Tuesday, May 08, 2012

cgi-php: Well, that just about wraps it up for open-source

15 years ago, when we started the industry of white-hat hackers finding vulns and reporting them, "everyone knew" that open-source was more secure than closed-source because of the "many eyeballs" theory that the many people looking at open-source would find/fix bugs faster than in closed-source products. This was analogous to cryptography, where the only trustworthy crypto algorithms were those widely published and analyzed, and that anybody attempting "security through obscurity" by hiding their crypto algorithm was inevitably found to have made a serious mistake.

But things never worked out this way. Open-source has failed to demonstrate any advantage in security.

The problem is that while many eyeballs can look at open-source, they don't. Open-source programmers just don't have the incentive. They want to write new code and add new cool features, not try to break old stuff.

Conversely, at Microsoft, many eyeballs do look at code. Microsoft pays them to, then pays other programmers to attack the code with fuzzers and static analyzers. PHP may be more popular than Microsoft's ASP/.NET, but more eyeballs have looked at the Microsoft stuff.

The recent "cgi-php" vuln is definite proof that the "many eyeballs" theory doesn't work. PHP is one of the most popular bits of code on the web. The vuln was obvious to any eyeballs looking at the code. Yet it sat there undiscovered for 7 years.

I'm not saying Microsoft is any better, or that other factors don't exist that make open-source better than closed-source. I'm just saying that the "many eyeballs" theory has been proven false as much as any theory can be proven false. Things slip through the open-source development process that even a small number of "eyeballs" should've caught. The putative eyeballs haven't materialized. The days of open-source ideology are over; it's time we judged software on its individual merits, not its origin.

Update: On Twitter, Weev points out bug bounties. I think those are a winner. You can trust Google Chrome or Mozilla Firefox because they pay people to find bugs. This directs eyeballs their way. I trust Chrome over Internet Explorer not because it's open-source, but because they pay people to put eyeballs on it. Thus, the new axis is "bounties vs. no-bounties", not "open-source vs. closed-source".

Update: On Twitter, people are pointing out that we ought to "crowd-source" bug-bounties. Is "crowd-sourced" the new "open-source"?

Update: On Twitter, Dan Kaminsky argues that it's not coder eyeballs that make code secure, but user eyeballs.


Dan Kaminsky said...

I think it's rather important to point out that this is in code almost nobody runs.

Anonymous said...

I think the problem is about people misconstruing the situation. I'll still say that Open Source has the *potential* to be more secure, simply because it's more open. We could even call it more trusted, which is slightly different. At least with open source we *can* have people look at it and say it's not dumb or doing something not cool.

With closed source, we do have some blindness.

This issue hurts people who actively claim that open source *is* more secure, but doesn't mean closed source is more secure or that open source is insecure. It just affects the potential, based largely on your mentions of # of users and eyeballs and payment/incentives.

I agree with Dan's comment here, assuming he's correct and this code is not widely used at all.

Also, have you been waiting 7 years for this situation to pounce on this topic? :) Just askin!

Lastly, and this is tangential to the crux of your post, but I still "trust" IE more than Google; but that's a matter of business models and where they both make their money. I don't trust what Google does.


Unknown said...

Dan & Anonymous

Shodan says otherwise:


13,000 potentially vulnerable installations in the US/Canada alone...

I've been an open source advocate for a long time, but regarding security I really believe the 'eyeballs' theory depends a lot on the quality of your community and users, not their numbers...

David Maynor said...

13k... Wow, that takes care of that argument.

David Maynor said...

Rob: I thought crowd source and open source were pretty much the same thing. In crowd sourcing everybody gets a voice, in open source anybody can write a patch. What's the difference?

this dialog is really annoying and my custom openid isn't recognized said...

PHP is probably one of the worst open source projects out there.

I've worked on many closed source projects and found security issues just by reading code for other purposes.

Did I fix them? Of course not. No time, not paid for that, etc.

Of course open source is not automatically secure, but your examples are pretty bad.

Actually, you prove nothing — Microsoft could open source their code, they would have their eyeballs and other eyeballs. Some open source projects are actively audited, some are not, and that's the same for closed source. The only change with open source, is that you have the potential for more audits.

Anonymous said...

This is a logical fallacy called "cherry picking". I could do the same thing with Microsoft - how about that huge Azure fail recently, where the whole cloud went down for a full day due to a friggin' leap year bug?