Digg this story   Add to del.icio.us  
The Science of Happy Accidents
Jon Lasser, 2002-02-20

The Sardonix project aims to make open source software more rigorously secure. To succeed, it will have to recreate the spontaneous magic of community that gives the movement its spark.

There's a lot to be said for the happy accident.

The success of Linux is one such happy accident: a University student named Linus Torvalds announced his Minix clone more than ten years ago, never expecting it to be any more than a hobby, and never expecting it to run on hardware other than 386-based systems with IDE hard drives.

In September of 1997, a college student named Rob Malda started Chips and Dips, a Weblog dedicated to technology news and whatever else amused him. To keep it simple, Chips and Dips was a set of static HTML pages, edited by hand. Soon Malda, with the help of others, wrote Perl scripts to generate pages from a template, and Slashdot was born.

Today, Linux runs on well over ten million computers, from handhelds to mainframes, and Torvalds is as much of a superstar as any humble, self-effacing geek can be. Industry titan IBM has pounced on Linux as a tool for real business, and smaller companies such as Red Hat make money by building on top of Linux.

Today, Slashdot exists as part of OSDN, itself part of VA Software, and boasts tens of millions of page views per month as it promotes open source software and a wider geek culture.

But for security, happy accidents are not enough; most security accidents are distinctly unhappy, as flaws are found when code is used in unexpected ways. And most flaws are still detected by people who set out on the hard road of reading code and looking for them.

In the essays collected in his book The Cathedral and the Bazaar, Eric Raymond attempts to encapsulate the collective wisdom on how open source projects can be successful. His prescriptions include releasing a preliminary version first, and then gratefully accepting improvements to your not-entirely-sufficient original.

Can the immense popularity of open source culture, as demonstrated by Linux and Slashdot, be harnessed to improve security? Enter Sardonix, WireX's noble security experiment.

Headed up by security guru Crispin Cowan, part of the team that developed Immunix's products, including StackGuard, FormatGuard, and others, Sardonix will attempt to encourage security audits of open source software by building a Slashdot-like community site where users can submit audits of source code.

Users will be rated on the quantity of code audited, and on the quality of those audits, using a formula still to be determined. The elements of this formula were heavily debated on the Sardonix mailing list, and it remains to seen how Sardonix will work.

In an email interview, Cowan suggests that he will post his summary conclusions as early as this week. Next week, the Sardonix team will begin implementing the site code, and they will go live whenever the site is ready.

The Sardonix idea seems promising. Outside of the wisdom of opening up the idea to criticism before an implementation is available, it seems well thought-out and done very much in the spirit of the culture it is trying to harness: the project's name is an invocation of the cynical, angry Slashdot posters who can now have a chance to apply their cutting wit to poorly-written software.

Crispin Cowan admits that it's not entirely clear that the approach will be successful. "This is a research project," he writes, "'Will the people come?' is a primary research question. 'Will their efforts actually help security?' is another, and 'Will anyone listen?' is another."

Another question is why anyone would believe that the "First Post," do-nothing Slashdot posters could accomplish any worthy goals. There is, of course, interesting commentary posted on Slashdot; the challenge is in separating the wheat from the chaff.

Community Building
In fact, Slashdot's scoring system, which serves as part of the inspiration for Sardonix, was intended primarily as a filtering mechanism, to weed out the "Natalie Portman in Hot Gritz" and "First Post!" comments that would otherwise overwhelm useful, topical discussion.

It's an open question as to whether this sort of moderation system can be applied to both build interest in a community and to spur constructive individual participation in that community, but both Advogato and Everything2 suggest that such a thing might be possible.

Perhaps by framing Sardonix primarily as an experiment in virtual community, rather than as an experiment in computer security, Cowan and the rest of the Sardonix team can claim some measure of success. After all, building communities intentionally is more difficult than working communities that developed through happy accidents, like Linux or Slashdot.

In part, this is because it's easier to measure failure than it is to measure success. For each success of a Linux or a Slashdot, there are any number of sites and projects that fail to catch fire. But by not announcing their intention to grow without limits, they can avoid the charge of failing to live up to their lofty goals.

By not setting out to capture any particular segment of the population, Sardonix can claim any group of people converging on the project as a success.

Sardonix needs to gather together a small, specific slice of the open source community, and to convince them to work on less-exciting aspects of software development solely to gain the respect and admiration of their peers. This is a tall order for anyone.

In the end, however, an experiment is not successful because it produces a particular set of results, but when even in "failure" it adds to the general knowledge on the subject. There is no doubt that Sardonix can do this, and with any luck it can produce comprehensive audits of at least some open source packages as well.

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus