ZDNet UK / News and Analysis / Business of IT / IT Strategy

Too much trust in open source?

By Adrian Mello, ZDNet US, 22 March, 2002 11:59

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Linux, Open source, Security

ANALYSIS
While Microsoft has concentrated on reviewing its flagship Windows source code as part of a new focus on security, Internet watchdogs have released the details of three widespread flaws in open-source applications usually shipped with the Linux operating system. The flaws could compromise the security of computers on which the applications are installed, prompting some developers to urge the open-source community to take another look at popular code. But most fear the majority of members won't bother. "No one is doing auditing," said Crispin Cowan, chief scientist at Linux maker WireX Communications, one of several companies selling a version of the OS with additional security options. Cowan is the founder of Sardonix, a Web site aimed at organizing groups of people who want to review major open-source software. "Reviewing old code is tedious and boring and no one wants to do it," Cowan said. With Microsoft launching a major security initiative in response to recent criticism, some fear that Linux and open-source developers have become complacent in the commonly held belief that open-source programs are more secure. This year offered several reasons to question that belief. In February, a flaw found in the popular scripting language PHP left as many as 9 million Web sites vulnerable to attack. Though the number of vulnerable sites could be as low as 100,000 and the flaw is hard to exploit, the software bug resembles the Web software slipup that left Microsoft servers vulnerable to the Code Red virus. In March, another flaw, in the omnipresent Zlib compression library, left Linux systems potentially vulnerable to attack, though no program exploiting the hole has surfaced. And in mid-March, a bug in the OpenSSH communications encryption program, commonly used to secure communications to and from Linux computers, left many of those machines open to attack. The spate of flaws has not gone unnoticed by the open-source community's more vocal members. "I see a lot of bad software being done," said Theo de Raadt, founder and project leader for the open-source Unix variant OpenBSD. "There is a lot of politics and inaction causing people not to make changes that makes their software better." The "many eyes" theory Open-source software's main claim to security is that because anyone can view the source code, developers can constantly look for bugs and fix them. And with a broad cross-section of expertise in the developer community, programmers with specific strengths can look for hard-to-understand, "deep," bugs and fix what others might miss. In his essay on the open-source movement, "The Cathedral and the Bazaar," developer Eric Raymond wrote, "Given enough eyeballs, all bugs are shallow." De Raadt led a team of OpenBSD developers on just such a review, cleaning up the source code for the Unix-like operating system and replacing functions that were known to be insecure with more robust substitutes. Yet, the "many eyes" theory, as it is known in the open-source world, doesn't work so well in reality, said WireX's Cowan. "It does not assure that many eyes are actually looking at the code," Cowan said. "In fact, it is likely that 'rock star' code that is hip to work on gets adequate attention, while the other 90 percent languishes, in many cases never even seen by anyone but the code's authors." And much of this unsexy code forms the foundation of Linux. Cowan hopes his Sardonix site will become a central registration point for auditing efforts, but for now, Linux and open-source software must rely on developers feeling obligated enough to commit to the drudgery of vetting source code for software bugs. After security researchers found the flaw in the Web scripting language PHP, a group of programmers decided to start auditing that popular project's code. "It's difficult to introduce new features and review the existing code at the same time," said Frank Denis, a part-time systems administrator for a French Internet service provider and leader of the PHP code-auditing project. "It's why we are trying to give a hand on that point. We won't introduce any new features, but we will fix potentially dangerous code." A central process to find bugs, such as Microsoft's Trustworthy Computing initiative, will never catch all flaws in open-source software, Denis added. "To break into your server, script kiddies will try totally unconventional tricks that have no chance of being part of any initial validation procedure," Denis said, referring to the class of online vandals who are not as technically adept. "The result of (our) different approaches will give a more extensive audit than any strict guidelines. That is the strength of free software: Everyone can put his own brick in the wall." Polishing the software Despite the security problem with his own project's code, Jean-loup Gailly, chief software architect for Vision IQ and the co-creator of the Zlib compression library, stressed that Linux's development process still creates more secure code. "Open-source programs are subject to much more scrutiny and, in case of problems, fixed much more quickly than closed-source programs," Gailly said. "Apache is not more popular than Microsoft IIS (Internet Information Server) by accident; one of the reasons is that it is more secure." An additional layer of polish is put on the source code by companies and organizations such as Red Hat and Debian, which package their own Linux distributions, Gailly added. Linus Torvalds, a senior engineer at chipmaker Transmeta and the creator of the Linux kernel, thinks the open-source development style works well. "Most (code review) by far is simply people looking at code, often for some other reason that had nothing to do with formal auditing," Torvalds said. "I personally like it that way, and it's proven to work pretty well in practice." Moreover, rather than seeing a threat from Microsoft's new focus on security, Torvalds believes the move shows how weak the company's security used to be. Microsoft wouldn't provide an executive for comment on the issue. "Let's face it," Torvalds said. "Microsoft did their initiative because they've been so bad at security in general. They fix bugs when somebody drives a truck through them and they get embarrassed enough. Get embarrassed (often) enough, and you start creating 'initiatives'--whether in politics or in commercial software." He continued: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet."
Have your say instantly, and see what others have said. Go to the Tech Update forum. Let the editors know what you think in the Mailroom.

Related stories

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Talkback

you are morons. you aren't qualified to even discuss this topic.

via Facebook 9 July, 2005 13:02
Reply

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

Paul Fezziwig

Keep the crap apps out?! How will they compete with Android and Apple's claim to fame of having so many life changing apps? I wonder if the media...

2 hours ago by Paul Fezziwig via Facebook on RIM: BlackBerry will keep 'garbage' apps out of store
Aigars Mahinovs

It has been shown time after time that if there is an author store that sells the songs at even 1$ per song and gives you a high-quality digital...

2 hours ago by Aigars Mahinovs via Facebook on Copyright isn't working, says European Commission
EvaBrian

This is a great start to leverage virtualization and standardized deployments, however even a well-managed virtualization solution has its...

3 hours ago by EvaBrian on AWS CloudFormation automates cloud app deployment
EvaBrian

that's a great news for android users! The cloud is set as the battleground that will decide the fate of Google’s Android and Apple’s iOS as...

4 hours ago by EvaBrian on Google's 'Bouncer' scans Android apps for malware
EvaBrian

Google knows that the only way that Android is going to survive is by a superiority of numbers. By doing that, it is playing a completely different...

4 hours ago by EvaBrian on Apple vs Google: Cloud concepts that clash
awbMaven

""As a result of Butyka's alleged conduct, researchers were unable to use the computers for more than two months while NASA removed the malicious...

5 hours ago by awbMaven on US indicts Romanian over NASA climate change hack
subhorup

It simultaneously worries me and uplifts me that a self-proclaimed group of internet activists name themselves after Indian mythical figures....

13 hours ago by subhorup on Anonymous activists release PCAnywhere source code
naviathan

It's actually far easier to work anonymously on the internet than you think. With tools like Tor bouncing your traffic around the world before...

16 hours ago by naviathan on Anonymous activists release PCAnywhere source code
Agnostic_OS

1000272134 and bluedalmatian with you both there but then I'm still in 10.04 land (and happy with it)

16 hours ago by Agnostic_OS on Ten factors that make Ubuntu 11.10 a hit
apexwm

Interesting article and definitely see your points on the products mentioned. One of the top products for our Help Desk (approximately 20% of all...

1 day ago by apexwm on Ten flawed products that derail productivity
Paul Hutchinson

Absolutely - this should obviously not be handled my isp - but handled by their hosting operator. What's been suggested here is that my isp police...

1 day ago by Paul Hutchinson via Facebook on MPs urge ISPs to take down terrorist material
Techs UK

Looks like a great phone. I don't notice any deficiencies in WP7. used IOS before, that's pretty good. I don't spend much time in Apps, all i need...

1 day ago by Techs UK on Nokia pins US 're-entry' hopes on Lumia 900
Larry Bloggy

Now with the help of these apps you are always synced with MS outlook while on the move. Just download apps like xobni or outlookreflex and get...

1 day ago by Larry Bloggy via Facebook on Outlook Social Connector beta 2 and the LinkedIn connector
mike40g123

Your details are wrong. The version currently being made is the one with 2 USB ports, 256MB RAM and a network port. This is the Model B. The...

1 day ago by mike40g123 on Raspberry Pi boards set to go on sale
Moley

The thing that has been puzzling me for quite a while is how Anonymous can remain anonymous whilst not only being active on the Internet but also...

2 days ago by Moley on Anonymous activists release PCAnywhere source code
Don Dilly

If what Semantec is saying is rue, that is even worse and shows a complete disregard for thier users. If what Anonymous claims is true and the...

2 days ago by Don Dilly via Facebook on Anonymous activists release PCAnywhere source code
MattChurchy

Didn't seem particularly biased to me either. Oh though you might have mentioned some other competitors with free search and email services...

2 days ago by MattChurchy on Time for an evil umpire: Google, Microsoft & privacy
Simon Bisson and Mary Branscombe

James - exactly as much as anyone paid you for your comment; I don't feel that I need to say that I'm independant and unbiased, but just for you...

2 days ago by Simon Bisson and Mary Branscombe on Time for an evil umpire: Google, Microsoft & privacy
Carl White

Once they realise symantec are willing to pay real money, they will simply keep extorting, unless of course symantec/authorities can use the...

2 days ago by Carl White via Facebook on Symantec offered hackers $50k in source code sting
Jonathan Hassell

You can find more information on BS 8878 by Jonathan Hassell its lead-author at http://www.hassellinclusion.com/bs8878/ The page includes a...

3 days ago by Jonathan Hassell on BSI publishes first British web accessibility standard

Latest in IT Strategy

Heart of England NHS begins massive digitisation plan

Hard-drive woes hit PC shipments in fourth quarter

Featured white papers

The Relevance of Cloud Infrastructure to Enterprise Challenges

SAVVIS

The Relevance of Cloud Infrastructure to Enterprise Challenges

This white paper reviews the evolution of data center outsourcing, and introduces cloud offerings within this historical... Read more

Testing: NetScaler 2048-bit SSL performance

Citrix

Testing: NetScaler 2048-bit SSL performance

This paper details the SSL performance on current shipping MPX... Read more

Key trends driving global business resilience and risk

IBM

Key trends driving global business resilience and risk

This IBM research paper looks at how businesses are thinking more about business resilience by improving the ability to adapt to a continuously changing business... Read more

Inside ZDNet UK

BlackBerry Bold 9790

BlackBerry Bold 9790

Sponsor a Colossus valve to help Museum of Computing

Sponsor a Colossus valve to help Museum of Computing

2012 Olympics: Is your business prepared?

2012 Olympics: Is your business prepared?

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault

How fast is your broadband?

How fast is your broadband?