+1-770-428-5000 info@itivity.net


The High Cost of Free Software

How to close the holes created by Open Source

“Many critical open source projects are being worked by one part-time volunteer,” said Jim Zemlin, Executive Director of the Linux Foundation in a recent interview. “It’s completely out of proportion to the role these projects play in society and the Internet.”

OpenSSL, OpenSSH, Bash and other open source projects survive on donations of less than $2,000 a year, and that makes them vulnerable, according to Zemlin. Money pays for “eyeballs” that find bugs before products are released. Open-source development groups don’t have any.

While open source can be used free of charge, the losses can be considerable. Heartbleed, the famous OpenSSL bug, is estimated to have cost hundreds of millions of dollars in both losses due to theft and remediation expenses. A zero-day exploit of OpenSSH could run even higher, with all fingers pointing at the Linux OEMs.

It’s likely a majority of Linux OEMs have installed OpenSSH on nearly every one of their products to facilitate remote support. That makes OEM systems a highly vulnerable entry point to the entire customer network.

Zemlin called Heartbleed “a wake-up call” for the entire open-source community. He said Heartbleed happened because, “OpenSSL is really just two guys named Steve and their dog, and the dog doesn’t do code reviews.” OpenBSD, the developers of OpenSSH, recently made an appeal for donations to literally keep the power on for their servers.

One source of the money needed to improve the security of open source is increased donations. The other is commercialization.

Commercialization is a “hardening” process for open source which makes it safer. Hardening can include testing, packaging, wrapping, patching, or simply supporting the open source technology — actions which Linux OEMs do in the course of developing and/or supporting their own products. OpenSSH and its various clients are not hardened. They are implemented after the fact, often in an ad hoc manner. They live “in the open” where they are directly exposed to exploit.
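The paragraph above lists hardening only in the abstract. The script below is an added example, not iTivity's code, of the kind of check an OEM can run before shipping a device: it parses the global section of an sshd_config, audits the directives that most often leave a remotely supported device exposed, and applies OpenSSH's own defaults when a directive is absent. The directive names are real sshd_config options; the OpenSSH defaults assumed here are the 7.x-era ones, and both sample configurations are constructed.

```python
"""Audit an sshd_config for settings that leave a device's SSH service exposed.

Added example (not iTivity's code). Directive names are real OpenSSH
sshd_config options; the defaults and sample configs are assumptions.
"""
from __future__ import annotations

import re

# Values OpenSSH applies when a directive is absent (7.x-era defaults, assumed).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "listenaddress": "0.0.0.0",
}

# (directive, predicate on the lowercased value, finding text)
CHECKS = [
    ("permitrootlogin", lambda v: v == "yes", "root may log in with a password"),
    ("passwordauthentication", lambda v: v == "yes", "password logins enabled (brute-force surface)"),
    ("permitemptypasswords", lambda v: v == "yes", "empty passwords accepted"),
    ("pubkeyauthentication", lambda v: v == "no", "key-based auth disabled, forcing passwords"),
    ("listenaddress", lambda v: v.startswith(("0.0.0.0", "::", "[::]")), "sshd listens on every interface"),
]


def parse_global(text: str) -> tuple[dict[str, list[str]], bool]:
    """Return the directives in the global section and whether Match blocks exist.

    sshd_config keys are case-insensitive and accept 'key value' or 'key=value'.
    A directive may repeat (ListenAddress), so every value is kept. Everything
    after the first 'Match' line is conditional, so parsing stops there.
    """
    settings: dict[str, list[str]] = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, []).append(value)
    return settings, has_match


def audit(text: str) -> list[str]:
    """List weak settings, noting whether each came from the file or a default."""
    settings, has_match = parse_global(text)
    findings: list[str] = []
    for key, is_weak, message in CHECKS:
        values = settings.get(key) or [DEFAULTS[key]]
        source = "set" if key in settings else "default"
        for value in values:
            if is_weak(value):
                findings.append(f"{key} {value} ({source}): {message}")
                break
    if has_match:
        findings.append("match blocks present: conditional overrides need manual review")
    return findings


# Constructed sample: a config as it is often shipped on a device.
SHIPPED_CONFIG = """
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# ListenAddress absent, so sshd binds every interface by default
Match User support
    PasswordAuthentication no
"""

# Constructed sample: the same service after hardening.
HARDENED_CONFIG = """
Port 22
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" ", finding)
```

Binding sshd to loopback only, as the hardened sample does, is one way to keep the daemon out of the open while still reachable through a controlled channel; the audit flags the absent ListenAddress precisely because the default silently exposes the service on every interface.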

The Linux OEMs that got caught by Heartbleed had no warning and no practical alternatives. The Linux OEMs that use OpenSSH have both.

iTivity is a Linux remote access and support solution that provides a protected environment for SSH to run in. iTivity moves SSH out of the open, so it’s no longer exposed to attack. Unlike other remote support solutions, iTivity allows support techs to continue using their favorite SSH clients as well as other Linux utilities.

iTivity was first released in 2002 and has been deployed to support more than 200,000 Linux systems worldwide, ranging from small engineered devices to massive servers. To date, iTivity has not suffered a single reported security incident.

By eliminating security risk and increasing support tech efficiency, iTivity lowers the cost of using free SSH.

The dirty secret. Linux OEMs use SSH because it’s free even though it puts customers at risk.

SSH: The Linux Solution Provider's Achilles Heel

Learn how hackers can compromise even the “safest” SSH deployments.
SSH Key Management SNAFU Opens Hosting Customers To Attack

Web hosting provider Linode jeopardized the security of its customers' virtual machines, potentially allowing attackers to hijack the SSH connections initiated by customer system administrators, according to IT watchdog site The Register. Linode promotes “High...

SSH Backdoor in Fortinet Hardware Compromises Customers

Exactly 30 days after the announcement that Juniper Networks had jeopardized customer security by shipping products with a hard-coded SSH password, security appliance manufacturer Fortinet has announced that many of their products contain a similar hard-coded backdoor...

6 Year-Old OpenSSH Exploit Discovered

Security firm Qualys has identified a zero-day vulnerability in OpenSSH clients that could allow a malicious server to steal private user keys, according to an eWeek article. The vulnerability is present in all OpenSSH client versions released since March 7, 2010...
