Tag Archives: Open Source

The overlooked importance of open source

A Swiss security engineer develops high-security systems for free after work. A handful of people run a free certificate authority. How can that be?

Considering that Gary Gregory has had to work through the past few days, even though he is actually on holiday, he is in a surprisingly good mood. The developer is one of the main people responsible for Log4j, the software component in which a serious security vulnerability was recently found. When the warning reached him, it was immediately clear to him that he and his handful of colleagues were in for some sleepless nights.

Meanwhile, an older vignette has been revived on the internet: it shows an adventurous construction of blocks resting at the base on a fragile pillar. The construction represents “the whole modern digital infrastructure”, the narrow column “a project that someone in Nebraska has been maintaining since 2003 without thanks”.
(source: XKCD Comic / CC 2.5)

True, Gary Gregory lives in Florida and has maintained the Log4j component for “only” nine years. Apart from these details, the picture fits the current situation perfectly, because the free piece of software, developed and maintained by volunteers, is found in applications from iCloud to Tesla.

In a survey conducted by the CH-Open association among Swiss companies and public authorities with at least one IT manager, 97 per cent said they use open source software (OSS); about half even use it in more than 15 application areas. The picture shows how this number grew between 2015 and 2021.

Open source is used in all kinds of areas: programming languages such as Java and Python, web server and database programs, and desktop applications such as Firefox and LibreOffice are just a few examples. Such software is therefore present in computer systems at every level.

Open source is software whose source code is publicly accessible. With a licence, the authors grant users the right to use the software and its source code for any purpose; users may also distribute it or adapt it for their own needs. Because the entire code is transparent, users can find and fix problems themselves. Ideally, this leads to an exchange that makes the software as a whole better and better, similar to how the online encyclopaedia Wikipedia works.

Often, the code is not simply published on random websites, but under the umbrella of foundations that have rules and processes intended to guarantee the quality of the software. What the foundations do not have is enough money to pay for all the volunteer work, and the same is true of CAcert.

Gary Gregory works an average of about ten hours a week on open source projects. He says, “With a full-time job and three kids, it’s not easy.” He is passionate about it and enjoys it. Compared to his job, he can be more creative. Instead of the ideas of business clients, his own ideas take centre stage, which he likes.

Gregory is lucky: his employer supports his commitment and allows him to occasionally work on his open source project during working hours. “My company realises that it benefits from open source and it’s only fair to give something back once in a while.”

This is rather the exception. In the survey of Swiss users cited earlier, less than a quarter of organisations say that employees are allowed to contribute to open source developments during working hours. Donations to volunteers or to the organisations behind the code are also quite rare.
Some user companies do contribute to open source software (OSS); the picture above shows the different modes of support.

Security engineer Christian Folini knows the situation first-hand. He is one of the two leaders of the “ModSecurity Core Rule Set” project at OWASP, an open source foundation that specialises in security. The Core Rule Set is a set of hard-to-read rules for the ModSecurity web application firewall, designed to detect and defend against malicious attacks. Such a rule set is part of the infrastructure of security-sensitive applications, such as online banking or the cloud.

Microsoft, Google, AWS, Yahoo, Cloudflare: all integrate and distribute Folini’s rule set. Of those mentioned, only Google supports the project with donations. Folini has been able to recruit smaller companies as sponsors. With that money, the group finances, for example, having a person available around the clock to answer questions. With more money, the quality of the software, and thus the security of its users, could be increased further. But this awareness is usually lacking.

If you can help with CAcert as a volunteer or supporter, please contact the secretary at secretary (at no spam) cacert (dot) org

CAcert @ OpenRheinRuhr, Oberhausen, NRW, DE

German:

The OpenRheinRuhr in Oberhausen opens its doors to free software again on the weekend of 4/5 November 2017. The event in the Rheinisches Industriemuseum is easy to reach, directly at the main station in Oberhausen.

CAcert will of course be there, informing visitors on site about risks on the internet and ways to significantly increase security. Anyone interested can find out about free certificates at the CAcert stand, including SSL server certificates and client certificates for secure e-mail communication. There will again be exciting conversations about CAcert’s activities and the outlook for the future. Active members are welcome; questions are gladly answered.

https://wiki.cacert.org/Events/OpenRheinRuhr2017

Dutch:

The OpenRheinRuhr in Oberhausen (near Eindhoven) opens its doors to free software again on the weekend of 4/5 November 2017. The event in the Rheinisches Industriemuseum is perfectly located, directly at the main station in Oberhausen.

CAcert will of course be present, informing participants about risks on the internet and ways to increase security. Anyone interested in free certificates, including SSL server certificates and client certificates for secure e-mail communication, can find out more at CAcert’s stand. There will be exciting discussions about CAcert’s activities and future prospects. Active members are welcome; questions are gladly answered.

French:

The OpenRheinRuhr fair in Oberhausen, in neighbouring North Rhine-Westphalia, will open its doors to free software again on the weekend of 4 and 5 November 2017. The event in the Rheinisches Industriemuseum (Rhineland Industrial Museum) is located directly at Oberhausen central station.

CAcert will of course be present, informing participants about risks on the Internet and ways to increase security. Anyone interested can learn more about free certificates, including SSL server certificates and client certificates for secure e-mail communication, at the CAcert stand. There will be exciting discussions about CAcert’s activities and future prospects. Active members are welcome, and questions will be answered with great pleasure.

English:

On the weekend of November 4th and 5th, the OpenRheinRuhr in Oberhausen opens its doors. It is an ideal platform to get informed about free software, and of course CAcert will attend. The fair takes place in the Rheinisches Industriemuseum, located directly at the central station of Oberhausen.

CAcert informs visitors about risks on the internet and shows ways to increase security considerably. Anyone who wants to learn about free certificates, e.g. SSL server certificates or client certificates for secure e-mail communication, is invited to meet CAcert staff for a discussion at CAcert’s OpenRheinRuhr booth. We also expect exciting talks about the activities of CAcert and its future prospects. Active members are welcome; questions will be answered gladly.

CAcert root certificates included in the Replicant (Android) distribution

The Android distribution Replicant has recently decided to include the CAcert root certificates in default installations.


Replicant was started as a pragmatic way to achieve software freedom on mobile devices by providing a fully free version of Android. Over the years, support for a dozen different mainstream devices was added.
However, most of these devices are severely flawed when it comes to software freedom, privacy and security. It was therefore decided to focus Replicant’s development effort on a few specific devices that perform better in those respects, instead of trying to catch up with the latest mainstream devices. Replicant is sponsored and supported by the Free Software Foundation.

For further details on the inclusion status of CAcert’s root certificates in other OS distributions see wiki.cacert.org/InclusionStatus

CAcert at FOSDEM in Brussels, BE

CAcert joins the open source event FOSDEM at ULB Brussels, Belgium on the weekend of February 4th/5th. Our stand is located in the K building on the ground floor. Our staff will happily answer your questions regarding CAcert and its certificates and perform assurances with you. For the CAcert fans among you, we will also bring our polo shirts for purchase.

If you come to the FOSDEM there are two important meetings you shouldn’t miss:

Saturday 16:00, room H.2214: talk “Trust – the root of evil?!”
One of our active members, Benedikt Heintel, is going to give a talk about trust: in a highly connected world like ours, trust is one of the most important assets. But what if the root of trust is not trustworthy? This talk explains why most commercial CAs are not trustworthy by default, what we can learn from 2011’s cases such as the Dutch DigiNotar and the Malaysian DigiCert, what makes CAcert different, why CAcert is not in the browsers by default and what we are doing to make that happen.

Sunday 12:00 noon, room Ferrer: assurance party
As in previous years, participants can get assurances for their CAcert account in order to issue certificates valid for two years. For the assurance you will need at least one piece of official government-issued photo identification. Please register beforehand on the CAcert website and download the CAcert Certificate Assurance Programme (CAP) form. It is recommended to bring at least ten printed forms with you.