Dan Geer on Heartbleed and Software Monocultures
Good essay:
To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of innovation and rewarding corporate bigness) or that which is relied upon must be field upgradable (Real Politik). If the device is field upgradable, then it pays to regularly exercise that upgradability both to keep in fighting trim and to make the opponent suffer from the rapidity with which you change his target.
The whole thing is worth reading.
maxCohen • April 22, 2014 8:36 AM
“We would not know about it were it not open source (Good).”
I’m trying to understand this. How is it that it being open source is the reason we know about this problem? Couldn’t we have discovered it if it was closed source, like so many other closed source exploits, through trial and error? Seems the advantage of it being open source is that it could be fixed by anyone.