Systemd.

2015-06-08 by registereduser2

Discuss.


[deleted]

he's a systemd hating troll

/u/registereduser2, go to /dev/null

Not a big deal.

It's still free.

FOSS =/= immunity from malicious state actors or other APTs.

[deleted]

I'm implying that dismissing valid critiques of software and their representative organizations because "it's still free" is a cancerous mindset.

What is there to discuss about open source software?

Open source =/= free from coercion, politics, and hidden "bugs". Heartbleed, weakening of RSA after NSA bribes, and the attempted bribery of Theo are prime examples that come to mind.

Yea, not buying it. Also, if you knew anything about the development of such code, you'd use !=. Let's pack us guys and all go to Windows 10 /s

Actually I am involved in several open source projects. I assumed you weren't due to your dismissal of this topic and used the layman =/= rather than the programmatic !==

!== is PHP/scripting languages, brah, != is all software programming languages (C based), but Java too.

edit: a word or two.

Why are you derailing? There is absolutely something to discuss re: open source software being compromised. It's as compromisable as any software.

Who reads every line of code? Who even remembers every line of their own code? Who knows all the bugs in their own code or can even poke enough holes? And what about compromised contributors? You don't think being a respected contributor to a piece of code used by every system ever isn't a person targeted for coercion? So, maybe they're totally ethical and awesome. They are going to say no to their intelligence services? Maybe. Maybe they will. Maybe they have. Maybe some have. Maybe some haven't. The point is, we don't really know - and there is plenty to discuss.

Derailing? You and OP have no idea how the open source community works.

Who even remembers every line of their own code?

That's the point of an open source community, people, like the mods here who are doing shit for free reviewing code (in mod sense, mod content) for the betterment of the community.

Are you in the dev business? Do you know what the hell you are talking about? I've been programming for the last 15 years and have been a part of the open source community. I've contributed, and talked to others on this matter. We do it because we believe in a way of life, free, community driven software. So... respectfully, piss off, if you have no idea what we are talking about.

I've worked years in the Open Source community and still do. Based on OP's comments and insight, I believe he/she has, too.

You can berate me all you want, I could care less. But hang around a few years and keep your eyes open, and you'll understand.

Also, can you actually stop derailing and actually read and address the other poster's points? Because they're valid as hell and understanding them will make you a much better and less naive contributor.

As a coder, I always wondered about this. You have a valid point and anyone who tells you otherwise is a fool.

In your own words, what's a pointer?

It's a thing you set that hearkens another thing you set.

I seriously misjudged you, man, I thought you were older than 23.

You can't argue shit, so you gotta quibble with people about whether they use bash syntax for != or whatever that guy used? Come on, man, you can be better, I know it. If you consider yourself a conspiracy theorist and you can't consider that software is pwned, I just don't understand.

And if you really are the "I can code! I can code!" guy you claim to be, you owe it to yourself to understand the field you're in. It's nice to think it's this happy disneyland of love, but it ain't, man. It's a fucking lucrative business and pwned by government the way anything else is. It's better than closed source, but don't lie to yourself about its boundaries and vulnerabilities.

It's a thing you set that hearkens another thing you set.

Yea, called a reference.

I thought you were older than 23

Yup, Def older than that.

There is an active campaign to make open source look compromised by big interest. Over the years, open source has been fighting a battle and people are starting to make the switch. I find OP's post kind of tarnishing the fight we have been fighting, as if we are in the same boat as MS or Apple. It's a community effort and if you try to smear it, the community will come to its protection, they want that, because open source means free, no profit and everyone can download/alter/re-fork it.

Is open source software immune? No, it's not, but when I see shit posts like this discrediting a community ran OS, I'm going to question it. I'm a good conspiracy theorist in all right ;).

At the end of the day, the government does not run or own open source software and you can read the code yourself (as long as you're not lazy). Review it, change it, compile it and run it.

open source means free, no profit and everyone can download/alter/re-fork it

This is the problem us anti-d types have. systemd does none of these things in any meaningful way. Free? It comes from the only distro you have to pay for. Alter? Good luck having a system that works with any GUI. Fork? Why would you want to fork an "init" system that is basically the Windows Registry?

discrediting a community ran OS

systemd is not an OS. It is an "init" system that by way of hard dependencies, has attached itself like a parasite to the software ecosystem of Linux, leaving little to no alternatives and mocking those who attempt to create them, such as in the case of eudev and OpenRC.

Me thinks he/she has revealed his/her wishes. The RH_Systemd_binary_OS.

Look, if you can't see issues in something in order to fix it, you're responsible for its death.

Software has bugs. Period. Open Source is better because we can see it, but that's not a fail safe. Look at OpenSSL, look at Bitcoin, look at systemd, look at ANY piece of software. Shit has bugs and nation states pay mad money trying to find those vulnerabilities and to keep them under wraps. Denying vulnerability because you're worried about some political vulnerability is nonsense. I guaranfuckingtee you that OSS is not going away, so it doesn't need Redditor astroturfing. Governments depend on it, governments contribute to it. Denying the risk of a bug compromising a daemon that essentially touches everything makes zero sense when you look at the big picture.

a community run OS.

Freudian slip?

Lol

lulz

Debating the pros and cons of strongly and weakly typed languages is highly irrelevant to the topic at hand, a discussion I've had many times at the workplace, and one that I'm tired of having. If you'd like to discuss systemd, please go rebuke my comment.

Debating the pros and cons of strongly and weakly typed languages is highly irrelevant to the topic at hand

I'm not debating that, I'm saying you said !== which is scripting language (ie. server/web), != is software programming, you know, c/c++ (which linux is written in). This shows me you have no idea what you are talking about in the software programming realm. Yea, shit can get overlooked, but the open source community are more anarchist than capitalist like Microsoft and Apple. Normal people (me included) look over this code and find shit. If there is a bug, we alert the community and fix it. If someone was bought out, that shit would be quickly discovered and fixed. You say you know about opensource projects (may have experience) but do you have experience within the Linux community? My guess is not.

I'm saying you said !== which is scripting language (ie. server/web), != is software programming, you know, c/c++ (which linux is written in

Yes, I'm employed in server/web. It pays more. I'm more used to writing !== than !=. Yes, I know how to write C/C++. Personally, I think the only time you should use C is for OS and firmware. It isn't a very safe language; managing your own pointers is a great way to ensure you have security holes.

Normal people (me included) look over this code and find shit. If there is a bug, we alert the community and fix it.

How long did it take to find Heartbleed?

If someone was bought out, that shit would be quickly discovered and fixed.

How long before someone noticed the deliberate weakening of RSA algorithms?

do you have experience within the Linux community? My guess is not.

I am a repository maintainer for Gentoo

Yes, I'm employed in server/web. It pays more.

You're in the wrong state home fry. Average software programmer/dev makes 30K more than a web dev.

It isn't a very safe language

No language is safe, because the program is only as good as the programmer writing it, and there will always be someone smarter than you.

How long before someone noticed the deliberate weakening of RSA algorithms

We are talking about something completely different here.

I am a repository maintainer for Gentoo

Cool, I'm the ambassador to Zimbabwe. Just send me your bank info, so I can get my money out and you will get a cut of my fortune.

You're in the wrong state home fry. Average software programmer/dev makes 30K more than a web dev.

Key word bolded, home fry. I'm not writing tedious views for an enterprise DBMS, I write SaaS platforms which have millions of hits a day.

We are talking about something completely different here.

Actually, this is exactly what we are talking about here.

Cool, I'm the ambassador to Zimbabwe. Just send me your bank info, so I can get my money out and you will get a cut of my fortune.

You asked dude. And we have yet to do anything other than dick measure. Discuss the OP, refute my actual argument, and stop being such a pretentious autist.

I'm drunk, you're right. I'm gonna wipe my computer and install windows on my macbook. Goodbye dual booting (Linux/OSX). Windows here I cum......

Such hyperbole. systemd != Linux. You could use OpenRC+eudev, sysvinit+eudev, upstart+eudev, launchd+eudev.

Why do they all need eudev? Oh yea, because systemd absorbed udev and made systemd a dependency of udev. One of the major points I listed in my top-level that you still have yet to address. And still you are just dick measuring and sarcastically dismissing outright on the basis of "muh open source community can do no wrong"

How long before someone noticed the deliberate weakening of RSA algorithms

...

We are talking about something completely different here.

Actually that is exactly what this thread is about, the intentional weakening of Linux based OSes.

the open source community are more anarchist than capitalist like Microsoft and Apple.

Duuuude. You have no idea. There are plenty of companies built around open source. It's a real fucking business model. And don't think that government doesn't have its fingers in it. What the hell do you think government uses to secure their systems? Open source software....

Like, where were you for Heartbleed or any of the other zero days that weren't patched in a timely manner because someone needed them for something important?

What the hell do you think government uses to secure their systems?

Windows, lol.

Like, where were you for Heartbleed

A tired programmer wrote shitty code, Apple had the same problem and they are paid to review it and never found it. Also, MS is dealing with a decade-old bug, because a shitty programmer wrote shitty code. I'm a conspiracy theorist, but do you really think that the gov paid this programmer to write shitty code to bypass security? Did they do the same with MS and Apple?

They do not fucking use Windows. Stop showing your hand. :( I hope to deity you've got some good QA on your team cause holy mackerel...

What do they use then? Linux, lulz. You are cute.......

Yes, government agencies both run and develop Linux and Linux-based daemons and tools. You can do a little bit of Googling, or ask around, no? I can't even believe we're having this conversation, I surely did misjudge you. But such is Reddit, I guess! Tomorrow, you can delete your comments, I guess?

For kicks, can you tell me why systemd is totally awesome?

For kicks, can you tell me why systemd is totally awesome?

Can you tell me why it's bad/compromised?

I surely did misjudge you

Why are people saying this to me? Do I have a fan base or some shit? You are the 4th person to say something to this extent. I just speak my mind and talk about what I know.

Anything that touches everything is a prime target. If you're actually a software developer IRL, it behooves you to see if you can get some security training. The best kind is offensive, IMO, so that you can envision more lines of attack during development. There are very few true kernel hackers for a reason--it's scary. You have a bug and it can compromise so much.

Re:misjudged: You're a reg here and I'm pretty sure I've agreed with you and upvoted a lot. Your position and rudeness/obstinacy on this particular issue and the deflecting (you're still deflecting, btw) really threw me for a loop.

it behooves you to see if you can get some security training

Yeah, this is something I'm not 100% on par with. I'm no security expert, but I know code and how to write good/efficient/secure code to "my" best knowledge. There is always someone more clever/smarter than you.

Your position and rudeness/obstinacy on this particular issue and the deflecting (you're still deflecting, btw) really threw me for a loop.

My bad, and I probably shouldn't have commented tonight, lol, because Heineken is a hell of a drink (ie. I've had a wee bit too much). Cheers mate/matey. I think it may be time for bed.

Windows, lol

Go look at any DoD computing related job ad. You will find that 5+ years experience with Linux is a requirement. You think drones and smart munitions run the most bloated OS out there? You think the intelligence services keep classified data on the most insecure OS available? C'mon dude...

You forgot your /s /s /s/s/l here.

I can't figure out if you're being downvoted because people want to suppress the risk or being downvoted because people don't understand what you're asking. (But the fact that I upvoted and it went from 1 to 0 in seconds makes me think the former might be the case, strangely enough. But why? Most people don't even know what the heck systemd even is...so why bot-kill a vague self-post like this?)

All I'll say is, yes! Thoroughly fooked we all are, young Jedi, thanks for asking!

But why?

Because Linux is everywhere now. In your car, your refrigerator, your home entertainment system, your home security system, your phone/appendage-thingy,... the list goes on and on.

FOSS and Linux have seen dramatic increase in recent years. Many many young people are drawn to it for its 'anarchist' appeal, yet remain largely ignorant of the under the hood cancer that is spreading and killing the fundamental functions that have traditionally allowed that 'anarchist' landscape to live and thrive.

Systemd is/has spread across the Linux/Foss landscape, not like an awesome new free app some clever geek wrote, but like a cancer with ill intent pushed with extremely hostile and dubious ways and means.

Just because something is open source does not mean it is immune to backdoors. Remember the deliberate weakening of the RSA algorithms? How about Heartbleed? An unnoticed "bug" may be a backdoor purposefully planted and it may be designed to work with technology civilian researchers are unaware of. We have also seen the agencies attempt to bribe our most trusted open source security experts into ignoring or even creating these bugs, such as with Theo of the OpenBSD project.

With this in mind, let's see why many suspect systemd of less-than-benevolent intentions. First, in layman's terms:

Ignoring for the moment the various technical problems with systemd, I have my suspicions that its provenance and scope are cause for alarm.

Systemd comes from Red Hat. Red Hat, in the Linux world, is the company with the largest ties to the US government and the various state security organizations around the world–including NSA. The US government (DoD) is Red Hat’s number one customer. Red Hat also happens to be Lennart Poettering’s employer.

The Linux kernel, I believe, is clean. As long as Linus lives, you’re not going to subvert the kernel. Let’s just assume that is true for the sake of argument. If you can’t get into the kernel, what is your next option? You need something low level (PID 1?), ubiquitous, and vast in scope and complexity.

This describes systemd perfectly. It was almost like it was designed to touch as much of a Linux system as possible. It has hooks into so many different subsystems and APIs that it’s almost impossible to build a modern distro with current software without pulling in systemd as a dependency. This happened almost overnight, and I think there are malicious forces at work here.

We must remember Heart Bleed. Heart Bleed appeared to be an innocent mistake, and it was a tiny typo in one line of a C program. If it’s possible to do that much damage with a tiny little error, imagine when you have an attack surface as wide as systemd, written in a language like C that is almost designed to produce security holes when not written absolutely perfectly–and humans are not absolutely perfect programmers.

Systemd is dangerous. It’s too big to be audited as quickly as it's developed. Its complexity adds as much attack surface to a Linux system as the kernel itself. We can’t get away from these facts. Shitfighting about init systems is a waste of our time. Systemd is horrible because of where it comes from and how complex it is. Backdoors will be hidden in it.

-https://muchweb.me/systemd-nsa-attempt/

And technical reasons:

systemd flies in the face of the Unix philosophy: "do one thing and do it well," representing a complex collection of dozens of tightly coupled binaries. Its responsibilities grossly exceed that of an init system, as it goes on to handle power management, device management, mount points, cron, disk encryption, socket API/inetd, syslog, network configuration, login/session management, readahead, GPT partition discovery, container registration, hostname/locale/time management, and other things. Keep it simple, stupid.

systemd's journal files (handled by journald) are stored in a complicated binary format, and must be queried using journalctl. This makes journal logs potentially corruptible, as they do not have ACID-compliant transactions. You typically don't want that to happen to your syslogs. The advice of the systemd developers? Ignore it. No, seriously. Oh, and there's embedded HTTP server integration (libmicrohttpd). QR codes are served, as well, through libqrencode.

systemd's team is noticeably chauvinistic and anti-Unix, due to their open disregard for non-Linux software and subsequent systemd incompatibility with all non-Linux systems. Since systemd is very tightly welded with the Linux kernel API, this also makes different systemd versions incompatible with different kernel versions. This is an isolationist policy that essentially binds the Linux ecosystem into its own cage, and serves as an obstacle to software portability.

udev and dbus are forced dependencies. In fact, udev merged with systemd a long time ago. The integration of the device node manager that was once part of the Linux kernel is not a decision that is to be taken lightly. The political implications of it are high, and it makes a lot of packages dependent on udev, in turn dependent on systemd, despite the existence of forks, such as eudev. Starting with systemd-209, the developers now have their own, non-standard and sparsely documented sd-bus API that replaces much of libdbus's job, and further decreases transparency.

By default, systemd saves core dumps to the journal, instead of the file system. Core dumps must be explicitly queried using coredumpctl. Besides going against all reason, it also creates complications in multi-user environments (good luck running gdb on your program's core dump if it's dumped to the journal and you don't have root access), since systemd requires root to control. It assumes that users and admins are dumb, but more critically, the fundamentally corruptible nature of journal logs makes this a severe impediment.

systemd's size makes it a single point of failure. As of this writing, systemd has had 9 CVE reports, since its inception in March 2010. So far, this may not seem like that much, but its essential and overbearing nature will make it a juicy target for crackers, as it is far smaller in breadth than the Linux kernel itself, yet seemingly just as critical.

systemd is viral by its very nature. Its scope in functionality and creeping in as a dependency to lots of packages means that distro maintainers will have to necessitate a conversion, or suffer a drift. As an example, the GNOME environment has adopted systemd as a hard dependency since 3.8 for various utilities, including gdm, gnome-shell and gnome-extra-apps. This means GNOME versions >=3.8 are incompatible with non-Linux systems, and due to GNOME's popularity, it will help tilt a lot of maintainers to add systemd. The rapid rise in adoption by distros such as Debian, Arch Linux, Ubuntu, Fedora, openSUSE and others shows that many are jumping onto the bandwagon, with or without justification. It's also worth noting that systemd will refuse to start as a user instance, unless the system boots with it as well - blatant coercion.

systemd clusters itself into PID 1. Due to it controlling lots of different components, this means that there are tons of scenarios in which it can crash and bring down the whole system. But in addition, this means that plenty of non-kernel system upgrades will now require a reboot. Enjoy your new Windows 9 Linux system! In fairness, systemd does provide a mechanism to reserialize and reexecute systemctl in real time. If this fails, of course, the system goes down. There are several ways that this can occur. This happens to be another example of SPOF.

systemd is designed with glibc in mind, and doesn't take kindly to supporting other libcs all that much. In general, the systemd developers' idea of a standard libc is one that has bug-for-bug compatibility with glibc.

systemd's complicated nature makes it harder to extend and step outside its boundaries. While you can more or less trivially start shell scripts from unit files, it's more difficult to write behavior that goes outside the box, what with all the feature bloat. Many users will likely need to write more complicated programs that directly interact with the systemd API, or even patch systemd directly. One also needs to worry about a much higher multitude of code paths and behaviors in a system-critical program, including the possibility of systemd not synchronizing with the message bus queue on boot, and thus freezing. This is as opposed to a conventional init, which is deterministic and predictable in nature, mostly just execing scripts.

Ultimately, systemd's parasitism is symbolic of something more than systemd itself. It shows a radical shift in thinking by the Linux community. Not necessarily a positive one, either. One that is vehemently postmodern, monolithic, heavily desktop-oriented, choice-limiting, isolationist, reinvents the flat tire, and just a huge anti-pattern in general. If your goal is to pander to the lowest common denominator, so be it. We will look for alternatives, however.

systemd doesn't even know what the fuck it wants to be. It is variously referred to as a "system daemon" or a "basic userspace building block to make an OS from", both of which are highly ambiguous. It engulfs functionality that variously belonged to util-linux, wireless tools, syslog and other projects. It has no clear direction, other than the whims of the developers themselves. Ironically, despite aiming to standardize Linux distributions, it itself has no clear standard, and is perpetually rolling.

-https://web.archive.org/web/20140920005913/http://boycottsystemd.org

tl;dr: Don't place ultimate trust in software just because it is open source or because your favorite distro or security researcher sees no problem with it. systemd as a software and as an organization is doing some seriously shady shit.
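Two of the quoted technical points (the corruptible binary journal, and core dumps routed into that journal) have concrete knobs in journald.conf(5) and coredump.conf(5) that the critique does not mention: a persistent journal with Forward Secure Sealing (`Seal=yes`, keys generated once with `journalctl --setup-keys`, tampering later detected with `journalctl --verify`) and `Storage=external` for core dumps. The script below is an added example, not systemd's code and not part of the original post: it parses the systemd ini-style config format and audits constructed sample configs for those settings. The sample configs and the finding texts are the editor's; the key names are the real ones.

```python
"""Audit journald.conf / coredump.conf for the two settings discussed above.

Added example.  The config texts are constructed samples, not copied
from any host; Storage=, Seal= and ProcessSizeMax= are the real keys.
"""

# --- constructed sample configs: weak setting beside the corrected one ---
WEAK_JOURNALD = """
[Journal]
Storage=volatile
Seal=no
"""

HARDENED_JOURNALD = """
[Journal]
# journal on disk; sealing only applies to persistent journal files
Storage=persistent
# Forward Secure Sealing: run `journalctl --setup-keys` once, then
# `journalctl --verify` reports any modification of sealed files
Seal=yes
"""

WEAK_COREDUMP = """
[Coredump]
Storage=journal
"""

HARDENED_COREDUMP = """
[Coredump]
# cores land as files under /var/lib/systemd/coredump; journal keeps metadata
Storage=external
# explicit cap on what one crashing process may write
ProcessSizeMax=2G
"""


def parse_unit_conf(text):
    """Parse systemd's ini-style config into {section: {key: value}}.

    Comment lines start with '#' or ';'; the last assignment of a key wins.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_journald(conf):
    """Return a list of findings for journald.conf; empty means both checks pass."""
    journal = conf.get("Journal", {})
    findings = []
    storage = journal.get("Storage", "auto")            # journald's documented default
    if storage != "persistent":
        findings.append(f"Storage={storage}: journal not guaranteed on disk "
                        "(auto is persistent only if /var/log/journal exists)")
    if journal.get("Seal", "yes").lower() in ("no", "false", "0", "off"):
        findings.append("Seal=no: Forward Secure Sealing disabled, "
                        "so journalctl --verify cannot detect tampering")
    return findings


def audit_coredump(conf):
    """Return a list of findings for coredump.conf; empty means both checks pass."""
    coredump = conf.get("Coredump", {})
    findings = []
    storage = coredump.get("Storage")                    # default differs by version: require it explicitly
    if storage != "external":
        findings.append(f"Storage={storage}: set Storage=external so cores are "
                        "plain files, not only reachable through coredumpctl")
    if "ProcessSizeMax" not in coredump:
        findings.append("ProcessSizeMax unset: per-crash dump size relies on the build default")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("journald (weak)", WEAK_JOURNALD, audit_journald),
                              ("journald (hardened)", HARDENED_JOURNALD, audit_journald),
                              ("coredump (weak)", WEAK_COREDUMP, audit_coredump),
                              ("coredump (hardened)", HARDENED_COREDUMP, audit_coredump)):
        print(name, "->", audit(parse_unit_conf(text)) or "ok")
```

The parser is deliberately minimal (no drop-in directory merging, no list-valued keys); point it at `/etc/systemd/journald.conf` and `/etc/systemd/coredump.conf` on a real host and treat the findings as prompts to check, not as proof of a problem. Sealing is only as good as the key epoch: it protects journal entries written before an attacker obtained root, not after.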

Remember the deliberate weakening of the RSA algorithms?

The NSA did not weaken RSA. Instead, RSA Security adopted Dual Elliptic Curve and Random Extended. Dual Elliptic Curve has a NSA backdoor. DEC is a random number generator. Meanwhile, Random Extended is an extension for secure sites the NSA can use to break keys generated by DEC.

They are not the same thing as the RSA encryption or decryption algorithm. Dual Elliptic Curve can be used to generate the keys to be used in the encryption & decryption algorithms. However, RSA can be used without Dual Elliptic Curve and Random Extended. In fact, RSA was used for decades before DEC and Random Extended were developed.

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

http://en.wikipedia.org/wiki/Dual_EC_DRBG

http://en.wikipedia.org/wiki/RSA_(cryptosystem)#Encryption
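The Dual_EC_DRBG backdoor the comment above describes is small enough to show in working code. The following is an added example, not code from the page or from any real DRBG implementation: a toy version of the generator on a constructed curve (y^2 = x^3 + 2x + 2 over F_17, 19 points, generator (5, 1), in place of P-256) that publishes 3 bits of each output instead of 240. The construction itself follows the real one: state s, next state s' = x(s*P), output = truncate(x(s'*Q)). The trapdoor is an integer d with P = d*Q; whoever knows d lifts one published output back to a curve point, multiplies by d, and holds the generator's next state. The secret d = 11 and the seed 7 are arbitrary choices for the demo.

```python
"""Toy Dual_EC_DRBG with its trapdoor (added example, constructed curve)."""
P_MOD, A, B = 17, 2, 2          # curve y^2 = x^3 + 2x + 2 over F_17
ORDER = 19                      # prime group order, so every point generates
G = (5, 1)
TRUNC_BITS = 3                  # published bits per output (real Dual EC: 240 of 256)
MASK = (1 << TRUNC_BITS) - 1


def inv(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def lift_x(x):
    """A curve point with this x (either y), or None if x is not on the curve."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if y * y % P_MOD == rhs:
            return (x, y)
    return None


def to_state(x):
    return x if x else 1        # toy-only guard: x == 0 would stall a 17-element walk


def drbg_next(state, P):
    return to_state(mul(state, P)[0])       # s' = x(s*P)


def drbg_output(state, Q):
    return mul(state, Q)[0] & MASK          # truncate(x(s*Q))


def dual_ec_outputs(seed, P, Q, n):
    """Run the generator n steps and return the published outputs."""
    outs, state = [], seed
    for _ in range(n):
        state = drbg_next(state, P)
        outs.append(drbg_output(state, Q))
    return outs


def attack(observed, d, P, Q):
    """With trapdoor d (P = d*Q): rebuild the state from observed[0], confirm
    it against observed[1:], and return the predicted next output(s)."""
    predictions = set()
    for x in range(P_MOD):
        if x & MASK != observed[0]:
            continue                        # inconsistent with the published bits
        R = lift_x(x)                       # candidate for s*Q; y sign is irrelevant
        if R is None:
            continue
        s = to_state(mul(d, R)[0])          # d*(s*Q) = s*P, whose x is the next state
        ok = True
        for obs in observed[1:]:
            if drbg_output(s, Q) != obs:
                ok = False
                break
            s = drbg_next(s, P)
        if ok:
            predictions.add(drbg_output(s, Q))
    return predictions


if __name__ == "__main__":
    d = 11                  # known only to whoever chose Q
    Q = G
    P = mul(d, Q)           # published as if unrelated to Q
    outs = dual_ec_outputs(seed=7, P=P, Q=Q, n=4)
    print("published outputs:", outs)
    print("predicted 4th output from the first 3:", attack(outs[:3], d, P, Q))
```

Note what the attack needs: no access to the seed, only published outputs and d. On the real curve the 16 dropped bits cost 2^16 lifts per output, which is why the truncation in the standard was itself a design choice worth questioning; and nothing in the published P and Q reveals whether such a d exists, which is why "the code is open" did not surface it.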

Pedantics, but yes you are correct. RSA adopted an algorithm that was deliberately weakened.

Random number generator compromise is probably as important a discussion as systemd compromise, if not moreso.

Definitely agree. It just wasn't relevant to OP beyond showing that compromises of open source software/algorithms have happened without notice in the past. Though why anyone would use a single source RNG for entropy generation in the first place is beyond me...

Pedantics, but yes you are correct.

Facts !== Pedantics

RSA adopted an algorithm that was deliberately weakened.

That statement is deliberately disingenuous because there are implementations of RSA that do not use DEC and Random Extended.

there are implementations of RSA that do not use DEC

And, conversely, there are some that do, due to the standards set forth by the RSA body. I'm not trying to be disingenuous, I'm trying to point out that subversion has happened to a supposedly trusted open-source entity. If you'd care to suggest a revised statement for my OP, I'll edit it to be more correct.

I'm not trying to be disingenuous, I'm trying to point out that subversion has happened to a supposedly trusted open-source entity.

Coincidentally, a fine example of subversion is to claim, "RSA adopted an algorithm that was deliberately weakened" when there are still strong implementations of RSA that do not use DEC and Random Extended.

there are still strong implementations of it that do not use DEC and Random Extended.

Have I ever claimed otherwise? All I did is state that something, which did indeed happen, happened. And used that as grounds for an argument to not just implicitly trust open source software on the basis of being open source. Same as I did with pointing out heartbleed.

[deleted]

Can you list them? Because that would help the discussion. The ad hominems don't move the discussion forward in any way, but a point by point refutation would actually be worthwhile. Most people know to read past/discount ad hominem like you've been posting here, so, if instead of ad hominem, you listed your issues, your arguments might be taken serious by readers and thought about a bit.

Feel free to take as many points as you like and explain in plain English why they are lies.

I'll be eagerly awaiting your authoritative and informative 'corrections'.

Enlighten me!!!

Care to enumerate those lies?

I heard your tl;dr as "Don't place faith in human beings. Human beings are unreliable things."

Funny that this is a dead thread, and when I came in here, it was 0 at 43%. Then you posted something, and now it's 0 at 33%.

I mean, it's reddit, and most people don't even know what systemd even is or its import, what's with this thread getting pegged to zed? Like, a systemd thread more shitkicked than a GMO or vaccine thread? God bless.

It actually went down to 33% after I upvoted, which seemed pretty odd. This is a topic in desperate need of visibility.

Good luck, there are a lot of really naive people on Reddit. I've had this argument with folks before, "But the code is open!" "Did you read it?" "No, but others can!" "Uh, okay, do you know the developers personally?" "No, but others do! It's OSS! I can code!" "But did you read the code?" "No! It's open source! It's open! People can read it!" "But have they? Have you?" "No, it's open! Open Source!"

It breaks my freaking brain and makes me sad. It's better that it's open than closed, for sure, but it's like people who know plenty about fucked up shit hidden in plain sight have their common sense arrested when it comes to software...

This is the same classic logic that lets all other conspiracies thrive. "Someone else must have confirmed it". If everyone believed that we would all be believing an unfortunate lie. And worst, like you said, it's hidden in plain sight!
