Free Software security vulnerabilities: Heartbleed and other case studies?

J.B. Nicholson jbn at
Sun Jul 30 21:10:05 UTC 2017

Hugo Roy wrote:
> I'm looking for case studies on security and free software, in
> particular the differences in how the world can respond to the discovery
> of important vulnerabilities/exploits on free software vs. proprietary
> software.

Structurally speaking vulnerabilities in proprietary software can be kept 
hidden for a long time. For example, as Richard Stallman points out in, "Apple left a security hole in iTunes 
unfixed for 3 years after being informed about the problem. During that 
time, governments used that security hole to invade people's computers.".

You should read his series of webpages on both (links to other 
well-known proprietors can be found at the aforementioned URL) and which are filled with 
examples of proprietary software malware and the reactions by the relevant 

Typically the reactions from proprietors are not good until there's 
publicity about the insecurity. Embarrassment tends to push proprietors 
into acting to fix the problem (the word "problem" as viewed from a user's 
standpoint, of course). They've reacted by promoting "responsible 
disclosure": a way to get people to work on proprietors' behalf (as though 
the public works for the proprietor) by disclosing vulnerabilities 
(sometimes for rewards) and remaining silent about the vulnerabilities 
until the proprietor discloses the vulnerability. This is an entirely 
social pressure to conform -- one is under no obligation to work with a 
developer in this way. Free software hackers can take a different approach: 
they can illustrate the vulnerability with an exploit, publish a patch, and 
disclose all at the same time and do so in a timely manner. This different 
approach is possible precisely because users have the freedoms of free 

But there's always a chance that the security problem is not a bug (when 
viewed from the proprietor's standpoint). Some proprietors work with other 
agencies (both governmental and private) to ensure there are ways to 
remotely investigate or control what a user's computer is doing. In 
non-free software whether such a backdoor or service was intentional or 
accidental almost doesn't matter because either way (as is always the case 
with non-free software) users don't have the freedom to fix the issue, 
share the fix with others to help their community, and run the fixed 
software (even if they can identify the problem and fix it).

Cryptographically signed software is one way of effectively preventing 
users from running improved variants of copies of the software they already 
have, for example. This too plays a big role in your research because users 
can find themselves stuck with a huge vulnerability they can't do anything 
about besides picking another computer. As I understand it, Intel systems 
have a backdoor pitched as a sysadmin convenience (called "Intel Active 
Management Technology") which users can only use through Intel's interface. 
Users can't control Intel AMT or replace it because it is cryptographically 
signed proprietary software. The cryptographic signature is checked at 
every boot and if the check fails the system won't stay up and running for 
long. It wouldn't surprise me if AMD has something comparable to Intel's 
Active Management Technology with the same restrictions: proprietary 
software, cryptographically signed and checked on boot, users are 
disallowed from uninstalling AMD's key and installing their own (so only 
the user's code runs), and a signature failure result in a non-functional 

Most recently some tracker ("cell phone"/"mobile phone" names hardly do 
justice to properly express the situation) problems came to light regarding 
Android improperly restricting application access. As a result, according 
apps could:

     Record calls
     Record VOIP
     Record from the device microphone
     Monitor the device's location
     Take screenshots
     Take photos with the device camera(s)
     Fetch device information and files
     Fetch user information (contacts, call logs, SMS, application-specific 

and two other apps which "had received 100,000 to 500,000 downloads" also 
copied text messages and sent those copies to someplace without the text 
message author's approval or consent.

Finally, not that you said "intellectual property", but this is sure to 
come up in your research -- the limits imposed by patents, copyrights, and 
trademarks are all relevant but quite different (such as the reason people 
are upset with systemd, versus the problems with Mono, and the reason why 
Mozilla apps had different names in some GNU/Linux distributions). Lumping 
these and other laws together as "intellectual property" conveys ignorance 
of these differences. has 

More information about the Discussion mailing list