Slashdot Mirror

← Back to Stories (view on slashdot.org)

With So Many Eyeballs, Is Open Source Security Better? (esecurityplanet.com)

Posted by msmash on from the closer-look dept.

Sean Michael Kerner, writing for eSecurity Planet: Back in 1999, Eric Raymond coined the term "Linus' Law," which stipulates that given enough eyeballs, all bugs are shallow. Linus' Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus' Law isn't valid?

According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus' Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance. "I think that in every development model, security is always a challenge," Hohndel said. Hohndel said developers are typically motivated by innovation and figuring out how to make something work, and security isn't always the priority that it should be. "I think security is not something we should think of as an open source versus closed source concept, but as an industry," Hohndel said.

11 of 209 comments (clear)

  1. Q: Who's auditing the code? by Anonymous Coward · · Score: 5, Insightful

    A: Other people

    1. Re:Q: Who's auditing the code? by Anonymous Coward · · Score: 2, Insightful

      Once in a while when I'm bored at work, I'll just pick a random source file in the kernel and give it a good read. Reading other people's code can be a great learning experience, sometimes you may learn of techniques that you were unfamiliar with.

      A programmer who doesn't read other people's code is much like a writer who doesn't read other people's books. You don't NEED to do it, but it can be a good source of inspiration too.

  2. Visibility is always better than invisibility by Bruce+Perens · · Score: 5, Insightful

    When software doesn't have visible source code, the legitimate users have no assurances regarding what it's doing, other than those imposed by the operating system (which they might not have complete source for either).

    However, the bad guys still take the trouble to disassemble the code and find its vulnerabilities.

    With many eyes, you still might not find all bugs, but you can, and can do so without the unreasonable investment of disassembling the code and reading disassembly - which is not like reading the real source code.

    The larger issue is that we need publicly-disclosed source code for some things, to assure the public good, whether it is proprietary or Open Source. For example the emission control code in automobiles, which it turns out multiple manufacturers have defrauded.

    --
    Bruce Perens.
    1. Re:Visibility is always better than invisibility by angel'o'sphere · · Score: 3, Insightful

      Very true, I only read open source source code if there is a bug I need to maneauver around or fix.
      And most code is so bad, you don't really want to read it because of the night mares they induce, e.g. looking at https://lucene.apache.org/

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re: Visibility is always better than invisibility by Bruce+Perens · · Score: 3, Insightful

      While there is no guarantee that some eyes will not be malicious, I think your statement doesn't really fit the probabilities. Most people who look at code will be looking because they want to modify it, because they have questions that can be answered better by the source than by documentation, because they are looking for examples of how to do something, or because they are curious. Most of these people have good intentions and will even experience some emotional fulfillment from helping to eliminate a bug and thus help all of the other users. People like the public-benefit aspect of Open Source and want to help.

      --
      Bruce Perens.
    3. Re:Visibility is always better than invisibility by Bruce+Perens · · Score: 5, Insightful

      If you are thinking of bugs like Heartbleed, there are also economic issues. OpenSSL was issued under a gift-style license. Big companies that were making billions on desktop software used it, and almost never returned either work or money to the project. This one guy, Ben, had most of the load out of his personal time.

      Now, this is not something the OpenSSL guys might ever have considered, and I am not representing them. But what if OpenSSL had been dual-licensed? All the Free Software folks would have had it for free, and all of the commercial folks would have had to pay a reasonable fee. In fact everybody would be paying something, either by making more great Free Software or by paying money. There might have been fewer commercial users, but there might also have been an income stream for Ben or other developers, and they might have been able to devote more time to finding bugs. So, there might never have been a Heartbleed.

      --
      Bruce Perens.
    4. Re:Visibility is always better than invisibility by Solandri · · Score: 5, Insightful

      Whether the eyeballs are paid is irrelevant. One of the interesting findings from the investigation of the Space Shuttle Challenger disaster was that NASA triple-checked components. But it turned out the three (paid) inspectors often assumed the other two were doing their job, and regularly skipped inspections on more-difficult-to-access parts. Since all three were biased to skip the same parts, those parts frequently went uninspected before launch. So in that particular case, having more eyeballs actually led to less security, than having a single inspector who knew the entire burden of security was resting on his/her shoulders.

      People are lazy.

  3. You have to be looking first by sjbe · · Score: 3, Insightful

    Back in 1999, Eric Raymond coined the term "Linus' Law," which stipulates that given enough eyeballs, all bugs are shallow.

    That's only true if those eyeballs are actually looking for bugs and organized enough to do something about them. Even then it's more like a principle than an actual truth. Some bugs are much harder to find than others no matter how many people are looking.

  4. Re:Linus is right by geschbacher79 · · Score: 4, Insightful

    This is exactly right. It's not about open vs closed source, but eyeballs. For instance, take the HeartBleed / OpenSSL bugs from a few years ago. OpenSSL is used extremely often and all over the place, including by Google, Facebook, etc. But it had vulnerabilities in it that had existed for years and years, and it was because OpenSSL was really only being maintained by a handful of people.

    But I think even more so, some organizations just aren't dedicating people to finding problems. You can still exploit Android, even though it's powered by Google and Linux. Intel has issues with its processor designs. Apple had a bug a year or so ago where anyone could log in as root. And these are the companies that supposedly have the best developers and essentially unlimited resources.

  5. Exactly. Shallow, not non-existent. Personal examp by raymorris · · Score: 5, Insightful

    Exactly. ESR summed up Linus's thoughts as ".. all bugs are shallow", not "all bugs don't exist".

    Linus's exact words were:
    "Somebody finds the problem, and somebody else *understands* it."

    I'll share two examples from my own experience. Somebody found the shell shock bug and suggested a fix. Over the next few hours, hundreds of people looked at it. Some saw that the suggested fix wouldn't quite cover this variation or that variation, so they tweaked it. Florian Weimer, from Red Hat, said those tweaks would never cover all the variations, and suggested an entirely different fix, one that went to crux of the problem. Over the next few days, there was a lot of discussion. Eventually it became clear that Florian had been right. When he looked at the problem, he immediately understood it deeply. Well, it looked deep to us. To him, it was shallow.

    ""Somebody finds the problem, and somebody else *understands* it", Linus said. Stéphane Chazelas found shellshock, Florian understood it, fully, immediately.

    There was no need to release a patch to fix the patch for the patch as we often see from Microsoft, or as we've seen from Intel lately. With hundreds of people looking at it, somebody saw the right solution, easily.

    Here's another example from my personal experience with the Linux storage stack:
    https://slashdot.org/comments....

  6. Re:Linus is right by swillden · · Score: 3, Insightful

    You can still exploit Android

    Actually, it's pretty darned hard to do that on an up-to-date device (e.g. Pixel). There will always be vulnerabilities, but SELinux and other efforts have made Android a pretty hard target lately. Except, of course, for the fact that many device makers don't update.

    And these are the companies that supposedly have the best developers and essentially unlimited resources.

    Regarding Google, I think the developers are generally quite good, but resources are far from unlimited. I work on the Android platform security team, and we're always overstretched. That's partly because we set ambitious goals, but mostly because it's just really hard to find people. Part of that is location -- we currently only hire in Mountain View, Kirkland and London, so we can only hire people willing to live in one of those locations -- but most of it is because good software engineers who also know security are just hard to find.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.