Given enough eyeballs, all bugs are shallow. Or are they?
Last spring, I took a security course. In one of the lectures, the professor put forth a strikingly similar argument. Open-source advocates belittle proprietary code as “security by obscurity,” but before you shout “oh yes!” consider the following two issues.
- Interesting open-source software is huge, and requires a lot of effort to read and understand. Security-critical components like servers, kernels, device drivers, and crypto packages are difficult to figure out even when you do have the source code available. A majority of programmers would be hard-pressed to even understand what is going on in that code, let alone find and fix bugs in it. This is all before acknowledging the fact that most users aren’t even programmers to begin with. It’s not hard to see why “open source == more eyeballs” might not be as true as we think.
- If bad guys find bugs, where’s the incentive to report them? Zero-day exploits like those used in Aurora are prized possessions and can be sold for money within the hacker underground. In fact, it’s not that far-fetched to believe that these “black hats” have greater motivation to pick through open-source software for bugs than white hats. It may well be that of the few external entities auditing the code, most of them are doing so for exploitation.