I do not claim to bring any (more) sanity to the open source debate regarding how much or to what extent "openness" makes software more secure. I, in fact, do not believe open source makes software intrinsically more secure. Open source software deserves at least as much suspicion as closed-source software.
In short, because open source software can be more secure than closed-source software (which is possible) does not mean it will be more secure (which is the reality). Apple is learning this in spades as well as many others even within the heart of the open source movement itself.
More importantly however (and more carefully to sidestep the inevitable haranguing I will get for my last sentence) open source and closed-source software are equivalent to me from a legal perspective. Open source software comes with the same highly insular contract disclaimers and lack of warranty assurances as does closed-source proprietary software like Microsoft, Cisco, and Oracle. Neither type of software maker meaningfully stands behind their product nor does either type of software maker bear the social consequences when their statements about how "secure" they might actually be are shown to be false. In short, you can make any claim or assertion you want when you bear no legal or financial accountability to consumers for being wrong.
As a case in point, consider the latest brouhaha in the open source world. Recently, Slashdot covered, well, an Open Source cover-up:
Linux’s Security Through Obscurity
Roughly put, members within the Open Source community are aghast that Linus Torvalds, the father of the open-source flagship GNU/Linux operating system, would advocate against fully disclosing vulnerabilities found within the Linux operating system itself (the kernel). In the open source community, this is anathema.
Linus’ argument is actually quite rational:
“If it's not a very public security issue already, I don't want a simple "git log + grep" to help find it.”
In other words, unless a vulnerability has already been publicly disclosed, Linus argues that discovering the equivalent of zero day vulnerabilities in the kernel should not be as simple as searching through the change logs to find, as Brad Spengler put it, “the myriad silently fixed vulnerabilities in Linux.” [my emphasis]
Brad goes on to state:
They [Linux kernel developers] seem to have the impression that people who find and exploit kernel vulnerabilities rely on the commit messages fixing the vulnerability including some mention of security…this is far from reality. The people who *do* rely on these messages and announcements however are the smaller distributions and individual users. Yet Linus et al believe they're helping you by pulling the wool over your eyes regarding the exploitable vulnerabilities in their OS.
In the back-and-forth of this debate, Linus (et al.) feel that some level of obscurity regarding reporting vulnerabilities helps protect people. This seems like a reasonable position. No sense in making it easier for attackers to find weak spots in the operating system.
On the other hand, others argue no; only full disclosure of vulnerabilities truly protects people and that obscurity actually hurts the very people Linus is trying to protect. This also seems like a reasonable position. How can you protect yourself if you don’t know what weak points need fixing?
This is a difficult debate. Which one is more correct?
As it turns out, neither. They are both wrong.
The "wool over the eyes" in this scenario actually has little to do with the degree of “openness” and everything to do with the lack of software assurance and accountability. In other words, at best openness is a distraction...a technologists’ argument to and for other technologists. At worst, it is a sales pitch...a feature, if you will, that is as easy to implement as sharing the source code itself.
In fact, neither open- nor closed-source software manufacturers produce code that can withstand highly foreseeable malicious acts “out of the box” and neither is held accountable legally or financially for this deficiency. That is the point to focus upon.
We, as consumers, are crash test dummies for all types of software manufacturers. We, as consumers, are somehow supposed to console ourselves that one type of software manufacturer might produce patches faster than the other type of software manufacturer. But consumers should not have to patch systems nearly as much as they do in the first place. Hackers and security researchers are simply discovering what software manufacturers failed to detect themselves. The open source folks can work themselves into a froth all they want about what degree and detail vulnerabilities should be reported, but frankly, transparency without accountability is vacuous.
The assertion of the open source community is that openness will make software more secure...but only after the software is released, used and employed by an untold number of people in an untold number of systems in an untold number of circumstances, and hopefully, hopefully, under the many eyes theory, vulnerabilities will be discovered and fixed before anything “bad” happens. If this sounds suspicious to you, it is. It is entirely reactive.
Consider this: A recent study on open source software by Fortify Software highlights the lack of security in open source projects.
Open source projects fall short on security
To quote:
Enterprises often rely on open source software to save development time and money, but they shouldn't rely on open source for good security, according to a study released today. The review of 11 popular projects revealed numerous vulnerabilities and a general absence of sound security practices…the study found that open source developers need to pay more serious attention to security, and enterprises should treat open source with healthy skepticism as they integrate it into their businesses.
No doubt this report will create a flurry of explanations, counterclaims, clarifications, and outright attempts at debunking. Let me short circuit the whole process by saying this: In the end, openness may indeed make open source "more secure" than closed-source. I will concede this point even in light of evidence against it. So by all means, be as open as you like. But openness by itself does not promote avoidance of vulnerabilities or proactive protection of consumers. Accountability does.
Nothing motivates a manufacturer to do what it should before releasing a product quite like having to fairly bear the burdens once unfairly pushed onto the consumer.
One final note. Lest I appear biased against Open Source, let me be clear: I am. I am equally biased against closed-source manufacturers, however. In fact, I am biased against all types of manufacturers whose products potentially impact the health, welfare, and safety of hundreds of millions of people and who fail to recognize such responsibility legally and financially.
Brad's final thought in his post is this:
If you remain complacent about the state of affairs, you're only enabling them to continue their current misguided foolishness.
Indeed. So let's report vulnerabilities in all the hairy detail we like, but make manufacturers of all stripes accountable. Stop the foolishness of the software market.