Every piece of electronics you own or use is riddled with software bugs. That means there are flaws in your phone, car, television, laptop, and everything else. For most people there is not much that can be done about it.
Therefore, it was not surprising to learn that new vulnerabilities have been found in the Linux kernel, which (among other things) powers your Android and Chrome OS devices. In fact, we see this all the time, and it’s a good thing.
These bugs were found because of open source software. Much of Android is under an open source license, and the Linux kernel is under a very strict open source license that cannot be worked around, meaning all the code is there for people to see, use, and try to break in every way imaginable.
I wouldn’t want it any other way, and neither should you.
These kinds of blatant exploits exist in all software, including closed-source software. While parts of Windows and iOS are open source, the core of those systems is not. This doesn’t make them better or worse; open source definitely doesn’t mean better. It just means that no one outside of those who have access to the code — and the people who figured out how to exploit it — know they’re there.
I don’t know about you, but this sounds disturbing to me. It’s bad to know that there are bugs that leave your electronics vulnerable to people with bad intentions. Knowing that they are being fixed is not. Knowing nothing at all is terrible.
Let’s demonstrate this with a fun and 100% hypothetical exercise. One night while smoking too much grass, a guy discovered a way to steal your email password. It works on Android, Windows, and iOS, and it’s so simple that anyone who can download files from the Internet can do it.
Fortunately, most people who find exploitable bugs do the responsible thing.
This guy may smoke too much grass, but he’s not a bad person by nature. He informs the people responsible for fixing these kinds of flaws about the situation, and after trying to collect some juicy bug bounty money, he starts playing on his PlayStation. He has no desire to rob us all.
Companies patch their software on their own schedule and push the solutions to end users like us. All is well, and lambs lie with lions and bunnies and so on.
But what if his roommate were kind of bad and decided to rob us by hijacking all our accounts? With access to our email, that would be easy. We’re usually still at the mercy of the company that made our electronics to give us the right solution, but if the software in question is open source, two things happen:
- The bugs are publicly filed and everyone knows about them. This ensures that internet blogs write about it, and then you know about it too.
- People who can fix it but don’t work for any of the affected companies know about it too. They can help find the solution and get it into our hands faster. Yes, this is real, and some of the best software hackers (the good kind, not the Hollywood kind) aren’t software engineers at a big tech company.
If the software is not open source, the bugs will be kept secret from users until a fix arrives and someone reads the patch notes. However, they are no secret to people who regularly visit the internet spaces where exploits for these types of bugs are bought and sold. I know which situation I prefer.
Of course, you will probably never recompile the kernel for your phone and fix any vulnerabilities yourself, even if you do have a fix for them. That means monthly security patches are extremely important and should be part of your purchasing decision for your next expensive phone. It’s just nice to know what’s going to be fixed, because a company isn’t trying to hide it from you.
Ultimately, while security concerns are real and you should be happy to know that there are people who care about them, chances are you’ll never be in a situation where they really matter to you. People wait months and months between updates to their iPhones and there has never been a massive security breach. Yet.
I just think it’s really important to know how screwed up things could get if the right (wrong) people were exploiting a bug in the right software.