| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Jul 2010 13:10:59 -0500 From: Paul Schmehl <pschmehl_lists@...rr.com> To: Shawn Merdinger <shawnmer@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: [Software Freedom Law Center paper] Killed by Code: Software Transparency in Implantable Medical Devices --On Friday, July 23, 2010 10:37:03 -0400 Shawn Merdinger <shawnmer@...il.com> wrote: > fyi, an interesting read imho. > > <snip> > > ....The FDA has issued 23 recalls of defective devices during the > first half of 2010, all of which are categorized as “Class I,” meaning > there is “reasonable probability that use of these products will cause > serious adverse health consequences or death.” At least six of the > recalls were likely caused by software defects... > > </snip> > > http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html > Thanks for sharing that. It was a very interesting article. While I'm a proponent of open source software, there is a flaw in the security argument that seems to go unnoticed by those who advocate for OSS. Quoting from the article, "...keeping source code under lock-and-key is more likely to hamstring 'defenders' by preventing them from finding and patching bugs that could be exploited by potential attackers to gain entry into a given code base, " How are the defenders any more "hamstrung" than the attackers? They all have access to the same binaries, the same attack and debugging tools and the same theories. The problem with closed source software is not that the code is not available for review. It's that those who have access to the code are not motivated sufficiently to fix the problems. The point of Eric's magnum opus "The Cathedral and The Bazaar" isn't that open source is better because it's open. It's that open source is better because "given enough eyeballs, all bugs are shallow". While you may think this is a distinction without a difference, it is not. If a commercial vendor of closed source software were to expose his source code to the same number of people that a competing OSS product is exposed to, the results would likely be quite similar. Because of his chosen business model however, the closed source vendor cannot afford to do that. Thus he suffers not from poorer coding practices necessarily but from a lack of resources to find and fix the bugs. So I think the argument that closed source software gives the attackers an advantage is a non sequitur, and it weakens the best argument for open source - many eyeballs make all bugs shallow. In fact, OSS distributes the workload across the OSS world quite equitably. The more popular (and therefore more implemented) a software application is, the more likely it is to have maximum eyeballs perusing it. Obscure and little-used software, OTOH, will have less eyeballs for the very reason that it isn't used much. So those applications that are well written and serve a useful purpose will prosper and consistently improve, while those applications that are poorly written and address obscure uses will languish and die. And that is as it should be, I think. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists