next big thing (open source problems)

leblanc at almark.lamar.edu
Wed Feb 21 15:56:01 EST 2001


Aaron Dobbs wrote:

>I suspect open source is not the only source for bugs & complexities.
>Privacy & security holes are being discovered and exploited more frequently
>these days and the recent BIND (DNS) discovery will only multiply the
>problem.
>
>The more complex a system the more room for bugs (or undocumented features
>if you will)
>
>I feel the sentiment below is more pragmatic than fatalistic.  Accept that
>there will be problems and apply the fixes as they are developed.  There
>will always be something that can be improved.  And there will always be a
>way for someone to get where they aren't supposed to be.  The biological
>metaphor really does work for Technology.

I have to disagree with your basis for your partial attack on Open
Source software.  You assume that since there are security holes and
bugs in it, that it is less secure than non-Open Source software.  The
problem is that many security holes in non-Open Source projects are
often swept under the rug by those who know (the people who make it).

If you go to security and bug tracking sites, you will find as many
entries for non-Open Source software as you do for Open Source.  The
only difference between the two is that Open Source developers want
their software to be tested and the problems to be found and fixed
quickly.  Many non-Open Source developers (more importantly their
companies) do not want problems publicized at all, and work hard to keep
quiet any problems that are found until they can release their next
version, which you will have to upgrade to because of all of the
security problems "they have just found."

I will not go as far as to say that Open Source is any more secure or
bug free than non-Open Source, but the problems are found quickly, and
fixes are available quickly.

As for the BIND (DNS) security problem, the problems that have arisen
are already patched, and BIND 8.2.3 is available (note: 8.2.3-beta is
vulnerable, but the full version is not).  Although the problems
reported could allow a 'cracker' to gain root (i.e.: super user) access
to a system, this vulnerability does not mean that Open Source in
general, or BIND in particular, is insecure.  The fact is that most of
these vulnerabilities were found in "labs" by technicians who
understand code far better than script kiddies or crackers, and who were
able to identify the vulnerability and send it on to the ISC so that they
could update BIND before these vulnerabilities showed up "in the wild."

It is because the source code is available, that smart programmers,
commonly calling themselves hackers, are able to identify
vulnerabilities and fix them, but with a turn-around rate for fixing the
vulnerability far greater than any major company could accomplish.

All I am saying is don't knock Open Source just because.  It is not
necessarily less secure, nor does it necessarily introduce more bugs.  More often than not,
it turns out to be more secure and overall better designed software than
non-Open Source.

Thanks,

Christopher LeBlanc
Systems Office
Mary and John Gray Library
Lamar University
Beaumont, Texas
