Slashdot Mirror


Open Source Security: Still A Myth

jpkunst writes "John Viega (coauthor of, a.o., Building Secure Software) argues in Open Source Security: Still A Myth at O'Reilly's onlamp.com that "open source software may currently be less secure than its commercial counterparts." According to him, there may be "more eyeballs" looking at open source software, but he does not believe those eyeballs are looking for security problems in a structured way."

14 of 502 comments

  1. I have one word for you by spif · · Score: 4, Informative

    OpenBSD.

    Developers! Developers! Developers! Developers!

    --
    fnord.
  2. Oh and Microsoft is??? by Anonymous Coward · · Score: 1, Informative

    Please! The internal groups in MS barely talk to each other during dev cycles, I KNOW they are not coordinating security efforts or we'd see fewer patches coming down. They're weekly right now for crying out loud! Nice structure there.

  3. structure is the problem by Anonymous Coward · · Score: 2, Informative

    If you're looking for something in the woods and you only have a few people, you have to map out a plan, a structure for searching the woods. You assign people to certain areas, and in this process you make inherent assumptions about your target. You always have specific areas that are searched last, specific areas that are searched by the least skilled people, and specific areas that are searched by people who are skilled but have a specific mindset that colors their search (for instance, they might assume that the object is on the ground).

    The chaotic process of OSS is an advantage because it lacks these assumptions. The code is examined over and over again by different people with different skills and motivations.

    Line-by-line security auditing is certainly useful, and it's important for areas that need that sort of scrutiny. But for projects the size of Linux or Windows, it's not practical to use that for all code, and a scatter approach with many eyeballs might be better.

    It's still difficult to come up with meaningful science on this topic, so any strong statements should be taken with a grain of salt.

  4. Re:More Eyeballs by Zak3056 · · Score: 1, Informative

    W2K is generally considered quite stable, and relatively secure (again, with all of its patches in place)

    That must explain why, when I'm reviewing the patches on my SUS server, so damn many of them have descriptions that state things like "A security issue has been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it." The number of root level exploits that those patches fix is positively stunning, as is the fact that they have to keep re-releasing the same patches and then issue even more patches to fix the same security issue and the bugs introduced by the previous patch.

    You're also ignoring the security nightmare that is IE.

    Agree with you about sendmail, though. Try Postfix instead--unlike sendmail, it was designed with security in mind.

    --
    What part of "shall not be infringed" is so hard to understand?
  5. Not only eyeballs but automated tool finding flaws by Anonymous Coward · · Score: 1, Informative

    I remember some previous kernel flaws. They were not found by eyeballs but by automated flaw finding tools sent out by a couple of Linux distribution publishers. This is the reality: open source is more secure.

  6. Re:More Eyeballs by MikeMacK · · Score: 3, Informative

    Hmmm...I thought the point of the article was that Open Source security was a myth. I did read the article, by the way. I guess it should have been called, "Complex bugs not found right away, thus Open Source is not secure."

  7. John Viega and Mailman by waldoj · · Score: 5, Informative
    For those who are or would assail John Viega's credibility, I should remind you who he is.

    Most notable for the purpose of this discussion, Viega is the creator of Mailman, the fantastically popular GPL'd mailing list management software. All was good and well with his view of the many-eyeballs theory until, one day, he found a huge, glaring, holy-shit hole in Mailman a few years ago. He was so alarmed that nobody had ever spotted this that, after fixing it, he reflected on what he'd learned and turned it into a thoughtful article, The Myth of Open Source Security. As he wrote:
    "For three years, until March 2000, Mailman had a handful of glaring security problems in code that I wrote before I knew much about security. An attacker could use these security holes to gain access to the operating system on Linux computers running the program.

    "These were not obscure bugs: anyone armed with the Unix command grep and an iota of security knowledge could have found them in seconds. Even though Mailman was downloaded and installed thousands of times during that time period, no one reported a thing. I finally realized there were problems as I started to learn more about security. Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had."
    Again, Mailman was and is an extremely popular program -- this was not a problem of obscurity.

    So, the OnLamp.com article under discussion here is a follow-up to his original article, as he points out in the opening to the new article (but people apparently aren't reading.) As you can imagine, Viega is no rabid anti-OSS guy -- he's, in fact, the very model of what we want our developers to be. He writes good software, admits it when he writes bad software, and tells it like it is, even when we don't want to hear it.

    (Disclaimers, such as they are: Viega is an adjunct professor at Virginia Tech, where I attend school, and I was the earliest alpha-tester of Mailman, in the late 90s.)

    -Waldo Jaquith
  8. OpenBSD is a good example by harlows_monkeys · · Score: 4, Informative
    OpenBSD is probably the most secure free OS, yet it has fewer people looking at it than Linux or FreeBSD. Fewer eyeballs are looking at OpenBSD, but they are very good eyeballs.

    Another good example is Kerberos. It's been around a long time, looked at by researchers, students, open source developers, and closed source developers using it as a reference for implementing their versions. Yet, major flaws that weren't subtle have taken a long time to find.

  9. Re:More Eyeballs by Six+Nines · · Score: 4, Informative

    A couple of nits to pick...

    1) MSFT is about to celebrate its 30th anniversary (founded 1975, incorporated 1981).

    2) Windows has been around for 20 years (Windows 1.0 was beta tested in 1983-1984, released 1985).

    3) The Windows NT/2000/XP code base is almost 12 years old (NT 3.1 was released in 1993).

    4) Persistently buggy apps are found among both open- and closed-source software. There's no monopoly on spaghetti code.

  10. What about marketing? by Anonymous Coward · · Score: 1, Informative

    (First of all, I should say that I've spent my career building bespoke systems for blue chip companies in the UK. I haven't been involved in the shrink wrapped product part of the industry.)

    The author doesn't discuss the impact that sales, marketing and other corporate baggage has on software.

    In every company that I've worked for, senior management work hard to prevent information that could embarrass the company from making it into the public domain. In other words, they tend to deny that they have any security problems unless they are forced to admit it.

    Secondly, I'm always under pressure to short change the projects that I work on. Documentation, design, testing, security and reliability always take second place to creating and fixing the features that are most obvious to the end users.

    Generally speaking, our customers are not prepared to pay for security and reliability. They seem to think that it's some sort of god given right that comes without any effort. We're almost always forced to bury the cost of these "extras" in the bowels of the project where the customer can't see it.

    It seems to me that developers on OSS projects are not usually under the same pressure to hide the real cost of development.

  11. Commercial Software is almost the same as OSS by slave+6742 · · Score: 1, Informative
    Having worked as a Test Engineer for one of those commercial companies that make software, I have seen too many times where bugs were known and went out to the customers anyway. Yeah, it was tested, but a rush test job occurs once in a while as well .... actually quite often.

    So, as Penn and Teller would say, I call "BS".

    --
    HGTTG: "I knew that there was something fundamentally wrong with the Universe."
  12. eeye vulnerability in Windows, 123 days+ by puke76 · · Score: 2, Informative

    I refer you to this webpage, where Microsoft has not fixed a known vulnerability in 123 days and counting. The others were not fixed in a timely fashion either. Show me an OSS vulnerability of similar criticality where it has taken that long.

  13. Re:Still... by digidave · · Score: 2, Informative

    That study, if it's the one I remember, used a flawed model for determining when to start the timer for bug fixes.

    OSS bugs were termed live once they were informed about it while MS' were live once MS acknowledged the bug, often months after they were informed about it. Check out some Eeye data:

    Upcoming advisories
    Published advisories (click to see time to fix)

    IBM is also bad, but Microsoft seems to be the worst, with most vulnerabilities taking well over 130 days to fix.

    --
    The global economy is a great thing until you feel it locally.
  14. Re:More Eyeballs by valkraider · · Score: 2, Informative

    First off, MS hasn't even been *around* for 25 years.

    Wrong.

    Microsoft was founded in 1975. That makes it 29 years old, by my math.

    Look for example, at Sendmail. It's 25 years old

    Wrong.

    Even your own link states that Sendmail shipped first in BSD 4.1c, which was not released until late 1982. Sendmail's PREDECESSOR - "delivermail" dates back to 1979.

    Not that this all matters - but I find it funny when, in a discussion about quality control, people don't bother to get their facts at least kind of accurate...

    But to stay at least a little relevant to the discussion at hand - I would wager that the simple act of being 22 years old is one of Sendmail's problems. I mean geez, how much have computers, networks, and Unix itself changed in 22 years? Would I trust *any* 22 year old software to work in my current environment flawlessly? Poop no! Sure, some components and concepts can last - but it has already been stated that Sendmail was not designed with these uses in mind, and that we should stop trying to use a wrench to hammer in a nail. By this same logic I could say that Windows 3.1 / DOS is a buggy buggy web server. Sure - you *can* conceptually serve web content from it, but it is a little outdated to do so...