Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Permalink for comment 453745
To read all comments associated with this story, please click here.
Member since:

Have you ever read Phrack? They've been publishing articles on security of open source software since the late 80's. There are entire crowds of people looking for vulnerabilities in the Linux kernel, for different reasons.

I worked at a software company for some time. It had many more features than the open source alternatives. When it came to security, everyone said it's important and security bugs were the most important, but (!), nobody ever did a security audit. As soon as a new feature worked it would never be looked at again until obvious behavioral bugs were detected. Or new related features were added in that area.

The code was quite a bit of a mess, there were few people who knew, more or less, what everything was supposed to do but only vaguely, parts of the program written by people who had left, many parts that many people wanted to rewrite but never, ever had the time to. Only new features would go in.

I also took a look at the source code of an open source alternative. It was like drinking water from a mountain spring after running on a marathon. Admittedly, the code was written (mainly) by one person. But it was so clean and so consistent.

One more thing, when you use C++ in a corporation it's a disaster in my opinion. Some people will write plain C. Some people will use templates (yuck). There are some many ways to do things in that language and it so many ways people use it. I've never seen a program written in C++ that would have pretty, consistent source code. I guess this is because C really forces you to be organized. But I digest...

I opensource not only the author(s) of the software can (and have the time to, and do it properly, because they're not constained) find security holes. Especially when they rewrite the software. Because they have time to rewrite it. Because they don't a deadline to push a new feature that is needed for more revenue. Also, the people who incorporate your software in some other software can find security holes. Also, the distributors can find security holes. Also, the people who use the software can look for security wholes (many times large companies who have at least a few qualified people).

Even I, while working at that company, found bugs in the alternative opensource software and filed them (admittedly not security related).

Reply Parent Score: 1