I also dislike the 'bug bounty platforms'. Why can't I simply report it upstream, and if accepted, claim my prize? Each of the projects should have CVE protocols and procedures. The idea probably is to curb the zero-day vulnerability leaks, but I assume that if you're able to find a CVE, you're capable of finding a CVE procedure.
Overall, though, this is great of course.
Filezilla, Notepad++ and 7-zip aren't in themselves mission-critical, but they're hugely popular products. If you can pwn an office computer or a developer workstation, you've made a crucial step towards pwning something properly sensitive. Think about the IT guy in a typical medium-sized business or a government department - what are the first things he's going to install on his own work computer? After Microsoft Office and his browser, what programs will he most often use to open untrusted files from the internet? What happens to the department if a trojan on his machine starts feeding his passwords to the FSB or the PLA?
The decision making process was a survey. The two criteria used were (1) usage of software inside and outside the EU and (2) critical nature of the software for institutions and users.
A nation-state adversary with a VLC RCE 0day could do some serious damage; if they also have an 0day for a popular model of CCTV DVR, they've got the keys to the kingdom. Those DVRs will never get patched and a nation-state adversary could dream up all sorts of ways to induce a police officer or an intelligence agent to play a media file, but at least we can harden VLC.
I'd never considered that an excellent media playback program would be a vector for nation state and entities with nation state capabilities.
> I can't see how VLC can be as mission critical as Kafka.
VLC can run on public screens
My guess is that the main objective is to address user-visible bugs. While a glibc bug is certainly impactful, it is usually solvable before it gets too widespread.
(And as much as it's "not the right way", higher level apps work around it before it is fixed)
The EU (Brussels offices, etc) actually using them?
We have a mountain of C code running in the wild parsing binary formats that's in real need of some fuzzing or ideally replacement by safer languages.
What's more, getting into one's backend servers/gaining some kind of access to DB, config files of the machine, etc. is, in my mind, just infinitely worse than gaining access to a computer of a person/uploading some ransomware/something similar.
We're just probably working with different SW, so we both see the thing that touches us the most as the problem... :))
If this is the case you have much bigger problems that a bug bounty won't fix.
> in my mind, just infinitely worse than gaining access to a computer of a person/uploading some ransomware/something similar
That depends heavily on what the backend server is. There are plenty of databases where a hack is irrelevant because the data is public and there are backups. Meanwhile most people have poor backups and a hack can be incredibly damaging.
>we both see the thing that touches us the most as the problem
I think you're heavily discounting the risk that all these code bases in general usage pose. I've fuzzed C++ binary parsing code on just a laptop and was amazed at how many crashing bugs I was able to find in a short amount of time. Many of those were probably easily exploitable.
In an ideal world that's what would happen, but even if there were the will and the money it would take decades to replace all of this stuff in practice.
Sometimes when I'm feeling pessimistic I don't think we can ever truly secure (to a reasonable standard) anything.
In a previous discussion here someone pointed out you could actually compile C with hardening for out of bounds accesses for example. So maybe we need to isolate those input paths in programs and harden them.
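As an added example (not code from the thread), this is what "isolating the input path and hardening it" looks like for the kind of C binary parser discussed above: a constructed tag/length/payload format where every read is checked against the bytes remaining, so a hostile length field is rejected instead of read past the buffer. The format, sample bytes and function names are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record format (not from the thread): each record is a 1-byte
 * tag, a 2-byte big-endian length, then `len` payload bytes.  Every read is
 * guarded by a check against the bytes *remaining*, so a hostile length
 * field can neither run past the buffer nor wrap the offset arithmetic.
 * While fuzzing, build with -fsanitize=address,undefined so any check that
 * is missed turns into an immediate, attributable crash. */
typedef struct {
    uint8_t tag;
    uint16_t len;
    const uint8_t *payload;   /* points into the caller's buffer */
} record_t;

/* Returns the number of records parsed, or -1 if the input is truncated,
 * carries a length that exceeds the remaining bytes, or overflows `out`. */
int parse_records(const uint8_t *buf, size_t buf_len,
                  record_t *out, size_t max_out)
{
    size_t pos = 0, n = 0;
    while (pos < buf_len) {
        if (buf_len - pos < 3)            /* header must fit */
            return -1;
        uint8_t  tag = buf[pos];
        uint16_t len = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        pos += 3;
        if (len > buf_len - pos)          /* payload must fit */
            return -1;
        if (n >= max_out)                 /* output array must fit */
            return -1;
        out[n].tag = tag;
        out[n].len = len;
        out[n].payload = buf + pos;
        n++;
        pos += len;
    }
    return (int)n;
}

/* Constructed samples: a well-formed stream of two records ... */
static const uint8_t SAMPLE_OK[]  = { 0x01, 0x00, 0x03, 'a', 'b', 'c',
                                      0x02, 0x00, 0x00 };
/* ... and a stream whose length field (0xFFFF) claims far more than exists. */
static const uint8_t SAMPLE_BAD[] = { 0x01, 0xFF, 0xFF, 'A', 'B' };

int count_ok(void)  { record_t r[4]; return parse_records(SAMPLE_OK,  sizeof SAMPLE_OK,  r, 4); }
int count_bad(void) { record_t r[4]; return parse_records(SAMPLE_BAD, sizeof SAMPLE_BAD, r, 4); }
```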
>Sometimes when I'm feeling pessimistic I don't think we can ever truly secure (to a reasonable standard) anything.
I don't think we can either. In part it's just economics, the cost/value of the exploits is just too high for low-value targets. But it's yet another of the reasons I don't see how cryptocurrency ecosystems can really work. The security of the end-points is just way too low for me to trust that kind of thing.
For those who wish to get credit for them, those bug bounty sites help too.
I've got a CS degree, have used Linux since 1998, used and developed for several commercial unices, and have used Open Office since it was Sun's. I still prefer MS Office.
I only use it for collaborative editing of docx and xlsx.
Because I don't know about German specifically, but with some languages, LibreOffice is very buggy.
(StarOffice -> OpenOffice -> LibreOffice)
And it's not even that expensive. £8/month/person. Slack is £5/month/person and that's just for chat.
Considering an average employee probably costs at least £3000/month it's a bit silly to worry about these small expenses.
Does MS Office have real competitors? Google Docs is very casual compared to MS Office. LibreOffice needs a lot of work.
My money was on Corel Office for Linux (with solid products like Wordperfect and Quattro Pro), but Microsoft bought a large share of Corel and it was mysteriously discontinued.
It's quite surprising given how relatively simple it is.
Cost accumulates at scale.
Take a computer that used to run Windows 2000 and install KDE on it, it's no wonder people got pissed and they had to revert their decision.
It's not quite as snappy as XFCE, or probably MATE, but it's still easily good enough to get the job done.
On CentOS, being a stable platform, KDE itself is also really stable. (Important to me, as I have better things to do than screwing around just keeping a desktop updated.)
For strict accuracy, MATE is not a fork of GTK2, but of GNOME 2. MATE did originally use GTK2, though without forking it, and it has since switched to GTK3 (while still keeping the GNOME 2 "look").
I'm not going to say that the project failed entirely because of technical reasons, but at first glance it really looks like they took bad decisions. It's hard to defend a move where you end up with worse software and a worse experience for users, no matter how much money you save.
Whilst KDE is a much bigger project that is actively developed.
Second, you haven't given us any arguments for your "indications of quality" regarding MATE and KDE.
Third, like Gnome, KDE has a huge legacy in FOSS, and is a great project in itself based on a top notch GUI backend. Some of its code even went on to become the basis of the modern web (KHTML -> Webkit -> Blink -> Node -> now also Edge); other tools like KDevelop, Krita, etc. are among the best in class in what they do.
What are you, some teenage Linux nerd, with a "favorite" desktop to promote in flame wars?
out of a museum, or a skip perhaps
>and install KDE on it
Then put Windows 10 on it, or any other fully featured modern GUI OS. And we have proved what? Computers from 18 years ago don't run modern OS's very well, but can run ok with an OS specifically pitched as 'lightweight'.
On the other hand I have a PC right here on my lap that is 10 years old that is running Kubuntu problem free.
Surely most of the problems with the opensource tools they were using could have been resolved by helping the opensource projects fix bugs.
Actually LiMux did that. From an external PoV, I saw quite a number of commits coming from LiMux sponsored people in a few FOSS projects I follow.
The way the decision came into play is crazy however. Just around the elections Microsoft moved their German headquarters from outside the city into the city, and the next elected deputy mayor from the conservative party was disappointed that it took much time to get an official mobile phone from the IT department and setting up mail on that device was complicated ... no idea how that's related to desktops, but that triggered the debate ...
That's a very one-sided portrayal of the situation. There were problems regarding usability, the resulting low user acceptance and issues with external MS Office files due to compatibility bugs.
If anything, funding the project for so long was a symptom of putting ideological and political considerations before user needs.
I find it very weird how even most software developers prefer MBPs with MS Office on them, but some poor souls elsewhere are supposed to do their daily work on a sub-standard platform. I mean we're still joking about the "Year of the Linux Desktop".
The resulting standard was 6,546 pages long (in comparison, ODF is just 867 pages long), and Microsoft Office was not fully compliant with it, making the entire process a waste of time. 10 years later the situation is the same.
It is reasonable to believe that interoperability and standardization were not in the best interest of Microsoft. They have the largest market share and they have not much to win by giving opportunities to competitors.
You can read more here: https://en.wikipedia.org/wiki/Standardization_of_Office_Open...
FYI a lot of European government offices run LibreOffice.
Seems kind of bizarre the EU would encourage such practises.
Think that through. The malware that comes with FileZilla is often reported to be pretty bad.
Agreed, potentially a 0-day (especially when targeted) could also have a really bad effect.
But Filezilla's malware isn't theoretical, so could really be the bigger problem.
And there is also the consideration that governments will continue to use Filezilla even if there isn't EU funding to make it more secure -- malware and all.
The process was an open tender from which the software projects were chosen.
It's not a very interesting target (most of these are not), but it's safe to say it's a valid target.
It isn't about promoting open source products. It's about defending against open source products that are already being used. Likely heavily used within the EU institution itself.
The answer is yes. The value of these bug bounty programs is directly tied to the amount of use the software gets (and most of these get used a ton, including Putty, regardless of alternatives).
Funding bug bounty programs kind of fails its objectives if they don't.
Regardless of whether they get updated, these are still a net benefit for new installs.
So given that pretty much every government/company probably has some incidental security exposure to Putty it is a smart investment to make sure it's bug free.
It's a good initiative and needs a better selection / qualification process
However, such a limitation is rather easy to work around. Which means now, buggy commits are going to look suspicious.
WSO2 is an Enterprise Service Bus that I used at another company (owned by government BTW) instead of one from whoever-makes-commercial-ESBs.
I hate the language as much as anyone (probably more since I had to work with it extensively), but that doesn't change the above fact.
From Wordpress and Drupal to countless custom websites and apps built with Laravel or Symfony, this is a very worthwhile area to invest this money in.
Regardless of how much you don't like PHP.
PHP isn't "complete", it could still need better support for multithreading and async operations, but that is also a part of what makes PHP so nice to work with.
It's fantastic for the live request-response situations.
It's all the tiny businesses, restaurants, schools, fan sites. Sites with 5 visitors a day. Probably like 50% of the web is this.
You can hate PHP all you want but there is no tech that does this better (maybe serverless one day). And PHP CMSes are in a completely different league compared to anything else, unfortunately. Things like Craft, Kirby, Bolt or even Wordpress: nothing compares, unfortunately.
Of course people here are gonna hate on it and I hate PHP as much as anyone, but when you are living from making websites for 500eur and you need to make 3 a month then it is hard to beat.
In the end PHP is a tool. And despite the constant whining, it has created a great many projects people want to use and use (by choice).
When you create an alternative as good for people's actual needs (and not what you consider people's needs to be, like "elegant code") we can see if we can get them to switch to that.
Professionals use tools. Whiners and amateurs complain about ideals.
>I cannot think of PHP companies as something else than a no-innovation, no-research, no-interest & no change since 2000's.
Is this supposed to be satire?
>Now please tell me what I can do with PHP, I want to see newcomers read what options you have by learning PHP.
You get access to a turn-key, widely supported language and ecosystem that powers close to 80% of the web, including extremely popular CMS options. Plus, access to some of the cheapest hosting you can find. You can also write all kinds of backend and CLI stuff in it if you want.
And you can always use ANOTHER TOOL for a different job, if PHP is not suitable. What a concept huh? Who would have thought.
I wouldn't voluntarily start any new project in PHP, but that doesn't change the massive amounts of existing PHP code that can benefit from an investment in security.
PHP is (sadly) not going anywhere for a long time.
Also, as others mentioned, it's just so easy to host PHP based solutions like WP etc that you can't reasonably recommend anything else to a non-technical user.
Even someone clueless can figure out how to host something with PHP on cheap shared hosting with a little internet research.
Good luck doing the same thing with Python or Ruby or even Rust.
For bigger companies which host their own sites, other languages may be better choices.
The fact that it’s often used by morons doesn’t make the language terrible (though most morons are now migrating to node.js).
Also, I'm sure most of this has been fixed, but it sure sounds like a terrible language...
There’s better solutions to almost all of those issues now though.
The idea per se is good, though. We need to ensure that foundational infrastructure is properly maintained.
Is that a good solution to drive economic advancement?
Each country funds the EU, it creates laws and also has programmes across the member countries.
Each country elects Members of the European Parliament.
No country in the EU is a direct democracy where the public vote on every decision. They elect a politician to make those decisions for them.
Do you complain when your local government builds a road to somewhere you don't want to go?
Can you give some examples please?
But as a team, the only way to really pull this off involves inserting such vulnerabilities intentionally and out of sight, which means a closed dev process. Even if you orchestrate via some other medium - assuming you're using a VCS, the vulnerability will be publicly traceable to a core contributor - and if you do that regularly, you'll at least become known as a project that's a security nightmare; that might kill the project in the long run. And you might even raise suspicions purely based on the frequency and nature of vulnerabilities.
All in all: abusing this sounds like a fairly risky fraud.
If you look at the question, you can see that some people don't make the connection that the motivation behind code signing is figuring out who committed suspicious code. Code that has security bugs is one interest, another is code which the committer didn't have permission to commit, for example proprietary code.
What's the difference? It's a systemic flaw.
If there exists an incentive for finding vulnerabilities, there exists an incentive for introducing vulnerabilities. Bug bounties work great for closed source companies because there doesn't exist a misalignment of incentives. If Johnny keeps writing buggy code, he gets fired. If anonymous234 gets his buggy pull request approved, confederate anonymous456 gets to make a few bucks.
Follow up #2: For the skeptical downvoters, I'll put my money where my mouth is and attempt to capture the bounties using the method described above.
E.g. I'm sure that Notepad++ has its share of bugs, but I doubt many are critical or security related.
By most measurements, PHP is used by a majority of sites on the internet. The worst part is how many of those still use PHP 5, which reaches end of life tomorrow...
E.g. Hugo does static websites, but obviously that doesn't meet the needs of everyone. :)
Or is there some general argument for why the EU funding open source software will lead to our demise? Does this round mark a specific point in the journey to free software being made illegal?
“Governments funding open source software is bad because reasons” isn’t really a useful post on Hacker News.