Network security and the federated social web
I woke up this morning to news of the onMouseOver XSS attack that was running through Twitter at the time. Users of StatusNet should be happy to note that the bug does not seem to affect our software -- even for notices imported from Twitter. I wanted to take this opportunity to discuss security issues in a federation context.
Firstly, kudos to Twitter engineers for identifying the problem, fixing it, and rolling out new code so quickly. An exploited security flaw in a production Web environment is extremely hard to deal with, and it's impressive that they handled it so well. Bob Lord's blog post covers it in detail.
It's easy to criticize Twitter for having the exploitable bug in the first place; it's also unfair. Anyone can see a bug after it's been revealed and exploited. Identifying latent bugs in an existing codebase is a maddeningly difficult effort. Making bug-free, secure code is a process, not a final goal -- there's always one more thing to fix, one more test to run, one more complex conjunction of different factors that results in an error.
There's nothing magical about Free and Open Source software to keep these kinds of problems from popping up. Linus's law ("given enough eyeballs, all bugs are shallow") does seem to cut down on the severity of problems, and there's a great advantage in letting security analysts see affected code so they can provide fixes as well as reports of problems. But I don't think any project should claim security benefits just because their software is open source.
At StatusNet, we've had several security alerts; we've tried to be proactive about known issues and get them fixed before they become problems. I can't commit to never having bugs; no one can. But I can commit to a culture of continuous improvement, responsiveness to reports from security experts, and transparency about problems with the software. Our record so far has been good, and our reputation and relationship with security pros seem strong; I'm committed to continuing to earn them both.
One advantage that we do have over Twitter, in this regard, is a heterogeneous network. Just as disease-causing microorganisms rarely attack more than one host species, networks of mixed codebases and databases are more resistant (but not perfectly resistant!) to attacks by digital worms and viruses.
Using the standards in the OStatus suite, users of StatusNet can follow other users on Google Buzz, Posterous, Tumblr, WordPress, as well as the tens of thousands of sites on the status.net cloud service and the thousands of public StatusNet sites on the Internet. Simply put, it is exponentially harder to make and propagate malware that attacks many different platforms, with many different account databases, all at the same time. A single compromised site poses limited danger to the rest of the network.
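One concrete defensive practice behind keeping notices imported from Twitter or any OStatus peer inert, as an added illustration rather than StatusNet's own code (the sample notice, `render_notice`, `naive_linkify` and the `only_expected_markup` check are all constructed here): a renderer that escapes the entire remote notice and builds anchors only from http(s) URLs it matched itself, shown next to a naive linkifier whose unescaped `href` lets a quote inside the URL terminate the attribute.

```python
import html
import re

# Constructed sample: a remote notice whose "URL" carries a quote with an
# event attribute after it, the shape of markup that must never go live.
SAMPLE_NOTICE = 'see http://example.com/@"onmouseover="evil()" <b>now</b>'

URL_RE = re.compile(r'https?://[^\s<>"\']+')   # quotes/brackets end a URL
NAIVE_URL_RE = re.compile(r'https?://\S+')      # anything up to whitespace

def naive_linkify(text: str) -> str:
    """Assumed defect for contrast: the matched URL is dropped into href
    unescaped, so a quote in it closes the attribute and what follows
    becomes live markup. The rest of the notice is not escaped either."""
    return NAIVE_URL_RE.sub(
        lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)

def render_notice(text: str) -> str:
    """Escape the whole notice; emit anchors only for URLs this code
    matched, with the URL escaped as attribute value and as link text."""
    parts, pos = [], 0
    for m in URL_RE.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="nofollow">{url}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts)

TAG_RE = re.compile(r'<[^>]*>')
ANCHOR_RE = re.compile(r'^<a href="https?://[^"<>]*" rel="nofollow">$')

def only_expected_markup(rendered: str) -> bool:
    """Output-side check: the only tags permitted are our own anchors,
    so any attribute or tag smuggled in through notice text is caught."""
    return all(t == "</a>" or ANCHOR_RE.match(t)
               for t in TAG_RE.findall(rendered))

if __name__ == "__main__":
    for fn in (naive_linkify, render_notice):
        out = fn(SAMPLE_NOTICE)
        print(fn.__name__, only_expected_markup(out), out)
```

The same `only_expected_markup` check can run as a regression test over every template that renders remote content, so a later change to the linkifier cannot quietly reintroduce the attribute break-out.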
As federated social web technologies and software continue to roll out, I hope that security issues play a part in the public discussion of their advantages. The more important social software becomes to our work and personal lives, the more dangerous the kind of attack seen today becomes.