[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [Software Freedom Law Center paper] Killed by Code: Software Transparency in Implantable Medical Devices
- To: Shawn Merdinger <shawnmer@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [Software Freedom Law Center paper] Killed by Code: Software Transparency in Implantable Medical Devices
- From: Paul Schmehl <pschmehl_lists@xxxxxxxxx>
- Date: Fri, 23 Jul 2010 13:10:59 -0500
--On Friday, July 23, 2010 10:37:03 -0400 Shawn Merdinger <shawnmer@xxxxxxxxx>
wrote:
> fyi, an interesting read imho.
>
> <snip>
>
> ....The FDA has issued 23 recalls of defective devices during the
> first half of 2010, all of which are categorized as “Class I,” meaning
> there is “reasonable probability that use of these products will cause
> serious adverse health consequences or death.” At least six of the
> recalls were likely caused by software defects...
>
> </snip>
>
> http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html
>
Thanks for sharing that. It was a very interesting article.
While I'm a proponent of open source software, there is a flaw in the security
argument that seems to go unnoticed by those who advocate for OSS.
Quoting from the article, "...keeping source code under lock-and-key is more
likely to hamstring 'defenders' by preventing them from finding and patching
bugs that could be exploited by potential attackers to gain entry into a given
code base, "
How are the defenders any more "hamstrung" than the attackers? They all have
access to the same binaries, the same attack and debugging tools and the same
theories. The problem with closed source software is not that the code is not
available for review. It's that those who have access to the code are not
motivated sufficiently to fix the problems.
The point of Eric's magnum opus "The Cathedral and The Bazaar" isn't that open
source is better because it's open. It's that open source is better because
"given enough eyeballs, all bugs are shallow". While you may think this is a
distinction without a difference, it is not.
If a commercial vendor of closed source software were to expose his source code
to the same number of people that a competing OSS product is exposed to, the
results would likely be quite similar. Because of his chosen business model
however, the closed source vendor cannot afford to do that. Thus he suffers
not from poorer coding practices necessarily but from a lack of resources to
find and fix the bugs.
So I think the argument that closed source software gives the attackers an
advantage is a non sequitur, and it weakens the best argument for open source -
many eyeballs make all bugs shallow.
In fact, OSS distributes the workload across the OSS world quite equitably.
The more popular (and therefore more implemented) a software application is,
the more likely it is to have maximum eyeballs perusing it. Obscure and
little-used software, OTOH, will have less eyeballs for the very reason that it
isn't used much. So those applications that are well written and serve a
useful purpose will prosper and consistently improve, while those applications
that are poorly written and address obscure uses will languish and die.
And that is as it should be, I think.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/