On 04/25/2014 03:16 PM, Louis Suárez-Potts wrote:
On 25 Apr 2014, at 14:21, Jonathan Wilkes <[email protected]> wrote:
On 04/23/2014 10:04 AM, Louis Suárez-Potts wrote:
On 23 Apr 2014, at 08:38, Nick <[email protected]> wrote:
I took the liberty of changing the subject line to something that
hopefully somewhat summarises your email.
Quoth Arnaud Legout:
As polemical as it can be, deeply-held beliefs such as "I will always
go for open source code because its security will
be much higher than any closed source counterparts" should be
seriously reconsidered
when there is not a strong community of developers working on code
maintenance.
There is a lot of shitty code around. That has always been the case,
and will always be so. Anyone who has used the OpenSSL codebase or
looked at it even briefly has seen that it was shitty years ago, and
probably won't have been too surprised by the recent Heartbleed bug.
Strong code can and does come out of small teams, including those of
one or two people. I would recommend rather than judging the
quality of a project by whether there is a "strong community of
developers" or how the project is financially backed, you take a few
minutes to look at the state of the source code. That isn't a deep
audit, of course, but can give you a sense for the tastes and cares
of the people behind the code. Needless to say proprietary code
which forbids such examination should be avoided, for this and other
good reasons.
When I was "leading" OpenOffice.org I proposed that students, mentored by
employed experts who would probably be project committers (and who might in fact be
instructors at colleges and universities), learn about open source collaboration and also
programming by working on outstanding bugs and other issues brought to their attention by
their teachers and relevant project members. Other large open source projects had people
with similar ideas and some, as we did, acted on it.
The idea is not to exploit student labour; and I am aware that a lot of
important work actually demands the attention of experts, not students. I am
also aware that many professors and teachers are indeed moving to use open
source projects' code for their classes. But more could probably be done both
to uncover and even fix flawed and hoary code and also teach students open
source collaboration techniques. (I also would mean for this to be a global
effort, not particular to any one country or region.) Thus, one element of a
solution could well be the promotion of known or suspected problem code and
architecture for student investigation. Any proposed bug fixes would have to go
through the usual (or even more than usual) protocols before inclusion into the
accepted codebases.
It sounds like you want to foster a learning environment that has the added
benefit of improving security software. But in reality I think your proposal
would create an environment for rationalizing insecurity.
Okay; fair enough, though of course that's hardly what I or anyone else (who's
like me) would want! Judging from your response, I think I wasn't very clear in
my summary and proposal.
I understand the impetus. It's a set of extraordinary circumstances,
however. Imagine if a handful of people had been warning scientists for
the past decade about the need to defend the general population from
aliens. Imagine that the scientific consensus was that it's too costly
to plan for the off chance that nefarious aliens even exist.
Then a rogue alien breaks off and tells the population that not only has
there been an ongoing attack, but the aliens have infiltrated and
weakened the scant protections put in place by the few scientists who
cared to build and maintain them.
In that case, it doesn't make much sense for the scientific community to
start a worldwide campaign to teach non-specialists how to detect and
fix shoddy defenses. It makes sense for the scientific community to
come together, study what the rogue alien had to say, and come up with and
_follow_ more scientific procedures to better defend against alien
attacks. Until that point, there isn't sufficient expertise to guide a
large-scale (or even federated) education campaign.
When you combine that with inadequate funding, I don't see how you end
up with anything except security theater like the TSA. And while the
TSA is better than nothing, I don't think it's the best use of already
scant resources.
-Jonathan
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at [email protected].