by marcus_holmes 2547 days ago
seeing this more and more... open source projects pulled in as dependencies without auditing, and causing a security issue.

I predict this is going to become more and more of an issue over the next couple of years, and provoke some drastic changes to the way we do open-source software. What those changes are, I don't know...

2 comments

> years, and provoke some drastic changes to the way we do open-source software.

I object to this phrasing because it makes it sound like the FOSS software is at fault. The problem is that companies are pulling random code off the internet and sticking it in products without auditing or understanding it, so the only solution needed is for companies to actually pay attention to what they're using/shipping (possibly by holding them liable when people are paying for their products, but that could have side effects). In particular, pretty much every FOSS license I've ever seen explicitly says that the software is offered without any claim that it's good/usable/safe, and you can't limit that limitation of liability without seriously screwing up the whole FOSS ecosystem.

I totally understand and agree with that. But we don't live in a perfect world where people do the things they're supposed to do. And there are lots of developers out there who will pull in a malign FOSS library, then blame everyone else when it does exactly what the code said it would do.

Just like every other avenue of life, we're going to have to dumb down what we do so that idiots don't hurt themselves.

While that observation might be true (I doubt it will change Open Source, nor is it a new problem), what's the security issue in this particular case?

Cisco adding an already compromised (it's on GitHub) private key to their firmware, which sure isn't a smart thing to do. But the only security issue I could see here is that somebody could use it to create a "secure" outbound connection from a Cisco device, that just isn't secure at all (because anyone has access to the private key).

Yes, in this instance it turned out to be "not an actual issue".

But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.

And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).
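The auditing gap the thread keeps returning to is a private key that shipped inside a vendored dependency even though the same key was already sitting in a public repository. The following is an added example, not code from the thread or from Cisco, of the kind of check a build pipeline can run over a dependency tree: it finds every PEM private-key block, fingerprints the decoded key bytes so line wrapping does not matter, and flags any fingerprint that appears on a denylist of keys already known to be public. The `vendor/` tree, the key payloads and the denylist are all constructed placeholders for the example; nothing here is real key material.

```python
"""Added example: find private keys vendored into a dependency tree.

Walks a directory, extracts every PEM-encoded private key block, and
fingerprints it so the result can be checked against a denylist of keys
already known to be public (for example, keys published in a project's
own test fixtures). The sample tree and the denylist are constructed for
the example; they are not Cisco's or any real project's files.
"""
import base64
import binascii
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Matches any "... PRIVATE KEY" PEM block; \1 forces the END label to match BEGIN.
PEM_PRIVATE_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    path: str         # path relative to the scanned root
    kind: str         # PEM label, e.g. "RSA PRIVATE KEY"
    fingerprint: str  # sha256 over the decoded key bytes


def pem_fingerprint(body: str) -> str:
    """Hash the decoded bytes so the same key is recognised whatever its line wrapping."""
    compact = "".join(body.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        raw = compact.encode()  # malformed base64: still fingerprint the text
    return hashlib.sha256(raw).hexdigest()


def scan_tree(root: str) -> list[Finding]:
    """Return every private-key block found under root, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for m in PEM_PRIVATE_RE.finditer(text):
                findings.append(Finding(rel, m.group(1), pem_fingerprint(m.group(2))))
    return sorted(findings, key=lambda f: f.path)


def classify(findings, known_public: frozenset[str]) -> list[tuple[str, str, str]]:
    """Label each finding: KNOWN_PUBLIC if its fingerprint is on the denylist."""
    return [
        (f.path, f.kind, "KNOWN_PUBLIC" if f.fingerprint in known_public else "EMBEDDED_KEY")
        for f in findings
    ]


def _pem(label: str, payload: bytes) -> str:
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed payloads: placeholder bytes, not real key material.
LEAKED_PAYLOAD = b"constructed placeholder standing in for a key that is public on GitHub"
OTHER_PAYLOAD = b"constructed placeholder standing in for a second vendored key"

# Hypothetical denylist: fingerprints of keys already seen in public repositories.
KNOWN_PUBLIC_FINGERPRINTS = frozenset({hashlib.sha256(LEAKED_PAYLOAD).hexdigest()})


def build_sample_tree() -> str:
    """Write a small constructed vendor/ tree and return its root."""
    root = tempfile.mkdtemp(prefix="vendor-")
    files = {
        "netlib/tests/fixtures/server.key": _pem("RSA PRIVATE KEY", LEAKED_PAYLOAD),
        "netlib/tests/fixtures/server.crt": _pem("CERTIFICATE", b"not a private key"),
        "netlib/README": "netlib: constructed sample dependency\n",
        "otherlib/conf/test.pem": _pem("PRIVATE KEY", OTHER_PAYLOAD),
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> list[tuple[str, str, str]]:
    """Scan the constructed tree and return (path, kind, status) per finding."""
    root = build_sample_tree()
    return classify(scan_tree(root), KNOWN_PUBLIC_FINGERPRINTS)


if __name__ == "__main__":
    for path, kind, status in demo():
        print(f"{status:13} {kind:17} {path}")
```

Any `EMBEDDED_KEY` result is worth a question in review even when it is not on the denylist, since a private key inside a shipped dependency is rarely intentional; the `KNOWN_PUBLIC` label is the case this thread describes, where the key offers no secrecy at all because anyone can fetch it.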