Ouch! Not even fixed yet? I've found this excerpt from the OpenConnect main page relevant to all you've mentioned, Jon, mainly the last point:
Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies:
- Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.
- Lack of support for Linux platforms other than i386.
- Lack of integration with NetworkManager on the Linux desktop.
- Lack of proper (RPM/DEB) packaging for Linux distributions.
- "Stealth" use of libraries with dlopen(), even using the development-only symlinks such as libz.so, making it hard to properly discover the dependencies which proper packaging would have expressed.
- Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.
- Unable to run as an unprivileged user, which would have reduced the severity of the above bug.
- Inability to audit the source code for further such "Security 101" bugs.
Very interesting Jon. As someone who tried and gave up on Stack Overflow (and the ba-jillions of spawned stack-hyphenated sites), I find the problem fascinating. The problem with Stack Overflow is more complex than simple reputation and gaming the system. The ranking system becomes a self-perpetuating nightmare. Those who gamed to very high initial reputation became self-perpetuating 'gurus' who then answered every single question, and the answer was immediately upvoted (whether the answer was good or bad) because of their reputation.
There's also an insidious underbelly to stack-X, and that is that many who gamed are somehow also "insiders". To put it very simply, never, EVER down-rank an answer by one of these gurus. You will be punished in very mysterious ways, certainly ways no ordinary user can accomplish.
The end problem is that only the "pro" answerers ever answer stuff anymore. Amateurs can never gain enough reputation to have a "good" answer because the system rewards only the mighty. So for the most part very intelligent persons with real knowledge stop answering as they get tired of being downvoted simply because they are not "the gods".
It reminds me of an episode of South Park where the boys took down an MMORPG player who had so many points he could and did kill all the others. The sequences where they built up points for the final battle by gaming the system were quite funny (if you are a South Park viewer).
Jon,
I also find this very interesting.
It actually reminds me of the "shared" highlighting within the Kindle apps of various flavors. A colleague is an English educator and reported that what students reading on a Kindle found interesting in a text was significantly influenced by what others had already highlighted.
Gerald
@Richard - indeed. Terry Anderson and I describe the social form of Stack Exchange as predominantly that of the set: it is about people clustering around shared interests, topics, etc., rather than becoming connected and, as long as it stays that way and the algorithms for collective intelligence are sound, it works pretty well. Unfortunately, networks form - people become known to others and, especially combined with the power you mention, the crowd is no longer so free of bias. In effect, they add more parts to the algorithm that work counter to the main one that drives it because, like all social media, it is a soft system composed of people and process. I wonder whether it would help to anonymize (randomly for each post, so you cannot track individuals) every reply? Individuals would still see their own name and there would still be accountability, badges, relative power, and all the rest - there would just be no external signs of a person's identity. Some people might self-identify, which could potentially mess things up again, but that would backfire if others impersonated those self-identified individuals in an attempt to boost their own karma, so I doubt that many would care to do so.
@Gerald - very true. Also true of the glosses, annotations, etc. of traditional books, but the effects are very limited, for the most part, to individual volumes in libraries. I am certainly influenced by those highlights, not just when reading but to the extent that it feels weird adding my own highlight to the same place and even weirder to add one that is nearby or that overlaps. A similar problem affects citation indexes - the best way to get cited is to get cited. Andrew Chiarella has done some fascinating work on using this effect with his CoRead system, which exploits collective highlighting in a big way. Like me in my own CoFIND system, he found it useful within a small, focused group with shared goals and surrounding pedagogical processes to drive it. The problem becomes bigger in larger crowds formed of networks and sets, where such group processes and norms are sparser or non-existent. Generically, it is an instance of the Matthew Effect - them that's got shall get, them that's not shall lose - which is one of a larger family of systems of preferential attachment. But there are lots of ways that complex adaptive systems in nature avoid that positive feedback trap to stay on the edge of chaos, including delay, parcellation, negative feedback loops, finite energy, etc. My first book (and a couple of papers derived from it) was in large part a theoretically grounded attempt to come up with ways of designing social media for self-organized learning that utilize rather than suffer from such effects. I came up with a set of design principles that I really should get round to refining and revisiting some day. One or two of these ideas have found their way into the Landing, though not as many as I'd like.
Jon
One comment about anyone putting backdoors into products is that they don't just allow the intended persons access, they also create a significant weakness in any security the product might have had.
It is almost a guarantee now that if some agency has built a backdoor into a product (as with Juniper in this case), the black hats have already found and exploited it.
Sadly, it was probably hacked within minutes of the product release.
Backdoors are TERRIBLE things. Proprietary software is in many ways worse, because the probability of the company secretly putting a backdoor into the product has pretty much reached "1.0" in the past few years.
This is bad news, although nothing surprising. I do applaud, though, that Juniper released the advisory. It comes at an interesting time, as I was just looking at how the GnuPG fundraising campaign was doing. And that was a really pleasant surprise :) It was in 1997 when Richard Stallman "urged the crowd to write their own version of PGP," according to the ProPublica article. To add some facts on security when it comes to closed vs proprietary: according to SECPOINT the top 2 most secure operating systems are OpenBSD followed by Linux, and in 3rd place the BSD-based OS X.
Not surprisingly, the back door was at least known to both NSA and GCHQ for several years - http://flip.it/wVQ5C - crazy that we should trust proprietary systems like this.
The Landing is a social site for Athabasca University staff, students and invited guests. It is a space where they can share, communicate and connect with anyone or everyone.