Bugs in your phone's software: Better the devil you know

[Image: Android figures (credit: Jerry Hildenbrand / Android Central)]

Every piece of electronics you own or use is full of software flaws. That means there are flaws in your phone, your car, your television, your laptop, and everything else with a processor in it. For most people, there isn't much to be done about it.

That's why it wasn't surprising to hear that new vulnerabilities were found in the Linux kernel, which powers (among many other things) your Android and Chrome OS devices. In fact, we see this all the time, and it's a good thing.

These bugs were found because the software is open source. Much of Android is released under an open-source license (the Apache License for most of the Android Open Source Project), and the Linux kernel is under the GPLv2, a copyleft license that requires the source to be made available, which means all the code is right there for people to read, use, and try to break in every way imaginable.

I wouldn't want it any other way, and neither should you.

[Image: Shortcut for Password Manager (credit: Android Central)]

These sorts of bugs exist in all software, including closed-source software. While pieces of Windows and iOS are published as open source, most of those systems are not. That doesn't make them better or worse; open source does not mean more secure by any measurement. It just means that nobody knows the bugs are there except the people with access to the code and the people who have figured out how to exploit them.

I don't know about you, but this sounds troubling to my ears. Knowing that there are bugs that make your electronics vulnerable to people with bad intentions is bad. Knowing that they are being fixed isn't. Not knowing anything at all is terrible.

Let's demonstrate this with a fun and 100% hypothetical exercise. One evening while smoking too much grass, a fellow discovered a way to steal the password to your email. It works on Android, Windows, and iOS, and it's easy enough that anyone able to download some files from the internet can do it.

Most people who find exploitable bugs do the responsible thing, thankfully.

Now, this fellow may smoke too much grass, but he isn't an inherently evil person. He informs the people in charge of fixing these sorts of flaws about the situation, and after trying to collect some juicy bug bounty money, he goes and plays on his PlayStation. He has no desire to rob us all. 

Companies patch their software on their own schedule and push the fixes out to end users like us. All is well, and the lambs lie down with the lions and the bunnies and so on.

But what if his roommate was a little bit evil and decided to try and rob us by hijacking all of our accounts? With access to our email, that'd be easy. We are mostly still at the mercy of the company that made our electronics to get us the proper fix, but if the software in question is open-source, two things happen:

  • The bugs are filed in the open, and everyone knows about them. This causes internet blogs to write words about it, then you know about it, too. 
  • People who can fix it but don't work for one of the affected companies know about it, too. They can help find the fix and get it into our hands faster. Yes, this is a real thing, and some of the best software hackers (the good kind, not the Hollywood kind) aren't software engineers at a big tech company.

[Image: Motorola Edge (2022) software update screen (credit: Nicholas Sutrich / Android Central)]

If the software isn't open source, the bugs are kept secret from users until a fix arrives and someone reads the patch notes. They aren't secret from the people who frequent the internet spaces where exploits for this sort of bug are bought and sold, though. I know which situation I like better.

Of course, you are probably never going to recompile the kernel for your phone and fix any vulnerabilities yourself, even if you do have a fix for them. That means monthly security patches are extremely important and should be part of your buying decision for your next expensive phone. It's just nice to know what is going to be fixed because a company isn't trying to hide it from you.
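As an added, practical check that is not part of the original column: Android reports its security patch level in the system property ro.build.version.security_patch (a YYYY-MM-DD date), and the shell script below reads it over adb, falling back to a constructed sample value when no device is attached, then works out how many months the device lags the current month. The two-month "acceptable" threshold is an assumption for illustration, not an Android rule.

```shell
#!/bin/sh
# Added example (not from the article): how stale is this phone's patch level?
# Android exposes the level as ro.build.version.security_patch in YYYY-MM-DD
# form; a device on current monthly patches should be at most a month or two
# behind.

# Convert YYYY-MM-DD (or YYYY-MM) into a running month count (year*12 + month).
to_months() {
    y=${1%%-*}            # year
    rest=${1#*-}
    m=${rest%%-*}         # month, possibly zero-padded
    m=${m#0}              # drop the leading zero so "08" is not read as octal
    echo $(( y * 12 + m ))
}

# months_behind PATCH_LEVEL [REFERENCE_YYYY-MM]
# Prints how many months the patch level lags the reference month
# (defaults to the current month on this machine).
months_behind() {
    patch=$1
    ref=${2:-$(date +%Y-%m)}
    echo $(( $(to_months "$ref") - $(to_months "$patch") ))
}

# Classify the lag. The two-month threshold is an assumption: it allows a
# normal vendor delay; beyond that the device is missing fixes that are
# already public in the kernel and AOSP trees.
assess() {
    behind=$1
    if [ "$behind" -le 2 ]; then
        echo "current"
    else
        echo "stale"
    fi
}

# Constructed sample value so the script runs offline; a real run reads the
# property from the attached device instead.
sample_level="2023-05-05"

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
else
    level=$sample_level
fi

lag=$(months_behind "$level")
echo "security patch level: $level ($lag months behind, $(assess "$lag"))"
```

Run it with a phone attached and USB debugging enabled; if the property comes back empty or the lag is well past the threshold, the device is running a kernel and framework with publicly documented, unpatched bugs.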

In the end, while security issues are real and you should be happy to know that there are people who care about them, chances are you'll never be in a situation where they really matter to you. People wait months and months between updates for their iPhones and there hasn't ever been a mass security breach. Yet. 

I just think it's awfully important to know how messed up things could get if the right (wrong) people exploit a bug in the right software. 

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.