Open source and security (long-term commitment, larger entities)

5/27/2011

OK, I have been asked over the past two years to say a bit more about this area, so I did, taking a break from my concept model Organisation av människor: Komplexitet, Värdering och Språkets effektivitet (Organisation of people: complexity, valuation and the efficiency of language). To amuse myself while providing industry-quality value to the reader I have also added a few jokes and circus acts, both showing my heightened skill, breadth of skill and insight into dark areas filled with fog. I feel both will increase happiness, so that all readers can make a good national effort to raise productivity, long term have someone to look up to, and get a few perspectives you might reach yourself but which would probably each take a short while if you concentrated only on that; here you get a bunch, with fun stuff to make it easy for you. And for free, because I feel it is important, and I doubt much good thought has been done here at all, though to be honest I have not cared to read the updated material for a year, but I did follow it for a long time. A few pointers from a simple man close to the earth, not caught up in prestige, know-it-all attitudes or career: sharing for the common good is the answer for you.

Right after university I had the opportunity to work on an early open source security project at Ericsson, which was also the first open source they used. The value for Ericsson was, though new at the time, clear:
[Credits given to others. Checked - debug, remove]

  • The entity at the time called RSA Security had bought SSLeay, which was open source.
  • From that they made a commercial product which was, well, more or less the same. For a few years I thought it came with a good book and such; when I got a license with the material in a service delivery it was the same old files, though done as PDF I think, with plenty of pages of licenses up front, partly not expressing the history of it and the license of that.
  • Given its (BSD-style, not GNU) license, the OpenSSL project was started, which was very cost-intensive. If you are a big corporation like Ericsson at the time, with I think 110 000 people doing your bidding, you are a circus director dressed as good-tasting food with five people singing while spreading coins before your feet. You do not think so; you think you are able to buy, but big always pays more (even if the cost is you hiring people to redo it, because they all see herbivores to hunt and no risk of them going away either).
  • So they went for OpenSSL instead, being smart (but I doubt it cost more; I left in 2000 for a consulting company, and my argument here would be that the knowledge you build is the value relative to the cost of it, and the insight you seek is not a one-way answer, though if you are big and healthy rich I can tell you things in person, which might come with a few administrative fees, but there you get one-way answers).

I think OpenSSL expresses both the value and the risk of open source. The risk is mostly the same as not taking out the full value, which also has a negative side.

We can see it as:

  • OpenSSL is as good as any such implementation comes.
  • It is even a very fast and capable general encryption library. Besides it I have used probably four to six others, and I would still say that if your platform, server or client, is not OS-dependent it is more or less your only choice.

You get speed, ability and free. Sure, you have to learn it, and it is hell. And even after learning it and not touching it for a while, it is solid hell like no other library written, giving humankind, or me at least, a healthy chance to show how much more willing we are to take pain, especially if you need the functions below it rather than the SSL ones out in front. And it changes very, very little over the years. Touching it first when young and having illusions, I was surprised: oh my, how could anyone write it like this? But being older and cynical: well, SSL is slow, hardware was slow, so he wrote it fast and had a bit of fun while doing it, making a few defines, going towards 90 to 100 of them, that look like wards to themselves. We were young, while today we would be irritated and think: this is how people program. So if someone ever wants to feel healthy pain, like a gladiator spearing two lions, a goose and a scary tiger after very fast, good code I wrote that looks dumb, adding and splitting strings time after time while passing them between functions: well, Perl and speed. My computer's CPU, like people, is limited. The stack had better make it very clear, and even so for Octave, Matlab and so on. Memcpy is what is mimicked, and the size as well, so the compiler always gets it without losing the ability to optimize. Hence.

90 MB per 4 s, adding and cutting 8 times on average per post, running around, never fewer than say 450 000 posts, and expanding or adding even more now. Doing logic with such, it sure goes slower. A first set-up run might even take say 40 s if running a bunch concurrently, stretching a bit above half a million. How much, I am less sure of, but say 1.4 million.

Others might do it other ways. Me, I am a simple man. I like it working. I might branch it a few times once I have anything working. I might redo it. But when I believe in the algorithm: not the code, nor the project method, but how you solve the problem. It is a conundrum many less able men died trying to figure out.

Given that, one can usually quite easily and fast, within an hour or two, go from say CSV to SQL, or from SQL to a directory service, or import from an API, because such is just import or export. You rewrite it more or less each time. Sorting and organizing your data is of course an area neither touches, and I must confess to having less ability in that. But I am quite sure that if it were very important, and importance translated into funding, you could hire someone to make a database architecture.

I remember this Hawaiian, I think, though he must have lived long in Sweden, having less ability, approximately as good as more or less all such I meet, but also in a way better. Why so? Because he had a few simple ideas. The expression of them had little to do with what he expressed as interpreted, I think, because so few see a meaning in databases. But I mean, if you have someone sitting and doing things with the database who expresses no strong ideas on exactly how to do it, hence open to project needs and so on, but has a bit like moral ideas which are not even moral ideas (like not getting irritated at things done wrong, because it is all much more abstract; like, oh, OLAP drilling is good because it is several dimensions, well, for a database man it sounds important, but for a man visiting the library reading books you have like 1000 dimensions, and in some systems like 50 000, though you have to go look it up and keep small notes and such).

Yeah, Klas Ekwall. Had a fun little competence meeting on the side, looking deeper into data structures outside your normal SQL, not professional but serious fun, learning from someone with vision. He had that Norwegian working with him at the time. Of course, with his accent and such, it functioned less well, while he was probably as practically skilled as, say, Örjan Rheinholdsen at Ericsson, who ran the security team; the latter might have been a solid good lost ability for Ericsson, because he could explain things to all people without having to say a lot. He probably rather had good general project management ability in the project (it was rather big, I think, relative to me, during the years at least, with I think 5 or 8 on security and perhaps 100, or at times perhaps a lot more). But you even so need to explain it to them so they get the value, to use it like a big corporation that knows how to fix it. Because open source, for a corporation that has not used it before, can require some legal formalities; it was new, and everyone, like old media until just a few years back, was sceptical and so on. It impressed me at the time, and I had little to compare it to, so most likely very able.

But in that we also see the risk. We have quality and we have money. But do we? Not so. We have potential value.

It is relative value against the object of the other cost. Now, what is the threat? Well, commercial as well as open-source software gets a lot of problems regularly. Open source tends to correct problems fast, and fast is good.

The difference would be that open source allows an entity who can spend a lot of extra time and resources (because good people have done more or less the same, also with the understanding of code that comes with experience) to look for somewhat more advanced security problems, such as in the protocol handling of SSL as well as communication in general. Few things I will ever touch in life come even close to the complexity of such. And errors always exist in them. Those selling it for big bucks might talk about RUP, formal methods and so on. But the errors seem to be more or less the same. Scaling. And about open source from the last year, for the old projects, while new ones younger than say five years, as well as commercial ones, one cannot judge anything. If you buy new, the relative quality factors we meditate over here are not what is a problem for you anyway.

So how can we handle it, if it is an aspect? Well...

1. One road is how I solved several such problems at the time at Ericsson. It was suggested to me, regarding a totally different problem, by a consultant whose name I do not remember but who I felt was very skilled at the time, and from the factors I can still remember I would still say was. I think he later started a mobile security company. A bit related perhaps, but I think the technical area was his long before that. At RSA also.

So he suggested I encapsulate malloc, because malloc always causes problems. And it does. Do that and you sit between the program and every other memory problem, and can filter away more or less all such problems: size checks, canaries around each block, accounting of what is live, all in one place. The same concept of course holds for a lot of other problems.

It is run-time security filtering. Your program filters its own calls before they reach the OS.

2. Now, 1 is very good. More or less nothing you can do for a specific case is better, because the filtering function runs in the process of the program, so it does not break OS or other security handling outside. That holds if you make a mistake in it, provided you have written your code so that the filter does not touch the data so much as receive pointers to data, which is also data that is pre-malloc, reducing the risk of a simple escape out of the OS's assumed handling of memory (Smashing the Stack for Fun and Profit, as an early paper put it, 1996).
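The malloc encapsulation described in roads 1 and 2, as an added example; this is not the author's Ericsson code, and the layout, the names (guarded_malloc, guarded_free, guarded_check, guarded_copy) and the canary value are assumptions made for illustration. Every block gets a header recording the requested size and a front canary, plus a rear canary right after the user area, so that an overrun or underrun is detected at free time, a bounded copy refuses writes past the recorded size, and the block is poisoned before it goes back to the C library. The filter runs inside the process, as the text says, and hands the OS nothing it would not have received anyway.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not the author's code: a malloc/free wrapper that filters the
 * program's own heap use before it reaches the C library.
 * Layout of one block:  [guard_hdr][user bytes][rear canary]
 * The header records the requested size and a front canary; the rear canary
 * sits immediately after the user area so a small overrun lands on it.
 */
#define GUARD_MAGIC 0xA5C3F00Du     /* assumed canary value */

typedef struct {
    size_t   size;   /* bytes the caller asked for */
    uint32_t front;  /* front canary */
} guard_hdr;

static size_t live_bytes = 0;   /* bytes currently handed out */

void *guarded_malloc(size_t n)
{
    size_t total = sizeof(guard_hdr) + n + sizeof(uint32_t);
    if (n == 0 || total < n)        /* refuse zero-length and wrapped sizes */
        return NULL;
    unsigned char *raw = malloc(total);
    if (raw == NULL)
        return NULL;
    guard_hdr *h = (guard_hdr *)raw;
    h->size  = n;
    h->front = GUARD_MAGIC;
    uint32_t rear = GUARD_MAGIC;
    memcpy(raw + sizeof(guard_hdr) + n, &rear, sizeof rear);  /* safe for any alignment */
    live_bytes += n;
    return raw + sizeof(guard_hdr);
}

/* 0 = intact, 1 = rear canary overwritten (overflow), 2 = header damaged (underflow). */
int guarded_check(const void *p)
{
    const unsigned char *u = p;
    const guard_hdr *h = (const guard_hdr *)(u - sizeof(guard_hdr));
    if (h->front != GUARD_MAGIC)
        return 2;
    uint32_t rear;
    memcpy(&rear, u + h->size, sizeof rear);
    return rear == GUARD_MAGIC ? 0 : 1;
}

/* Bounded write into a guarded block: refuses anything past the recorded size. */
int guarded_copy(void *dst, const void *src, size_t n)
{
    const guard_hdr *h = (const guard_hdr *)((unsigned char *)dst - sizeof(guard_hdr));
    if (n > h->size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Checks the canaries, then wipes and releases the block; returns guarded_check's code. */
int guarded_free(void *p)
{
    if (p == NULL)
        return 0;
    int rc = guarded_check(p);
    if (rc == 2)                    /* header is untrusted: leak rather than act on garbage */
        return rc;
    unsigned char *raw = (unsigned char *)p - sizeof(guard_hdr);
    size_t n = ((guard_hdr *)raw)->size;
    live_bytes -= n;
    memset(raw, 0xDD, sizeof(guard_hdr) + n + sizeof(uint32_t));  /* poison before release */
    free(raw);
    return rc;
}

size_t guarded_live_bytes(void) { return live_bytes; }

/* Constructed demo: a 4-byte overrun of an 8-byte block is caught at free time. */
int demo_overrun_detected(void)
{
    char *buf = guarded_malloc(8);
    if (buf == NULL)
        return -1;
    memcpy(buf, "0123456789AB", 12);   /* deliberate overrun; lands on the rear canary only */
    return guarded_free(buf);           /* 1: rear canary trampled */
}

int main(void)
{
    printf("overrun detected: %d\n", demo_overrun_detected());
    printf("live bytes after free: %zu\n", guarded_live_bytes());
    return 0;
}
```

In a real program the wrapper is dropped in with a macro such as `#define malloc guarded_malloc` in a debug build, and `guarded_check` is called at the points where untrusted input has just been parsed; the point of doing it in-process is that a corrupted header is reported to your own code before the C library's free walks garbage pointers.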

But people do not like that. They have not been put to writing a CA with OpenSSL early on, which creates a solidly cynical person mistrusting all software. They think elegant tabbing of code solves problems and so on. So you do this in something around it. Java would be a less elegant early example of such, if any of the original concept remains now that you get something dumping down telling you a short story about some license issue regarding some well-known American IT corporation, installing after, at best, clicking something OK that already has focus. But more important: it is still today, just as in 2000, so slow that it cannot even run well on my for sure at least four-year-old computer, which still has a dual CPU at almost 2000 MHz each and rather a lot of RAM, for sure say 30 to 40 times the speed I had in 2000 at least. Still it is as slow.

A later example is Google's enterprise with Google Chrome. Whether it handles certain abilities separately I would not know, having never cared to look at the code. But speaking a bit anyway, I would point out that the general handling of a compiler-like view of a pseudo-language is complex. If you are an entity solidly into the relative, of which anchor text value would be an example, even if you put a hard limit of five on the recursion depth of such calls (and I judge this without looking, so I can misjudge), it is still easy to introduce problems in a general framework. Very much so. If certain parts can break the security model as a built-in, it is a solid risk. But would it be less secure compared to, say, Mozilla? That I doubt. I think if we give it time one can judge; either they will measure about the same, or one is dying as a product and/or project. At the moment my guess would be Mozilla being more secure if you update fast, and Google Chrome if you don't, if running Ubuntu Linux. And on Microsoft Windows, Google Chrome for most people. A guess, though (and I sort of feel that, even doing that, the more likely alternative would be no practical difference of any real value for any but very few).

It sees the same value Sun saw early on, and Google. And the value is as real for both. The important thing is of course trust in delivery, trust being that I do not have to care (I want a solid promise) but it works without anything extra, coming with what I need to solve problems.

View it like this. I installed Chrome because Mozilla got slow on spell checking. And also probably had been running hostile code for six months, but not so as to irritatingly slow things down.

Did I ever install Java? Yeah, say December last year; I even searched to find it and such. Why so? Oh, it is such an elegant model, and they were so right all the way through all these battles with Microsoft, Google, 3Com and all the others. I understood how good it had to be. So I installed it and went out on the web searching for a need for it.

Nah, I had this irritating Spanish application someone with illusions at a university had done. I was sure it was useless but wanted to see if they had extracted data relations from a new source rather than, say, done it themselves (no need, because I have the ability, relevant personality and aspect expressed well enough in that set from good old Max Planck, if not Wikipedia by itself would be enough, or the general open data cult).

So I went scouting and such. Downloaded code and all that. Ooooooh, so slow. OMG. It took solid time even to start. And changing menus took time. And having installed it I even tried a few other serious applications in data drilling, as old man Klas likes to talk about, and it is solidly slow as a client. I am pretty sure that if you own the competence and make products you control, it measures as well as anything, but for client applications it never has had and never will have a future, except for the brand name coming from being early and from showing divergence from Microsoft, getting over-expressed (of course, delivering the same value server-side, controlling the competence would not suggest Java ever has or will add any value which was not already existing and being built in parallel, and probably bigger, if people had focused a bit rather than all thinking they have a solid unique idea on how to express a computer language, which is so big that it cannot be expressed in solid known models. And do not compare to me, because I have done known models for more years than most people, and more so than just about anyone counting the number of models regarding my cognitive model, and it outperforms, but what do I care, I wanted it to see in the dark and I see).

So it comes with a need; if you need it, well, OK. If not, well, why should you?

But would not security be important? Well, not so. Hence Mr Clark had to give these big talks back around 11 September about using a personal firewall being like national soldiering. I was like, OMG, I am so tired from the SAD (and as I know today I have had narcolepsy since a virus infection around age 11, but you think you are normal and compensate a lot), but I still think this is all dumb, because it costs, and even if cheap it slows down your computer as much as most junk coming in, and the rest of the junk is so obvious that you solve it anyway, even if not needed, on a new computer.

Good food though. Magnus at Microsoft, who I was with, was very skilled, I think, at expressing Microsoft very well. I had no view of them at all before, but left with a view of individuals enterprising and making an effort.

3. So, our third road. I understand I have been boring here. But I just felt it might have some value to view the issue from all relevant sides, rather than choosing one side, going scouting, finding a solution and going out preaching about it, wasting your own and others' time. And that would be a general comment rather than a targeted one. Do not interpret it as aimed at Clark individually, because relative to the community at the time he was a slight beacon. He seemed able and skilled to me. And I think he picked up the tools he found usable. Much more, this is an issue with persons selling and buying.

And now we come to:

Yes, but. What have we assumed all the way here? Understanding need, context and scope of function and risk.

Take the DoD leak of 2009. How did it leak? A mobile unit. How did the DoD react? Well, I would not say, because I do not feel I know, and I do not feel like looking through the old blog posts here, but I tracked the issue well at the time, so the time points for the statements are all here. Such as the security policy change.

So, context. Does it move? Is it constant? And so on. A solve-it-all solution always seems attractive. And I agree, but the solution, I feel, must not be one product or one library but a view on how you work and the quality assurance you do. And in that I actually, given the choice of terms, mean less formal analysis with strict meetings and much more of the aspect we see the NSA express here:

  • Security-Enhanced Linux
  • (And I have for sure not tried it or downloaded it. Myself, I want something very easy, at best coming with candy and good-looking girls installing it for me, but I doubt there are problems in it, and perhaps I at least did check through it a few years ago. But one good point here is that knowledge and control are good, and long-term investment in controlling knowledge of such is good. You invest in the idea and the solution, so you control the knowledge. If you buy it as a product, you define it, and if you do not, you also define it, including the method.)

Let us, for OpenSSL, which I am pretty sure the US government, as well as any Western, Islamic, African and Asian, perhaps even Australian, government uses in a few forms, see the value as:

  • Understanding possibilities.
  • That is, getting that you do not have to compile it as instructed but could recycle files, for dummies or such, or make special versions.
  • Getting that you can compile debug versions very easily for test beds, checking for expressions, given data, that indicate problems.

Take an application very simple in concept but, for most companies, useful, which, looking over the area a bit a few years back, was a very good choice for less skilled users: Retina (and though I have done a few over say 8 years of consulting services, it was very small things for a few thousand kronor for a few articles, and I tested and published a test in IDG Säkerhet & Sekretess probably a year, or more likely 2 to 3, before that, but it is still correct to say, even if a very small amount, later and many years ago). It does find unknown security problems. Not very advanced, but enough at the level at the time, both open source and commercial.

The thing, though, is that the environment matters. Things can work perfectly on this hardware, built with this compiler, but less so on another. Testing is good. Retina shows that, and it has less to do with formal rules on which data to send in correctly and what we expect than with cheating the systems by going outside such rules.

Hence open source for sure can give enormous value, but that goes both ways. The only differences are:

  • How many resources do you spend, not for the project but concurrently over time, investing in knowledge as well as increasing the general quality of the framework?
  • For the latter part of the previous point we also have the national issues Clark saw the need for, though I did not and do not agree that the personal firewall changes anything (how long have they existed? Even free ones as good as the others? Do we have problems? Yes. So do all users do it wrong, and when? If you think so, do a Clark mission and lecture it to say 50 to 60 persons from different big corporations or media sitting eating a bloody steak after some alcohol, and you might not solve it; or try national TV or newspapers? Or which channel and message do you feel was not already used back then and not tried since?)

You trust not the product. Not the software. Not the organization. Nor the framework or test bed.

But the combined expression of such. And the very, very good starting level is having the competence to judge it for long-term commitments.

You use OpenSSL. Sure, you get value. No doubt. It is very good. Very good. But it is also complex code. All SSL implementations are.

OpenSSL probably sits in just about any telecom application today, even if undocumented, underneath other things, compiled in statically, so that an update of the run-time object files, DLLs or whatever the cool word for such is at the moment changes not one bit of the code actually running.

Is it free of security problems? No. It is a quite advanced communication protocol implemented in a few hundred defines, besides page upon page of C functions with globals all over. And it has a DER implementation. And it handles ASN.1. And we all cheer. Why not? Would we implement DER or ASN.1 even for certificates? Well, I did worse last month, but I would not for that, because I did not feel engaged, and most do not. Fuck, most might not even notice errors, and do not care to report them, because it is a lot, with the train leaving in 20 minutes and so on. And wtf, you corrected it anyway.

The point is that such code always has errors, open source or not. The value for a big entity such as DHS and similar is not that it is free, nor reading the code to change it, but the ability to build knowledge you control.

And knowledge you can also project to solve problems. A big entity such as DHS. OK, they might be overhearing us with big almighty tech doing magic (feel free to compare with how long it took to compile Google Ngram on the Yahoo CPU grid, which is pretty big, then think a bit about how much data flows around, and you get a general idea of how good such things are; relate also to all the years it took to find Osama, who, if the stuff functioned well, would have been dead in a few months), but they have security needs and the resources to deliver on them.

Here they can save money and get more, given such long-term commitment. And given open source, no big problem for general society is very likely, if at all. The big risk would be if they found an error and used it to tap you. But if you are a commercial corporation, that is more like finding a chance to add in a big sum by suing various American corporations that have similar products, and given US law rather than what is common in the EU, you have a solid big chance to win, and hence they settle before. And if not, well, how likely is it that they find anything worth anything they could use? I mean, they have to have an access point to it after all. And I doubt DHS is anywhere near so short on cash that they go: oh, let's order spy-see-in-the-dark binoculars from China with these credit card numbers we found on this Swedish corporation's website. And free lunch for all four who worked overtime between 3 and 12 this month, at least 11 to 55 hours, and also a fruit going home tomorrow, if the credit cards are still good at the time, for all doing more. Great work, all.

No, not very likely. The Americans are rich. And solidly good, no matter the heavy lending. They have a lot worth a lot, so they can handle it. A good balanced view would be considering the first time they, even a bit ambitiously, meditate on sitting down across party lines to talk "open" (not talking "this is the way and let's all do it like that; I am done, call me when you have signed", and remember the global economy, that is lending and GOING INTO DEBT LIKE THE AMERICANS (all of North America, almost all of the world's biggest corporations, a solid around 250 million people, among the world's largest natural resources counting land and water), for countries tends to balance on currency; only the divergence in such is a solid danger, while the other is just problems that come and go if you do not yourself show divergence, that is, countries even out, and lender and borrower would then be in the same system; of course now we do have divergence, but less compared to before, and hence, even though everyone claims it is a waste, we are going solidly richer, with a growth of, if I did not calculate wrong, taking out my own tests here in Uppsala, 4.6%, which seems good to me, though a moment, of course).

And open source problems either existed before or were added. Added, I doubt the ability, because it is more than only tech; it is social communities. They notice things. And found, well, it existed before. So they can find it anyway.

Hence: value for big entities. No doubt. But funny, and "morally" in an odd way "correct", it is as big as donating a bit back to society.

And I am for sure no natural believer. I feel I always get cheated sharing anything. And outside that I am a writer. That is how I share. It is similar but also very different, because your view is the value, in a way. You deliver such that anyone can take it up as needed. Used to add in less, compared to touching the project yourself, but on the other hand more general.

That's my view here. I was asked to express it, and so I have. And in that I think projects should also be active in asking not only for extra information on specifics to answer questions, but also on how entities work with the framework, how they manage knowledge over time and so on, outside individual projects, and in an open, positive way rather than, say, expressing knowledge as power to feel a bit smarter; give ideas on what they can do to get more value while at the same time delivering value back to the project.

GG
Hans

[DEBUG CODE NOTES - Can I finish with "I have spoken", or does that seem a bit too much like SF or nerd? Nah, GG is good. Seems internet social. Like you have been on the internet forever. That is goooood. Perhaps a photo from below with me pointing towards problems. Maybe stomping with my right foot on some incorrect dumb normal user.]
