June 25, 2002

Open Source Security -- A Bad Month

It has been a bad month for security in the Open Source world. First was the Apache chunk handling bug, and now there's an OpenSSH root exploit just waiting to be exercised. Aren't we supposed to be immune to this?

Eric Raymond rose to fame in the midst of the great Internet boom as a visionary who saw into the future of Open Source and computing in general. One of his most famous sayings, often cited as the reason that Open Source software is more secure than commercial software like Microsoft Windows, goes like this:

The reason I'm confident that the bazaar model, the open-source model, will continue to thrive and claim new territory, is because all of the other verification models have run out of steam. It's not that open sourcing is perfect, it's not that the many-eyeballs effect is in some theoretical sense necessarily the best possible way to do things, the problem is that we don't know anything that works as well. And the scale of problems with other methods of QA (quality assurance) is actually increasing in severity as the size of projects goes up. On the other hand, open-source development, open-source verification, the many-eyeballs effect, seems to scale pretty well. And in fact it works better as your development community gets larger. [ZDNet Interview]

He proposes that the availability of the source code means that thousands of eyes are looking over the code and are more likely to find bugs and security problems than the small Engineering and QA departments at most software companies.

I think he's full of it. Actually, I know he is. In theory it makes sense. It's a mathematical argument. Simple probability. You're also more likely to win the lottery if you buy more tickets. But the argument only makes sense on the surface.

There are several assumptions built into Eric's claim that often go unchecked. They're questions that nobody seems to ask. Let's have a quick look at them.

How many Open Source developers actually read the code?

I'd wager that nearly all the so-called open source developers don't read the code the way we've been led to believe. In fact, I'd wager that virtually all of them install their software the same way the rest of us do--using our distribution's packaging system (rpm, apt, etc.).

But surely some are reading the code, right? Of course they are.

Why are they reading the code?

So, let's think about the motivation of the folks who do read the code. Many of them are simply trying to figure out how it works, either so they can copy some of the functionality or ideas for their own purposes or to figure out how to add their favorite feature.

My experience has been that when someone is reading code they're not familiar with, they spend most of their time and mental energy simply trying to digest the code. They need to develop a mental model of how the data is stored, common flow, and so on. Once they finally "get it", they go back to solving their original problem. Few continue analyzing the code.

Even if a brave hacker continues to read the code, they're not terribly likely to spot one of the hard-to-spot problems. Why? Few open source hackers are security experts. That leads to the next question that nobody seems to ask.

How many experts are reading the code?

Few. Very few.

What makes me say that? There are simply very few folks in the world (open source or otherwise) who really know how to write secure code and how to spot insecure code when reading it. One of the most famous is Theo de Raadt of the OpenBSD project. Theo spends a lot of his time auditing OpenBSD's code, attempting to find and fix potential security holes. He's one of the best.

There aren't many others like Theo. Really good security skills take time and experience to develop. Theo spends his life doing this. It often takes money. Many software companies send their engineers to security training.

Few open source hackers have the time, motivation, or money to invest in really learning how to write secure code. Have a look at the recent Bugtraq archives.

In the past few years, I've seen little evidence to support Eric's many-eyeballs theory. Have I just missed it? I'd be surprised. Even so, look at the sheer number of open source projects and compare it with the number of developers who are likely to find the bugs. The numbers are not that impressive.

Posted by jzawodn at 11:32 PM

I was right, Yahoo was wrong

According to this article on CNet's news.com site:

Yahoo on Tuesday said it is shutting down several broadcast services, including its financial news program Finance Vision and Yahoo Radio. The closures will result in fewer than 30 layoffs, said Henry Sohn, Yahoo's vice president and general manager for network services.

Yahoo has been refocusing its businesses after an early growth spurt that featured a string of pricey acquisitions, including a $5 billion stock purchase of Broadcast.com in 1999 that thrust the company into streaming services. That industry has suffered as harsh a downturn as many with the burst of the dot-com bubble, thanks to high expenses and a tough advertising market.

I was right. Back when Yahoo launched Finance Vision, I said it was a stupid idea--a large void into which we (well, Yahoo as a company) would pour buckets of cash, seeing little return.

We were told that it was important to be the first in the on-line streaming space. If we produced original content back in 2000, then when broadband became ubiquitous users would turn to us. The argument made sense, but the assumptions behind it were terribly flawed. A few people listened to me, but mostly folks just drank the Kool-Aid.

The biggest problem is that the adoption rate of broadband technology wasn't anywhere near the predictions that folks were citing. It was clear to me that broadband was going to take at least 5 years to become popular enough for it to be a money-making business. Of course, Yahoo had money to burn at the time (and still does), but that didn't mean it was right.

Then, when the first round of layoffs hit in early 2001, some of us expected Finance Vision and similar services to vanish. Why? They never made us a dime. The infrastructure was expensive to build and maintain. There was no sign of it becoming profitable. And we didn't have many viewers. But they kept it going.

When the second round of layoffs hit, I was certain that Finance Vision would be axed. It was not.

Oh, well. It's good to see the right folks finally coming to their senses. Better late than never. I just hope they learned the lesson. We cannot afford to repeat it.

Posted by jzawodn at 09:15 PM


Check out this picture. You may laugh too.

Posted by jzawodn at 07:19 PM

Office 11: Will Grok XML

According to this article at news.com, Office version 11:

will include better support for XML (Extensible Markup Language), an industry standard for data description and exchange and a key technology behind Microsoft's .Net Web services plan.

Amusingly, they're playing catch-up again. A lot of Office alternatives already grok XML.

Posted by jzawodn at 12:50 PM

Must Resist Blogs

I need to get to bed before 3 or 4am for a change. So I'm going to not go surfing other weblogs tonight. Instead I'm going to try and be like a normal person and sleep. Let's see if it actually works.

Posted by jzawodn at 01:38 AM