owns Red Hat; Meta sits on a throne of lies; Oracle owns Java and MySQL; and Microsoft owns GitHub.
I love the singling out of Meta/Facebook there. ?
 
Developers need more than just Xcode. Trust me on this. If Apple locked down the Mac like iPadOS, developers would just leave the platform. Just for reference, take a look at

https://brew.sh

Almost all developer tools.
Right, and Apple would just lock that out, just like iOS. I am not saying they are going to do it, but with the changes that Apple has been making to the Mac over the past few years, they have put the pieces in place to do it. Especially with Apple Silicon. Microsoft has been pushing it with Windows even after they failed a few years ago. And I agree, people would leave the Mac, including myself.
 
The biggest problem with the Log4J debacle is that the logging library is used indiscriminately in other libraries—both open-source and proprietary. Anyone who is developing new software should be using SLF4J and java.util.logging but that doesn’t help much if a library still uses Log4J either because it is old or just from inertia in the project.

It’s a huge problem in this specific case. There aren’t that many ubiquitous libraries used like Log4J, the original version of which is over 20 years old. It’ll be interesting to see what comes from this discussion.
The age of Log4J didn't have much to do with the issue, though.

The issue was present in the newest versions of Log4J, and had only been introduced within the past 10 years. Old software which hadn't been updated in 10 years and so was using very old versions of Log4J wasn't vulnerable.
 
In general, I think open source software is an excellent idea that has had an amazing impact on science and other fields. However, on open source projects, how are the credentials of people contributing code checked? That would seem to be a vulnerability, at least in theory. There is at least one instance of somebody deliberately corrupting code (see link).
 
In general, I think open source software is an excellent idea that has had an amazing impact on science and other fields. However, on open source projects, how are the credentials of people contributing code checked? That would seem to be a vulnerability, at least in theory. There is at least one instance of somebody deliberately corrupting code (see link).
Some people just want to watch the world burn.
 
The entire Linux community is open source, and yet this is a much more secure platform than Windows has been. And Mac OS and their browsers have heavily benefited from the give and take between Unix and Linux (macOS building on a Unix rather than Linux kernel).

I am almost certain that there have been more security faults in proprietary systems than in well-maintained open source projects, because the drive behind open source is more idealistic than the industry’s “quick to market / milk them all”.

With that being said, especially when it comes to web development and the package repositories I see there, I am more doubtful and careful with using and relying on them. I feel it often moves too fast and the community has a different background than e.g. hardcore Linux developers.
Linux vs Windows isn’t really a great point of comparison. Windows has gotten considerably more secure than it was back in the days of Windows XP. Partially, it helps that Windows has become battle hardened, but Windows XP really was made in an environment that didn’t really value security. Just the introduction of UAC and better enforcement of not giving the default account admin privileges by default dramatically improved Windows’ security. (The point of comparison would be a Linux distro that doesn’t have sudo and encourages you to log in as root for day to day usage, which would put you in a position to get hosed by any remote code execution or privilege escalation exploit.)

Really, the problem is this: open source advocates talk a big talk about validation, about how having the source code be public allows for outside validation, while closed source cannot be validated as easily. That may be true enough, but it’s becoming increasingly obvious that this validation isn’t occurring, or isn’t occurring as frequently and thoroughly as it should be. Culturally, open source needs to put a greater emphasis on participation in open source projects in the form of validating existing sources and behaviors and catching these sorts of long-standing bugs.

Actually, the log4j situation is worse. Because any avenue that allows for the insertion of new code at runtime should be subject to strict scrutiny and should never be enabled by default. Consider Python with built-in support for pickles vs. Python as it actually stands, where you need to explicitly import pickle. It’s the same problem as any “eval” function has. “Eval” behavior should not be exposed by default, especially when 99.9% of your users don’t use that behavior. Any code execution method that isn’t disabled by a compile-time or configuration-time switch (preferably the former) is one that’s really easily exploited.
 
Right, and Apple would just lock that out, just like iOS. I am not saying they are going to do it, but with the changes that Apple has been making to the Mac over the past few years, they have put the pieces in place to do it. Especially with Apple Silicon. Microsoft has been pushing it with Windows even after they failed a few years ago. And I agree, people would leave the Mac, including myself.
Microsoft has been doing just the opposite. They’ve added their Linux compatibility layer WSL specifically because developers needed access to open-source command line tools that are mostly just Unix based.

Apple won’t lock down the Mac. They might abandon the platform at some point in the distant future once there is a suitable replacement but it wouldn’t make sense to lock out open-source tools even then.
 
In general, I think open source software is an excellent idea that has had an amazing impact on science and other fields. However, on open source projects, how are the credentials of people contributing code checked? That would seem to be a vulnerability, at least in theory. There is at least one instance of somebody deliberately corrupting code (see link).
Well, supply chain attacks on open source are more or less “deliberately corrupting code”. Validation is critical, and while open source is nominally easier to validate, it’s clear that this validation isn’t occurring, despite advocates using it as an argument in open source’s favor. Ability to validate doesn’t mean squat if that validation isn’t occurring.
 
Someday, that is the key word. I didn't say it was happening tomorrow.
Right, and Apple would just lock that out, just like iOS. I am not saying they are going to do it, but with the changes that Apple has been making to the Mac over the past few years, they have put the pieces in place to do it. Especially with Apple Silicon. Microsoft has been pushing it with Windows even after they failed a few years ago. And I agree, people would leave the Mac, including myself.
Oh, for goodness' sake, they control the freaking OS, EFI, the whole kit and caboodle. When they were running Intel nothing was stopping them from locking down the Mac iOS style.

This conspiracy theory that the Mac will get locked down has zero basis in reality, and is based on the notion that Apple is some Snidely Whiplash-esque Saturday morning cartoon villain. Completely ignoring the fact that consumers have many options to buy machines, not just Macs.

This notion that the nefarious Tim Cook and the legion of doom are plotting, deep below the bowels of Apple HQ, to “trap” Mac users into the App Store doesn’t have basis in reality.

And yes, you would leave the platform. So would 99.99% of users. That’s what makes this theory fall apart, since now Apple is no longer selling any Macs, at all, period.

Which, even if we take this absurd scenario to its logical conclusion, what reason would Apple have to push the dastardly update onto the unsuspecting Mac user base, over just not making any more Macs? Just sell iOS devices, basically the same as a locked in Mac, and less costly than continuing to build computers with exactly the same functionality for zero people.
 
 
Really, the problem is this: open source advocates talk a big talk about validation, about how having the source code be public allows for outside validation, while closed source cannot be validated as easily. That may be true enough, but it’s becoming increasingly obvious that this validation isn’t occurring, or isn’t occurring as frequently and thoroughly as it should be. Culturally, open source needs to put a greater emphasis on participation in open source projects in the form of validating existing sources and behaviors and catching these sorts of long-standing bugs.
I agree completely, but I don't see an easy path forward. I develop Angular (npm) and Java (maven). The number of dependencies on open source code, either directly or indirectly, is certainly in the high hundreds or higher. Tons of small, open source projects contribute either directly or indirectly to my code.

Can you imagine some way to get the greater participation that you describe? Maybe there has to be the emerging tendency for larger projects, which get reviewed by more people, to try to avoid using the code from smaller projects, which might be hardly reviewed at all.
 
Don't know what will be discussed. But if Apple could contribute to improving the security of open source software, it is always welcome.
 
I agree completely, but I don't see an easy path forward. I develop Angular (npm) and Java (maven). The number of dependencies on open source code, either directly or indirectly, is certainly in the high hundreds or higher. Tons of small, open source projects contribute either directly or indirectly to my code.

Can you imagine some way to get the greater participation that you describe? Maybe there has to be the emerging tendency for larger projects, which get reviewed by more people, to try to avoid using the code from smaller projects, which might be hardly reviewed at all.
Right, exactly. I’ve done React development before, and it’s really the same boat as Angular. Each additional package is a potential vulnerability due to the orgy of dependencies that it might contain. Maven and NPM both make it easy to update packages from a central repository, but there’s no way to mark one version of, say, log4j as canonical and the one to be used by all dependencies (and making such a way would cause a different style of dependency hell, especially when the update makes semver changes). The increased validation isn’t easy, and, if there was an easy way to increase participation, we would have done it after Heartbleed.
 
Security theatre all around folks. We are spending hours removing the Jar files hoping that it doesn’t break updates/flag corrupted installs. We have to update all build documentation to remove these files on new builds and set up monitoring to look for them returning on every patch. It’s all a joke.
I analyzed the situation carefully for my applications. The exposure was extreme. I assume you are thoroughly familiar with the details of the security risk, so it's surprising that you consider it a joke.
 
Every day I want to quote a precise sentence, I am reminded how terrible Safari is.
The entire Linux community is open source, and yet this is a much more secure platform than Windows has been. And Mac OS and their browsers have heavily benefited from the give and take between Unix and Linux (macOS building on a Unix rather than Linux kernel )
Give Linux 80% desktop OS marketshare, and after a few years, can you still say Linux is the safest system? macOS through its absolute obscurity still gets hacked and exploited here and there.
Ah, the US government cherry-picking things to "discuss" the security threat of open source. Because they "know" better. :D

I think the US government should focus on telling their own politicians like AOC to wear masks. They don't seem to even understand what they were spitting from their own mouth.
Only the ultimate power of the god will teach them the lesson they desperately need but refused to take. It’s kind of sad that we might not outlast them.
You all know where this is going. Whenever US government gathers the tech companies to discuss "security," the actual agenda is probably to enforce backdoors.
As if however many backdoors they have is not enough. How about making encryption illegal?
 