Opinion: TrueCrypt, the NSA, and the Myth of Open-Source Security

Several years ago, in a nod to Linux creator Linus Torvalds, software developer Eric S. Raymond coined a phrase that he called Linus's Law:

"Given enough eyeballs, all bugs are shallow."

So goes the standard argument in favor of open source: more "eyeballs" make for better quality control and better security. It has become the rallying cry for open-source enthusiasts, particularly in the aftermath of Edward Snowden's revelations last year about NSA spying and government infiltration of technology. Reports surfaced that Microsoft, Google, Yahoo, and other tech heavies were compromised. According to the open-source narrative, the Snowden documents proved that commercial software couldn't be trusted.

"There have long been rumors in the networking community about possible backdoors in major networking vendors' firmware and network stacks," Nicholas Merrill, executive director of The Calyx Institute, told Enterprise Networking Planet in an interview last year. "I would suggest that people strongly consider open-source solutions since their source code is open for peer review and auditing."

Government snoops, however, apparently have no qualms about attempting to hide vulnerabilities in plain sight. For instance, during a keynote panel discussion at this year's LinuxCon, Linus Torvalds was asked if the federal government had ever asked him to insert a backdoor into the Linux kernel. Torvalds verbally told the audience "No" while nodding his head yes.

Additionally, among the Snowden leaks was confirmation that the NSA had inserted a self-serving vulnerability into a pseudorandom number generator and then worked to get it adopted as an international standard.

Certainly, although it has been confirmed that the US government pressures and works with commercial vendors to insert backdoors into their software, it apparently participates in open-source efforts as well. After all, if open-source development is "open" to everyone, it's just as open to the government and others who wish to weaken software security.

Other factors demonstrate that Linus's Law is just plain false. In his 2003 book Facts and Fallacies of Software Engineering, Robert L. Glass levies numerous criticisms against the "law," writing that, according to research, the law of diminishing returns is at work when it comes to code review. Specifically, he reports that having more than two to four code reviewers is not particularly useful.

"[W]e shouldn't think that a Mongolian horde of debuggers, no matter how well motivated they are, will produce an error-free software product," writes Glass, "any more than any of our other error removal approaches will."

Glass goes on to point out that no scientific evidence exists to show that open source is safer, more reliable, or less buggy. He also observes that the bugs found by the many "eyeballs" may not be the most serious. Other commentators have explicitly posited that security bugs are among the least likely to be found in open-source software because security review is more boring and more difficult than tending to features.

