One of the common things you will hear me say is that the most interesting aspects of software can only be understood when using a political science, law or other social science lens rather than a physics or other natural science lens. My experience with the recent kernel bug known as CVE-2008-0600 is offered as an example.
I first read about the bug early Monday morning from an alert I received via SlashDot. I investigated whether I was vulnerable using the same exploit code, and I was. Since the machines I manage for customers and my own machines run either RedHat Enterprise Linux (RHEL) or Fedora, I went to RedHat’s Bugzilla to see if bugs had been filed, and they had: General, Fedora 8 and Fedora 8 xen.
Now that the bug has been fixed and updates sent out, a Security Advisory errata has been issued. I am posting this article now that I have updated all the machines I administer that were affected by the bug.
As someone who authors software, I know that there will always be bugs in software. Software isn’t a final product, but the output of an ongoing process. As an outsider to the kernel development process I was able to monitor many of the conversations going on, and I had a patch available that I could apply to my own kernel by the time I was made aware of the flaw. Since I don’t have untrustworthy users on my servers who would abuse this exploit, I instead waited to receive official updates via the distributions. I was able to watch the progress of RedHat staff building and testing the updated kernels, and could easily estimate from this when they would be available to me.
There are only a few proprietary packages I use, so I don’t have a lot of first-hand experience with how that closed process works in practice. I have installed Skype, Guizmo, Adobe’s Flash player and Adobe’s Acrobat reader (to access some broken Government of Canada documents that aren’t proper PDF files). Whenever there is a bug in these programs I find out about it very late in the process, and have no way of looking into the process to see how well they are handling problems. I would have to blindly trust this process, as it has neither transparency nor accountability, and even after a patch is released I have no way of knowing who in each of these companies worked on the fix. I have heard from third parties that bugs as serious as this one in other operating system kernels sometimes wait months before they are patched, at best waiting until the next ‘patch Tuesday’ to be dealt with. Until the bug is fixed and documented in an update, there is no way to know how the process is going.
I sit here with CPAC on in the background. This being Wednesday, we are able to see some of the committee work live, and in this case I can hear Marc Lalonde as a witness before the Standing Committee on Access to Information, Privacy and Ethics in its ongoing study of the Mulroney Airbus settlement.
While many people don’t bother looking into how governments make decisions, and who inside governments makes those decisions, there is security in those who are interested having the ability to look inside. It is in fact a core aspect of democratic government that citizens and the media have access to much of the internal process within government.
I only have a few government files I watch closely: technology law (copyright, patents), competition, and procurement. I similarly only have a few software projects I watch closely. But we are all able to get better code (software or public policy, in Lessig’s ‘code is law’ sense) and be more secure because some people choose to monitor these processes closely.
How secure would you feel if governments just announced decisions that impacted you, but you had no way to find out who made those decisions or how? These governments can claim to be making these decisions on your behalf, but how do you, or anyone else concerned, find out? Nearly every dictatorship claims to be making its decisions on behalf of its “citizens”. If we wouldn’t trust a government that lacked transparency and accountability, why should we offer blind trust to a software vendor?