
Montavista


Archive for the 'security' Category

Oh… heard that one before!

Friday, June 6th, 2008

Nat Torkington started off today on why “Web 2.0 Is From Mars, Enterprise Is Up Uranus”, recasting oft-quoted “laws” of the Internet into their alter-ego “enterprise” versions. This one cracked me up… I’ve heard it before myself:

  • Torvalds’ Law: Given enough eyeballs, all bugs are shallow.
  • Torvalds’ Enterprise Law: Given enough eyeballs, all bugs are exploited.

The quote is actually from Eric S. Raymond who, I presume, stated what he thought Linus would say if Linus were predisposed to statements of that sort.

Yup… I’ve heard prospective adopters of open source software cite as their chief concern the fact that it was open. If only somehow they could buy open source software that no one else has seen… that would make it better. Where do we download that?

That reminds me of something…

A few years ago a prominent military program even pressed for MontaVista to make an exhaustive review of the community codebase our product is built upon in order to identify subversive code. If you’ve not thought of this before, there is, of course, the possibility that rogue agents of foreign powers could insert subversive code into popular open source projects with the intent of later exploiting that code.

Think it can’t happen?

The US did it to the Soviets back in 1982. The CIA inserted subversive code into natural gas pipeline control software that was being procured by the Soviets. When the subversive artifice was triggered, “The result was the most monumental non-nuclear explosion and fire ever seen from space,” according to the author of “At the Abyss: An Insider’s History of the Cold War.” We in fact corrupted a whole slew of technologies that were on an espionage shopping list the KGB maintained.

So do many eyeballs make all bugs shallow? The answer has to be “no” if you read that statement to mean that all of the defects have been removed by the community’s inspection. If you read it to mean that even difficult defects can quickly be surmounted then I’d think you’ve read it correctly and I agree.

So does proprietary software have a better possibility of avoiding the insertion of subversive artifices? I don’t think so. Back in 1980 Philip A. Myers’s graduate thesis for the Naval Postgraduate School gave a review of the problem. “Subversion: The Neglected Aspect of Computer Security” is a great read on this subject. It is old enough that the PDF is a scan, so my quotes are actually clippings:

[image: quote1]

Yeah… I’ve seen that, too.

The Myers paper goes on to discuss what is now a commonly held assertion: that security kernels are the right tool to use to protect against subversive code.

[image: quote2]

Security kernels are still vulnerable:

[image: quote3]

I am, frankly, not enough of an expert to tell you what the route to security nirvana is… or even what nirvana is for your particular project. […and Myers says some great things about vendors and their claims.] There is no one right answer that suits everyone. The world of open source (including the Linux kernel) gets a lot of attention from various security-minded groups, yet it still has its own collection of screw-ups.

I guess I just really want to say that software is software. When it comes to security the license it is distributed under isn’t a primary factor to consider. Other factors are more important.

Brad

I’ll take 5 kilograms of security with that order, please.

Thursday, May 15th, 2008

Recently exposed in the NY Times and picked up on by good folks such as Bruce Schneier (read his whole post… it is a great summary) is an alarming study conducted by the Medical Devices Security Center identifying a host of privacy and integrity attacks that can be implemented by exploiting the wireless interface between a pacemaker and the external control unit.

Wow… being pwned never seemed like such a direct threat to human life.

[image: ICD Attacks]

The above is a snippet from the paper describing the kinds of attacks they were successful in demonstrating in vitro. The paper is fascinating. Part of their attack tooling was the Free GNU Radio project. GNU Radio and some radio interface boards created to be compatible with GNU Radio were used to both analyze the over-the-air communications and generate the transmissions used for the active attack.

What gets me is that while this is clearly a complex attack, I’ve seen the genesis of these assaults firsthand. I recently viewed a multi-page requirements document for an innovative device. Thousands of man hours of labor were implied by the requirements. There was a line item that simply stated one requirement:

  • Security

That’s it. A single bullet.

I’ve seen much better from other folks. I’ve actually been in security reviews with customers, discussed the risks and security objectives of their designs. I’ve met folks who had that security mindset that can at once be confounding yet stimulating. Most, however, just see security as something that is bundled in a package (like the great OpenSSH) or is the result of installing all the updates.

There is more to it. Read some Ross Anderson. Read some Bruce Schneier. I’m just a security engineering wannabe but I still learned a lot.

Use your vendors, too. No one wants to see their product implicated as part of the next great security failing. MontaVista has people who can help you to understand your risk profile. If technologies are the right answer we can help you get the most out of Open Source to address those security risks.

But we don’t sell, and never have sold, security by the kilogram. Sorry.

©2008 MontaVista Software, Inc. All Rights Reserved