Full Disclosure mailing list archives

Re: [Software Freedom Law Center paper] Killed by Code: Software Transparency in Implantable Medical Devices


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Fri, 23 Jul 2010 13:10:59 -0500

--On Friday, July 23, 2010 10:37:03 -0400 Shawn Merdinger <shawnmer () gmail com> wrote:

fyi, an interesting read imho.

<snip>

....The FDA has issued 23 recalls of defective devices during the
first half of 2010, all of which are categorized as “Class I,” meaning
there is “reasonable probability that use of these products will cause
serious adverse health consequences or death.” At least six of the
recalls were likely caused by software defects...

</snip>

http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html


Thanks for sharing that.  It was a very interesting article.

While I'm a proponent of open source software, there is a flaw in the security 
argument that seems to go unnoticed by those who advocate for OSS.

Quoting from the article: "...keeping source code under lock-and-key is more 
likely to hamstring 'defenders' by preventing them from finding and patching 
bugs that could be exploited by potential attackers to gain entry into a given 
code base."

How are the defenders any more "hamstrung" than the attackers?  They all have 
access to the same binaries, the same attack and debugging tools and the same 
theories.  The problem with closed source software is not that the code is not 
available for review.  It's that those who have access to the code are not 
motivated sufficiently to fix the problems.

The point of Eric's magnum opus "The Cathedral and The Bazaar" isn't that open 
source is better because it's open.  It's that open source is better because 
"given enough eyeballs, all bugs are shallow".  While you may think this is a 
distinction without a difference, it is not.

If a commercial vendor of closed source software were to expose his source code 
to the same number of people that a competing OSS product is exposed to, the 
results would likely be quite similar.  Because of his chosen business model 
however, the closed source vendor cannot afford to do that.  Thus he suffers 
not from poorer coding practices necessarily but from a lack of resources to 
find and fix the bugs.

So I think the argument that closed source software gives the attackers an 
advantage is a non sequitur, and it weakens the best argument for open source - 
many eyeballs make all bugs shallow.

In fact, OSS distributes the workload across the OSS world quite equitably. 
The more popular (and therefore more implemented) a software application is, 
the more likely it is to have maximum eyeballs perusing it.  Obscure and 
little-used software, OTOH, will have fewer eyeballs for the very reason that it 
isn't used much.  So those applications that are well written and serve a 
useful purpose will prosper and consistently improve, while those applications 
that are poorly written and address obscure uses will languish and die.

And that is as it should be, I think.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
