
Brian Dipert, EDN Senior Technical Editor, exposes, analyzes and opines on diverse topics in technology. Follow the Brian's Brain Twitter feed at www.twitter.com/BrianzBrain.



Tuesday, March 13, 2007

Open Source: Keep It Current Or Suffer The Consequences

Mar 13 2007 3:12PM | Comments (6)


While traveling last week, I shared a meal with a friend whose company is considering incorporating open source code, both to improve his project's economics and its resultant quality. Our conversation reminded me of one of my more popular (and controversial) writeups of times past, a piece entitled 'Visibility = Vulnerability' that I was compelled to write after the out-of-date FTP client on my server appliance got cracked.

Judging from the feedback, a lot of people misunderstood the point of my past diatribe (or maybe there are just a lot of Linux fanboys out there). I wasn't, and I'm still not, against open source...quite the contrary, in fact. Open source development can create quite solid and impressive products, although I must say that both the industry studies I've perused and my personal experiences lead me to conclude that, on average, open source projects are inherently no less buggy than closed source ones of similar complexity, and that open source bugs don't get fixed any faster than closed source ones.

But not every eyeball inspecting open source code for flaws has honourable intentions. Crackers are also searching for vulnerabilities, which they then exploit on unpatched systems such as my Toshiba SG10. Online tools such as Google's Code Search (here's a followup Slashdot post) not only simplify the means by which you find open source software applicable to your project; they also help crackers find out how widely a vulnerable piece of code has spread through cyberspace, thereby identifying more potential victims.

That was the point of my earlier writeup (which predated Google Code Search), and of this followup. Want to use open source? Fine. But keep it current, and employ an update distribution scheme that's straightforward for your customers to implement. The crack of my server appliance came about because its manufacturer had stopped maintaining the code base even though the company hadn't yet formally obsoleted the product, thereby leaving me with a false sense of its security.

Some respondents to my earlier writeup claimed the circumvention was my fault because I had dared to expose the FTP port to the Internet. That's a ridiculous deflection of the core issue, and a distortion of the fundamental point of a server appliance. Others claimed the upkeep of the SG10's code was my responsibility, an equally ludicrous stance...that is, unless open source advocates are content with their products only being used by a small cadre of power users who are capable of personally compiling and merging code patches into a larger software build.

When I as a consumer buy a product, I assume that I've also bought an assurance that noteworthy flaws in its software will be fixed by the manufacturer at least through its production lifetime (and hopefully for some time thereafter). And I assume that I'll be easily able to install those updates. Open source or closed source? I really don't care, particularly if the manufacturer has used open source merely to bolster its profit margin rather than to lower the product price relative to a closed source alternative. And if the closed source product is more maintainable (assuming, of course, that the product is inherently vulnerable to potential code flaws...a fair bet in this increasingly network-connected world of technology), I'll vote for closed source with my wallet.

Asbestos suit donned; flame away, open source fanboys!


Reader Comments



at 3/14/2007 10:19:29 AM, Duncanhr said:
As old Murphy says, if something can go wrong, it will go wrong. And Linux is free but not easy to cope with.



at 3/15/2007 4:06:57 AM, Alan Jones said:
Hi Brian,

I'm not sure if I missed the point, but it pretty much sounds to me like your issue isn't even related to open source - it's about vendor support?

How about naming and shaming the vendor who continues to sell a product which they no longer provide support and patches for? That way the rest of us can vote with our wallets too.

Cheers,

Alan.



at 3/15/2007 5:40:53 AM, John Lewis said:
Hi Brian,

Nice article, although I don't think you're as unbiased as the article makes out. You do seem to be erring towards proprietary software.

One of the things that attracted me most to Open Source (from a security point of view) is the transparency. A lot of proprietary vendors (Cisco and Microsoft spring to mind) have a habit of finding vulnerabilities and then not telling people about them for several months let alone fixing them.

This then skews your view that proprietary software has inherently the same amount of vulnerabilities. It actually has one or two more that we aren't being told about because it would be bad for PR. There is nothing stopping a proprietary vendor from doing this and the public haven't got much chance of finding out about the vulnerability unless somebody exploits it.

Yours,

An all round conspiracy theorist and Open Source zealot. (I hope the flames weren't too strong for you).

Good luck!



at 3/15/2007 5:50:20 AM, phil said:
Hey Brian, I like products that work too. Unfortunately most vendors just want my money and don't really care about fixing problems. Having your appliance cracked is really annoying. Having your computer cracked on a regular basis is beyond annoying. I finally had to dump Windows. MacOS is like night and day over Windows.

Having been a programmer in proprietary companies and FOSS, I far prefer to use FOSS. Yes, lots of people can examine the code and crack or fix it. With proprietary software the backdoors and obvious security holes exist for years until someone stumbles onto them. I have worked on many products that have secret accounts built in with well known passwords. No need to ask the customer for a password, just go in and fix his problem.



at 3/15/2007 6:24:45 AM, John said:
Hi Brian,
I must say after my experience with Microsoft Windows Ultimate, I like open source better. Open source gives you more freedom with your computer than closed source like Microsoft. However, it seems to be more secure and harder to hack. I agree with Phil: companies like Microsoft especially will not tell you about a flaw unless it is exploited. Open source is what it says: open. There are no hidden issues, or conspiracies to keep flaws secret. And the best part of all, you do not have software telling you what you can and cannot do with your computer.




at 6/6/2007 1:09:24 PM, Jose said:
I agree with others that your problem is with support (with the particular vendor). Some open source code bases simply get stale because people lose interest and go on to something else. In some cases, a good product stays behind (it got boring because there was little more to be added or fixed short of a full makeover.. which is probably someone else's more current and more popular project). In others, a product with "issues" got abandoned and those relying on it may have to deal with their own "issues" (like supporting themselves).

If this company had used proprietary software and, because of higher costs, had gone out of business (as opposed to having had to tighten its budget), you would be left with an even bigger mess. You would have a vulnerable product that would never get fixed.

I agree that the initial problem is with the vendor. But how many vendors fail the end user? Tons. All fail, probably, at some point or another. Having product support for an extended period doesn't mean that the product will be perfect during all that time.. and certainly not thereafter. The quality of that support depends on the commercial entity.. well, for closed source anyway.

Depending on the economics or your skill level, you could hire someone else to maintain an abandoned *open source* product or you could do it yourself (or some other commercial entity may pick it up and run with it if providing that support seems commercially viable to them). With open source, you have that choice because you have transparency. This means you or someone else can make an honest (verifiable) analysis of the risks of staying with the product. You (or someone else) can restart the project, making it once again interesting as you add features (something only possible with open source). You also know where this code base ends and any other would begin. Would changing applications solve the problem? Or maybe you need to change the whole system because of many interlocking components (hardware, OS, and all). Or maybe you only need to tweak a configuration file (e.g., to use some other library or to tighten a constraint).

Open source is (sort of) to chemistry what closed source is (sort of) to alchemy. The latter refers to secretive (ultimately broken) theories that sort of maybe perhaps worked some of the time but it wasn't really known why and could not be analyzed by the combined resources of the wider community. Guess which one is rotting away today without any hope of being maintained while the other is constantly being improved (ditching completely broken subcomponents)?

I also want to say that an earlier poster was probably underestimating greatly the number of vulnerabilities in closed source products that go unreported (not 1 or 2). Unreported problems are there and are possibly being exploited repeatedly. The more valuable the vulnerability, the greater the temptation for someone discovering it to keep it quiet and exploit it quietly. Well, for closed source products that is, where in fact only a handful of people at most may ever know about it. Think about it. If 5 people over 5 years were able to discover a closed source bug, how many do you think would discover it if it was open source? A bunch would. Which means the odds of someone making a lot of noise (or failing to be completely quiet) go up tremendously.

E.g., to remain effectively secret, *each* must keep it secret. If the odds of someone keeping a secret for a fixed period of time are 1/2, then five people keeping something secret for that period of time has odds 1/32. 20 people keeping it secret has odds 1/1048576. To put it another way, the secret is 32768 times less likely to be kept with the 20 people than with the 5. Even a secret just twice as likely to be shared is bad. And finally, if the odds of being able and willing to keep the secret are even less than .5, the numbers get out of sync exponentially quicker [Conversely, if they approach 1, then the numbers still diverge exponentially but are much closer to each other compared to the 1/2 case, and this may be good enough if the period of time we are talking about is say 20 years, meaning that the closed and open source odds, for this particular exploit, would not be all that different, in this assumed 20 year setting]. And I just described averages. Actually having a variation around such an average is worse. E.g., some particular person might virtually absolutely never be able to keep it secret, so if that person is one of the 20, it is game over for the rest. The odds of being in a select group of 20 in an open source context are larger than being in a select group of 5 for a closed product.

Of course, there are more factors that come into play. [BTW, the example can use work (I have given it only minutes of thought), but don't read it too literally to get more mileage out of it. For example, the odds of giving away a secret could already factor in the odds that someone will listen to the noise-maker, or that others will actually exploit it more or seek protection from it. And making noise/revealing a secret doesn't have to be intentional or through words. It could simply be attempting to exploit it so that others see what is being done and take note.]

In conclusion, over particular cases (particular vendor, particular period of time, particular customer, particular product), FLOSS isn't necessarily better, but over averages over the long haul, FLOSS comes out ahead. Chemistry did.




©1997-2009 Reed Business Information, a division of Reed Elsevier Inc. All rights reserved.