The Equifax attack has hit millions of people and stolen the data of millions. It’s an international disaster that’s (almost) as bad as Heartbleed or WannaCry. And it proves something about open source software. It’s not invincible.
Quick quiz question here. Imagine yourself strolling through the office when you hear two colleagues chatting. One says to the other, “And so now I have to work late because there was a security flaw in my presentation app and I spent three hours trying to get rid of the virus I got because of it.” As a user of open source software, do you:
- Think, “Oh dear. I’d better make sure the same thing doesn’t happen to me. Full antivirus scans all round!”
- Ignore them
- Quietly but smugly, hum “I Am Invincible” to yourself.
- Go over, do an I-couldn’t-help-but-overhear and attempt to convert them to open source.
- Swagger over and brag about how you don’t have to do this because your apps have no flaws.
If you answered 4, I must commend you on your activism, but it isn’t what you should have done. Or rather, it isn’t the only thing you should have done. After your conversion attempt, you should go and perform 1.
“Why?” you may be thinking. “Since my software is open source, there’s no way anyone’s gonna get in.” Er, no. They might be able to, and they certainly will.
You know the Equifax attack? No? Okay, basically a credit bureau, the middle man between your bank and the government, has been hacked and stuff is on the Interweb. You know what that was caused by? Open source software.
You see, Equifax, like many companies, uses the open source Apache software to run their servers. Apache is basically one of those open source apps, like Blender and VLC, that proves open source ain’t rubbish. Heck, one of the most popular open source licences, the Apache licence, was actually created for this! And yet, the flaw in it that allowed the attack had been in there for eight years. Since 2008! And that flaw was only discovered this month.
The thing is, most people think that open source software is invulnerable because so many people can look at and change the code. But you can’t consider yourself protected. Even in a project as big as Apache, a critical security flaw took 8 years to find! Just think about that wallpaper changer you have which is developed by one guy!
So now you know. It’s not enough to have open source stuff; you need a good antivirus and, if your system supports it, Malwarebytes is always advised.
Are you being more secure with your stuff now? Or do you think it’s a whole load of rubbish? Please let us know in the comments!