Secret Bunker Revisited…

JR asks the following question on the Secret Bunker posting – When it is still easy to attack a system without access to the source, and we all know it is, why doesn’t any advantage (like being able to patch the system directly yourself) become an instant positive advantage over closed source?

First, let me ask a question – did anyone find the Secret Bunker street sign amusing, or was that just me?

JR, that’s an interesting question – There’s a possibility this thread could run for a while… so, let’s dig in…

Having access to source *may* give you the ability to patch your own system, but this requires that you understand the issue, are able to debug the problem and produce a patch for the system, and through regression testing make sure that the patch doesn’t cause problems for any other part of the system, or for third-party applications or services running on it. This may be fine for a small number of o/s level developers, but it certainly isn’t the case for consumers running an operating system on their desktop PC or consumers of embedded systems – consumers want to know that a patch works, and doesn’t break anything.

Assume for a moment that you have a car parked in a public place with valuables in clear sight on the back seat of the vehicle – how long do you think it would be before a thief decides that your vehicle is a prime target for attack? If your personal belongings are tucked away in the boot/trunk of the vehicle there’s less chance of a passer-by thinking about breaking in – sure, there’s a chance that someone might try the door handle to see if you’ve been careless and left the vehicle unlocked (wait for it, there’s a computer-related thought coming up), but the chances of being broken into are greatly reduced.

Now assume that you’re building an embedded system, you’ve only included the o/s components needed by your system and you’ve only enabled code that’s included in your o/s image to run (you’ve locked the door and put your valuables in the boot/trunk) – in this case where is the attack going to come from?
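The “locked door” above has a concrete software counterpart: an embedded image that records every file it ships, and a runtime that refuses to execute anything that is not in that record or no longer matches it. The following is an added illustration, not code from the original post or from any Microsoft product; the manifest format, the `is_allowed` check and the two-file image it builds in a temporary directory are all assumptions made for the example. A real device would keep the manifest in signed, read-only storage anchored by verified boot rather than rebuilding it at runtime.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def build_manifest(image_root: Path) -> dict[str, str]:
    """Record the SHA-256 of every regular file in the image, keyed by path relative to the root.

    This is the 'what is in the boot/trunk' inventory, sealed at image build time.
    """
    manifest = {}
    for path in sorted(image_root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(image_root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def is_allowed(image_root: Path, manifest: dict[str, str], candidate: Path) -> bool:
    """Permit execution only if the candidate lives inside the image and still matches its recorded hash."""
    try:
        rel = candidate.resolve().relative_to(image_root.resolve()).as_posix()
    except ValueError:
        return False  # path escapes the image tree: not part of the image, refuse
    expected = manifest.get(rel)
    if expected is None:
        return False  # file was not shipped in the image
    try:
        actual = hashlib.sha256(candidate.read_bytes()).hexdigest()
    except OSError:
        return False  # unreadable or vanished: fail closed
    return hmac.compare_digest(expected, actual)


def demo() -> tuple[bool, bool, bool]:
    """Build a constructed two-file image in a temp dir and exercise the three cases that matter."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "image"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "httpd").write_bytes(b"constructed web server binary\n")
        (root / "bin" / "sh").write_bytes(b"constructed shell binary\n")
        manifest = build_manifest(root)  # sealed here; nothing after this line may change it

        # Case 1: a shipped file, untouched since the manifest was built
        unchanged = is_allowed(root, manifest, root / "bin" / "httpd")

        # Case 2: a shipped file modified after the manifest was sealed
        (root / "bin" / "sh").write_bytes(b"constructed shell binary, modified after sealing\n")
        tampered = is_allowed(root, manifest, root / "bin" / "sh")

        # Case 3: a binary that appeared outside the image (e.g. on a writable data partition)
        outside = Path(tmp) / "data" / "dropped"
        outside.parent.mkdir()
        outside.write_bytes(b"constructed foreign binary\n")
        foreign = is_allowed(root, manifest, outside)

        return unchanged, tampered, foreign


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the three cases is the one the paragraph makes: with a minimal image and an allow list tied to it, the remaining attack paths are those that get something *into* the image or past the check, which is a much smaller surface than a general-purpose desktop that will run whatever arrives.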

Or, let’s look at this from a slightly different angle – I’m using a product called BlogJet to write this, er, blog – I paid $40 for the product because it does exactly what I want: I can write blogs offline, add text, add images (which are uploaded to an FTP site) etc… It makes blogging extremely simple – what incentive is there for a software developer like BlogJet to open source their application? Once the source is out on the web anyone can download it and build the application, so how does the developer make any money from the product?

– Mike

Comments (7)

  1. Loved the sign, Mike. 😉

  2. Having access to source is about more than fixing bugs, it’s about learning. One of the largest reasons I really enjoy Delphi is that they provide full source code for the entire class library. This is a tremendous learning opportunity that has made me a better programmer.

    While I enjoy using Microsoft products I can’t say that they have made me a better programmer.

    I have written freeware open source products and contributed to open source projects that others lead. I didn’t do it to make any money, yet you seemingly dismiss me and my like out of hand.

    To consider another example of open source versus closed source, take a car engine. With a "closed source" engine you’re not allowed to open the hood and you have to take it to the dealer to get anything fixed and they can have their way with you with their price since you have no choice in the matter. With "open source" engines we have the current system where I can take my car to any mechanic and they can fix it. You’re not the only one who can toss around bad analogies with cars and open source.

  3. Mike says:

    If you use eMbedded Visual C++, or Visual Studio .NET you get full source for MFC and ATL – MFC is a set of wrapper classes for the underlying Win32 API, I’ve walked through MFC source a number of times to understand how the class library works.

    I’m curious to find out whether you develop code for a living; if so, you probably work for a company that (hopefully) makes money, and therefore pays you for your work.

    It’s true that you can make a good living from consulting and providing services for existing products, but if you’re in the business of writing applications which are then in turn sold to customers I don’t see how you would make money if the application sources are freely available. It’s like a band putting MP3 files for their new album online so anyone can download them for free, how does the band make a living?

    – Mike

  4. Mike says:

    Wanted to add, I think shared/open source can be a good thing for certain projects – take OpenNETCF’s implementation of class library extensions for the .NET Compact Framework – this is a great example of community collaboration around a project, and I’m sure there are a ton of other great examples.

    At some point an individual or company that writes software for a living needs to make money, open source doesn’t appear to be the avenue to make this happen.

    – Mike

  5. I agree with you about the sign, it’s funny.

    I think that the comparison between the valuables inside a car and open-closed source software is not correct.

    On a computer system the "valuables" are made of data and having open or closed source software does not enable you to know the value and the amount of data stored (and how safely they are stored).

    I agree that you don’t need the source of your blogging tool, but things are a bit different if a software product (like an OS) is going to be an important part of YOUR product (an embedded device).

    I think that having access to the source (or to a large amount of source, like in Windows CE) gives a big advantage.

    In this case (OS) code is reviewed by competent people and having access to it enhances your debugging capabilities and the reliability of the whole system.

    This morning I was trying to understand why my ISAPI dll was not loaded by CE’s HTTPD.

    I see the error message in Platform Builder debug output, go to the source, put a breakpoint and (in a couple of minutes) find out that I misspelled the name of one of the functions.

    I would like to have the same kind of control and the same amount of information when debugging under Windows XP! 🙂

    I’m not a Linux/GPL/open source advocate, I use both open and closed source software and I do most of my development on Microsoft’s platforms (Windows CE mostly).

    Publishing source is not the same thing as giving it away for free.

    I prefer to use libraries and third party tools that provide source, even if I’m not allowed to redistribute it.

    Sometimes you have to sign an NDA, I have no problem doing that.

    I think that this is a "fair" way (both for developer and for vendors) to release source without losing control of it.

    Microsoft distributes a large amount of code, both for Windows CE and for libraries like MFC, ATL, WTL and I think that this is a very good idea.

    An end user doesn’t need access to the source (and many people using Linux wait until they have a binary only package ready for their distribution before they install new applications), but it could be useful for a developer.

    From a hacker’s point of view, having the source _could_ help. Having a copy of a working system where you can try your attacks can be even more valuable (and you can do this with both open and closed source).

    It’s like having the mechanical drawings of the car door lock (open source) or having a "copy" of the car that you can use for your experiments, without the risk of being caught by the police.

    Code reviewing led, for example, to the discovery of a backdoor username/password in InterBase.

    This backdoor had been inside the software for 7 years and was discovered when it was published as open source.

    Having access to source is also good for "post mortem" debugging.

    If your system failed (or was hacked) you can try to understand why it failed (I’m not saying that it’s a simple thing to do) and maybe fix it.

    Without the source you may understand what failed but you have no other way to prevent further failures than sending the information to the vendor and hoping that they will fix it.

    I don’t think that you need the code of any software you use, but having access to the code (or part of the code) of the components of the software/device you made is a good thing, IMHO.

    I think that having access to Windows CE shared source increased both my knowledge of the system and my productivity.

    As you can understand from this message, I’m not a native English speaker; I hope that my long and boring message is understandable for all the people that had the patience to read it 🙂

  6. JR says:

    Thanks for answering my initial question 😉 I can’t honestly say I agree with you, but I like that. It is part of the reason I find myself reading people’s blogs: their obviously biased views drive _my_ thought process to places it might not have gone.

    As for desktop consumers, even with open source solutions like Linux-based distributions they have this: users are not required to understand or even try to understand how a piece of software works, they can just grab updates from their vendor the same way you do with XP. The truth of the matter is, even though the company I work for is mostly highly technical users, we still farm out all the general run of the mill services to an external vendor. That to me, my biased view this time, makes my original point again — it is just another advantage on top.

    I’m curious about the "where is an attack going to come from" point; the amount of time I’ve personally spent playing around with the non-serviceable software on my mobile phone makes me personally aware of the fact that you just look harder and/or in different places for points of entry. And I’m sure there are other cases closer to you, I think it hard to believe that Xbox was ever supposed to be running another OS 😉

    I was going to write a really long reply (yes, I realise this is already long), but I think I agree mostly with Valter. I personally prefer source to /most/ of the software I run, but right now I’m using closed source Opera to write this comment so I wouldn’t go as far as to say I’m a crazed open source fanatic. Another example for me would be my graphics card: because I do a lot of Linux development at work I needed an open source graphics driver. The driver I’m using was developed under NDA, almost the best of both worlds 😉

    I’ve never liked the term Shared Source it seems to imply something to me which isn’t true, but in retrospect that would probably have been a good approximation for my original definition of the mixed source/binary stuff I sometimes work on.

    I too believe the availability of some source with some current MS products has increased productivity no end.

    PS. Please don’t take the "obviously biased" as a slight against you, it isn’t meant that way; it is about the fact that people, when given some freedom, are going to express views that are important to them, which often tends to mean heavy bias.