Linked by Thom Holwerda on Tue 14th Dec 2010 23:55 UTC, submitted by Oliver
OpenBSD Okay, this is potentially very big news that really needs all the exposure it can get. OpenBSD's Theo de Raadt has received an email in which it was revealed to him that ten years ago, the FBI paid several open source developers to implement hidden backdoors in OpenBSD's IPSEC stack. De Raadt decided to publish the email for all to see, so that the code in question can be reviewed. Insane stuff.
Thread beginning with comment 453736
To view parent comment, click here.
To read all comments associated with this story, please click here.
google_ninja
Member since:
2006-02-05

security audits are boring things. many aspects of writing code are pure fun, that is not one of them. I have added features I thought would be cool to open source projects many times before, I have fixed bugs I have run into many times before, but I have never done an audit of a codebase.

On the flip side, thats what I have been doing at work for the last few weeks. Boring as hell, and wouldn't do it if I wasn't getting paid.

Reply Parent Score: 3

cheemosabe Member since:
2009-11-29

Have you ever read Phrack? They've been publishing articles on security of open source software since the late 80's. There are entire crowds of people looking for vulnerabilities in the Linux kernel, for different reasons.

I worked at a software company for some time. It had many more features than the open source alternatives. When it came to security, everyone said it's important and security bugs were the most important, but (!), nobody ever did a security audit. As soon as a new feature worked it would never be looked at again until obvious behavioral bugs were detected. Or new related features were added in that area.

The code was quite a bit of a mess, there were few people who knew, more or less, what everything was supposed to do but only vaguely, parts of the program written by people who had left, many parts that many people wanted to rewrite but never, ever had the time to. Only new features would go in.

I also took a look at the source code of an open source alternative. It was like drinking water from a mountain spring after running on a marathon. Admittedly, the code was written (mainly) by one person. But it was so clean and so consistent.

One more thing, when you use C++ in a corporation it's a disaster in my opinion. Some people will write plain C. Some people will use templates (yuck). There are some many ways to do things in that language and it so many ways people use it. I've never seen a program written in C++ that would have pretty, consistent source code. I guess this is because C really forces you to be organized. But I digest...

I opensource not only the author(s) of the software can (and have the time to, and do it properly, because they're not constained) find security holes. Especially when they rewrite the software. Because they have time to rewrite it. Because they don't a deadline to push a new feature that is needed for more revenue. Also, the people who incorporate your software in some other software can find security holes. Also, the distributors can find security holes. Also, the people who use the software can look for security wholes (many times large companies who have at least a few qualified people).

Even I, while working at that company, found bugs in the alternative opensource software and filed them (admittedly not security related).

Reply Parent Score: 1

cheemosabe Member since:
2009-11-29

In my opinion, it's not the "many eyes" part that's important. It's being able to write just what's fun for you, look back at it and be proud of how beautiful it is, how consistent, rewrite any parts (probably several times) until it's consistent and(!) until you know the whole program really well. You're not constrained to write so many features that the software becomes difficult to maintain.

When someone wants more from your software they can add to it and, in turn, be proud of their part.

It's only people who program like this that are really good programmers and, yes, there are a few of those in big companies. I regret having met really smart programmers where I worked at that never had the time to do things their way, people who could have become great programmers but instead got headaches trying to maintain something that should have been refactored a long time ago.

Reply Parent Score: 1