The High Cost of Free Software
How to close the holes created by Open Source
“Many critical open source projects are being worked by one part-time volunteer,” said Jim Zemlin, Executive Director of the Linux Foundation, in a recent interview. “It’s completely out of proportion to the role these projects play in society and the Internet.”
OpenSSL, OpenSSH, Bash and other open source projects survive on donations of less than $2,000 a year, and that makes them vulnerable, according to Zemlin. Money pays for “eyeballs” that find bugs before products are released. Open-source development groups don’t have any.
While open source can be used free of charge, the losses can be considerable. Heartbleed, the famous OpenSSL vulnerability, is estimated to have cost hundreds of millions of dollars in both losses due to theft and remediation expenses. A zero-day exploit of OpenSSH could run even higher, with all fingers pointing at the Linux OEMs.
It’s likely a majority of Linux OEMs have installed OpenSSH on nearly every one of their products to facilitate remote support. That makes OEM systems a highly vulnerable entry point to the entire customer network.
Zemlin called Heartbleed “a wake-up call” for the entire open-source community. He said Heartbleed happened because, “OpenSSL is really just two guys named Steve and their dog, and the dog doesn’t do code reviews.” OpenBSD, the developers of OpenSSH, recently made an appeal for donations to literally keep the power on for their servers.
One source of the money needed to improve the security of open source is increased donations. The other is commercialization.
Commercialization is a “hardening” process for open-source which makes it safer. Hardening can include testing, packaging, wrapping, patching, or simply supporting the open source technology — actions which Linux OEMs do in the course of developing and/or supporting their own products. OpenSSH and its various clients are not hardened. They are implemented after the fact, often in an ad hoc manner. They live “in the open” where they are directly exposed to exploit.
The Linux OEMs that got caught by Heartbleed had no warning and no practical alternatives. The Linux OEMs that use OpenSSH have both.
iTivity is a Linux remote access and support solution that provides a protected environment for SSH to run in. iTivity moves SSH out of the open, so it’s no longer exposed to attack. Unlike other remote support solutions, iTivity allows support techs to continue using their favorite SSH clients as well as other Linux utilities.
iTivity was first released in 2002 and has been deployed to support more than 200,000 Linux systems worldwide ranging from small engineered devices to massive servers. To date, iTivity has not suffered a single reported security incident.
By eliminating security risk and increasing support tech efficiency, iTivity lowers the cost of using free SSH.
The dirty secret: Linux OEMs use SSH because it’s free, even though it puts customers at risk.