Why Open Source is not Magic Pixie Dust, Part 284
This is something that everyone in open source needs to remember. It is too easy to claim glibly that free software is a panacea, that by converting from closed to open code, all the problems go away. The difficult birth of Mozilla was perhaps the highest-profile demonstration of that, but it was by no means the last. Here's one from reddit, in an incident which took place very recently:

As many of you noticed last night, or heard this morning, we had a bug in reddit that allowed someone to start a comment bomb. Specifically, we had two bugs.

The bugs have been squashed, and it is perfectly safe to open your inboxes again.

It is important to point out here that as a site that gets all of its content from users, we take sanitization very seriously. We sanitize both input and output. In this particular case, our output sanitizer was broken in a non-obvious way. As a matter of fact, these bugs were only exploitable because we are open source. The worm author had to scour the source of our output filter to find these holes. We cannot hide behind security through obscurity, and we like it that way. We also rely on our users reporting security bugs in a responsible manner.

As this post candidly admits, “these bugs were only exploitable because we are open source”. Although many people (myself included) point out that security by obscurity is a false security – since determined crackers can always find the weaknesses anyway – the converse does not hold: *lack* of obscurity does not mean the code is necessarily secure.

For open source code to be secure, people need to look at it carefully and find the bugs before those wishing to exploit them do. Part of that involves users reporting bugs – again, as the post above rightly points out. For open code to realise its potential, it's important that users – especially the more tech-savvy ones – do their bit and help catch bugs that can cause problems. As Zawinski might have put it, you can't take an insecure project, sprinkle it with the magic pixie dust of “open source,” and have everything magically work out.