It has been a bad month for security in the Open Source world. First was the Apache chunk handling bug, and now there's an OpenSSH root exploit just waiting to be exercised. Aren't we supposed to be immune to this?
Eric Raymond rose to fame in the midst of the great Internet boom as a visionary who saw into the future of Open Source and computing in general. One of his most famous sayings, often cited as the reason that Open Source software is more secure than commercial software like Microsoft Windows, goes like this:
The reason I'm confident that the bazaar model, the open-source model, will continue to thrive and claim new territory, is because all of the other verification models have run out of steam. It's not that open sourcing is perfect, it's not that the many-eyeballs effect is in some theoretical sense necessarily the best possible way to do things, the problem is that we don't know anything that works as well. And the scale of problems with other methods of QA (quality assurance) is actually increasing in severity as the size of projects goes up. On the other hand, open-source development, open-source verification, the many-eyeballs effect, seems to scale pretty well. And in fact it works better as your development community gets larger. [ZDNet Interview]
He proposes that the availability of the source code means that thousands of eyes are looking over the code and are more likely to find bugs and security problems than the small Engineering and QA departments at most software companies.
I think he's full of it. Actually, I know he is. In theory it makes sense. It's a mathematical argument. Simple probability. You're also more likely to win the lottery if you buy more tickets. But the argument only makes sense on the surface.
There are several assumptions built into Eric's claim that often go unchecked. They're questions that nobody seems to ask. Let's have a quick look at them.
How many Open Source developers actually read the code?
I'd wager that nearly all the so-called open source developers don't read the code the way we've been led to believe. In fact, I'd wager that virtually all of them install their software the same way the rest of us do: using our distribution's packaging system (rpm, apt, etc.).
But surely some are reading the code, right? Of course they are.
Why are they reading the code?
So, let's think about the motivation of the folks who do read the code. Many of them are simply trying to figure out how it works, either so they can copy some of the functionality or ideas for their own purposes or to figure out how to add their favorite feature.
My experience has been that when someone is reading code they're not familiar with, they spend most of their time and mental energy simply trying to digest the code. They need to develop a mental model of how the data is stored, common flow, and so on. Once they finally "get it", they go back to solving their original problem. Few continue analyzing the code.
Even if a brave hacker continues to read the code, they're not terribly likely to spot one of the hard-to-spot problems. Why? Few open source hackers are security experts. That leads to the next question that nobody seems to ask.
How many experts are reading the code?
Few. Very few.
What makes me say that? There are simply very few folks in the world (open source or otherwise) who really know how to write secure code and how to spot insecure code when reading it. One of the most famous is Theo de Raadt of the OpenBSD project. Theo spends a lot of his time auditing OpenBSD's code, attempting to find and fix potential security holes. He's one of the best.
There aren't many others like Theo. Really good security skills take time and experience to develop. Theo spends his life doing this. It often takes money. Many software companies send their engineers to security training.
Few open source hackers have the time, motivation, or money to invest in really learning how to write secure code. Have a look at the recent Bugtraq archives.
In the past few years, I've seen little evidence to support Eric's many-eyeballs theory. Have I just missed it? I'd be surprised. Even so, look at the sheer number of open source projects and compare it with the number of developers who are likely to find the bugs. The numbers are not that impressive.
Posted by jzawodn at June 25, 2002 11:32 PM