[This was originally published on attrition.org. This is a rebuttal piece to Small Office, Big [Software/eHealth] Problems (2010-11-18) by @wh1t3rabbit (Rafal Los).]
I’m not saying that open source sofware [sic] has more issues than commercial, closed-source code …but I don’t think I’ll find anyone to argue against that it’s more difficult to find corporate-level accountability with open-source software especially if you’re a business.
Two words: Red Hat. Being a security pro, you are surely familiar with Red Hat right? You familiar with their effort to handle security issues? Red Hat’s team, and in particular Kurt Seifried and Mark J Cox have been outstanding in managing vulnerability response, quickly assigning CVE identifiers, and responding to questions about vulnerabilities. Cox also serves on the CVE Editorial board, and Red Hat is a CNA that has issued a significant number of identifiers to better organize and manage vulnerability disclosures.
Let’s just say I’ve managed to review some of those packages and can tell you for a fact that you can drive a Mack truck through every single one I’ve evaluated. There’s a good, long, list of some of them on the Wikipedia here.
So you have evaluated open source medical packages, yourself, and found significant vulnerabilities in them. How many have you disclosed to the vendors? Which vendors? Surely one of them have resulted in a bug report, mail list post, changelog, or vendor advisory that credits you. Yes? Please, show your readers these links please. If you can’t show me a link to a vendor or VDB that credits you for a vulnerability being fixed in this software, I call bullshit. Meaning, if you can’t back this claim, you are flat out LYING. Put up or shut up here Rafal. Any excuse about not disclosing these “mack truck-wide holes” will be met with instant derision. You posted this two years ago; at least one of these vulnerabilities will have seen the light of day.
Obviously to protect those who are using these platforms I’m not about to tell you which ones are “hole-y” and how bad… but the situation is dire.
This is pure charlatan at work. You won’t tell your readers, fine, I get that. Two years Rafal, you damn sure have better told the vendor so they could patch it. Please show me at least one vendor that acknowledges your vulnerabilities. And let me emphasize, your vulnerabilities. Not the HP web app testing team, not HP in general, but you by name. If you can’t, that means you are sitting on potential vulnerabilities that could have been patched. Instead of working with a vendor to get these vulnerabilities fixed, you used them as silly blog fodder to boost your own image, if you really found any. If that is the case, let’s make it very clear to the rest of the world, researchers in particular; Rafal has set an example, and demonstrated that vulnerabilities are not to be shared with the vendor. They are to be used to pimp themselves and their company, to boost sales and corporate image.
Please Rafal, prove me wrong. I manage a VDB with more vulnerabilities than any other in the world. I deal with vulnerabilities by the hundreds a week. I personally scour changelogs, bug trackers, advisory archives, and reach out to vendors to make sure OSVDB has as many vulnerabilities as possible. The odds of me not running into your name are slim. Then consider that I spent weeks combing medical security papers to find additional vulnerabilities, focused on medical vendors, and even searched the FDA database looking for product recalls based on software vulnerabilities. What are the odds that you discovered vulnerabilities and had them fixed, and I wouldn’t run into your name? Slim. So please, prove me wrong. Show me any vulnerability you found in 2010 for a medical related software package, and show me the corresponding changelog, advisory, or disclosure. If you found that many vulnerabilities and sat on them, without disclosing, then you rank up there with the more unethical charlatans I spent years exposing.
… therefore when you use one of these poorly written open source platforms you probably won’t be testing the security of what you’re implementing. As a result of this – you’re putting your practice and your patients in huge risk!
What do you have to say about the closed-source, commercial offerings, that have just as many vulnerabilities? How about the fact that many are exposing patients to life-threatening conditions because of vulnerabilities? There are at least 63 documented public vulnerabilities in medical software or hardware, none have your name attached. Kevin Fu, Barnaby Jack, and others show up frequently. Why no ‘Los’ in the creditees? At the very least, you should be able to show me some vulnerabilities in OpenEMR, the low-hanging fruit of the medical software world.
I’d like to urge you to take a look at your practice and if youre using an eHealth or eMedical platform that you’re not 100% sure is reasonably secure – send me a note. I don’t often blatantly advertise “Come talk to us” but your patients are depending on you to do the right thing and keep their privacy and security in mind.
The bold in that quote is your emphasis. Are you really pandering to companies that use open source medical software, suggesting that they should retain HP’s help in fixing security issues, lest their patients experience breaches and other “security” issues? Are you doing this on the back of claiming to evaluate medical software, yet having zero disclosures of medical-related vulnerabilities?
Rafal ends the blog with a warning to his readers; “Go test your eHealth applications… before you get a “free” test from someone who won’t likely share the results, and will keep the data.“
This goes well beyond sleezy sales, and beyond what some documented charlatans do. This is downright disgusting. HP should be ashamed.
[Follow-up: Alan Shimel at Network World had some of the same concerns I did, and wrote a rebuttal of his own in which he calls out Rafal on several points. In it, he specifically asks “Is this just FUD being spread by a company that offers commercial E med packages or are open source apps really less secure than their commercial counterparts?” and then states “So, I know Rafal and know that if he is writing that these open source apps have some holes, he has found them and they are there.” Great! That means Rafal providing proof of these claims should be no problem.]