Squishing Bugs

    It's Saturday morning and I just finished doing my weekly chores around the house. While I wait to swap the wash, I'm updating SSH on my Debian servers. It seems the random number generator within the application was broken, so that when the RSA keys are generated they may not be so “unique”. The fix was very simple; one command in a terminal and the application is updated, new keys generated, and the SSH daemon restarted. For those not comfortable in the shell, most GUI package managers either automatically updated the system or notified the user that an update was available. A simple click and you're safe once again.

    Why do I feel compelled to share this with you? Well, this recent vulnerability with SSH reinforces the fact that even those of us that choose not to use Windows must remain vigilant and keep our systems updated. More importantly, it points out a major difference between FOSS (free and open source software) and proprietary software; there is a marked difference in the way vulnerabilities are handled.

    Open source software is frequently criticized by its pundits as insecure and dangerous due to the very fact that the source code is freely available. The argument is that “since the source code is available, it's very easy for the bad guys to find the flaws”. The counter-argument by the FOSS folks is that “since the source code is available, it's very easy for the community to review and find flaws”. Basically, the code is reviewed by a large number of people on a regular basis which should result in an inherently safer product. Case in point: the vulnerability with the random number generator within SSH was discovered and announced on May 13. Within hours, the open source community had resolved the issue and had an updated version of the software available.

    Lets look at the other side now. Proprietary software does not make the source code available. It is up to the manufacturer of the software to review it for vulnerabilities and patch as necessary. We are left at the mercy of said manufacturers and must assume that the software has been tested and is safe to use. What happens when a user finds a security issue? While there is much debate on how this should be properly handled, the standard procedure is for the discoverer of the bug to notify the manufacturer. At this point the manufacturer will determine if there really is an issue, what (if anything) they are going to do about it, whether they should go public with the disclosure, etc. There is always the possibility that the manufacturer will never let the public know about the vulnerability, not issue a patch, and simply hope no one else discovers the flaw. A more common scenario is that the manufacturer releases an announcement of the flaw in conjunction with a patch, months (sometimes years) after they were initially notified or simply waits until the release of the next version to fix the flaw. This puts users of the software at risk for the whole period between the initial notification by the discovering party and the release of a patch.

    So, which do you prefer, FOSS or proprietary? I'll stick with the stuff that has nothing to hide, thanks.