Slashdot Mirror


Open Source Security: Still A Myth

jpkunst writes "John Viega (coauthor of, among others, Building Secure Software) argues in Open Source Security: Still A Myth at O'Reilly's onlamp.com that "open source software may currently be less secure than its commercial counterparts." According to him, there may be "more eyeballs" looking at open source software, but he does not believe those eyeballs are looking for security problems in a structured way."

9 of 502 comments

  1. I have one word for you by spif · Score: 4, Informative

    OpenBSD.

    Developers! Developers! Developers! Developers!

    --
    fnord.
  2. structure is the problem by Anonymous Coward · Score: 2, Informative

    If you're looking for something in the woods and you only have a few people, you have to map out a plan, a structure for searching the woods. You assign people to certain areas, and in this process you make inherent assumptions about your target. You always have specific areas that are searched last, specific areas that are searched by the least skilled people, and specific areas that are searched by people who are skilled but have a specific mindset that colors their search (for instance, they might assume that the object is on the ground).

    The chaotic process of OSS is an advantage because it lacks these assumptions. The code is examined over and over again by different people with different skills and motivations.

    Line-by-line security auditing is certainly useful, and it's important for areas that need that sort of scrutiny. But for projects the size of Linux or Windows, it's not practical to use that for all code, and a scatter approach with many eyeballs might be better.

    It's still difficult to come up with meaningful science on this topic, so any strong statements should be taken with a grain of salt.

  3. Re:More Eyeballs by MikeMacK · Score: 3, Informative

    Hmmm...I thought the point of the article was the Open Source security was a myth. I did read the article, by the way. I guess it should have been called, "Complex bugs not found right away, thus Open Source is not secure."

  4. John Viega and Mailman by waldoj · Score: 5, Informative

    For those who do or would assail John Viega's credibility, I should remind you who he is.

    Most notable for the purpose of this discussion, Viega is the creator of Mailman, the fantastically popular GPL'd mailing list management software. All was good and well with his view of the many-eyeballs theory until, one day, he found a huge, glaring, holy-shit hole in Mailman a few years ago. He was so alarmed that nobody had ever spotted this that, after fixing it, he reflected on what he'd learned and turned it into a thoughtful article, The Myth of Open Source Security. As he wrote:
    "For three years, until March 2000, Mailman had a handful of glaring security problems in code that I wrote before I knew much about security. An attacker could use these security holes to gain access to the operating system on Linux computers running the program.

    "These were not obscure bugs: anyone armed with the Unix command grep and an iota of security knowledge could have found them in seconds. Even though Mailman was downloaded and installed thousands of times during that time period, no one reported a thing. I finally realized there were problems as I started to learn more about security. Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had."
    Again, Mailman was and is an extremely popular program -- this was not a problem of obscurity.

    So, the OnLamp.com article under discussion here is a follow-up to his original article, as he points out in the opening to the new article (but people apparently aren't reading.) As you can imagine, Viega is no rabid anti-OSS guy -- he's, in fact, the very model of what we want our developers to be. He writes good software, admits it when he writes bad software, and tells it like it is, even when we don't want to hear it.

    (Disclaimers, such as they are: Viega is an adjunct professor at Virginia Tech, where I attend school, and I was the earliest alpha-tester of Mailman, in the late 90s.)

    -Waldo Jaquith

  5. OpenBSD is a good example by harlows_monkeys · Score: 4, Informative

    OpenBSD is probably the most secure free OS, yet it has fewer people looking at it than Linux or FreeBSD. Fewer eyeballs are looking at OpenBSD, but they are very good eyeballs.

    Another good example is Kerberos. It's been around a long time, looked at by researchers, students, open source developers, and closed source developers using it as a reference for implementing their versions. Yet, major flaws that weren't subtle have taken a long time to find.

  6. Re:More Eyeballs by Six+Nines · Score: 4, Informative

    A couple of nits to pick...

    1) MSFT is about to celebrate its 30th anniversary (founded 1975, incorporated 1981).

    2) Windows has been around for 20 years (Windows 1.0 was beta tested in 1983-1984, released 1985).

    3) The Windows NT/2000/XP code base is almost 12 years old (NT 3.1 was released in 1993).

    4) Persistently buggy apps are found among both open- and closed-source software. There's no monopoly on spaghetti code.

  7. eeye vulnerability in Windows, 123 days+ by puke76 · Score: 2, Informative

    I refer you to this webpage, where Microsoft has not fixed a known vulnerability in 123 days and counting. The others were not fixed in a timely fashion either. Show me an OSS vulnerability of similar criticality where it has taken that long.

  8. Re:Still... by digidave · Score: 2, Informative

    That study, if it's the one I remember, used a flawed model for determining when to start the timer for bug fixes.

    OSS bugs were termed live once they were informed about it while MS' were live once MS acknowledged the bug, often months after they were informed about it. Check out some Eeye data:

    Upcoming advisories
    Published advisories (click to see time to fix)

    IBM is also bad, but Microsoft seems to be the worst, with most vulnerabilities taking well over 130 days to fix.

    --
    The global economy is a great thing until you feel it locally.
  9. Re:More Eyeballs by valkraider · Score: 2, Informative

    First off, MS hasn't even been *around* for 25 years.

    Wrong.

    Microsoft was founded in 1975. That makes it 29 years old, by my math.

    Look for example, at Sendmail. It's 25 years old

    Wrong.

    Even your own link states that Sendmail shipped first in BSD 4.1c, which was not released until late 1982. Sendmail's PREDECESSOR - "delivermail" dates back to 1979.

    Not that any of this matters - but I find it funny when, in a discussion about quality control, people don't bother to get their facts at least kind of accurate...

    But to stay at least a little relevant to the discussion at hand - I would wager that the simple act of being 22 years old is one of Sendmail's problems. I mean geez, how much have computers, networks, and Unix itself changed in 22 years? Would I trust *any* 22 year old software to work in my current environment flawlessly? Poop no! Sure, some components and concepts can last - but it has already been stated that Sendmail was not designed with these uses in mind, and that we should stop trying to use a wrench to hammer in a nail. By this same logic I could say that Windows 3.1 / DOS is a buggy buggy web server. Sure - you *can* conceptually serve web content from it, but it is a little outdated to do so...