Open Source Code Isn't a Warranty (opensource.com)
An anonymous reader writes: Automotive software issues such as the Jeep hack and Volkswagen cheating on emissions tests have made headlines this year, which means the public is thinking about software in cars like never before. Some experts have argued that mandating that such software be open source is a solution to the problem. In an article on Opensource.com, Ben Cotton writes that although there are definite benefits to public scrutiny of the software, code visibility alone is no guarantee. It's an important thing to bear in mind, because "Open, therefore secure" is an easy straw man to knock down.
I think the better word choice is "guarantee" instead of "warranty" for the headline.
"Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
They're both wrong.
Open == You can audit it if you want. It's absolutely no guarantee that anyone ever has.
This software absolutely should be open-source. The OpenSSL issue is an example of why open source is superior, even though it's obviously no guarantee you'll have no problems: when the vulnerability was discovered, it was fixed very quickly.
The problem with proprietary software is that there's no way to actually fix it, unless the vendor wants to. When the OpenSSL problem was found, a fix was made and rolled out, and everyone was able to install it.
When a vulnerability is found on your 5-year-old Jeep and publicized, what do you do when Jeep decides they don't feel like fixing it for you? Guess what, you're screwed! Now hackers can take control of your vehicle and drive you off a cliff, and there's nothing you can do about it because the vendor doesn't care and there's no way to upgrade the software yourself.
This kind of thing shows exactly why Stallman had the right idea about "TiVOization". Not only is it important that you can have access to the source code for your device so that you can modify or fix the code, but it's equally important that you can actually get the fix *onto* the device so you can use it. Otherwise you're at the vendor's mercy.
Luckily cars are so heavily regulated that my Jeep scenario above is unlikely, simply because of government regulation and also lawsuits, but this isn't true of other places where physical safety isn't a factor. With the current "IoT" push to connect every little device to the internet, having the firmware open-source is more important than ever because of the security issues, combined with the **proven** tendency of vendors to abandon support after a few months.
Another stupid comment by people who do not understand the difference between a "necessary condition" and a "sufficient condition".
Open-sourcing the software/firmware in question is a necessary thing. That means it must be done. It is not a sufficient condition. That means it is not enough. It still must be done, but other things must be done in addition to get the desired outcome.
It is almost as if people do not understand basic logic anymore. No surprise so many things in the IT space get screwed up badly these days.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.