Million eyes


Do a million eyes make all bugs shallow?

That is the promise of the transparency ethos underpinning ‘Open Source’ approaches in software development which is a great example of Open Secrets. Jesse Emery, as a part of his piece on “How to Keep Your Software Awesome,” advocated an Open Source approach as one of his main prescriptions.

A fundamental and philosophical debate rages about the most secure way to build a software system. One question about security architecture asks “Is it better to try to hide weaknesses from the bad guys or try to expose weaknesses to the good guys?”

In essence, all security ‘holes’ are a race between the bad guys finding and exploiting them and the good guys finding and securing them. Think of the now constant battle between aspiring plane hijackers and airline security. When someone figures out that a shoe or shampoo bottle is a way to smuggle a hazardous item onto an airplane, then the security system has to adapt before the criminals exploit it. So, do you focus on slowing the bad guys or boosting the good guys?

Taking the former stance, commercial and ‘proprietary’ developers argue that keeping things hidden and locked away increases the difficulty for bad guys to find weaknesses. Taking the latter stance is the Open Source community (like Linux), who argue that exposing the system openly makes it easiest for people to spot…and fix weaknesses quickly before the bad guys can get to them. As it happens, I make for a pretty unbiased commentator having moved from a career at Microsoft to a company based on the Linux platform.

One might think that a blog on embracing failure would be a strong advocate of the ‘Open’ approach. The ‘Open’ approach seems to embrace and share the ‘failures’ (ie. bugs, security holes). But, my actual position is a bit more complex than that. I think you have to look at the ‘system’ not just in the frame of the particular piece of software (like Linux or Apache or whatever you are working on), but in the broader context of the Internet. Do you really have a ‘million eyes’ looking at one thing? Or do you have each eye on the Internet looking at a million things?

Now we get onto another type of failure that I have written about before – complexity. In this chaotic context where the stuff to look at starts to outnumber the lookers, the scrutiny and discernment become diluted and shallow. In the early days of the Internet, the lookers outnumbered the looked-at. But now, a decade later, the balance has flipped. The looked-at material clearly outnumbers the number of people to look at it. Hence the adage, “The Internet is a million teenagers writing poetry and a few people reading it.” From this broader perspective, ‘Open Source’ does not benefit from a ‘million eyes’ and the bugs are no longer ‘shallow’. It is the scrutiny that is shallow.

Part of the shift from many to fewer eyes is economic. The early days bring a ‘Gold Rush’ hype which draws in a high number of ‘eyes’ looking for the gold. The forty-niners certainly made all of the easy gold ‘shallow’ in the California gold rush. But eventually, the promises of wealth dissipated as the gold available was considerably less than the number of those looking for it. A similar phenomenon happens in Online Communities. A number of people bring their ‘eyes’ with the motivation of making money. They hope to turn their expertise and exposure into lucrative consulting. As that space gets more and more crowded and those contracts become less and less available, they take their eyes elsewhere. Admittedly, the truly passionate hobbyists persist, but that is a finite number for what is an endlessly growing set of things to look at.

While the concept of a ‘million eyes make all bugs shallow’ is valid, the practical reality is that, especially after the gold rush surge, longer term ‘a million bugs make all eyes shallow.’