
Open Source Sucks

Yeah. I have a real love/hate thing with open source.

Oh, not the idea of it, that I unequivocally love. But the reality of it can sometimes be another matter.

I use open source, don't get me wrong. I've released stuff into open source. And like the internet itself, when it's used for good... it's great. When it's used for evil... it's EVIL.

This site, for example, runs on Drupal. And Drupal is open source, and it has vulnerabilities. These get patched, but the act of patching sets off this nice little cascade:

1. Drupal announces patches to fix security problems
2. Hackers look at what was fixed (readme + diff of source) and figure out exploits with little effort required
3. Software scans Google looking for Drupal sites and then auto-hacks each one it finds

This all happens moments after a security patch is released, and before poor site operators can react to it. This site was one of those that got hit, and not only was a phishing exploit installed on it, but Google detected it and (helpfully or not) blacklisted Critical Thought Games as a phishing site.

Sigh.

Naturally I've corrected the problem, and requested they remove me from their list... but I have no idea how long that'll take. In the meantime, anyone coming to my site will be told I'm a big fat security risk. In the sense that I use Drupal (or anything like it), I guess that would be generally true.

But it's only true because of open source. The argument is that Open Source projects would be more secure because you have more eyes looking at the code. That theory is not backed up by the realities on the ground. The realities on the ground are that Open Source platforms get used a lot, and that means that a single exploit can be leveraged into hacking a hell of a lot of sites in one go. Whereas a site that is all proprietary code means that exploiting it is probably a one-shot deal for the hacker. The laws of economics are at work here. Unless that one site is big, like Amazon or something, it's not worth the effort relative to a sweeping hack of all the one-rev-behind Drupal, Joomla or whatever sites.

Open Source, in practice, can sometimes really suck. But since I knew this was a possibility going in, I can't claim it was anyone's fault but my own.

Comments

I feel your pain. It's the

I feel your pain. It's the same with Wordpress and other popular open source CMS and blog engines.

Some days ago I read a blog post explaining step by step how some smart geek was able to scan for vulnerabilities related to the installed versions of Wordpress and PhpBB on a UK celebrity's website, and successfully gain access to write and run anything on the webserver (which was a linux machine running apache) AND his Twitter account password (from a Twitter widget in the website).

My thought on the matter is that open sourced software needs at least twice the tinkering over security as closed source stuff. Of course NOTHING these days is REALLY secure, but some common mistakes being pushed in new versions really angers me.

The scene as it is now values features and shiny widgets over security, and that is where the sin lies.

What pains me more, though, is the other option: security from secrecy (is this the correct term?) sounds so... cheap...

I think what you're talking

I think what you're talking about is not a factor of open versus closed source software. It's a factor of popular software. Do you think windows security patches don't see the same type of exploit within hours of their release?

And you've obviously not gone to this extreme, but rolling your own CMS -- even if you know what you're doing!!! -- is almost never as secure. You just won't see the holes in your code until you're a target for someone. But the minute you are... forget about it. You'll be installing some open source CMS hours later (assuming you're lucky enough not to have taken your host down with you).

Remember: "Every program has at least one bug and can be shortened by at least one line. Therefore, every program can be reduced to one line which does not work."

Google seems to have accepted you.

FWIW, I got to your site today (Feb 5) via Google, and there was no mention of a security threat, so you're probably in the clear now.

P.S. I am undecided about the iPad, but if you make a GeoDefense Swarm-like game for it using all that screen real estate, I will absolutely have to buy one.

Google

Yeah, it cleared up. But it only takes a momentary breach of security and you are Google-banned once again. :)

-- David

iPad version

Ditto the iPad comment. GD Swarm would be awesome on an iPad (I bet).

Try an alternate CMS

I think Leo Laporte (TWiT) is moving from Drupal to SquareSpace so he (his team) doesn't have to manage their installation. Several prolific bloggers have rolled their Wordpress blog under Wordpress.com control because the patches are applied ASAP. Anytime you have to manage something like this yourself, you have to stay on top of it 24/7. It's easier to have someone else do it for you, in this case, so you spend time making awesome games instead of patching your site. My 2 cents. Good luck, whatever you do.

Alternate CMS

I'm starting to agree. It's a major, major pain.

-- David