Secret Bunker Revisited...

JR asks the following question on the Secret Bunker posting – When it is still easy to attack a system without access to the source, and we all know it is, why doesn't any advantage (like being able to patch the system directly yourself) become an instant positive advantage over closed source?

First, let me ask a question – did anyone find the Secret Bunker street sign amusing, or was that just me?

JR, that’s an interesting question – there’s a possibility this thread could run for a while… so, let’s dig in…

Having access to source *may* give you the ability to patch your own system, but only if you understand the issue, can debug the problem and write a patch for the system, and can confirm through regression testing that the patch doesn’t break any other part of the system or the third-party applications and services running on it. That may be fine for a small number of o/s-level developers, but it certainly isn’t the case for consumers running an operating system on a desktop PC or consumers of embedded systems – consumers want to know that a patch works and doesn’t break anything.

Assume for a moment that you have a car parked in a public place with valuables in clear sight on the back seat – how long do you think it would be before a thief decides your vehicle is a prime target? If your belongings are tucked away in the boot/trunk there’s less chance of a passer-by thinking about breaking in – sure, there’s a chance that someone might try the door handle to see if you’ve been careless and left the vehicle unlocked (wait for it, there’s a computer-related thought coming up), but the chances of being broken into are greatly reduced.

Now assume that you’re building an embedded system: you’ve included only the o/s components your system needs, and you’ve allowed only code that is included in your o/s image to run (you’ve locked the door and put your valuables in the boot/trunk) – in this case, where is the attack going to come from?
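To make the "only code in the o/s image may run" idea concrete, here is an added example that is not part of the original post and not code from any product it mentions. It builds a manifest of the executables an image shipped (path plus SHA-256 of contents) and audits a set of running binaries against it, flagging anything the image never contained or whose contents have changed since the build. The file paths, the `IMAGE_FILES` and `RUNNING` tables and their byte strings are constructed stand-ins for real binaries, chosen only so the script runs offline.

```python
import hashlib

# Constructed sample: the executables an image build shipped, keyed by path.
# In a real build this table would be generated from the image's file list.
IMAGE_FILES = {
    "/bin/busybox": b"\x7fELF...busybox-stub-v1",
    "/usr/bin/sensor-app": b"\x7fELF...sensor-app-stub-v1",
}

# Constructed sample of what is executing at runtime: one binary matches the
# image, one was modified after the image was built, one never came from the
# image at all.
RUNNING = {
    "/bin/busybox": b"\x7fELF...busybox-stub-v1",
    "/usr/bin/sensor-app": b"\x7fELF...sensor-app-stub-v1-modified",
    "/tmp/unexpected": b"\x7fELF...unknown",
}


def sha256_hex(data: bytes) -> str:
    """Digest used to identify a binary's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each shipped executable's path to the hash of its contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_executable(manifest: dict, path: str, content: bytes):
    """Return None if the binary is vouched for by the image, else a reason."""
    expected = manifest.get(path)
    if expected is None:
        return "not in image manifest"
    if sha256_hex(content) != expected:
        return "contents differ from image"
    return None


def audit(manifest: dict, running: dict) -> list:
    """List every running executable the image manifest does not vouch for."""
    findings = []
    for path, content in sorted(running.items()):
        reason = check_executable(manifest, path, content)
        if reason is not None:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    manifest = build_manifest(IMAGE_FILES)
    for path, reason in audit(manifest, RUNNING):
        print(f"{path}: {reason}")
```

The script is only an illustration of the policy; on a shipping device the same check belongs in the boot chain or kernel (verified boot and integrity-measurement mechanisms), where it can refuse to execute an unlisted or altered binary rather than merely report it after the fact.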

Or, let’s look at this from a slightly different angle – I’m using a product called BlogJet to write this, er, blog. I paid $40 for the product because it does exactly what I want: I can write posts offline, add text, add images (which are uploaded to an FTP site) and so on. It makes blogging extremely simple – so what incentive is there for a software developer like BlogJet to open source their application? Once the source is out on the web anyone can download it and build the application, so how does the developer make any money from the product?

– Mike