Slashdot Mirror


How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

jammag writes: "Heartbleed has dealt a blow to the image of free and open source software. In the self-mythology of FOSS, bugs like Heartbleed aren't supposed to happen when the source code is freely available and being worked with daily. As Eric Raymond famously said, 'given enough eyeballs, all bugs are shallow.' Many users of proprietary software, tired of FOSS's continual claims of superior security, welcome the idea that Heartbleed has punctured FOSS's pretensions. But is that what has happened?"

6 of 582 comments (clear)

  1. Leaked by codenomicon by symbolset · · Score: 4, Interesting

    Which is run by a former Microsoft executive who was in charge of security. I guess he can gloat about being personally responsible.

    --
    Help stamp out iliturcy.
    1. Re:Leaked by codenomicon by Thiarna · · Score: 5, Interesting

      I had to dig for direct connections between Codenomicon and Microsoft, but the chairman of the board seems a fairly strong link. The way Codenomicon have behaved in this has seemed reckless, I've never seen a bug so heavily marketed. The stats floating around initially seem to be way off the mark - to begin with quotes were of 66% of web servers being affected, later revised to 17% running affected versions. Both these numbers look too round to be anything other than made up.

  2. Comment removed by account_deleted · · Score: 4, Interesting

    Comment removed based on user account deletion

  3. Re:Wat? by tysonedwards · · Score: 5, Interesting

    It is a double edged sword. Because one can see the code, there is visibility into the process. Because OpenSSL is such a common tool and is arguably vital to the function of the Internet as we know it, this sort of a bug really is one of those "worst case scenarios" PR wise, as opposed to being cleanly swept under the rug as is possible in the case of many Closed Source 0-day vulnerabilities.

    The problem here is that people have been using the argument that Open Source is better because these issues can't happen "because" of the visibility. And the argument "Open Source is inherently safer" has been very heavily damaged by Heartbleed and now ranks up there with "Macs don't get viruses" and "Women are worse drivers".

    If this happened in Microsoft, Adobe or Oracle Land this would be "yet another 0-day" and largely ignored by the public. Because it is in an area with such a vocal group of people spouting "Impenetrable" for decades, it all of the sudden becomes quite newsworthy in a way that "yet-another-remote-code-execution-with-privilege-escalation-in-Acrobat-Reader" vulnerability doesn't.

    And if you doubt any of this for a moment, have you ever heard the name of the developer who was at fault for introducing a bug into Flash on the local news? Now did you hear the name "Robin Seggelmann" in connection to Heartbleed?

    --
    Thirty four characters live here.
  4. Re:Open source was never safer by erroneus · · Score: 5, Interesting

    Closed source is hazardous in many ways. Along with being more frequently targeted, the NSA revelations showed that Microsoft worked with the NSA when deciding how quickly to close some holes. Another hazard is the threat of being attacked and/or sued by companies whose products were found to have problems.

    No question the heartbleed thing is a huge and embarassing problem. But you know? It's actually kind of hard to count the number of high-profile vulnerabilities in F/OSS software as not a whole lot come to mind. On the other hand, the list is enormous for closed source from large companies... also hard to count but for another reason.

    It does highlight one important thing about F/OSS, though. Just because a project has enjoyed a long, stable and wide deployment, code auditing and other security practices are pretty important and just because it's a very mature project doesn't mean something hasn't been there a long time and had simply gone unnoticed for a long, long time. People need wakeup calls from time to time and F/OSS developers can be among the worst when it comes to their attitudes about their territories and kingdoms. (I can't ever pass up the opportunity to complain about GIMP and GNOME... jackasses, the lot of them.)

  5. Why is Raymond's claim theoretically sound? by Anonymous+Brave+Guy · · Score: 5, Interesting

    Raymond's proposition is theoretically sound

    No, it isn't. It's nonsense and it always has been.

    There is plenty of evidence for the effectiveness of good code reviews, but most of it shows rapidly diminishing returns with the number of reviewers. You get much of the benefit from having even one or two additional people read over something. By the time you've had more than four or five people take a look, the difference in effectiveness from adding more barely even registers, unless one of the additional reviewers has some sort of unique perspective or expertise that makes them not like the others.

    Given that almost every major FOSS system software project has had its share of security bugs, there is really very little evidence to support Raymond's claim at all. It's not like it has ever been taken seriously outside the FOSS fan club, but there are a lot of FOSS fans on Slashdot, and so plenty of comments (and positive moderations) reinforce the groupthink as though it's some inherent truth.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.