Wow! Talk about case in point. And you thought running non-free software was okay. Good thing I made the stance when I did. Luckily for me, I’m running the open nv driver that ships with X. So I don’t have 3D acceleration. I also don’t have an exploited system.
I was chatting about this online with Steve Dibb, and we concluded a few things about non-free software and made a couple observations in general:
- Conclusion #1: Closed/proprietary/non-free/whatever-you-want-to-call-it software just can’t be trusted. You expose yourself, your box, and even the network your on to trouble. You’re taking a risk. This isn’t to say there isn’t good non-free software available, you just can’t be 100% what your getting.
- Conclusion #2: This case could’ve been 180 degrees different if the nVidia driver was open. Chances are good that the bug would be noticed and fixed. A patch would then released, and submitted to nVidia. Unfortunately, nVidia took a risk by leaving the driver closed, and taking a chance that their users could be exposed, thus finally taking a risk of losing customers to ATi.
- Observation #1: Although heavily stereotypical, and shoud be taken lightly, bought-and-paid-for (BPF) Windows developers/users don’t have security embedded in the front of their mind. I’m talking more than just writing secure code, I’m talking much broader. To illustrate, how many BPF Windows devs/users do you know who have a GPG key? Or know anything about SHA, blowfish, AES, SSH or MD5 etc? For example, when I visit a site to download software, I want to know that the software I am getting is what the developer intended. I want to see an MD5 hash sum at least. If they have a GPG key, then sign the program as well, and let me know you’re taking responsibility and credibility for your code.
- Observation #2: This is really closly related to the first observation, but have you noticed the trickle down effect? Because Microsoft develops applications a certain way, Windows devs follow the same pattern. Linux is the same way. So is Mac. This is nothing new, and certainly not bad. But because Microsoft doesn’t develop with security in mind (see the 1st observation), then as a whole, neither do their developers. Ever wonder why F/OSS is so rare on Win32 platform, yet freeware/shareware/demoware/etc is sooooo common? It’s because of the developing paradigm. They way they were brought up as users before becoming devs. Again though, looking at Linux, proprietary software is just as rare as F/OSS is is Windows. It’s all about the paradigm, or mental way of thinking. I always get the same reaction when I tell BPF Windows users about Linux. “You mean there is an alternative? I had no idea” I have heard all too often.
Again, I wouldn’t take the above too seriously. It’s heavily over-generalized, and very stereotyped. Not to mention my heavy opinion added in the mix. I know not every Windows dev is that way, and there are many Linux devs that don’t have a clue. But overall, as a whole, I don’t think those points are too far from the truth.
At any rate, I’m straying from the point. The point is, rather than wait for a press release to tell you that you have a exploit/hole in your non-free application, open it up, and see what happens when community gets involved. All of the sudden, rather than a few brains picking away at the code, you have countless numbers of grey matter chipping away at it. Bugs are bound to exist, but the code, and the way the application is handled, is more secure, and you can rest assured that you’re in good hands.