It is common knowledge that Open Source projects usually succeed because their developers are scratching a personal itch. It often starts with a group of disgruntled developers frustrated with a piece of proprietary software because it fails to satisfy their needs. The very fact that they are left helpless by the absence of source code pushes their efforts in the direction of Open Source projects. The same can be said of forks of existing open source projects. This scratching of a personal itch leading to successful open source projects resembles a self-organizing system, and the emergent behavior is the final open source software (unlike what the proprietary vendors and Stallman buddies want you to believe, this is an example of true free market behavior).
Yawn, what’s the security thing you are revisiting in this article?
One of the biggest advantages of Open Source is the possibility of better security. As many open source evangelists proudly claim:
With enough eyeballs, bugs are shallow
It means that, with the source code available and the resulting increase in the number of people who can inspect it, bugs can be identified and quashed easily. The very availability of source code ensures that bugs are noticed fast and patched almost immediately. However, proprietary vendors, and people whose thinking is fine-tuned by the proprietary mindset, get easily excited by such spotting of bugs and resort to FUD. Two of the most often used spins are:
- Whenever an open source project releases its source code and developers spot bugs and other vulnerabilities in the code, these proprietary “kids” tend to yell “Look mama, this open source software is so buggy. I am proud that we are not seeing so many bugs in the proprietary software after the release”. These “kids” either fail to understand or choose to ignore the fact that such visibility of bugs happens only because the source code and the process around the code are out in the open, not locked up inside a centralized building as usually happens in communist structures.
- The other funny spin is that, even though bugs get squashed with more eyeballs, many open source projects don’t get so many eyeballs. The people who make such statements fail to grasp the very concept of open source and freedom. Yes, there are literally thousands of open source projects which fail to get enough eyeballs. Yes, the bugs stay put in these projects. But what open source offers is the opportunity for literally unlimited eyeballs when other parameters like user interest, usefulness of the software, etc. are optimal. It is this opportunity that differentiates open source from proprietary software. The very availability of source code in public offers such an opportunity. Those who excitedly point to this lack of eyeballs in thousands of open source projects fail to understand that there are millions of proprietary programs where, even if people want to “offer their eyeballs”, they can’t. This lack of opportunity leads to many bugs and vulnerabilities easily slipping into that software. Developers and software companies who cannot hire an army of thousands to check for bugs are missing the opportunity to have these eyeballs look into their code because of their proprietary philosophy. At times, I am completely flabbergasted by people’s inherent difficulty in grasping this straightforward concept.
Ok, I get it. Why now?
Yesterday, the Diaspora Project announced the release of its source code to the community. To put it in perspective, this is a pre-alpha release meant to be used by other volunteer developers with the necessary technical expertise to further develop and solidify the project.
Today, we are releasing the source code for Diaspora. This is now a community project and development is open to anyone with the technical expertise who shares the vision of a social network that puts users in control. From now on, we will be working closely with the community on improving and solidifying Diaspora.
Today, The Register has an article on how hackers have found quite a few flaws in the Diaspora code that could lead to severe security compromises. The article also quotes the owner of a software company, who predicts a doomsday scenario:
“The bottom line is currently there is nothing that you cannot do to someone’s Diaspora account, absolutely nothing,” said Patrick McKenzie, owner of Bingo Card Creator, a software company in Ogaki, Japan.
“About the only thing I haven’t been able to do yet is to compromise the security of the server that Diaspora is installed on. That’s not because that isn’t possible. If a professional security researcher goes after this, I have every confidence that they will be able to do that.”
Neither the article nor the software developer spread any FUD, and they even point to the Diaspora team’s announcement about the very early nature of the code. But the article could easily be construed as a warning to anyone interested in using Diaspora.
This is where I want to connect the points I highlighted in the first section of this post. The very fact that the source code of Diaspora was made available to the public is the reason so many bugs were identified so fast. This is a perfect example of the idea that with many eyeballs, the bugs are shallow. With the freely available source code in hand, hackers, security gurus and developers have found many vulnerabilities which could otherwise have slipped through the vetting process of a small team developing a proprietary service.
Contrast this scenario with the hundreds of social networks many of us access in our daily lives. Not only are we using many different social networks, we are also using hundreds of services in their ecosystems. We trust these services with our identities and data without even bothering about their security. In fact, in the absence of source code, there is no way to even say whether they are secure unless security gurus or hackers do penetration testing or attack these services. It is common knowledge among security gurus that many of these services are severely vulnerable. In fact, a year or two back, one security guru pointed out, through a tweet, the presence of vulnerabilities in a social networking/collaboration service targeted at enterprises. We should realize that we have absolutely no idea what is awaiting us on many of these social networking sites and other web service platforms.
Just take a moment and think about it. Which is better: the identification of possibly hundreds of bugs in the pre-alpha version of a service, thanks to the availability of source code, or a major exploit of a web service that has gained popularity, leading to the loss of users’ confidential data, just because the company or startup couldn’t afford enough eyeballs to thoroughly audit the code?
Conclusion
Stop the FUD. The public visibility of bugs in Open Source Software is a feature and not a bug. Good night and good luck.
Related articles by Zemanta
- How Diaspora killed itself before it even launched (jarinheit.posterous.com)
- Code for open-source Facebook riddled with landmines (theregister.co.uk)
- Open Source Facebook Contender Releases Code to Public (wired.com)
- Open-Source, User-Controlled Social Network Project Diaspora Releases Developer Code [Social Networks] (lifehacker.com)
- Diaspora Revealed: Sparse, But Clean; Source Code Released (techcrunch.com)
- The anti-Facebook open source social networking software Disapora source code released (gizmag.com)
- Open source, open Facebook “killer” Diaspora code is out (currentbuzz.org)
Agreed. It’s not even at the point of a theoretical “Open beta.” Give them time.