Free Software Foundation
#WannaCry shows the frailty of a global system dependent on a single proprietary point of failure--@Windows. https://u.fsf.org/27f
May 15, 2017 at 8:08pmWeb
Show threadMike GerwitzMay 18, 2017
@fsf I caution against that argument, as it hinges entirely on a legitimate (bug) security vulnerability---it could have happened with GNU/Linux systems as well. It made use of ETERNALBLUE which exploits a Samba flaw (now known as CVE-2017-0144). It's unfortunate, but the conversation would naturally degrade to Linus's Law, which itself is a faulty open source argument---one could use Heartbleed and Shellshock to counter (where the single points of failure are two of the most widely used free software projects in the world).

Microsoft had even released a fix, but people didn't upgrade. That's a problem regardless of whether software is free.

While it's tempting to poke holes in our enemies, I can't find a good excuse to attack Windows for being exploited by ETERNALBLUE or WannaCry. But I'd be more than happy to attack it for many of the other points your link mentions (https://www.fsf.org/windows). One big difference between exploiting Windows vs. GNU/Linux is that Windows already is a virus---it didn't need WannaCry to hold its users for ransom. ;)
Show threadChris Bowdon 🇬🇧🇪🇺May 18, 2017
@mikegerwitz @fsf True, but MS didn't release a fix for XP until after the attack. XP users had no chance.
Show threadHedgeMageMay 18, 2017

While I agree with most of your points, @mikegerwitz , I disagree on Heartbleed/Shellshock being examples of failure in Linus's law. In fact, they demonstrate the obverse of Linus's Law, thus being a mark in favor of Linus's Law.

The obverse of Linus's Law is: If no one's looking, all bugs are impossible to find.

There's clearly a spectrum between "no eyeballs" and "enough eyeballs", but both openssl and bash suffered from not enough eyeballs.

cc @fsf

Show threadMike GerwitzMay 18, 2017
@hedgemage @fsf Just to clarify: I don't believe in security without free software. My caution was because I felt it would degrade to the open source argument that free software is technically superior, which can fall apart quickly. Especially with those seasoned in attacking the free software community.

With regards to Linus's Law: OpenSSL and Bash had many eyeballs over the years. Humans miss things, or the right eyeballs aren't looking. But they're still eyeballs. Free software allows _anyone_ to audit the software, but whether the right people do is another story. But it's still essential that this be an option.

@fsf
Show threadHedgeMageMay 18, 2017

@mikegerwitz @fsf

FLOSS licensing *allows* anyone to audit the software, but it doesn't ensure that anyone looks at it, let alone does any kind of in-depth audit. Most FLOSS developers I know don't even know what "security audit" means.

Both openssl and bash were developed *for years* by small, under-resourced teams and not given any in-depth security review. People just assumed they were reliable because they "always had been".

Show threadSamuele (surveyor3) MIGRATEDMay 18, 2017
@mikegerwitz @[email protected]