Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453697
TheGZeus Member since:
2010-05-19

o_O?

So open source hackers don't get paid to write code? That would explain why Linus Torvalds is so poor, and Red Hat went out of business.

Oh, wait.

Reply Parent Score: 1

_txf_ Member since:
2008-03-17

Did you actually read what he wrote instead of imagining what he didn't write?

He did not say that open source developers don't get paid. Just that Closed source companies have incentives to improve their code.

Red Hat has incentives to make sure that the code they ship is good. The difference is that the burden of maintaining and fixing the code isn't solely Red Hat's responsibility.

A closed source company has sole responsibility for their code; theoretically, they should be more paranoid, therefore paying people to ship and check good software.

Where Red Hat has to build trust and in turn trust the community for the software it supports, the closed source company has to put developers/money on the code to fix/maintain it.

Both can be better or worse. In OSS, less popular software has fewer eyeballs checking the source. In closed source, a company has to put competent people on it because they can't make up the diversity and volume of eyeballs that an OSS project has.

Reply Parent Score: 3

TheGZeus Member since:
2010-05-19

Did you actually read what he wrote instead of imagining what he didn't write?

From the original post: "In open source, nobody has that incentive."

So, back atcha.

Reply Parent Score: 2

google_ninja Member since:
2006-02-05

Security audits are boring things. Many aspects of writing code are pure fun; that is not one of them. I have added features I thought would be cool to open source projects many times before, I have fixed bugs I have run into many times before, but I have never done an audit of a codebase.

On the flip side, that's what I have been doing at work for the last few weeks. Boring as hell, and I wouldn't do it if I wasn't getting paid.

Reply Parent Score: 3

cheemosabe Member since:
2009-11-29

Have you ever read Phrack? They've been publishing articles on the security of open source software since the late '80s. There are entire crowds of people looking for vulnerabilities in the Linux kernel, for different reasons.

I worked at a software company for some time. It had many more features than the open source alternatives. When it came to security, everyone said it's important and security bugs were the most important, but (!), nobody ever did a security audit. As soon as a new feature worked it would never be looked at again until obvious behavioral bugs were detected. Or new related features were added in that area.

The code was quite a bit of a mess: there were few people who knew, more or less, what everything was supposed to do, and only vaguely; parts of the program had been written by people who had left; there were many parts that many people wanted to rewrite but never, ever had the time to. Only new features would go in.

I also took a look at the source code of an open source alternative. It was like drinking water from a mountain spring after running a marathon. Admittedly, the code was written (mainly) by one person. But it was so clean and so consistent.

One more thing: when you use C++ in a corporation it's a disaster, in my opinion. Some people will write plain C. Some people will use templates (yuck). There are so many ways to do things in that language, and so many ways people use it. I've never seen a program written in C++ that had pretty, consistent source code. I guess this is because C really forces you to be organized. But I digress...

In open source, not only the author(s) of the software can find security holes (and have the time to, and do it properly, because they're not constrained). Especially when they rewrite the software, because they have time to rewrite it, because they don't have a deadline to push a new feature that is needed for more revenue. Also, the people who incorporate your software in some other software can find security holes. Also, the distributors can find security holes. Also, the people who use the software can look for security holes (many times large companies who have at least a few qualified people).

Even I, while working at that company, found bugs in the alternative open source software and filed them (admittedly not security related).

Reply Parent Score: 1

google_ninja Member since:
2006-02-05

The number of people paid to work on open source code is absolutely minuscule compared to the amount of open source code that exists.

Reply Parent Score: 2

cheemosabe Member since:
2009-11-29

I don't know what to say about that... Do you have any figures?

I seem to remember statistics about the Linux kernel and Open Office saying the opposite.

Reply Parent Score: 1