April 23, 2014
While I believe that in many cases having multiple sets of eyes work on a problem is a good way to develop optimized solutions, sometimes it seems that while everyone was looking to the right, someone should have been looking left. I think the current kerfuffle regarding the Heartbleed bug is a prime example of this phenomenon. While the concept of open source code is admirable (it's always nice to share), it has its drawbacks, the primary one being that the desire to share your work with others is only as good as the work itself. In other words, just like the spread of a communicable disease, no one wants to perpetuate something bad, but if proper precautions aren't taken, a lot of people are going to be very unhappy. And isn't this the inherent problem in the whole open source movement?
Apparently, this Heartbleed bug is a pretty serious faux pas. Technically it is a missing bounds check in the TLS heartbeat extension of OpenSSL (versions 1.0.1 through 1.0.1f, tracked as CVE-2014-0160): a peer can claim a heartbeat payload far longer than the one it actually sent, and the server answers with up to 64 KB of whatever happens to sit in its process memory, with no trace in the logs. Its presence can therefore lead to the theft of things like private server keys, user session cookies and passwords. This is some pretty non-trivial stuff. A writer for Forbes Magazine even went so far as to describe it as "potentially the worst vulnerability found since commercial traffic began to flow on the internet". While usually I would consider this to be hyperbolic, everyone agrees that this is a serious issue, with companies like Cisco and Juniper publishing advisories listing a range of their networking products as affected. For those of you keeping score at home, you can put that into the "pretty darn big" problem column.
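To make the "faux pas" concrete, the following is an added illustration written for this piece, not code from the original post and not OpenSSL's source. It is a simplified reconstruction of the heartbeat handling logic: one version trusts the peer-supplied payload length the way OpenSSL did before 1.0.1g, the other applies the bounds check the fix introduced. The process memory layout, the record and the "secret" that sits after it are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16   /* minimum padding a heartbeat message must carry (RFC 6520) */

/* Constructed "process memory": a heartbeat record at the front, followed by
 * data the peer was never meant to read. Both are fabricated for this example. */
static uint8_t memory[256];
static const char secret[] = "session=deadbeef; admin_pw=hunter2";
static const size_t record_len = 1 + 2 + 2 + HB_MIN_PAD;   /* real payload is 2 bytes */

static void build_memory(uint16_t claimed_payload_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_payload_len >> 8);     /* length field as sent by peer */
    memory[2] = (uint8_t)(claimed_payload_len & 0xff);
    memory[3] = 'h';                                     /* the 2 bytes actually sent */
    memory[4] = 'i';
    /* bytes 5..20 are padding; the record ends at record_len, the secret follows it */
    memcpy(memory + record_len, secret, sizeof secret);
}

/* Vulnerable shape (pre-1.0.1g): the length field is trusted, so the memcpy
 * reads 'payload' bytes from the payload pointer even when the record is shorter.
 * Returns the response length, or -1 if the request is rejected. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                          /* never consulted: that is the bug */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_MIN_PAD;
    if (resp_len > out_cap) return -1;      /* only guards our demo buffer, not the record */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);            /* over-read: runs past the real record */
    memset(out + 3 + payload, 0, HB_MIN_PAD);
    return (int)resp_len;
}

/* Fixed shape (the 1.0.1g check): the claimed payload plus header and minimum
 * padding must fit inside the record actually received, else discard silently. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD) return -1;     /* too short to be a valid heartbeat */
    const uint8_t *p = rec;
    uint8_t type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_MIN_PAD > rec_len) return -1;   /* the missing check */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_MIN_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, p, payload);            /* now bounded by rec_len */
    memset(out + 3 + payload, 0, HB_MIN_PAD);
    return (int)resp_len;
}

typedef int (*hb_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Runs one handler against the constructed record. Returns 1 if the response
 * contains the secret, 0 if it does not, -1 if the handler rejected the request. */
static int response_leaks_secret(hb_fn fn, uint16_t claimed_len)
{
    uint8_t resp[512];
    build_memory(claimed_len);
    int n = fn(memory, record_len, resp, sizeof resp);
    if (n < 0) return -1;
    size_t slen = strlen(secret);
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 64 bytes: %d\n", response_leaks_secret(heartbeat_vulnerable, 64));
    printf("fixed,      claims 64 bytes: %d\n", response_leaks_secret(heartbeat_fixed, 64));
    printf("fixed,      claims  2 bytes: %d\n", response_leaks_secret(heartbeat_fixed, 2));
    return 0;
}
```

The point of the demo is the single comparison in the fixed handler: the vulnerable version never looks at how much data actually arrived, so a two-byte heartbeat that claims 64 bytes is answered with 64 bytes read from beyond the record. The real bug let the claim go to 65535, and the bytes that came back were whatever had recently been freed or allocated near the connection's buffers, which is how keys and cookies walked out the door.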
What makes the whole thing particularly dicey is that the problem has been around for a while: the flawed code was committed at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012, so it sat in production for roughly two years before the April 2014 disclosure, and no one is sure who might have known about it, and used it, for nefarious purposes. Rumor has it that the NSA (who have now officially replaced the Illuminati and the Tri-Lateral Commission as the unseen force of evil for the black helicopter crowd) had known about the problem for a long time and chose not to tell anyone so they could exploit it for their own national security ends. While this may or may not be true, the fact remains that due to a lack of sufficient scrutiny, a well-meaning "open sourcer" unwittingly unleashed a major bug on an epic scale. While this 21st century "Typhoid Mary" is justifiably aggrieved by his mistake, the bigger issue lies in the inherent vulnerabilities of any "open" platform.
I once played football for a coach who used to say, "Practice didn't make perfect, perfect practice did". This adage best describes the single biggest drawback to the open source concept: with no formal mode of guaranteeing accuracy, the door is always open, albeit slightly, for imperfection to proliferate. This by no means should be interpreted as a condemnation of the open source concept, but it does mean that use of universally available tools, like code, should be subject to your own internal system of scrutiny and verification.
There are no panaceas in life, and anything presented as such should be viewed with a somewhat wary eye. As experience has proven, code developed in an open environment often benefits from the good will and intentions of the multitudes who view these endeavors as the unifying agents that accelerate the technical improvements that will benefit us all. Unfortunately, good intentions do not always equate to error-free code, as the Heartbleed bug clearly illustrates. To use an old cliché, perhaps the best approach to using open source materials can be summarized as, "Trust but verify". In practical terms that means knowing which versions of which libraries you actually run, so that when one of them turns out to be broken you can do what Heartbleed demanded: patch (to OpenSSL 1.0.1g or later), then treat the keys, certificates and sessions that lived in that process as compromised and replace them, since a patched server that keeps its old private key has only fixed half the problem. As the Heartbleed situation demonstrates, sometimes even the most selfless actions must be evaluated from a selfish perspective.