Does the Heartbleed bug refute Linus’s Law?
The Heartbleed bug made the Washington Post. And that means it’s time for the reminder about things seen versus things unseen that I have to re-issue every couple of years.
Actually, this time around I answered it in advance, in an Ask Me Anything on Slashdot just about exactly a month ago. The following is a lightly edited and somewhat expanded version of that answer.
I actually chuckled when I read rumor that the few anti-open-source advocates still standing were crowing about the Hearbeat bug, because I’ve seen this movie before after every serious security flap in an open-source tool. The script, which includes a bunch of people indignantly exclaiming that many-eyeballs is useless because bug X lurked in a dusty corner for Y months, is so predictable that I can anticipate a lot of the lines.
The mistake being made here is a classic example of Frederic Bastiat’s “things seen versus things unseen”. Critics of Linus’s Law overweight the bug they can see and underweight the high probability that equivalently positioned closed-source security flaws they can’t see are actually far worse, just so far undiscovered.
That’s how it seems to go whenever we get a hint of the defect rate inside closed-source blobs, anyway. As a very pertinent example, in the last couple months I’ve learned some things about the security-defect density in proprietary firmware on residential and small business Internet routers that would absolutely curl your hair. It’s far, far worse than most people understand out there.
Friends don’t let friends run factory firmware. You really do not want to be relying on anything less audited than OpenWRT or one of its kindred (DDWRT, or CeroWRT for the bleeding edge). And yet the next time any security flaw turns up in one of those open-source projects, we’ll see a replay of the movie with yet another round of squawking about open source not working.
Ironically enough this will happen precisely because the open-source process is working … while, elsewhere, bugs that are far worse lurk in closed-source router firmware. Things seen vs. things unseen…
Returning to Heartbleed, one thing conspicuously missing from the downshouting against OpenSSL is any pointer to a closed-source implementation that is known to have a lower defect rate over time. This is for the very good reason that no such empirically-better implementation is known to exist. What is the defect history on proprietary SSL/TLS blobs out there? We don’t know; the vendors aren’t saying. And we can’t even estimate the quality of their code, because we can’t audit it.
The response to the Heartbleed bug illustrates another huge advantage of open source: how rapidly we can push fixes. The repair for my Linux systems was a push-one-button fix less than two days after the bug hit the news. Proprietary-software customers will be lucky to see a fix within two months, and all too many of them will never see a fix patch.
The reason for this is that the business models for closed-source software pretty much require software updates to be an expensive, high-friction process hedged about with fees, approval requirements, and legal restrictions. Not like open-source-land, where we can ship a fix minutes after it’s compiled and tested because nobody is trying to collect rent on it.
Sunlight remains the best disinfectant. Open source is no guarantee of perfect results, but every controlled comparison that has been tried has shown that closed source is generally worse.
Finally and in 2014 perhaps most tellingly…if the source of the code you rely on is closed, how do you know your vendor hasn’t colluded with some spy shop to install a back door?