Did open source matter for Heartbleed?

Summary: Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL.

The ugly episode of Heartbleed has put OpenSSL under more scrutiny than any open source software project ever. At a certain level of scrutiny perhaps any program will look bad, but OpenSSL's on the hot seat because it's OpenSSL that failed in its mission. It's hard to construe these matters in a way that makes OpenSSL or the open source nature of it look good.

But who is this "OpenSSL"? When something goes wrong with a product people want to know who is responsible. Many will be shocked to learn that it's all run by a small group of developers, most of them volunteers and all but one part-time. Huge parts of the Internet, multi-zillion dollar businesses, implicitly trust the work these people do. Why?

Let's stipulate that OpenSSL has a good reputation, perhaps even that it deserves that reputation (although this is not the first highly-critical vulnerability in OpenSSL). I would argue that the reputation is based largely on wishful thinking and open source mythology.

Before the word "mythology" gets me into too much trouble, I ought to say, as Nixon might have put it, "we're all open source activists now." For some purposes, open source is a good thing, or a necessary thing, or both. I agree, at least in part, with those who say that cryptography code needs to be open source, because it requires a high level of trust.

Ultimately, the logic of that last statement presumes that there are people analyzing the open source code of OpenSSL in order to confirm that it is deserving of trust. This is the "many eyeballs" effect described in The Cathedral and the Bazaar, by Eric Raymond, one of the early gospels in the theology of open source. The idea is that if enough people have access to source code then someone will notice the bugs.

This is, in fact, what has happened with Heartbleed... sort of. Heartbleed was discovered by Neel Mehta, a security researcher at Google. If you look at the vulnerability disclosures coming out of other companies, Apple and Microsoft for example, you can see that Google spends a lot of time scrutinizing other people's programs. They're like no other group in this regard.

But it took Google two years to find it. In the meantime, Google finds lots of security problems in Apple and Microsoft products for which they have no source code. This is because in the time since the formation of the "many eyeballs" hypothesis, there have been huge improvements in testing and debugging tools. Some computer time with a marginal cost of $0 is worth thousands of very expensive eyeballs.

I'd go so far as to suspect that the availability of source makes developers and users discount the necessity of testing that is common in commercial software. I wouldn't be surprised if a static source code analyzer would have found the Heartbleed bug, flagging it for possible buffer over/underrun issues. Heartbleed might also have been found by a good round of fuzzing.

As I said recently, some programs are so critical to society at large that someone needs to step in and make sure they are properly secured. Obviously the problem is money. So why, when this program is so critical, is it being run like it's public TV? Yes, like Blanche DuBois, OpenSSL has always depended on the kindness of strangers.

Follow this link:
Did open source matter for Heartbleed?

Portal designed to help students plan career

A city-based open source software development company has designed and developed a broad based portal to help the students plan their career effectively with the support of the colleges and their parents.

The portal http://www.altocarrera.com is designed to bridge the knowledge gap between the requirements of the industry and the available resources, CEO of NeelSys India Pvt Ltd, Srinivas Balasadi said in a telecon from the USA. Companies can look at the macro metrics of the academic performance of the colleges and their students. The big data analysis of the performance of students across different disciplines and colleges would help the industry also design its training programmes. On the other hand the colleges and students can look at the industry requirements and select a career path dynamically. The colleges would be able to fine tune their courses to suit the need of the industry, he explained.

The company has chosen to develop the platform using open source technologies to leverage the advantages of the solutions available in the public domain apart from enabling a comprehensive customisation, Mohan of NeelSys India explained. Further, using open source ensures that the portal remains free for all the users, he added. This makes NeelSys one of the few software companies in the city that are into product development.

See original here:
Portal designed to help students plan career

Open source software: a guide for SMBs

Many businesses are realising the benefits of open source. According to a recent report, up to a third of IT professionals are already using the technology and this figure will grow.

Open source is often cheaper, more flexible and easier to manage than its licensed counterparts. If you've got some technical ability, the basics are easy to implement yourself, with a multitude of 'DIY' guides available online.

So where is the best place to start? The most well known form of open source is Linux: this could suit SMBs new to the technology, experts agree.

And it is possible for SMBs to open source their entire IT environment. Back up, firewall, and security information and event management are ideal areas to open source, according to Dominique Karg, Chief Hacking Officer and Co Founder of AlienVault.

"Those are the areas where the cost difference between 'closed' and open source is biggest, and where open source has matured the most," he says.

If you have some expertise, implementing open source can be done in house. According to Karg, a skilled SMB CEO could put in basic open source without much technical knowledge. "If you're skilled, set two or three machines aside, along with some backup disks," Karg advises. "Read the manuals, apply the suggested guidelines and learn as much as possible."

This approach won't cost anything, Karg says. "What's great about open source is that you can take a peek at the source code to truly understand what it really does; how it works; how it was designed and whether its design matches its intention," he says.

But if you don't have the software expertise, you will need a software vendor or consultant to help implement the technology. In this case, Karg advises firms to hire a skilled 'geek' to implement open source tools, "rather than to pay licenses and rely on the commercial support teams".

Less confident SMBs should start by getting a consultant, advises CEO of Omnis Systems Paolo Vecchi. This kind of expertise is required because open source software is managed differently to Windows. For example, Vecchi says: "You would never connect a Windows server to the internet - but you would with Linux".

Even so, once they are up and running, keeping Linux systems secure is comparatively easier than with Windows. According to Steve Nice, CTO of open source software specialist Reconnix: "While Linux malware does exist, it's only a tiny fraction of what currently affects Windows, so there is much less risk on a day-to-day basis of a system suffering an exploit."

See the article here:
Open source software: a guide for SMBs

Open source software is more secure, right? So what happened with OpenSSL?

Apr. 11, 2014 - 8:38 AM PDT

One of the benefits often cited for the use of open-source software is that because it is so widely available and open to review by developers, any security flaws will be caught sooner than with closed, proprietary systems. This week's near-panic around the Heartbleed flaw in the OpenSSL open-source encryption software calls that contention into question. When you have internet security czars telling people to stay off the internet, there's a problem.

The vulnerability, which afflicted popular web sites and networking gear from Cisco and Juniper, has been around for more than two years but was brought to light by researchers at Google and Codenomicon early this week. That's a long time.

But the German programmer who claimed responsibility for contributing the flawed code in late 2011 told The Guardian that he, not the open source model, is to blame. Robin Seggelemann said his update did what it was supposed to do, enable the Heartbeat feature in OpenSSL, but also accidentally created the vulnerability that caused all the hubbub.

Seggelemann said he wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.
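The "necessary validation" Seggelemann describes here, and the buffer over-read that the first piece above suggests a static analyzer or a round of fuzzing might have flagged, follow a pattern that is easy to show in isolation. The C below is an added illustration written for this page, not OpenSSL's code: it parses a simplified RFC 6520 heartbeat body from a constructed memory image in which the bytes after the received record stand in for whatever sat next to it in the process heap. `hb_respond_unchecked` trusts the peer-supplied payload length and so echoes bytes from beyond the record; `hb_respond_checked` adds the missing comparison against the number of bytes actually received; `count_accepted_lengths` sweeps every 16-bit length the way a fuzz harness would. The buffer sizes, the `'S'` marker bytes, the 5-byte payload and all function names are assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message body (RFC 6520):
 *   1 byte    type (1 = request, 2 = response)
 *   2 bytes   payload_length, big-endian, attacker-controlled
 *   N bytes   payload
 *   >= 16     padding
 * rec_len is how many bytes the record layer actually delivered. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Constructed memory image for the demo (an assumption, not a real heap
 * layout): the record occupies g_mem[0..REC_LEN); the 'S' bytes after it
 * stand in for whatever secrets sat next to the record in the process. */
#define REC_LEN 24
#define MEM_LEN 64
static uint8_t g_mem[MEM_LEN];

static void build_demo_memory(uint16_t claimed_len) {
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = 1;                               /* heartbeat_request */
    g_mem[1] = (uint8_t)(claimed_len >> 8);     /* length the peer claims */
    g_mem[2] = (uint8_t)(claimed_len & 0xffu);
    memcpy(g_mem + HB_HEADER_LEN, "hello", 5);  /* the 5 real payload bytes */
    /* g_mem[8..23] is the 16-byte padding (zeros); REC_LEN = 3 + 5 + 16 */
    memset(g_mem + REC_LEN, 'S', MEM_LEN - REC_LEN);
}

/* Vulnerable pattern: copy payload_length bytes without asking whether that
 * many bytes were received. out_cap only protects `out`; nothing bounds the
 * read from rec, so the response carries whatever follows the record. */
static int hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                              /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Hardened pattern: header + claimed payload + minimum padding must fit in
 * the bytes that actually arrived; otherwise discard the message silently. */
static int hb_respond_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Offset in the unchecked response where bytes from beyond the record first
 * appear, or -1 if the response stayed inside the record. */
static int leaked_offset_unchecked(uint16_t claimed_len) {
    uint8_t out[MEM_LEN - HB_HEADER_LEN];       /* keeps every read inside g_mem */
    build_demo_memory(claimed_len);
    int n = hb_respond_unchecked(g_mem, REC_LEN, out, sizeof out);
    for (int i = 0; i < n; i++)
        if (out[i] == 'S') return i;
    return -1;
}

/* Result of the checked parser for a given claimed length. */
static int checked_result(uint16_t claimed_len) {
    uint8_t out[MEM_LEN - HB_HEADER_LEN];
    build_demo_memory(claimed_len);
    return hb_respond_checked(g_mem, REC_LEN, out, sizeof out);
}

/* Exhaustive sweep over every 16-bit payload_length, the loop a fuzz harness
 * or unit test would run. Returns how many lengths the checked parser
 * accepts, or -1 if it ever echoed more bytes than the record held. */
static int count_accepted_lengths(void) {
    int accepted = 0;
    for (unsigned len = 0; len <= 0xffffu; len++) {
        int n = checked_result((uint16_t)len);
        if (n < 0) continue;
        if (n > REC_LEN - HB_HEADER_LEN - HB_MIN_PADDING) return -1;
        accepted++;
    }
    return accepted;
}

int main(void) {
    printf("unchecked, claimed 40: leaked bytes start at offset %d\n",
           leaked_offset_unchecked(40));
    printf("checked, claimed 40: %d (message dropped)\n", checked_result(40));
    printf("checked, claimed 5: %d bytes echoed\n", checked_result(5));
    printf("checked parser accepts %d of 65536 claimed lengths\n",
           count_accepted_lengths());
    return 0;
}
```

The single comparison in `hb_respond_checked` is the whole fix: the claimed payload plus the header and the mandatory 16 bytes of padding must fit inside the record that arrived, and a message that fails the check is dropped rather than answered. Against the demo's 24-byte record only claimed lengths 0 through 5 survive the sweep, while the unchecked version with a claimed length of 40 returns the 'S' bytes starting 21 bytes into its response.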

So why did the resulting vulnerability stay under the radar for so long? Because, in his view, OpenSSL, while widely deployed, is also under-funded. "OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project," he told the Guardian.

And that brings us back to the question of whether open-source software is always best compared to company-funded-and-supported commercial (paid) software. It's good to debate the issue, but given the traction that Linux, Apache and perhaps OpenStack have gotten, this horse may have left the barn. And remember, commercial software companies haven't exactly covered themselves in glory with regards to security. Most notably, security giant RSA reportedly shipped encryption software with a known backdoor.

Read this article:
Open source software is more secure, right? So what happened with OpenSSL?

Is open source to blame for the Heartbleed bug?

By now you've likely heard about the Heartbleed bug, a critical vulnerability that exposes potentially millions of passwords to attack and undermines the very security of the Internet. Because the flaw exists in OpenSSL, an open source implementation of the SSL/TLS protocols, many will question whether the nature of open source development is in some way at fault. I touched base with security experts to get their thoughts.

First, let's explain the distinction between closed source and open source. "Source" refers to the source code of a program: the actual text commands that make the application do whatever it does.

Closed source applications don't share the source code with the general public. It is unique, proprietary code created and maintained by internal developers. Commercial, off-the-shelf packages like Microsoft Office and Adobe Photoshop are examples of closed source.

Open source does not necessarily mean open season for hackers.

Open source, on the other hand, refers to software where the source code is available to the public. Open source projects are generally collaborative efforts because any developer is free to review the code, edit or enhance it, or add features. Popular examples of open source software include Linux, the Apache Web server, and OpenSSL.

When anyone is free to view the source code, and any developer can submit changes to the open source project, there are potential security concerns (a submitted change still has to get past the project's review before it is merged, which in Heartbleed's case it did). Without properly vetting the developers, there is no way to know what, if any, secure development practices are being used, and the possibility exists for a malicious developer to intentionally introduce a vulnerability like Heartbleed for the express purpose of exposing the software to attack.

Does that mean that open source tools are inherently insecure, or less secure, than their closed source cousins?

"An argument could be made that the collaborative nature of open source software development compounds the challenge of ensuring security is considered throughout the software life cycle," David Shearer, CISSP, PMP, and Chief Operating Officer of (ISC)2, said in a statement sent to PCWorld.

The security implications of what should be a simple diagnostic capability in OpenSSL are a prime example. According to Shearer, "One could go as far as to say that we may be heading toward a time where some of the key security architecture components that are available as open source software may need to be more closely managed and monitored."

But while it's true that there are some security concerns unique to the collaborative nature of open source and to having the source code open to the general public, there are also ways that open source strengthens security.

Read more here:
Is open source to blame for the Heartbleed bug?

Leaders in Learning Analytics and Open Source Software Hold Open Learning Analytics Summit; Marist College to Host …

(PRWEB) April 10, 2014

With learning analytics poised to become a mainstream technology, higher education leaders from around the world came together following the Learning Analytics and Knowledge (LAK) 2014 conference in Indianapolis, Indiana for an Open Learning Analytics (OLA) Summit. The Summit, supported by the Society for Learning Analytics Research (SoLAR), Marist College, and the University of Wisconsin-Madison, was organized to bring together representatives from the learning analytics and open source software development fields as a means to explore the intersection of learning analytics and open learning, open technologies, and open research.

The Summit, facilitated by George Siemens, Executive Director of the LINK Research Lab at The University of Texas at Arlington; Josh Baron, Senior Academic Technology Officer at Marist College; and Kimberly Arnold, Evaluation Consultant, University of Wisconsin-Madison, spanned two days and focused on open system architectures and how source communities can accelerate the full potential of learning analytics to provide powerful new tools for understanding learning and improving the learning experience and teaching practice.

Building on prior work in the area of OLA by both SoLAR and Apereo, the open-source foundation formed through the merger of Sakai and Jasig in 2012, participants from both communities, as well as others, worked to identify projects to further the field and move toward producing a range of open-source learning analytics services and products.

"Having helped to draft, along with many other colleagues, an initial concept paper on open learning analytics in 2011, it was exciting to see leading researchers in the field come together with those who have more than a decade of experience working on open-source software higher education projects," said George Siemens. "My sense is that we will see some rather concrete projects emerge from the summit which could have a significant impact on both the field of learning analytics and higher education as a whole."

One of the major outcomes of the Summit was the identification of a number of domains for the OLA community in which future work would be conducted. These OLA domains included: open research (e.g. open datasets, open predictive models, etc.), institutional strategy and policy issues, and learning sciences/learning design and open standards/open-source software. Leads for these domains will be working to document the findings from the Summit as well as developing implementation plans. For example, the open standards/open-source software group is now defining the scope and technical details of an open learning analytics architecture, which will be platform-agnostic, as well as identifying and reaching out to additional research and corporate partners. At the same time, representatives from both SoLAR and Apereo will collaborate on updating the prior Open Learning Analytics concept paper from 2011 to incorporate the Summit outcomes.

"The launch of the Apereo Learning Analytics Initiative a few months ago demonstrates the level of strategic interest in learning analytics that exists within the Apereo ecosystem," said Josh Baron, who is currently serving on the Apereo Foundation Board of Directors, "which will be significantly enhanced by our collaboration with world renowned researchers and practitioners from the SoLAR community."

Building on the success of this first OLA Summit, the organizers are also planning for future face-to-face gatherings which will include informal meetings at the 2014 Open Apereo conference in Miami, Florida (June 1 - 4) as well as other venues. In Europe, the Learning Analytics Community Exchange (LACE) project is organizing a series of community events in schools, universities, and the commercial sector that will emphasize the importance of the OLA objectives within the European LA community. The group is planning to hold another major OLA Summit at the 2015 Learning Analytics and Knowledge Conference, which will be hosted by Marist College in Poughkeepsie, New York (March 16 - 20).

"We are extremely excited to be hosting the 2015 LAK conference on our campus," said Dr. Dennis J. Murray, President of Marist College, "not only because of the strategic importance that Marist places on the emerging field of Learning Analytics but also because of the role we believe this field will play in transforming higher education over the coming decade. With this in mind, I would like to extend a personal invitation to institutional leaders from around the world to be part of this important event and join us in New York's Hudson River Valley in 2015."

For organizations and individuals that would like to get involved in the OLA initiative, please contact gsiemens (at) gmail (dot) com.

Read this article:
Leaders in Learning Analytics and Open Source Software Hold Open Learning Analytics Summit; Marist College to Host ...

How Git redefined open source software development

Apr 09, 2014, 05:00

It's not hard to come up with a dozen different reasons why the rise of open source development has been a watershed event in both the software and hardware industries. All of us can build new web applications faster with our feet firmly planted on the shoulders of jQuery, Bootstrap, and Apache. Languages like Ruby, PHP, and Python power the Internet, and operating systems like Linux and FreeBSD provide the foundation for thousands of companies and services.

But open source isn't just about the free tools we have access to, it's also about the community of developers that will help support crazy new ideas and give them a chance to thrive, grow, and change the world; ideas that would never see the light of day in a closed source world.

Read more:
How Git redefined open source software development

When Should We Go Open Source?

While the subject of open source used to be confined much more to software than to electronics and hardware, several changes over the past years have made it more universal. The advent of the 3D printer and other open source hardware projects along with Kickstarter as a vehicle for funding have made it much easier to bring a project to the open market than ever before.

Open source software/hardware learning and development projects like Arduino, BeagleBone, and Raspberry Pi have opened up resources for the masses that were previously cost prohibitive. An older version of this was seen in robotics in schools, but the vehicle to commercialize or rapidly spread the information was not always understood. I feel this is good news for the world of engineering. It helps evangelize the engineering and invention mindset and emphasize a long-term career path in a field that is challenging and often reinventing itself.

One of the issues in the software world that held back the open source movement for some time was the lack of support, not only for the software itself but also for the build libraries and applications. Many of these problems were solved many years ago by the Linux movement and by SourceForge, which enables developers to create and store source and various builds in a readily available location under a more uniform licensing agreement. Another issue is how we make money from open-source software code. The answer is not always clear, nor in many cases is it actually sought after.

The Red Pitaya open source instrumentation system.

Many open-source projects are there to help solve a problem that may in turn make it easier to perform our jobs on a daily basis. The ability to add to and improve existing code that may be of limited commercial use is the reason many of us turn to open source. It makes little sense to pour unlimited resources into code that is not core to your business or of significant commercial value. We are presently looking at several projects we want to open up to a larger development world for just this reason.

Companies like Red Hat with Linux, and Google with Android, have built good business models by opening up their software, but it takes vision and time. Meanwhile Apple, Microsoft, and Oracle make effective use of the proprietary model. These companies have generated and will continue to generate trillions for the economy and enrich the lives of their employees. There should always be a place for both types of business models, as both have value to our society.

On the hardware side, while I believe that Kickstarter is more of a funding vehicle than a central repository of projects, many of the projects do release full schematics, drawings, and code as part of participation. In this way it acts as a limited resource for this information. Many of these projects have no limitation on how you use the information, and encourage you to spread the word.

The use of FPGA and HDL is one of the most prevalent examples of hardware which takes advantage of an open-source hardware model. While it seems there are a number of sites attempting to be the equivalent to SourceForge, they have not gotten the traction and de-facto support from the hardware community. There are also still a number of competing licensing schemes to try and deal with patent issues.

As a company, Evans Analytical Group will continue to use open source projects to both accelerate our own knowledge and help us solve problems. We find it beneficial to enhance our internal solutions with the help of the vast amount of resources just a keyboard away. It is unlikely we as a company would open up any of our non-software-related projects.

At this time it doesn't appear there is a universally accepted license agreement to keep someone else from patenting or claiming your IP and preventing you from using your own creation. On an individual basis I continue to support a number of projects like Red Pitaya and Parallella, which originate out of Kickstarter. While these are mainly hobbies, they do lead to an increase in knowledge and possibilities that can benefit both company and individuals.

Follow this link:
When Should We Go Open Source?

Security and quality top companies’ reasons for using open source

Why should you use open source software? The fact that it's usually free can be an attractive selling point, but that's not the reason most companies choose to use it. Instead, security and quality are the most commonly cited reasons, according to new research.

In fact, a full 72 percent of respondents to the eighth annual Future of Open Source Survey said that they use open source because it provides stronger security than proprietary software does. A full 80 percent reported choosing open source because of its quality over proprietary alternatives.

Surprisingly, the fact that it's often free is not the main reason most businesses choose open source software.

Sixty-eight percent of respondents said that open source helped improve efficiency and lower costs, while 55 percent also indicated that the software helped create new products and services. A full 50 percent of respondents reported openly contributing to and adopting open source.

Results of the survey, conducted by Black Duck Software and North Bridge Venture Partners, were released Thursday and paint an even rosier picture for open source than did last year's results. A record-breaking 1,240 industry influencers took part in this year's survey, answering questions about open source trends, opportunities, adoption drivers, community engagement, and the business problems open source solves.

"We are witnessing a sea change in the way enterprises organize their infrastructure, throwing out proprietary brands in favor of highly efficient and cost-effective open platforms," said Mark Shuttleworth, founder of Ubuntu and Canonical, which participated in the survey.

I had a chance earlier this week to speak with Lou Shipley, Black Duck's CEO, along with Michael Skok, general partner at North Bridge, about what the results mean for those in SMBs.

"Smaller companies are driven by cost, like everybody," Shipley told me. "The use of open source lets you drive your costs down. It also helps you to recruit the best employees."

Organizations must understand that it's about more than just cost-cutting or any of the traditional reasons to use open source software; it's about participating and managing the logistical challenges to gain competitive advantage, attract top talent and influence project direction.

Overall, small firms can have a competitive advantage by standardizing on open source, he said.

The rest is here:
Security and quality top companies' reasons for using open source