Is Open Source Fertile Ground for Foul Play?
jsrjsr writes "In an article DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
I wish people would use any kind of proof with this type of article... but I suppose they can't.
:P
"Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."
And of course there just CAN'T be any guard against the actual program being implemented differing from the publicly available source...
"I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."
And when those holes are discovered, they aren't published at all. And the proprietary owner has a far more difficult time finding these existing holes themselves. And most of all, there's NOTHING STOPPING THE PROPRIETARY OWNER from implementing this same type of worst-case scenario the author of this piece describes, and an even smaller chance of discovery by outsiders. Sheesh.
'You get what you pay for'?
Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.
There might be security concerns with Open Source (he, most interestingly, doesn't go into security concerns with closed source or compare track-records); however, Russell is trying to pull a fast one as this is a different (and, I'd argue, wrongful) criticism of OS.
RD
Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...
I watched C-beams glitter in the dark near the Tannhauser gate.
The whole thread that will light-up in response to this old chestnut!
"Flyin' in just a sweet place,
Never been known to fail..."
I am a small business owner, we deal mostly with office supplies. Last week we fired our two software guys and switched to open source, which is free, and I don't have to pay a dime.
i disagree....if there is a security hole, those implementing the software would ideally know enough to pick up on it fairly quickly. i mean, they do have the source, after all...
xao
http://TheHillforum.hopto.org
Everything he claims can go wrong with open source can go wrong with closed source, but with closed source you have fewer people watching to catch malicious code additions before stable release.
Bosh. Open source project leaders - especially the leaders of popular projects - don't let just anyone have write access. Also, commits almost always go to a mailing list to be reviewed by the other committers and lurkers.
And of course, there's no way a commercial product could be infiltrated by someone who wants to inject harmful code. Impossible!
The Army reading list
1) Write bogus article that will enrage slashdotters. Slashdot, being knee-jerk as it is, posts it to the front page.
2) Get a bazillion hits.
3) PLOFIT!
Sounds familiar, I seem to remember someone else saying that...
"You get what you pay for after all." --
openbsd.
Releasing this kind of rhetoric just days after the latest MS security fiasco would be funny - if the reality wasn't so sad...
Closed source software, because of its very closedness, will inevitably lead to security concerns. This makes adoption of closed source software by governments particularly worrisome. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get if they fail to switch to open source software.
I doubt Microsoft will ever write software for Linux, but it's inevitable that things like Lindows will forever strive to make Linux as easy as Windows because that's essential for Linux to take over the desktop market.
However, with that, some of the inherent security of Linux fails. Imagine an e-mail client that will execute a binary attachment with no questions asked because the user double-clicked on the pretty icon. That's how MyDoom spread on Windows, and basically, it's the fact that the current setup for Linux makes it hard to execute something new that makes people realize what they have before they run it...
As soon as we have pretty looking greeting card executables that run on Linux, the downfall will be what comes next...
Please cite some specific examples Mr. Jones.
I mean, there is a whole friggin lot of open-source out there, there's bound to be a few examples of the problem? Right? Right???
The ratio of people to cake is too big
When you rely on high cost Microsoft products, you often get the shaft, and that, in my opinion, is exactly what governments are getting.
Right, as opposed to what they've been getting with expensive Microsoft products.
Which is of course a quality and secure user experience which allows their IT staffs to concentrate on implementing the needs of the users rather than having to waste time running around and dealing with testing and implementing frequent patches and plugging security compromises and cleaning worms off of users' machines.
Right?
He might be right. If governments switch from Windows to open-source OS, they might open their computers to the possibility of being infected by worms, virii, and trojans.
Don't blame Durga. I voted for Centauri.
Netcraft says that his server (running IIS) has only been up for 2 days.
I wonder if he's getting what he paid for.
Wow, an insightful first post.
This day will go down in history.
All these great replies, these reasons why Russell is wrong, will never be read by the public because they're stuck in /.
Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."
Do it doug.
after reading this article only one thing comes to mind... CRACK IS WHACK!
and what better way to draw techies to your website, write an article disparaging Open Source so Slashdot will pick it up!
No, Thursday's out. How about never - is never good for you?
You get what you pay for? Ok, if they think they NEED to pay for proven software, then they can pay Redhat for their Enterprise line of products. Pay or not, it's 100% better than running Windows in my opinion. Of course, the site that hosts my online banking runs Windows 2000 servers, and I haven't seen them have a problem yet, but I'm guessing if they did, they wouldn't let anyone know anytime soon. :-/
Can all fish swim?
..open source has always been a controversial issue.. here is an interesting article on the debate "GPL Good, Commercial Bad..." It cites GCC as an example of how destructive OS can be in that it removed the market for any other type of compiler. Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world? It is now almost an integral part of any distrib.
Thoughts?
Tim
tim
He's a genius! This is actually a clever critique of the very dangers of closed source software, just disguised as a moronic attack on open source.
Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.
I mean, this can't actually be an argument that closed source developed by a "core group" that "won't make the corrupted version public" is more trustworthy than open development where anyone can see the code. Right? Right?
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
This is simply the worst piece of FUD concerning Linux and OSS in general that I've ever read. And it's coming from the "Executive Editor" who should have taken a look for some actual examples of what he's talking about. The entire article is random speculation that "bad things can happen" with OSS because people can modify the source and he should be ashamed of having written it: unless of course he's being paid to write propaganda.
During a week when Microsoft admits it sat on the worst flaw ever for 6 months, and MyDoom and friends are rampaging around it's shameful to see an article written with so much fear and so little substance. He even manages to say that OSS might be used by terrorists against the US (although he doesn't use the word).
An absolutely disgusting piece of "journalism".
John.
From the article:
"Instead, the security breach will be placed into the open source software from inside, by someone working on the project."
That's just as likely to happen in a closed-source project as an open source project. It is, however, much more likely that this kind of activity will be discovered in an open-source product since anyone and everyone can look at the source to see it.
While the article mentions that the exact attacks that you say could happen in open source software could also happen in closed commercial software, I find the "barriers to implementing them are much higher" concept to be absurd. Just as the article says the core Linux kernel is tightly monitored, so is the software from Microsoft. However, when it comes to smaller products, products that I have worked on, I would have to chuckle at the naive view that somehow closed source is "better protected". Most smaller companies that I have worked with are *far* more interested in getting a product to release than checking for backdoors. Testing is for failure modes, not for subtle pointer errors that open the code to obscure exploits.
In open source software, the maintainers vet patches by peer review before admitting them into the main product line. Likewise, closed source products are peer reviewed, but by a much smaller team, who probably have much more similar agendas than people flung across the globe. Either could be compromised. This exact same article could have been entitled "Software Is Fertile Ground for Foul Play". The concern that backdoors exist is the reason Asian countries have been suspicious of Microsoft's closed source software. To assuage those fears, Microsoft provided the source code for review. If this review is successful in showing that no backdoors exist (and I have no idea how they can tell that some unobtrusive code isn't deliberately flawed) then surely open source can be equally reviewed, if not suffer a more stringent review by opening the question to the open source community within the country in question.
The security that closed source promises by "protecting the source" is security through a promise by a potentially hostile vendor. The security open source promises is the vigilance of those who review the code. I don't see how one is better than the other, but I surely don't see how closed source is going to make a potential target feel better than if they could review the source.
Sig under construction since 1998.
This is the type of argument you get from a lawyer, a technophobe or someone with a vested interest in being anti-open source. Arguments generally center around "security" "support" and "accountability".
One, Microsoft software, the most popular "closed source" software in the world, is rife with security holes. While the most popular (arguably) open-source software in the world, Apache, doesn't strike me as being terribly buggy *or* full of security holes. For instance, I don't have to update my apache software once a week.
Two, often for popular open-source products there is plenty of free and timely support. Advantage is also to the qualified technophile, who can support his or her own software, and not rely on the timetables of vendors.
Three, accountability. What has Microsoft *ever* been accountable for? Viruses? Bugs? Data loss?
I, for one, welcome our new open source overlords.
The problem with Open Source is that there are no controls as to what someone may program. You know I've seen WarGames, I know what a back door is. Also a question of accountability. I hate to say it but for some things I am forced to trust Microsoft, not because of the quality of the work but for the accountability that they are held to. They have to make a semi-reliable and safe system or else they go out of business. This ensures the proper cycle of software development and testing.
Mod story down (-1, troll).
Can we please stop letting people use slashdot to increase the hit rate on their articles in order to make themselves seem relevant to their bosses?
Fred moody, the infamous anti-Linux ABC News columnist, was doing the exact same thing four years ago. In fact, he was writing on pretty much the same subject, that Open Source is insecure and untrustworthy by its very nature.
Those who do not study history are doomed to repost it.
lynx --head www.devx.com
produces
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 12 Feb 2004 21:07:24 GMT
Content-type: text/html
Page-Completion-Status: Normal
Page-Completion-Status: Normal
Page-Completion-Status: Normal
[Yes, that last bit repeated three times].
I can only wonder why they would write an article like this, oh, I know, they're full of shit MCSE "developers" getting pissed off at all the attention OSS has been getting lately.
Tom
Someday, I'll have a real sig.
Open Source Is Fertile Ground for Foul Play
The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.
by A. Russell Jones February 11, 2004
An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.
This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
How Can This Happen?
The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably hi
Quality, performance, value; you get only two, and you don't always get to pick.
Heh this is just plain FUD, nothing else to see here move along.
Yeah, OSS software is at risk of exploits, but he's neglecting the fact that once geeks realize that they can't compile the open source version to the binary, a red flag goes next to the binary. And if the binary starts doing malware things, then that binary goes down in flames, and the project will immediately fork with the last released source.
I wish people would use any kind of proof with this type of article... but I suppose they can't.
Who needs proof when you have FUD? See also SCO.
Besides that, Open source in government doesn't necessarily mean using the latest homebrew word editor from the guy down the street. It means governments can make their own applications, or their consultants can do so, and that source will be available to the government so that if they don't want the current consultant and want another group to come in, they can easily have the source code of the existing project available for the new team.
Certain aspects of Open Source just make sense for governments. If tax payers are paying for the development of systems, shouldn't the government (hence the taxpayers) own what's developed with their money? They shouldn't be under the yoke of some proprietary consultant firm or vendor.
Remember, open source doesn't always mean sharing the code with EVERYBODY.
I mod this article +1, Flamebait.
He argues that open source software, because of its very openness, will inevitably lead to security concerns.
Well, thankfully Windows is closed-source, or else there'd be security issues wi-- oh, hang on a sec.
devx.com
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 12 Feb 2004 21:06:06 GMT
X-Powered-By: ASP.NET
In other news, the devx.com website was found lying in its own blood and excrement after being linked from Slashdot.ORG today.
it's called peer review. go read about it.
I believe every word of this article because A Russell Jones certainly has no vested interest in Microsoft based web solutions.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
it currently has a score of 2/5. Once the /. effect is done we should all create an account and rate it as low as it can go.
I seem to remember there was an easter egg flight sim program that got into Excel somehow.
If closed source is so safe, how could this have happened?
Further, if that happened, how do you know that other more dangerous items haven't also been included in the windows products??
It's just troll feed..
Why has this even been posted? It's been accepted for a long time that security through obscurity doesn't work, and this is effectively what he's arguing for. -1 Clueless.
If I seem short sighted, it is because I stand on the shoulders of midgets
I wonder just how much Microsoft and SCO paid him to write that article! :)
Once again, people are confusing obscurity with security.
Sigh.
Ben
"There are no such things as mutual fantasies. Yours bore us and ours offend you."
- Bill Maher
Aah, the sweet sweet tones of language in the hands of a master. What subtlety, what charm, what wit. Prithee kind sir, wherefore is thy prose, thy grasp upon the fundamentals comprising the very art of speech itself?
English Grade: C-, should learn not to use informal language when making a formal argument.
Cheers,
Ian
I read the headline and instantly thought of SCO arranging a hit on Linus...
"One, Microsoft software, the most popular "closed source" software in the world, is rife with security holes. While the most popular (arguably) open-source software in the world, Apache, doesn't strike me as being terribly buggy"
It all comes down to a choice between Apache and patchy, doesn't it?
Don't blame Durga. I voted for Centauri.
You may pay nothing for Linux (for example).
But you also pay $0 to MicroSoft to insure you against bad things happening to your computer/network.
The only thing you pay for with MS is basically that it will install an OS on your system. Read the EULA, they don't guarantee much else, and they certainly take no responsibility for things going wrong.
t
We shall see who has the last laugh.
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be.
:-).
*Deletes 40 zillionth mydoom attachment in his inbox*, and I suppose other operating systems are more secure...what exactly are you suggesting we do about the lack of security in today's OS's? Linux, Windows, Unix even have all identified security flaws in their time...
What can we trust in code? You mention it right there Mr. Author, we can trust the latest and greatest stable Linux kernels, but if you install a test kernel, or some hobbyist lil' app from the remote corners of the open source world on a production server, you get what you deserve. Incidentally the same goes for Windows: WinXP with the latest Service Pack is definitely more secure than any test versions of their OS's, or even the initial RTM builds of their operating systems. What gets deployed in a production environment...well duh....
The author says:
[Snip] Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
I suppose we trust Microsoft, SCO and IBM more? Puh-leez, if you need a totally secure OS, you're best off hiring your own programmers and starting from scratch, and hoping they're as secure as anyone else, oh wait can't trust them either...never mind just build an OS yourself then...
Ok I'm done ranting, everyone else's turn
...in bed
What the original article misses is the incredible value of transparency. That anyone can examine the code for potential exploits makes open source far more secure.
Until the public can obtain a copy of the source of Windows, voting system software, etc. under FOIA (Freedom of Information Act), I suggest that governments (and others) consider the hidden insecurity of proprietary software. For closed source, it is too easy and too tempting for companies to attempt to hide exploits, bugs, and backdoors.
Two wrongs don't make a right, but three lefts do.
He's 100% correct.
I always put back doors in the commercial software I write... but never the open source... I don't want to get caught!
Anybody who knows how to crack a DLL can peel away all functionality and NOT having the docs actually helps.
You see what the people really wrote instead of what they meant to write.
His argument is old and worthless.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
A number of governmental institutions have chosen Linux not because it is free, but because of another distinct advantage: because it is open-source, they know what they pay for.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
What a hilarious opinion. It brings up the point of who really pays for open source software... The concept behind it being that everyone pitches in and does their part. The cost of these projects is TIME. People are spending time for minimal or no pay and with major distros, many many many more people put in time than any software company can afford to put out. Here's another cliche for you, "Time is money".
As for security concerns, yeah, malicious parties can view the source. But so can interested parties that are probably smarter than the script kiddies who can discover a bug and hammer away on it.
This article should be modd'ed "Flamebait"
This problem isn't new. In fact, it's far older than any computer technology.....You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves.
In other news, there is no news.
--AC
From the article: "IT Insiders could put their own malevolent code in the product and ship it." Well, that's not much of a concern right now. They just ship Windows, and they don't have to worry about placing security holes. They come by default!
Anyone can modify an open-source project. That means I can modify it for my own needs, and even release that code. He fails to understand that that concept does NOT mean that everyone in the world has write-access to the project's CVS server. Sounds like a MS "unbiased survey" article.
The author completely ignores the storied history of exactly this kind of thing in closed source software -- only these backdoors are called 'features' or 'easter eggs.'
We need a new term for this kind of journalistic troll.
-- Cheers,
-- RLJ
Joe Barr already has an article responding to this FUD. I personally feel these sorta FUD articles are outdated. With IBM, HP, and others already showing large profits from taking advantage of open source, you would think they would come up with something that isn't drudging up arguments from 1998.
Awesome!
You're too late. You wasted your opportunity with your GNAA post. Because of the lost opportunity, your troll arrived long after "the flaming started". One troll at a time.
You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.
Is he implying that there is room up there for another shaft?
or with closed source, it really should be - you pay for what you get.
c'mon, this article has to be a joke.
closed source has all the problems of OS, and more, not vice-versa. you can at least review the code of a program before implementing it, and even if you don't know how to code, there's thousands of other users surveying the code as well for errors. the OS community wants OS to look good - sure there are some people in it that probably would/have coded a backdoor here and there, but that's few and far between - especially compared with the people writing exploits for commonly used closed source applications...
From the article, annotations added by me:
>Malevolent code can enter open source software at several levels.
1. >First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
Not likely indeed. Moving on.
2. >Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Organizations using Open Source Distributions generally purchase a vendor-supplied copy as well as a support contract.
As an aside, do you suppose non-US countries that use Microsoft products are concerned that Microsoft may not have their country's best interests at heart?
3. >Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines."
This isn't limited to Open Source itself. The same possibilities (and probabilities) exist for any company that uses customized software AT ALL -- at some point, you have to trust those doing the customizing, or get a third party to audit. I mean, after all, I can wreak havoc throughout an organization just by clever use of login scripts on Windows XP machines, and if everyone in the IT department is in on it, nobody else would be the wiser.
Now that I think of it, even if you're not customizing the software, you're trusting the people who make it. Does Microsoft have your best interests at heart? Does SCO? Does RedHat? Does anyone? That's why it's nice to be ABLE to scour the code -- the smartest, safest groups will obtain source code from those who write it, and have it audited by another group, and then again perhaps by another. Unless they're all in league with one another. [Insert tinfoil hat here]
So. Who's paying this guy?
1. Use open source products which you can modify if need be. For example, you can have your tech support modify it to make it better fit your business needs (compared to trying to modify your business to fit around a Microsoft software solution) or if a bug is discovered you could either wait for the development team that originally made it to fix it or you could fix it yourself. Heck, you could even have your tech guys go through the code themselves looking for security holes to fix.
2. Use closed source. If a bug appears, you're at the mercy of Microsoft to fix it. That may mean months waiting while your system is vulnerable. No way to find the bugs, no way to fix them yourself. Your business could be relying on a time bomb and not even know it. And of course, with only the MS guys looking for holes, the chance they'll miss them is greater. More eyes scanning code usually means fewer bugs. And at any time Microsoft could decide to drop the product or force you to upgrade or pay overcharged rates for licenses, all at Ballmer's whims. Going with closed source is putting your business at the mercy of Microsoft (yes, I know closed source != just Microsoft but what is easier: to type closed source or to simply type MS?)
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
You're absolutely right. People going around trolling about open source without any plausible reason is a major detriment to the cause and the software. Companies/corps are going to pick whatever works best for them and adapt/change with it to their needs and Gov't should do the same. If the security was as bad as the article implies it to be, then why haven't we seen any catastrophic security failures on any of the open source systems currently being used by Fortune 500 companies and Gov't? Hell, it couldn't be any worse than the MS systems in use.
I must bid you farewell....... "walks out amid the gunfire"
Why is this guy at all relevant? Ask my grandmother if open source software is a Good Thing.
You get what you pay for? Examples: SCO UnixWare, Windows, MS-DNS, IIS, BEA WebLogic, etc. Realization: I paid for crap!!! You get MORE THAN what you pay for! Examples: Linux, *BSDs, BIND, Apache, gcc, etc. Realization: Why did I pay for that crap??? The code from Diebold was closed, and how secure was it? Windows code is closed and I had to install a server just to keep the horde of daily patches up to date. I think that the key to secure code is not a debate of open v. closed; it is about having a programmer/company that cares about security and knows what they are doing. Hell, NetBSD is open and very secure (read: unusable). This guy is a moron.
His article and his opinions are also quite cheap. I guess we got what we paid for too :)
...but governments and organisations should be exercising a modicum of care over who they get their source and binaries from. That's what MD5 checksums and trusted sources are there for.
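The checksums-and-trusted-sources point above, as an added example that is not part of this thread: a checker for the coreutils-style "<digest>  <filename>" manifest that a release publisher distributes through a channel separate from the download mirror, run over constructed sample files (not real release artifacts) where a mirror has swapped one file, dropped one, and added one that was never listed. Entries that use MD5 or SHA-1 are reported as weak, since collisions can be produced for both; all file names and contents below are invented.

```python
"""Verify downloaded release artifacts against a trusted checksum manifest."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hex digest length -> algorithm, matching what the coreutils *sum tools emit.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# MD5 and SHA-1 have practical collision attacks: a match is still reported, but flagged.
WEAK_ALGOS = {"md5", "sha1"}


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse "<hexdigest>  <filename>" lines into {filename: (algo, hexdigest)}.

    A leading '*' on the filename (binary-mode marker) is stripped as the
    coreutils tools do. Malformed lines raise instead of being skipped: an
    entry that is silently ignored is a file that never gets checked.
    """
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <name>'")
        digest, name = parts[0].lower(), parts[1].strip()
        if name.startswith("*"):
            name = name[1:]
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: unrecognised digest {digest!r}")
        entries[name] = (algo, digest)
    return entries


@dataclass
class Report:
    ok: List[str] = field(default_factory=list)
    mismatch: List[str] = field(default_factory=list)  # content differs from manifest
    missing: List[str] = field(default_factory=list)   # listed but not downloaded
    unlisted: List[str] = field(default_factory=list)  # downloaded but never listed
    weak: List[str] = field(default_factory=list)      # only covered by md5/sha1

    @property
    def trustworthy(self) -> bool:
        # An unlisted file is as suspicious as a mismatch: nothing vouches for it.
        return not (self.mismatch or self.missing or self.unlisted)


def verify(manifest_text: str, files: Dict[str, bytes]) -> Report:
    """Check every local file against the manifest and report all deviations."""
    expected = parse_manifest(manifest_text)
    report = Report()
    for name, (algo, digest) in expected.items():
        if name not in files:
            report.missing.append(name)
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        if hmac.compare_digest(actual, digest):
            report.ok.append(name)
        else:
            report.mismatch.append(name)
        if algo in WEAK_ALGOS:
            report.weak.append(name)
    report.unlisted.extend(sorted(set(files) - set(expected)))
    return report


# --- Constructed demonstration data (invented, not real release artifacts) ---

# What the release manager has: the genuine files the manifest is computed over.
GENUINE: Dict[str, bytes] = {
    "distro-1.0.iso": b"genuine installer image bytes",
    "distro-1.0-src.tar.gz": b"genuine source tarball bytes",
    "RELEASE-NOTES": b"release notes",
}


def publish_manifest(files: Dict[str, bytes]) -> str:
    """Publisher side: sha256 for the artifacts, a legacy md5 line for the notes."""
    lines = []
    for name, data in files.items():
        algo = "md5" if name == "RELEASE-NOTES" else "sha256"
        lines.append(f"{hashlib.new(algo, data).hexdigest()}  {name}")
    return "\n".join(lines) + "\n"


def tampered_download() -> Dict[str, bytes]:
    """Consumer side: a mirror swapped the ISO, dropped the tarball, added a file."""
    return {
        "distro-1.0.iso": GENUINE["distro-1.0.iso"] + b"\x00",  # one byte appended
        "RELEASE-NOTES": GENUINE["RELEASE-NOTES"],
        "bonus-driver.bin": b"not mentioned anywhere in the manifest",
    }


if __name__ == "__main__":
    report = verify(publish_manifest(GENUINE), tampered_download())
    print("trustworthy:", report.trustworthy, vars(report))
```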
Open source development is not truly open to everybody; it is normally open to everyone who you allow to contribute code to your project. They've normally proved themselves by offering bug fixes and minor changes directly to you beforehand.
The barriers to inserting malicious code in closed source are lower, not higher. Many an engineer has inserted a backdoor in his code which he surreptitiously used to help customers who lose passwords or setup info. However, a backdoor is just another way for a cracker to break into the system. Also bored engineers often leave Easter eggs in their closed source, something hard to do when several thousand people may review your code to see what makes it tick. In mainstream projects like the Linux kernel, the bar to being allowed to contribute code is quite high, and your initial attempts are likely to be looked on with scorn by other project members.
As for costing huge amounts of money, one wonders what MyDoom has been costing owners of that wonderful example of closed source software - Windows.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
His criticism reminds me of a speaker at a recent IEEE meeting at my school. She talked about the work environment, and some nuances of how to act or not to act.
One interesting thing about the contracting company she runs is that if you charge more, you get more business. The thought here is that companies think that since this certain company costs more, it must be better. Obviously though, she did not get smarter by charging more, only richer.
That is the thinking that this fellow is using: charging more must mean it's a better product. Sadly, he is in a large part of the population that does not understand the Open Source community, or business models. His view is outdated, and frankly, wrong.
Besides, what other companies besides M$ find a huge hole in all of their flagship products, but fail to patch it for close to a year?
Kinda like Kazaa huh?
Where exactly is the logic in this? In the open source world, at least there are "watchers", and you have the ability to "watch" yourself, or at least pay someone to review the code for you if you don't have the ability. This isn't the case with almost all commercial software. This reeks of FUD and is poorly written.
you might remember from other high quality works, like...
.NET with VB .NET, Visual Basic Developer's Guide to Asp and IIS,
Mastering ASP
and...
How To Kill Penguins With Broken Shards of Windows.
*YAWN*
http://windows.scares.us
Move! Move! Move!
doing best voice impression of buddy from full metal jacket
The marginal cost of all software is almost $0, because it costs almost nothing to copy bits.
Just because Microsoft gouges you $X to do that copying doesn't mean that the bits are of any greater quality; Microsoft has poured loads of cash into developing its products, and the Free Software / Open Source folks have poured loads of volunteer time (and sometimes, cash) into developing their software. You might look at the amount of effort that has gone into creating each, and then try to apply the get-what-you-pay-for adage to that, but applying it to the price of the box on the shelf is ludicrous.
Quick, do an Amazon search for "A.Russel Jones" (the author of the devx article).
Visual Basic book, asp.net in C# book... looks like Mr. Jones is up to his ears in non-open source work. I hate having someone that has no background in something condemning it.
It's like someone who is an ASP developer condemning Java before even coding a lick of it.
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Having read the full article, I have to say that this is one of the most annoying pieces of writing I've read in quite a while. The author of this paper is assuming some naive elitist position in a fantasy world where corporate interests can never be anti-government and where code produced by the masses is somehow 'dangerous' because it might be exploitable.
As several other comments have pointed out, there is absolutely nothing to the "foul play" argument presented in this article that could not also apply to a closed-source project. In my opinion, the major difference is that the closed-source project's flaws [and note that in this article the author is talking about deliberately introduced flaws - basically the idea that OSS projects might be converted into trojan horses], if they exist, might never be discovered at all. If I buy a copy of Windows, I have absolutely no clue whether or not any such flaws exist, but more importantly, I have no way to check because I can not examine the source code. At least with open source software, if I suspect misuse or even if I'm only paranoid, I can examine the source code myself or have someone knowledgeable [whom I trust] do it for me.
Overall, this seems to be a pretty blind and poorly thought-out attack. A pity that editors aren't more carefully edited. :-P
picpix image polls. create - share - vote. fun!
The old saying about getting what you pay for was formulated as a result of experience with commercial enterprises. Of course you "get the shaft" with "free" commercial products -- commercial enterprises don't exist for the purpose of giving things away. Companies only give things away in the hopes that you'll actually buy something.
Open Source projects, on the other hand, are usually formed with the express goal of giving something away. They have every incentive to make their products valuable and no incentive to produce shoddy loss-leaders.
"You get what you pay for," even with respect to for-sale products, doesn't mean "you get value commensurate with your expenditure". Commercial enterprises are strongly incentivized to give the least possible value for the highest possible price. Extra quality and value, above and beyond the expectations of the customer, is an unnecessary expense to a business. Competition alleviates this somewhat, but companies are still only playing to the level of the competition. Doing the very best possible will seldom if ever be their goal, in contradistinction to Open Source projects, where it is frequently the main goal.
Proud member of the Weirdo-American community.
Has this guy been following the news? Dude, Apache is the most popular web server in the industry. Blue Linux: Why would a company with the resources of IBM bother with open source?
This guy should never be allowed to write another IT article. I would be embarrassed to publish something like that if I were his editor.
There is nothing preventing the U.S. Government's workers from modifying it to make it a security hardened version. The NSA's SELinux didn't have to be released back to the public. The NSA could have forked an entire distribution and gotten it really rock solid on security. The only reason they didn't was the value in our country of the government needing to return to the public what it creates with our tax dollars.
That said, the best setup for the government is to use 3-4 platforms in each agency. MacOS X on the average desktop. Linux on many of the servers. Windows on some print and file servers. Maybe some Sun boxes for intense science work. How many times does it have to be said that a heterogeneous network is harder to take down before people stop writing this shit?
As for the argument that Windows only gets hit more because of popularity... I want to wring the neck of every person I hear saying that. It's a disgusting display of post-modernist logic applied to computers. It's the IT variation of the post-modern attitude that there are no absolutes on morals, only relative standards that vary by cultural and personal views. It's a complete rejection of the concept that two systems can be designed such that one is inherently insecure because of its architecture and that one is very secure by its design.
Click here or a puppy gets stomped!
Someone has to state the obvious...
Some of these big things in the world have been based on "free" service, and don't indeed "give the shaft": the Red Cross, public domain art work, literature, and scientific material.
Most of the stuff in life is better when it is not paid for (e.g. love/sex, friendships, politicians, a speech/event at the local social/religious gathering, directions at the gas station in a new town, a recipe from friends, etc). A visit to the "free" national/state parks can be as refreshing as, if not more than, visiting a Disney theme park.
For example, RSS encryption works BECAUSE it is widely understood. If the source being open makes a program insecure, then we would already have good ways of factoring large primes. DB
-DB-
E-mail is like a prison: a prison with no walls... and no toilet. -Strong Bad
When I first started reading the article I declared it FUD, then I read a little more into the first paragraph and thought "Inserting seemingly harmless yet malicious code into a project...not too terribly far fetched". Then I read on to discover that his examples were way further out of the realm of reason than where I was going. The idea that a subversive group would create an entire distribution expressly intent on undermining security is just sorta silly (based purely on my view that a distribution is not an easy thing to put together, let alone get people to adopt.)
That being said, I can see someone inserting malicious code into a certain program for devious acts at a later date.
Maybe the question(s) should have been:
What measures are taken to ensure that an app included with a distribution has been certified "on the level"? Is there a point ever where the intentions of an open source FTP server or Media Player (for example) are questioned?
This seems likely to be taken advantage of in the vein of adware, but "attacks" still seem possible.
Considering how much I paid to read his article.
Think about that outside the zealotry mode for a minute. I don't recall any follow up determining, "Hey this happened X_TIME ago, therefore clean programs should be reinstalled on your machine." Now I support the entire Open Source movement by all means, but think about how many include files, or other files could have been tweaked. Say low level include files, or something similar. There is no one, and I say this COMFORTABLY, no one that checks every program, every line of code on their machine. Sure you could lsof|grep -i listen every here and there to see what's what, but a covert chan can hide that. Look I don't want to get into a sysadmin/secadmin shootout here it'd be a draw and I don't care who you are, but... In my eyes, there is still a long way to go.
Take a look at cpan and some of the modules you have on your machine. How many are updated with normalcy? What about the whole sourceforge/freshmeat concept of 'sysadmining', where you find a neat program supported for what... a year? Maybe 2 if you're lucky... Sometimes it seems the cool Open Source gets, the more issues come out with it...
Every step you take... someone is watching you
MoFscker
absolutely right - 90% of all software I install on my box is compiled from source, I hardly ever use the vendor provided binaries. And I guess that a lot of other people do the same. Of course there are limits to what we can notice at a glance, but if things behave strangely, imho the first thing to do is compare the supplied binaries with binaries compiled from the available source...
What bothers me most about these typical "OS vs Proprietary" flamewars-in-waiting is when writers compare specific applications with some nebulous "Open Source" concept. You've all seen reviews that go something like this:
Open Source programs have serious problems. For example, I downloaded an Open Source command-line HTML-parser written by an undergraduate student. After feeding it random non-HTML files, the program crashed roughly half the time. By contrast, I evaluated the latest copy of Adobe Photoshop for Windows. Photoshop easily helped me modify my vacation photos, without a single glitch. Clearly, Proprietary applications are better suited for the market.
Most of the time, these writers compare all open source programs -- many of which are hobby projects -- to individual, highly-polished applications. Hardly fair and unbiased.
(now goes off to read the article)
It's interesting how he provides absolutely no evidence to support his claims. Obviously, nobody could take his stance and try to argue evidence, or else they would run into piles of evidence suggesting the exact opposite. This is sheer uninformed speculation. A couple choice quotes:
Same way people would know if someone was running a heroin production lab in the middle of Times Square. Open means open. If people create software designed to subvert security, they make closed software. Exhibit A: Gator/GAIN.
Anyone who wants to. Clearly this person has no idea how Free/Open-Source software works at all.
-3Suns
~~~~
The Revolution will be Slashdotted
The writer doesn't seem to grasp the idea that something for free also can be both safe and sound. Open != Soviet Russia!?
In that sense love, culture and the work of non-profit organizations (including the UN, scientific organisations etc.) are both evil and posing a threat to society.
Bah! If I could, I'd mod this article Troll!
The more you know, the less you need. [Admin added: from me.]
The article's author fails to realize that the very nature of OSS makes this less likely than with closed source software. Peer review is inevitable and constant in OSS and it would very likely require a serious conspiracy in order to bring the 'nefarious plan' described to fruition. Alternatively, with closed source I would very likely be the only person who ever saw my source code and believe me, beating a security audit would not be difficult.
Maybe his article should be re-written to say "prosecuting fraud in the OSS world is likely to be more difficult for Governments than if they have a big fat company to hammer..."
LOL, his arguments are ridiculously easy to deconstruct. Not even worthy of an attempt, especially since his article is entirely based upon opinion (stupidly faulty at that.)
...if you pay employees to properly set up and audit your software. No software is truly "free" for an organization that pays employees, since that software has to be installed and maintained somehow. Even for my personal use, free software is not really free because I have to spend a considerable amount of time setting it up and I do value my time (somewhat). I do get what I pay for though, because it's worth the time and effort investment to have more solid, secure, and reliable software.
I am feeling fat and sassy
Just a troll. Don't feed it.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Diebold is a perfect counterargument to this article. Here, proprietary source mixed with a documented conflict of interest has possibly led to intentional security backdoors with the potential of creating massive social upheaval in the most powerful country in the world. Furthermore, while Diebold is getting caught with its hand in the cookie jar because of leaked code and internal memos, we don't even know at all what the other electronic voting software companies are doing with their closed and secret code. Perhaps Mr. Jones could give a current example from the open source community with the same scope and complexity.
Didn't DARPA pay for the initial research into IP (and part of BSD, which the IP stack was built on?). Wasn't this a completely open process (hence the RFCs)? How many governments are NOT using IP? How many pieces of software do NOT use BSD code in some way? Does this guy have a clue?
DevX is a division of Jupitermedia Corporation. See our Corporate information page for more information about Jupitermedia and its other divisions: Internet.com, Earthweb.com, Jupiter Research, and Jupiter Events.
Say no more...
A bad article -- he is simply trolling for traffic, in my opinion. His argument is equally the case for closed source programs. Didn't some products go out a few years ago with a virus in the shrinkwrap box!! Couldn't happen with a closed source program!! And I don't think a government would get their Linux distro from 'dancing monkeys discount linux cd's'. Really.
Someday he hopes to be The Russell Jones.
You are hereby slashdotted to heck, prince of insufficient light
I just emailed the author and his editor, and suggest any interested folks do the same:
Author: rjones@devx.com
Editor: lpiquet@devx.com
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree. -Martin Luther
Obviously A. Russell Jones is unfamiliar with the review process that happens in most open-source development. It is ridiculous to believe that malicious code would just make its way into an open-source application.
Really what it seems like he is trying to do is demonize open-source developers...suggesting that it is likely that the group governing an open-source project would deliberately infect their own apps.
I can see the Apache Group chuckling at his assertions.
had anything directly to do with quality? If that held true I'd never go with either the top or bottom bidders but that 80%er would get my business. In either light OSS and control over the source looks good; the support you get then depends on how stingy, stupid, or serious you are about succeeding. Businesses cost money to operate...
errr....umm...*whooosh* *whoosh* Is this thing on?
He must be on something.
Proletariat of the world, unite to get high
In Soviet Russia, I ruled you
I think he's way off base here; open source software has fewer holes. I mean, look at Windows: it seems like I'm downloading a security update every day or two and the response time of Microsoft is slow at best. While on the open source side if a hole is found it's fixed fairly fast comparatively.
And on another note is it not true that good security systems are made tried and true only by the availability of the workings of the system(source code)? Security of proprietary systems is cracked again while the tried and true still live on.
Survival of the fittest and all.
-This sig has been discontinued after a sudden realization.
An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because proprietary products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free proprietary software will put their country's and their citizens' data in harm's way. Eventually and inevitably a proprietary product will be found to contain a security breach not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the proprietary software from inside, by someone working on the project.
This will happen because the proprietary model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter proprietary software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Windows code is carefully scrutinized, that's not terribly likely. Much more likely is that vendors will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a vendor, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself; the same possibilities (and probabilities) exist for every proprietary software package installed and used on the machines.
How Can This Happen?
The products of the proprietary software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, a free open-source operating system, the free open-source Apache Web server, and proprietary office suites. There are several reasons that proprietary software and Windows in particular are seeing such a dramatic uptick in use, including IBM's extensive Windows support effort over the past several years, and the widespread perception that Windows is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)
So far, major Windows vendors such as Microsoft and others have been able to discover and remedy attacks on their core source-code servers. The vendors point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market or give away a Windows vendor, there's also a reasonably high risk that someone will create a vendor specifically intended to subvert security. And how would anyone know?
Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group
From the article:
Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?
Oh, I don't know... maybe by looking at the source code?
Turn it around now: Suppose a private company sold software with malicious code included to subvert security. How would anyone outside the company know?
TheFrood
If you say "I'll probably get modded down for this..." then I will mod you down.
what ghandi-con does this put us at?
(And isn't this the guy who writes all those books about ASP.NET and VB?)
====
Crudely Drawn Games
A. Russell Jones may not know dick about OSS, but he's a genius on the topic of "how to spike your web traffic for one day".
Well now they are down to rhetoric, the facts have abandoned them. Frankly I love the claims about Microsoft and Security. M$ OS can best be described as an "Anti-Security System." It is the destroyer of all security.
Never Politically Correct ~ I prefer the facts If you don't like what I say, get a life, or comment yourself.
More than once I've seen closed source software installing adware/spyware on my Windows box - I've never seen the same thing happening with OSS. Following the author's logic, that's impossible... authors of closed source software are so honest and nice they would never do something like that - must be the OSS people disguising themselves as proprietary software vendors then ;)
...being an Executive Editor and all.
Why exactly would this be pointed out as a link to a worthy news tidbit? In the short description given you can see it's nothing more but flame bait... hence me replying.
It has happened before, in the Inslaw/Promis Software Affair.
Oh yeah, that was a proprietary app. Guess there's no security there either.
Read, L
...his article is freely available.
hmm...I wonder if we can make a paypal account to buy a bigger FOSS ad to see if he changes his tune...
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Someone tell this guy source code is verified and supervised before making it to releases. Pffft trolling to fame is easier than ever.
It sounds like some FUD you could try back in 1999.
At least come up with something new.
"Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."
They would have to release it public. Releasing a program source under the GPL, then not releasing the next version under the same cannot be done AFAIK.
Deriving (i.e. Version 2) would automagically fall under the GPL and would have to be released.
This isn't journalism. It's ignorance and/or stupidity.
Putting the romance back into necromancer.
This is indeed true, but it depends upon how you define 'pay'.
In the case of the government using open-source software, 'paying' to me means that the underlying code gets reviewed by government employees or trusted subcontractors prior to being deployed, rather than paying cash for closed-source software. It is inconceivable to me that someone could argue that you have this option with closed-source software, or that you are more protected somehow because people getting a paycheck to write code would never do anything malicious. Even if you get to peek at the underlying closed-source code, how do you know that was the code used to compile the application? With open source you can guarantee it 100% by compiling it yourself. How does it get any better with closed-source? (rhetorical question of course...)
- Leo
You don't use science to show that you're right, you use science to become right.
Dear Mr. Russell Jones,
In your article you make a number of interesting points, which I shall attempt to cover in order:
1. An open source product will eventually contain a maliciously inserted security breach.
On what grounds do you base this statement? How can you be certain that Microsoft haven't been paid by the CIA to place backdoors in Windows? Why, then, should any government which isn't in on such secrets trust Windows? How could a government be certain that it knew all such secrets?
2. The core project code could be compromised.
Quite true. However, there have been instances in the past where Microsoft's code has been compromised even when sitting on Microsoft's servers:
http://www.theregister.co.uk/content/4/14265.html
3. A distribution will be built with security holes for the express purpose of selling to governments.
How do you know this hasn't already happened with Windows? You speculate much, but back up little. What kind of advertising budget would such a hacker require for gaining government mindshare?
4. Insiders could "customise" a well-respected secure distribution.
They already can. It's called "leaving accounts on the system". Or "logic bombs". Or "misconfigured systems". This problem has existed for almost as long as computers have.
5. Finally, you speculate that nobody is "watching the watchers". What, however, you appear to have misunderstood is that the government organisation would have a full copy of the source code and could compile it themselves to confirm the resulting program is identical to the shipped version. They could then audit the source code - either in-house or pay an outside organisation.
It is quite correct to state that "you have to put your trust in someone - who should you trust?". Otherwise the country would have to be run on every level entirely by one person, who would be responsible for writing, implementing and enforcing law. I'm not from the US but I'm sure your President would get tired of writing out all those speeding tickets!
I would argue "you should trust someone who can prove they have nothing to hide".
Open Source has nothing to hide. Come into the light.
"You get what you pay for?" The government? I guess those $400 toilet seats must be something special.
Question: what one operating system has had 100 or maybe 1000 times more security problems than all other OSes combined? I'll give you one guess.
Basically the argument for closed source was that nobody could read through the code and exploit weaknesses or add trojans without anybody knowing, and once Linux becomes more mainstream the same virus woes will be the same for both platforms.
I was going to remind him that Linux users are statistically more security conscious (how many Linux/Unix users spend the bulk of their productivity time running as root?) than Windows users, but I didn't want to bring it up because he was the leader of our church.
And also more work is put into the Linux kernels than in the NT5-5.1 kernels when it comes to the weaknesses that viruses rely on.
I was then going to remind him of OpenBSD, an open source OS that has had only 1 hole in the default install in the last seven years.
Maybe next time when I get enough courage I will enlighten him some more.
Similar parallels to the government paying $400 for a hammer and $1000 for a toilet......hmmmmmmmm
As soon as the Linux kernel starts "phoning home", I can fix it because I have the sources and the GPL allows me. Linus Torvalds knows that, so he is very reluctant to add spyware to the kernel.
When Windows XP starts phoning home, the MS EULA doesn't allow me to do anything about it. Bill Gates knows that and is looking for ways to get more dollars out of his Windows licenses.
extern int warranty;   /* declared, but never defined: there is none */
int main(void)
{
(void)warranty;
}
FREEVBCODE.COM -- Get high-quality, FREE Visual Basic code
The real kicker is that I can already get free, high-quality Visual Basic code... Just open the wrong attachment in Outlook.
How do you know that every version of Microsoft Windows or SCO UNIXware or IRIX or Solaris or hell even Mac OS X isn't riddled with keystroke loggers and data miners? Because you paid money for it and can't inspect it?
It could happen that a Linux distro's binary distribution could in fact be corrupted with such things, but the project's creators would be held responsible upon discovery, just like any major corporation which would try to attempt this. The source would be safe because it would be subject to peer review.
The argument is basically the opposite; any software that you download/purchase in binary form could be corrupt and you should review and compile all your software from source code, i.e. open source. Good one.
CAn'T CompreHend SARcaSm?
"We need a new term for this kind of journalistic troll."
No talent assclown.
Yes - I see their twisted logic.
..yes, it's me that's foul - I see! ;)
Again another article I refuse to read!
And if I told W. Russell Jones how to kill me and he did..
Open Source leads to greater public scrutiny, and thereby greater awareness.
Awareness is inherently good. All security professionals know that even an awareness of insecurity is preferable to an illusion of security. Would you trust even a single crypto algorithm that wasn't fully disclosed? Of course not.
Just look at Windows. It's so widespread, one might hope the security holes could all have been found & identified by now. Unfortunately the "closed source" nature of MS-Windows ensures that these critical security bugs will keep trickling out from what is seemingly an inexhaustible fountain of fallibility.
When bugs are identified in open source code, they can be fixed very quickly. More hands are simply available to do the auditing and patching. You might even be able to fix it yourself.
I will always have more confidence in code which is truly subject to public scrutiny. Seeing is believing!
So, I guess I shouldn't take any of it seriously.
Glog!
Maybe so, maybe not. What about closed source/proprietary software that NOBODY can see the source code of? Those companies can put ANYTHING in there and you are at their mercy.
Crisis is the rule, not the exception.
Simply not true, at least with software.
There is a place for open source software in business and government along with closed source (I know others may disagree).
But the licensing cost of software is not the only important cost for most businesses.
So saying you get what you pay for is a silly argument, at least to me.
Ok, interesting point, but there is no opportunity to review the source code in proprietary software systems, whereas open source software at least holds out the possibility of peer review. A good example would be the infamous backdoor that Thompson put in the earliest incarnations of the Unix login program. And since we are well aware of the history of backchannel government intervention in proprietary software systems, dating at least as far back as DES, there is no reason to believe that the walls to intervention are any higher; at best, they are just more opaque.
It's been said time and again, but an old adage that governments would be well-served to heed is: Security through obscurity is no security at all.
Thanks for listening,
> "We need a new term for this kind of journalistic troll."
Factoid (looks roughly like a fact might).
This reminds me of the white paper at http://www.adti.net/opensource.pdf by the Alexis de Tocqueville Institution. While they make some very good points, in the end I still don't agree with their argument.
Most people would die sooner than think; in fact, they do.
> Uhhuh? So? They'll be fixed in the next release?
At the whip of the vendor. Which, in Microsoft's case can be never, unless the "hole" gets publicity on the evening news. There are serious--and well-documented and submitted--bugs in Word that have been there since the early '90s, with no obvious intention from MS to ever fix them.
What, does this guy think some government is going to trust its infrastructure to some home-grown distro that they downloaded off the 'net for free? Please.
My beliefs do not require that you agree with them.
-1 Flamebait Of course there's going to be someone that'll do something evil. It happens in proprietary software too! People are evil, or at least have the capability of being so. Of course anywhere you have people, you have the potential to do damage. I COULD mod the code, or I could just as easily trojan a win2k/XP solution with an in house virus, that will never get out to see the light of Symantec, or any other AV scanner. It's not open source that's the problem, but people. At least w/ open source, you can try and spot it. Now if we had machines writing code, there'd be no tendency for evil, just watch the Matrix :-D
We need a new term for this kind of journalistic troll. "Micro$oft payee"?
"Freedom means freedom for everybody" -- Dick Cheney
[From FUD-Induced Diatribe of an Article:]
Malevolent code can enter open source software at several levels.
[1] First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
[2?] Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
[3] Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. [...]
[...] Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
I have this argument with my clients all the time. Many of them do not trust open source. They say, 'It is unsupported! We can't run production on unsupported software!'
My argument is that it is no different from an internally developed application. None of the code I write is 'supported' any more than the open source code out there. If something breaks they have to pay me to fix it. If something breaks with some open source code, they still have to pay me to fix it.
Also, the advantage of open source is that even if the authors slipped something 'nefarious' into the code, you have a chance to see it. What do you do when someone slips spyware into a proprietary application you use?
So? If they don't get publicity, they're not worth fixing?
The owls are not what they seem
Of course, if he really believes what he says, he should be able to prove it by injecting bad code into (say) the Linux kernel, or apache.
If I get what I pay for, does that mean if I pay Microsoft enough money I won't have problems with their products? Hmm.. I think Ballmer or Gates should use this as their next big push for Microsoft products, especially when governments consider moving to open source software. If they just pay Microsoft endless amounts of money, there won't be any problems.
DevX.com has reported a recent drop off in website hits and has implemented a campaign to "leverage" the Slashdot masses.
...
The new project entitled "Flaming Troll" was kicked off today with an article that would be very interesting and informative for your average Slashdot reader.
So far the project seems to be a success
"You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
:-P I don't really get how it passed him that a company well-known for their licenses is equally well-known for their flawed software... Price and quality have nothing to do with each other in this case.
Sounds like a quote from someone who has no idea about what open source is...
This and this:
"because of its very openness, will inevitably lead to security concerns"
leads me to not even care about wasting my time reading whatever more rubbish he came up with. One of the very basic lessons you learn when studying computer security is that openness is good. Security by obscurity is bad.
Beware: In C++, your friends can see your privates!
He argues that open source software, because of its very openness, will inevitably lead to security concerns.
------------
Huh?
Microsoft isn't open last I checked. Hackers don't seem to have any problem with causing havoc with a 'closed source' product.
------------
He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
-------------
Ok, I give. You get what you pay for? I've heard this for many years. I don't see my fast food burgers quite as large as the pictures, nor do I see other items I pay for performing as advertised (cite Microsoft again). Not to bash these guys, but think about it. How often have my IE browser links been jacked to some other site, or a virus/worm trashed my up to date and patched system?
Microsoft has done great things for the industry however closed source isn't any more secure apparently.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
why does /. waste our time and bandwidth with useless stories such as this? is cmdrtaco having a slow news day?
The people who read Slashdot are generally not interested in DevXs party line, so they won't be back.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
...what he's talking about is introducing holes, but that's pretty much a non-issue. Even in commercial software, instances of hidden backdoors are very very rare. On Linux, the only example I can think of was the miserably failed attempt to introduce a backdoor (by changing a == test into a = assignment) into a debian(?) repository, which wasn't even the root repository.
This would be an issue if the systems were so incredibly, insanely secure that it would be easier to introduce holes than find holes. However, both in Linux and Windows there's holes being found and exploited - hardly ever inserted and exploited.
His idea of the "core group" going rogue and not releasing source makes no sense - people can compile the source themselves and verify that the binary matches the official one. So basically, he's not making much sense.
Kjella
Live today, because you never know what tomorrow brings
Although it doesn't quite fit since this is technically a commentary or opinion piece, in which case "ignorant fool" would suffice.
Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.
You mean as opposed to the security hole ridden crap that my tax $$ pay for now?
All these differences depend on what factor is "open". GPL only opens the source for reading, so anyone can look under the hood, or even make their own version, but no one is compelled to use those changes. Insecurity from malware included in source would be worse in open source projects if there were no auditability for who contributed the malware. However, just running an open source project usually requires greater check-in auditability than closed source, just to keep the team manageable, so (all other things being equal) open source projects are *more* secure than closed source. And since anyone can search for, and fix, bugs in the source code, there's more early reporting of bugs, and the project itself is not necessarily the bottleneck in fixing them.
Inside most software teams, the source is open, up to the boundary with other organizations. OSS merely widens that boundary to include all other organizations, until the boundary disappears. But teams are usually closed in either model, with only a few with the power to commit changes. It's project management that makes the difference in permeability to malware. And open source has advantages over closed ones, in the ease of auditing the code.
--
make install -not war
The only problem would be if they accepted patches, and the patches are GPLed themselves. The "core group" has to follow the license of anyone who has rights on the code they distribute, i.e. they'd have to get rid of the contribution or comply with its license.
Programming can be fun again. Film at 11.
This is a specious argument. It assumes that bad code can somehow be slipped into open source code while proprietary code could never ever have such bugs.
There have been software packages that have had backdoors in them for a decade and these were not found until someone open sourced the code.
CERT(R) Advisory CA-2001-01 Interbase Server Contains Compiled-in Back Door Account
Even Microsoft code has been found to have back doors in it:
Netscape Engineers are Weenies
Yes, there will be mistakes made. Security is a process, not a state. The biggest mistake would be for a company to assume that software is secure just because it is open source. No, just being open source doesn't sprinkle magic pixie dust on your product, but it does let you get the sources from the vendor, have another firm or your own in house programmers audit the code to ensure that it is back door free and relatively clean and then you build the code yourself.
Before writing opensource software I recommend all programmers read the following:
Secure Programming for Linux and Unix HOWTO
This document covers everything the article covered and a lot more.
As a last note. Open source software is to computer programming as the scientific method is to science. It is a peer review process that slowly results in better and better software over time. Closed source software is like alchemy of the old days. In just 20 years the open source programmers have build entire platforms that can challenge anything that the proprietary programmers can develop. Where will we be in another 20 years? in 100 years? in 1000 years?
Haven't we been down this road, what, a million times before? Doesn't IBM, Sun, Novell, ah hell, everyone EXCEPT Microsoft, make this guy look like a big dumbshit? Okay, next. Move on. (Hell, imagine a Beowulf cluster of guys like this.) Oh yeah, they're all at SCO.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
An old adage that governments would be well-served to heed is: You get what you pay for.
Quite right.
When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'
Well, then open source shouldn't be a concern. Open source software isn't "free" as in "no cost". Quite to the contrary: open source software may well require you to pay considerably more for skilled developers and skilled system managers to adapt and deploy it. And in return for doing so, you get better quality software and you lower your overall operating costs. The fact that open source also happens to save you licensing fees is icing on the cake.
That is in sharp contrast to a lot of commercial software that promises to be so trivial that even an untrained monkey can use it. Of course, it doesn't actually deliver on those promises--many problems are just intrinsically hard and no matter how many dialog boxes and help files you add, people still won't be able to use it--but it gives the appearance of doing so, and that is arguably far worse.
In different words, the commercial software vendors are in the tradition of snake oil salesmen and miracle healers, who charge a huge amount of money for their miracle cures and try to keep charging you. Open source developers, in contrast, are more often in the category of skilled medical professionals: you hire them, you pay them a good salary, they solve your problem, and then they go on to the next patient.
Why a new name? 'Charlatan', 'Fraud' or 'Pighead' seem to fit.
Back in the 30's and 40's Time and Life Magazine publisher, Harry Luce, overlooked the realities of Chiang Kai-shek's brutal regime in China, choosing to believe Chiang was a Christian and a good leader, while Mao was a monster backed by the godless communists of Moscow. Luce's publications were the word. Too bad he had it wrong and couldn't see it. This guy is about as blind to reality.
A feeling of having made the same mistake before: Deja Foobar
"Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."
I'm still trying to figure out what the hell this is supposed to mean. It's complete gobbledegook.
If they don't make the corrupted version public, a) it isn't open source, it's proprietary and its proprietariness is the risk; b) it's of no risk to the public; c) it's of no risk to the government if they properly audit their version of the code. Simply comparing it to the public code would take care of this, something a computer can do in a matter of some seconds.
And the primary reason for a government to use open source is to audit the code, so they know that MS or whoever hasn't slipped a backdoor in, and once the code is audited, built and tested you distribute internally as binaries, which you can do because it's open source and doesn't require seat licenses.
So here's what you do if you're a government. You download Open Office from three different public mirrors in three different countries. You check the MD5 of each of them and then each of them against the other. If it all checks out you know you have public code that thousands of eyeballs are looking at. You hand it off to your NSA, they audit it, modify it for internal use as necessary, build it, test it, put the binary on an internal government agency server.
There ya go.
The statement makes absolutely no sense.
As opposed to MS having a salesman show up, hand you a binary disk or four and say, "It's cool, trust us. Would we lie?"
If I were France or China I'd say, "Shit yeah!" and download Slack.
Hell, I don't trust closed source with my typing business anymore, let alone my country.
KFG
First install the patches up to current, then go trolling to try to piss off the slashdot crowd.
Doing it in the other order would be a really bad idea
That's why most free/open source based companies make their money on services, and not necessarily the products they sell. Comparing the service I've gotten from Free Software companies to having the highest priority service contract you can have with Microsoft at a Fortune 100 company, I'd gladly pay nothing for Free Software because the support I am paying for is superior.
Microsoft has done quite well at having lots of security bugs pointed out in their closed source products, and closed source vendors like SGI, HP (HP-UX) don't exactly have stellar security records either.
Remember the Alamo, and God Bless Texas...
'I don't recall any follow up determining, "Hey this happened X_TIME ago, therefore clean programs should be reinstalled on your machine."'
That's because the relevant teams _checked_ the code against known good code to see if there had been anything planted. If there were problems, you would have heard about them.
Engineering and the Ultimate
They're called .md5s. Use them. They exist for a reason. You'd have to have some godawful cooperation between some very mean people to successfully pull off a corruption on widely deployed OSS software AND not throw red flags up among people who have clean versions and clean md5 hashes.
And, what's your point on stagnant OSS projects? I don't see Microsoft supporting Win3.1 anymore, but there's a lot of people still using that. The difference is that NOBODY can go through it and fix it up or make anything of it. If someone decides to pick up the pieces on an abandoned piece of OSS that shows promise they can do that.
I hate when people do this. You didn't raise any issues that aren't a problem with ALL software, yet you are applying them specifically to OSS. If a server gets owned, it gets owned. It doesn't matter if it's commercial/proprietary, commercial/oss, or whatever. It's owned. Binaries can still be injected with malicious code. They're owned. Give it up. There's no inherent flaw in OSS.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
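The mirror-and-checksum procedure from KFG's post above, and the ".md5s" point in the post just before this one, as an added example (not code from either poster): it cross-checks three copies of one archive against each other and then against a published checksum manifest. The mirror hostnames, the archive name and its bytes, and the manifest are all constructed for the example.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ---- Constructed sample data (not real release files) ----
FILENAME = "openoffice-1.1.tar.gz"  # hypothetical archive name
GOOD = b"OpenOffice release tarball (constructed sample bytes)\n" * 4
TAMPERED = GOOD.replace(b"release", b"releaze", 1)  # one byte altered

# Three mirrors, as in the post; mirror-c serves an altered copy.
# Hostnames are placeholders.
MIRRORS: Dict[str, bytes] = {
    "mirror-a.example": GOOD,
    "mirror-b.example": GOOD,
    "mirror-c.example": TAMPERED,
}


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the bytes. The thread says MD5; MD5 collisions are
    practical today, so SHA-256 is the default and MD5 is accepted only
    for checking legacy manifests."""
    if algo not in ("md5", "sha256"):
        raise ValueError("unsupported digest: " + algo)
    return hashlib.new(algo, data).hexdigest()


# Stand-in for the checksum file a project publishes out of band (the
# ".md5s" of the thread), in the md5sum/sha256sum line format.
MANIFEST = "# constructed manifest\n" + digest(GOOD) + "  " + FILENAME + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<hex>  <name>' lines (a leading '*' on the name marks binary
    mode in md5sum output). Comments and blank lines are skipped; a
    malformed line raises, so a damaged manifest is never silently read
    as 'no entry for this file'."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed manifest line: " + raw)
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries


def cross_check(copies: Dict[str, bytes], algo: str = "sha256"
                ) -> Tuple[Optional[str], List[str]]:
    """Compare the mirrors' copies against each other. Returns the digest
    a strict majority agrees on (None when there is no majority) and the
    sorted mirrors whose copy differs from it."""
    if not copies:
        return None, []
    digests = {host: digest(data, algo) for host, data in copies.items()}
    winner, votes = Counter(digests.values()).most_common(1)[0]
    if votes * 2 <= len(digests):
        return None, sorted(digests)
    return winner, sorted(h for h, d in digests.items() if d != winner)


def verify_download(copies: Dict[str, bytes], manifest_text: str,
                    filename: str, algo: str = "sha256") -> dict:
    """Both steps of the thread's procedure: mirrors against each other,
    then the agreed copy against the published digest. 'trusted' is True
    only when both hold, so a tampered majority still fails. This proves
    you received what the project published; auditing the source is the
    separate step the post goes on to describe."""
    published = parse_manifest(manifest_text).get(filename)
    consensus, bad = cross_check(copies, algo)
    return {
        "published": published,
        "consensus": consensus,
        "bad_mirrors": bad,
        "trusted": published is not None and consensus == published,
    }


if __name__ == "__main__":
    print(verify_download(MIRRORS, MANIFEST, FILENAME))
```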
I think you've kind of missed the point here. The question isn't "Is Open Source invincible?", the question is "Is deliberate program corruption more likely to occur, all else being equal, in an Open Source program or a commercial program?"
And while I'm not a free or open source fanatic, I have to say that I can't marshal any rational arguments that the commercial program is somehow safer from authorial corruption. It's virtually inconceivable that a large scale open-source program could have a backdoor or anything like that in it for any significant amount of time, and as for smaller projects, a one-man open source project may be just as likely to be corrupted as the one-man closed source product, but which is more likely to be detected before significant damage is done? The one with the source you can look at, hands down. (And the phrase "just as likely" is for rhetorical purposes; in the real world, the prospect of revealing the source surely impedes anybody who would put something nasty in there! That's way too accountable for someone like that's taste!)
No system can be made perfectly safe. But to claim that commercial software is safer from deliberate authorial corruption takes willful and deliberate ignorance. I mean, seriously, claiming that the software I can't see, that I'm not allowed to see, is more likely to be pure than the stuff anybody (or anybody I hire) can look at is? That flies in the face of both logic and common sense, and is the kind of claim that has to be inflated into a long article to blind the reader with words before it can even come close to being seriously entertained; a paragraph summary doesn't pass the laugh test.
And remember, it's not only "Will it happen?", but "Which will do more damage?" Even when break-ins happen in Open Source, the damage is typically swiftly controlled; people's reputations are on the line! Who even knows how much closed-source damage has been caused from breakins? Again, people's reputations are on the line, and the incentives to cover such things up are high.
I just don't see a way, even in theory, where commercial software is safer against this sort of attack.
Government, and indeed any business, IT people and developers should have processes in place to be checking for these types of issues anyway, regardless of whether the software is "open" or "closed". It just makes sense that if you are going to depend on it for your success/failure. This should also include watching for maintenance updates and bug fixes. Watching the Security Focus Linux and MS lists shows similar numbers of discovered exploits. In a lot of cases the same tool has the same exploit on any platform on which it is installed. Bottom line, decisions should be made on what the software can do for you and how well it's built, not on whether it's open source or not.
Frenchman to King Arthur - "You've got two empty halves of coconuts and you're bangin' 'em together"
And it's not like the same thing hasn't happened with commercial servers (Half-Life, anyone?)
Notice the article immediately preceding this one.
...this guy is the editor on DevX.
You remember DevX don't you? The VB crowd's version of Slashdot. I have always mistrusted anything from DevX, especially their Java/C and C++ advice, because they always seem to be a little too pro-Microsoft. I would say that DevX is a Microsoft shill site.
You should be as surprised that DevX published this opinion as you are when it's published in the Windows System Journal.
Never by hatred has hatred been appeased, only by kindness - the Buddha
The Secunia list of products' vulnerabilities shows I made the right choice with Windows XP Home:
XP Home: 50 security advisories
Red Hat 8: 140 security advisories
Red Hat 9: 82 security advisories (they're getting better)
Debian 3.0: 276 security advisories
Gentoo 1.0: 194 security advisories
Mandrake 9.x: 158 security advisories
Actually, I'd rather run OS X (29 security advisories) but all the good games are for Windows.
And for the BSD is dying trolls, FreeBSD 5.x has 23 security advisories listed, OpenBSD 3.2 has 29 security advisories.
So you see, it is clear from the numbers I've taken from a single source (a company I know nothing about), I have proven that you should dump Linux and move to Windows XP Home, OS X, or BSD. Don't hate the author of the article...hate your hole-filled bug-ridden trap-laden OS.
...but in actuality I suspect very few organisations have audited the 20-50 odd million lines of code that make either a Windows release or Linux distribution.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Original quote:
"... an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so."
Ok, what if we rule out open source as insecure, as the author does, and rewrite the above:
Modified quote:
"... an individual or group of IT insiders could target a single organization by licensing a closed-source kernel, and then customizing it for an organization, including malevolent code as they do so."
Ahh, much better! The author sure is right that closed source gives much better security.
In another article, the same author claims:
/me thinks that he has missed the point with Open Source completely...
The point is not so much that open source is copycatting Microsoft but rather that open source vendors understand that Linux users, especially the great mass of potential Linux users, aren't any different from Windows users. They want the same applications, with the same features, the same ease of use, and largely, the same look and feel. As Linux moves beyond the hobbyist and server space into the corporate and home desktop space, there will be an increasing number of Linux users who genuinely don't care whether their applications are open source, and in fact would probably rather use their familiar Microsoft applications, if they are available, than retrain on unfamiliar and less mature applications.
On the other hand, he has a point concerning Linux while quoting Pavlicek's Top Ten list in yet another article:
The multiple-GUI problem illustrates a basic difference in Windows and Linux. Windows has one general GUI interface which has served many millions of people and works for many millions of different applications. The Mac (another successful consumer OS) is similar; one general GUI works across all Mac applications. Why is Linux different? [...]
Give them the real thing, Microsoft. Give them choice. Port the applications and development tools [to Linux]. Turn the millions of Microsoft developers loose on Linux, and let them build the future on both platforms.
Provided they do so with Open Source, that is!
The more you know, the less you need. [Admin added: from me.]
We need a new term for this kind of journalistic troll.
:-)
Troll du jour?
--
Evan "About to take down a Linux system running kernel 1.2.x for about 4 or 5 years and upgrade to SuSE 9.0"
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
Of course, lower-cost software will on average not be as good as more expensive stuff. You get what you pay for whenever the producer expects to be paid in money for her creative effort. After all, if you are going to charge for your software, you will charge as much as you think is fair.
Free software is entirely different. Since it is given away on principle, not because it couldn't possibly fetch a higher price, judging it on price is just fabulously uninsightful. Which is better, Pine or Mutt? They're both free. Oh, then they must be equally good. Riiiiight...
"The biggest problem with communication is the illusion that it has taken place."
Point taken that w/o a tightly controlled version control, integration test and security QA process you are bound to collect intentional and unintentional bugs and problems
BUT
All of those same things are true in closed source code too. And once introduced into a closed system, problems tend to persist far longer and resist all attempts to correct them.
Reality bears this out.
Where he gets his source from? SCO internal memo regarding the evilness of Open Source?
The way I look at it, nothing is hackerproof. If there is a way to engineer something, there is always another way to reverse engineer it; whether or not it actually gets you back from Z to A is another story. From a security point of view, whether a piece of software is open source doesn't make the software any more or less secure. It is an indication of how much thrill a hacker could get out of hacking it.
Closed source development gives you a false sense of security. It is hard to imagine how secure a piece of software could be when it is coded by a trusted 7-man team (let's take a manageable small integer as an example). Conversely, open source allows public peer review. It can ensure that the software developed is well tested and hacked before it goes into production use. In addition to that, governments could always hire security experts to audit the code, as they should even with closed-source counterparts.
The fear of open source could actually be political as well. We all know that in a capitalist world, nothing ever is open or free (although of course the politicians would tell you otherwise). And suddenly, you have these people giving stuff away for free -- pretty much like an act of communism where stuff is shared around without regard to making a profit -- some people would of course scream, because the reason why they care about the technology is mostly for the profit they're getting out of it. And some others are hired to scream. Russell Jones seems to be one of those.
People like that are only in for the money...
:roll eyes:
Security is only secure if it can withstand scrutiny of the public because of its openness.
This forces the people involved to keep their code up to date.
Security by obscurity is a fool's game, as people who have to work with obscurity get sloppy; 1 leak is lethal, as MS is proving at an ever increasing rate.
Last leak only repaired after 6 years?
Perhaps it would be better to post the full text of articles like this somewhere on Slashdot for people to read here and discuss, instead of rewarding so called "experts" with thousands of hits to their websites?
It seems like some obscure people post inflammatory comments about some topic on the web and suddenly a link shows up on Slashdot and the author's website gets lots of hits, so it looks good to the advertisers on the website and the author makes more money. Paul Thurrott is a good example. Just who is W. Russell Jones and what are his qualifications?
I think this trick is why we continue to see more and more postings to Slashdot that really don't fall into the realm of traditional Slashdot postings and discussions.
I know if I want to get some hits to a website I would cookup something that would get attention and post it to Slashdot.
Let's not be suckers to someone else's scams.
They just want us all to register so we can mod the article down, then go somewhere and tout their huge subscription numbers.
Nice try fellas, not gonna bite.
First, you do indeed get what you pay for. With Open Source, you pay indirectly (by supporting companies that support Open Source), by taxes (where Government involvement is concerned) and by whatever charges the organizations you buy from add.
Overall, Open Source investment amounts to billions, if not trillions, of "effective" dollars a year, where an "effective dollar" can be anything (eg: time or some other resource).
As a nation, or as a world, we are not spending nearly as much on Windows. We do indeed get what we pay for. Open Source, by having the greater investment, is the superior product.
Then, we get to the security concerns. A concern is not the same as a reality. It's a feeling, not a fact. There are no useful evaluations of security, except for the rule that code is either broken or not.
99.9% of the more recent attacks on the Internet have exploited people's stupidity, greed and lust. Writers of worms, trojans, etc, have realised that people are far easier to attack than the computers.
Open Source is less vulnerable to human weakness, because it involves so many humans, so many egos, and so much pride. The "limitations" in many Open Source packages are often because certain popular ideas (eg: macros that can do anything, in a word processor file) allow attackers to exploit end-users to the full.
You are unlikely to ever see a real, serious, virus written for Linux. Why? Because the diversity is too rich. In the same way that a highly bio-diverse forest can survive almost any attack from disease or pestilence because the attacker is too specialized to reach any but a very tiny subset of what is there, viruses cannot seriously hamper Open Source because it is impossible to write a single binary that will support every possible Linux system.
To write a meaningful virus for Linux, you must first write a shell-script to identify the architecture, library versions, kernel version, kernel options, security mechanism(s) and capabilities.
From there, you must extract the relevant binary from an archive. Because de-archivers (including tar) aren't necessarily there, or necessarily the version you want, you've got to have the extraction code also in the shell script.
There are seven orthogonal security mechanisms that could be in place, something like ten architectures, four significant C libraries and something like eight common configurations.
In other words, you have (2^7) x 10 x 4 x 8 targets you would need to aim at, which means you would need to have 40,960 versions of your worm, to offer any serious threat to Linux. Less than that, and the sheer diversity will eliminate the worm or seriously cripple it.
The very thing that companies have complained about with Linux (the lack of absolute conformity at the binary level between all platforms) is a very effective barrier to hostile software.
The only really effective attack is at the level of source code. Indeed, there are many stories of a virus in the old AT&T Unix source code, injected and maintained by a companion virus in the compiler provided.
However, the mere fact that the story is so legendary shows how rare source-level attacks are.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
My guess is that the curve for open source is a lot different than commercial software.
Open source - starts off, lots of exploits because the code is readily available. People using the package (assuming it's valuable enough to merit it) fix problem, submit patches. Over time software becomes more secure.
Closed source - Exploits harder to find, eventually found due to sheer perseverance of legions of script kiddies and their slightly more talented brethren. Company denies existence of problem, patches discreetly and only occasionally, eventually begins to become marginalized due to shoddy business practices, begins suing everyone in sight in a sad attempt to revive an obviously dying business. Meanwhile, Bill Gates rolls over in his sleep, makes another fifteen million dollars.
(Or maybe I've just had too much coffee today, and am being silly. Time will tell.)
-1, "1337" speak
Here's a list (from Sophos) of worms and virii available for GNU/Linux:
Linux/Lion
Linux/Adore
Linux/Cheese
Linux/Devnull-A
Linux/Ramen
Linux/Slapper-A, B, C
Linux/OSF-A
Linux/Rst-A, B
I'd post a list of Windows virii and worms, except that it would take too long to download over a broadband connection.
Suffice it to say, just because GNU/Linux is Open-Source doesn't mean that people are more able to write apps to exploit it. If anything, Open Source is /more/ secure; potential exploits can be discovered, and holes filled more effectively, in much less time. Microsoft took six MONTHS to announce a critical exploit and issue a fix, for their primary product!
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
If I recall, Microsoft gave out enormous rebates. Munich did take into account that these rebates wouldn't last longer than until the next upgrade of their Windows systems, and they would be at square one again. With Linux they know they can move money from paying Microsoft to paying local companies to tailor Linux in ways that are impossible with Windows.
MS is just trying to keep customers in their treadmill'o'upgrades.
HTTP/1.1 400
Another one bites the dust
A small and ever-decreasing percentage of users compile their own binaries, let alone check the result. Also, not all of the exploits appear only in the binary; in at least one case the malefactors added a fairly hard-to-notice security hole to the CVS source, so the "official" binaries and checksums matched just fine.
Slashdot - News for Herds. Stuff that Splatters.
...Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.
The problem with his argument is that the software in question is, generally, under the GPL. An organization large enough to suffer serious consequences through an introduced vulnerability (such as a national government) would draw attention to itself by using open source software, and inevitably someone would demand that they make their (corrupted) versions public. I don't buy that these corruptions would go unnoticed long enough to have serious consequences.
Never mind that his whole editorial is conjecture without proof that this has ever actually occurred (and no, bug list comparisons don't count. Sorry.)
Read my keyboard review.
The real problem he's talking about here is just as applicable to open or closed source.
I can easily develop and deploy malicious code from inside an organization using one of the multitude of closed systems (like excel or word).
Or I can be exposed by a contractor inserting all manner of backdoors etc. into projects they work on.
The real issue is one of trust, and he seems to think we can trust someone we can sue more than someone we can't.
Email the author. I just did, rebutting two of his "points". rjones@devx.com
... did they get it all? Only
Hey Russell,
Just two obvious points of rebuttal.
1. Your question: Who's Watching the Watchers?
Makes a cold chill run down my spine when I think of closed source software. In fact, many of your statements, such as the rogue coder, hold just as true for CSS. The difference? You (as a consumer) cannot see the code. An atmosphere which breeds closedness and non-disclosure of hacker attacks is far more scary than one (such as Debian) which openly announces that it has been hacked. Imagine a hacker gaining access to Microsoft code. Imagine MS catching him, and removing the malicious code. But the hacker will ever know.
Your statement that "core" members will port the code just doesn't make sense. Assuming we're not into the old chicken and egg problem with the bootstrapping compiler, an Open Source project is defined as having the source open. If you compile a program and it ends up different than the one you downloaded, then something is very wrong indeed.
2. In academia and security circles, full disclosure, to be able to repeat trials and be able to uncover weaknesses in software, is the norm. Hiding behind binary code does not a very powerful brick wall make. Hiding behind a well-thought-out design which is not open to attacks (confirmed by peer review), and relies on algorithmic defences, makes a strong brick wall.
I am sorry, but all in all, a very poor article.
Regards,
Svend
> So? If they don't get publicity, they're not worth fixing?
This attitude is EXACTLY what is making OS so popular and attractive. Even a small bug can drive someone out there eventually crazy enough to pick up the code and fix it. There's a famous feature in Word that pushes footnotes to subsequent pages if line spacing is anything other than single spacing. Only the footnote, mind you, not the anchor and the surrounding text. As it so happens, double-spaced text with footnotes is extremely prevalent in academia and other formal environments, making this feature very well known amongst grad students and such. But again, since this feature hasn't brought down entire computer networks and hasn't been mentioned by Tom Brokaw on the six o'clock news, it's not worth Microsoft's time to fix. Even though it significantly impedes Word's primary purpose, that of creating documents.
Does A. Russell Jones know anything about security??? It doesn't appear so from this article. This reads like something written by some uninformed CNN reporter from 1989. Did this guy do any investigation before spewing forth such ignorant drivel???
Governments "get what they pay for"? Are you kidding me? Governments typically pay FAR MORE for FAR LESS than any other organizations on the planet! Mainly due to incompetent employees paid on time of service rather than actual performance.
"sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way." Yea, so let's stick with the far more secure options of MS-Windows, etc...
"Instead, the security breach will be placed into the open source software from inside, by someone working on the project." Yea, cause there has never been an instance of a paid employee/developer inserting an Easter egg, back door, or other malicious code.
"As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart." I know my government is mostly stupid and ignorant, but I doubt "Joe's garageware jonix distribution" would make it through the laborious bidding process.
"the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes." Agreed. The difference is, we can actually learn about the presence of open-source holes MUCH faster than closed source. (See recent /.ed article!)
"Can Self-Policing Work?" Of course not! And that's exactly what closed-source is: self-policing! Open-source is open policing and scrutinizing by virtually anyone and everyone. Hmmmm... Should I rely on the QA/security efforts of a 10-20 person team who better play good politics to keep their jobs and/or get raises? OR, Should I consider the QA/security efforts of 100's of thousands of unapologetic experts?
This one gang kept wanting me to join cause I'm pretty good with a bo staff.
Close, but you misspelled it. It's: F-u-c-k-t-a-r-d
-Matt
The playing field is even, though, when it comes to backdoors. Yeah, Debian and FSF and OpenSSH have been cracked and backdoors attempted at one point or another. But the same thing happens to closed source software. It's just different. Half Life 2 could have been backdoored if the cracker wanted to go that route. There have been many backdoors that have snuck into programs by employees. You can argue all day as to why one is better than the other, but it comes down to: they are just different.
One of the best things we have to fight against this is gpg sigs and md5 sums. I know they aren't perfect, because if someone cracked the server those are kept on then it doesn't really matter. But nonetheless, they do help a lot; and distros that have made it a point to check them before installing have helped lessen the problem of backdoored software.
A funny observation... it seems on slashdot any time you put a conflicting view point up (conflicting to the slashdot norm) it gets modded down, but the second you put "I am not trolling" or "I'll probably get modded down for this.." it gets modded up. Just an interesting observation.
Or mod me, 'cause I took the time to make a link.
Fertilizer. Nothing but fertilizer.
The author's point seems to be that because Open Source software allows anyone to contribute code, that the chance for an "agent provocateur" to insert malicious code into a project is large, and that the use of such code by governments could result in significant security risks.
Let's forget for a moment that the author doesn't actually cite even a single instance of this actually occurring.
The real question is: is this any less likely in systems which are developed in the closed source/commercial world? Does the author believe that potential info-terrorists can't work to place themselves into companies where they might be able to achieve similar ends? It might be more difficult, but once achieved the chance of detection would seem to be significantly lower, since only a very select few get to view the source code in question, and they aren't necessarily motivated by security concerns (they are concerned with pushing their software out the door for sale).
Ask yourself this question: are companies like Microsoft more responsive to security bug alerts, or is Linux?
The author also writes:
Again, a similar question should be asked: isn't this a similar problem for closed source/commercial development, where it might be in the best interest of the company to either ignore or cover up significant security breaches, and where the cause of such breaches is hidden from the eyes of those qualified to perform security audits?
The author asks the question "Who is watching the watchers?". The answer is simple: everyone is. Or at least everyone can, which is perhaps the best that can be done.
There is much pleasure to be gained in useless knowledge.
I love open source and what it allows you to accomplish. However, open source does allow some foul play to go on. (Sure, things can happen with closed source too.) PHPNuke is a good example of a huge community, but a program with a lot of holes. I don't mean that as an insult. It's perhaps impossible to keep up with all the changes all the time, and someone will always figure out some new exploit. I think it is naive to assume that everyone who looks at code does so with the hope of finding improvements. How many times do PHPNuke sites get defaced? Is it partly the fault of the operator? Yes, but some exploits are so new that you don't know what to defend against. The PHPnuke.org site has itself been brought down several times, and the creator of PHPnuke has seriously considered developing a more professional closed-source product several times. So you can hate me now. I don't really care.
Instead of actually discussing the story, any presumed insult of open source is immediately flamed into oblivion. Look - I love open-source as much as the next geek, but how about we talk about this type of article like adults, and provide examples of our own?
Sure, the guy could've taken a less inflammatory tone, and could've provided a few specific examples, if there are any, but riddle me this, all you smarties: he does have the grain of an issue here.
Let's assume that open software becomes ever more mainstream, to the point where grandma can't tell or doesn't care about the difference in the method by which her email client was developed. What's protecting her against malicious or incompetent open-source developers? Or are we saying that all programmers are by nature 'good' people and also brilliant at their craft?
Sure, geeks can compile source, compare binaries, review code line-by-line, but it may shock you to know that normal people don't know or care how to do this.
Your next argument is that the 'good' geeks will discover and root out the 'bad' geeks. But in a world where OSS is mainstream, this will only happen after thousands, hundreds of thousands, or even millions of mainstream users are already compromised.
I'm not saying that commercially developed software has proven itself better; in fact usually it's much worse, so far anyway, but OSS does have some of the same problems in a world where not every user is also a programmer.
OK, discuss...
"That naive cube! How long must I suffer this!" --Sheldon J. Plankton
Not to throw too much wood on the fire, but wasn't an Al Qaeda sympathizer arrested at Intel? Just imagine what he could have done! Intentional security breaches right in the chips! Start the paranoia meters!
(and this is nothing more than baseless speculation. I don't want to be sued by Intel)
I'm not surprised he'd say this, given what a good source for "dark-side" information his site always is. Unfortunately, I'm also not surprised at the churlish, childish pseudo-refutations being flung back at him. OTOH, the best piece so far has been the "get what you pay for" vs. "IIS uptime as seen on Netcraft" response.
C'mon, folks. Grow up. Yes this is garbage journalism. Why not burn Knoppix CDs to give to your non-techy friends as you explain all the reasons why F/OSS is better to counter the FUD? Personal recommendations from people that someone trusts are the best kind of marketing. And good marketing is all that Linux is lacking in order to achieve the kind of dominance we all believe it deserves.
cheers...ank
and yes, I'm preparing to be modded down
Still hoping for Gentle Treatment...
Do a search on his email address (rjones@devx.com) and you'll find that R. Jones has been writing about MS technologies for many years, including numerous articles on Visual Basic, .Net, and C#. Small wonder he feels threatened by open source, it's a direct challenge to his career.
No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
As has been shown repeatedly, if you have a few guys writing closed code, they can put in pretty much whatever they want. Malicious intent can only be gleaned through a black box analysis. The problems become even greater where many people are working on code. Often companies will not pay for full code reviews, and only broad regression tests by a third party, generally QA. Few companies will check for features that are not supposed to exist. Even if the company knows exactly what the software is doing, which is in fact never true, the user still has little assurance that the company is disclosing all features.
So, OSS software is still no worse off. Even if there is no formal code review of new submissions, interested parties can do informal code reviews. Blackbox analysis can still be done, but now offending code can be identified. Best of all, if you so choose, you can remove the troublesome feature and continue to use the rest of the functionality.
The stuff we download off the net, whether closed or open source, is always risky. We are assuming the coders are good guys. OSS is probably a little more trustworthy because there is no hiding behind technicalities. OSS is saying yes to all information requests, not cowardly hiding behind a policy of secrecy.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
> We need a new term for this kind of journalistic troll. How about "Microsoft employee" or "SCO employee?"
Yeah, and there is nothing stopping independent resellers of closed source software from inserting anything they want. People tend to forget that you don't need source code to figure out how the program works. It's just easier. And it's not like you really need to know the program either, just find a good place to stick something.
This is why we have trusted vendors. I'd bet from here to Tuesday that IBM performs internal audits on the software that it redistributes. And before it gets to IBM, Red Hat does its own. Before that, it is the people writing the software. There are three layers of people, two of which have responsible people behind them. If you are not using software except from a trusted vendor, your risk is low.
The only argument this guy makes is that it is not good to use software from people you don't trust. Duh. That point is true whether you are talking about open source software or not.
Why, o why must the sky fall when I've learned to fly?
Huh? I got mod points today, and I was going to moderate, but there's no 'alternate reality' selection. Offtopic seems misleading, even though also accurate.
Most Linux distros include a blanket warning statement that says "THIS SOFTWARE IS PROVIDED AS IS" and basically they claim no fitness for any particular task. While that portion of the contract may be invalid, a buyer looking for a particular fitness seems to be without a market. It's not like this is a Linux or an Open Source phenomenon; you have to look long and hard to find any commercial system with a guarantee. (Progeny, perhaps?)
What his article comes down to is trust, or the expectation of trust. He brings up Debian's downtimes, but it's not like Microsoft's update system hasn't encountered its own share of troubles. I mean, why does anyone trust SkyOS? Should I trust it more than an open source kernel? Why do I trust Microsoft to Get It Right(tm)?
I Browse at +4 Flamebait
Open Source Sysadmin
A factoid would just be confusing though, because a good number of BBC radio 2 listeners will know factoids as interesting bits of trivia.
", the more issues come out with it..."
Like what? So you're saying a whole paradigm of unknown problems are just sitting waiting to be discovered with OSS? Please. What level-headed OSS advocate ever said that OSS is immune from the same security issues that are common to all software? The only argument I've seen is that security through obscurity isn't a better model and that OSS tends to react faster once flaws are found. I see no flaws in this logic or proof otherwise. But I guess if you want to hint that OSS has some deep-seated problems as yet unfound, that's your prerogative. You speak of discomfort that the FSF hasn't put out some PR campaign claiming that "they've renewed their focus on security practices". I know a little company in Redmond who's done just that, and look at how effective that's been.
I'd argue that the more popular OSS gets (is that what you meant by "cool"?) the more we see the advantages over traditional closed source development. Do you think we'd be seeing such a monumental shift in Enterprise computing if the backers hadn't spent millions trying to decide if OSS is better than the current in-place model? Don't get me wrong, a bad OSS development team will produce crappy software. But as opposed to closed source where the bugs are hidden and not disclosed, at least we have a chance to do something about it. That alone trumps any of the "future" issues that you say will come out.
If you wanna get rich, you know that payback is a bitch
What guarantee, as a company, do you have that the product that you paid for wasn't authored with the intent of gathering malign information about you?
None whatsoever.
Remember those old ATI drivers that ran special "optimizations" when used with the quake3a binary? They were closed source and geared to misrepresent the performance of their card to the community. I suspect that if those drivers were open source that little trick wouldn't have gone unnoticed for long.
I'm not advocating open source as the end all and be all of things, because it isn't. However, you're an idiot if you think that paying for something means that it's safe.
For God's sake, look at IE.
While I'm not down on the details of the GNU.org breakin, I'm a big Debian fan and am fairly well-read on their breakin.
And I happen to recall a call going out saying 'We know we were 0wn3d on this date. Who has MD5 sums from before this date?'
Honestly, you haven't added anything to this discussion. The concept of 'tainted source' is not new to the Open Source community. In terms of submission of patches, people actually *read* the code in question before adding it to existing code repositories. In terms of breakins, the code in question is assumed to be corrupted, only being certified 'clean' after it can be MD5'ed against a pre-breakin archive.
Yes, you are right that no one reads every line of every program they compile/install. However, that's not the issue at hand here, because no one reads every line of every program they buy off the shelf. After all, with closed-source systems, you don't even have the option.
Also, abandonware is another moot point. If you don't want your favorite project abandoned, contribute to it. Again, this isn't even something you have a choice about in the closed-source world.
Yeesh.
If businesses think that they can gain a competitive advantage by altering their software to provide reports on other, competing products within an organization, marketing [sic] pressures will eventually force them to do exactly that.
(I assume he means "market", not "marketing" -- if not, his argument makes even less sense; furthermore, I assume he means "if businesses can gain a competitive advantage", not if they "think" they can. They could always be wrong.)
In an essay defending the commercial software development model ("you get what you pay for"), he presents an example of how market forces could compel companies to create spyware? This is good for the customer?
If anything, this seems like an argument for noncommercial, open-source software...
I have never understood what those people are thinking when they publish .md5 files. I mean, really! If someone gets far enough to upload a compromised tarball, what stops him from also uploading a matching md5 file?
Exactly. Nothing.
That's why people with more than one brain cell upload .sign files. Those are digital signatures made with the GNU privacy guard. Digital signatures make sure that the guy who owns the secret key (and only him) can create signatures, which then everyone can check.
Of course there are also caveats (some dark three-letter agency could have cracked the key with their Roswell quantum computers, or someone could have stolen the secret key), but those are far less likely than some asshat uploading a md5 sum. Everyone can create matching md5 files for any content, but only I can create sign files matching my secret key.
So please someone hit those GNOME idiots with a clue stick, those md5 files must go. Now.
Oh, and while you are at it, please also tell the gnome people to use a directory structure where mirror programs (and people!) can see whether there were new uploads without having to recurse through the monstrous moloch directory tree from hell. Thanks.
Sheesh. Now that wasn't so hard, was it?
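The point the post above makes (whoever can replace the tarball on a mirror can just as easily replace the .md5 file beside it, but cannot produce a matching .sign file without the maintainer's secret key), together with the earlier Debian remark about certifying code clean only against a checksum recorded before the break-in, as an added example that is not part of any post in this thread. It uses Go's standard-library Ed25519 in place of GnuPG, and the tarball bytes, key pair and "known-good" digest are all constructed inside the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror actually serves: the tarball plus the two kinds of
// sidecar file the thread argues about. Anyone who can write the tarball can
// write the .md5 next to it; the .sign needs the maintainer's secret key.
type Release struct {
	Tarball []byte
	MD5     string // contents of foo.tar.gz.md5
	Sig     []byte // contents of foo.tar.gz.sign (Ed25519 here, GnuPG in practice)
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's step: hash and sign the genuine tarball.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{Tarball: tarball, MD5: md5Hex(tarball), Sig: ed25519.Sign(priv, tarball)}
}

// Tamper models someone with write access to the mirror: swap the tarball and
// regenerate the .md5 to match. The .sign file cannot be regenerated without
// the secret key, so the stale one is left in place.
func Tamper(r Release, replacement []byte) Release {
	return Release{Tarball: replacement, MD5: md5Hex(replacement), Sig: r.Sig}
}

// VerifyMD5 is all a .md5 file lets a downloader check: tarball matches sidecar.
func VerifyMD5(r Release) bool { return md5Hex(r.Tarball) == r.MD5 }

// VerifySig checks the tarball against a public key obtained out of band
// (a keyring the user already trusts, not something fetched from the mirror).
func VerifySig(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// MatchesKnownGood is the post-break-in check: compare against a digest that
// was recorded before the incident and kept where the intruder could not reach.
func MatchesKnownGood(knownGoodSHA256 string, tarball []byte) bool {
	return sha256Hex(tarball) == knownGoodSHA256
}

// Outcome collects the results so they can be checked rather than only printed.
type Outcome struct {
	GenuineMD5OK, GenuineSigOK   bool
	TamperedMD5OK, TamperedSigOK bool
	TamperedKnownGoodOK          bool
}

// Demo runs the whole scenario on constructed data (no real project or key).
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the maintainer's GnuPG key
	if err != nil {
		return Outcome{}, err
	}
	genuine := []byte("constructed tarball: clean release 1.0")
	backdoored := []byte("constructed tarball: release 1.0 plus an extra line")

	knownGood := sha256Hex(genuine) // recorded off-server before any break-in

	good := Publish(priv, genuine)
	bad := Tamper(good, backdoored)

	return Outcome{
		GenuineMD5OK:        VerifyMD5(good),
		GenuineSigOK:        VerifySig(pub, good),
		TamperedMD5OK:       VerifyMD5(bad),      // true: the .md5 was swapped along with the tarball
		TamperedSigOK:       VerifySig(pub, bad), // false: the signature covers the old bytes
		TamperedKnownGoodOK: MatchesKnownGood(knownGood, bad.Tarball), // false
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  md5=%v sig=%v\n", o.GenuineMD5OK, o.GenuineSigOK)
	fmt.Printf("tampered: md5=%v sig=%v known-good=%v\n", o.TamperedMD5OK, o.TamperedSigOK, o.TamperedKnownGoodOK)
}
```

The design choice worth noting is where each secret lives: the .md5 check needs nothing the mirror does not already hold, so it only detects accidental corruption, while the signature check depends on a key that was never on the server and the known-good comparison depends on a digest that was recorded before the server was touched. Both of the latter fail on the tampered release; the .md5 check passes.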
Why put this flame bait here? Don't we have enough material for a lifetime already from SCO? :-)
The funny thing is that I heard this argument back in 1995 from a guy that thought 555.555.555.555 would be a valid IP address. His argument was exactly the same: "you get what you pay for". But it's a self-defeating argument, since it would make you choose AIX, HP/UX, and Oracle over much less expensive Microsoft products.
Irony of ironies, Microsoft products may be the only good example of getting just what you paid for. And sometimes even less.
Besides, Microsoft advocates should not attempt to polarize the argument, since Microsoft is the guy in the middle when it comes to price.
Or is his point that it never gets any better than MyDoomA and MyDoomB and we better learn to live with it? 'Cause I think we already disproved that one...
Don't let THEM immanentize the Eschaton!
Plus, el supremo Jones fails to comprehend the concept of reverse engineering. Perhaps learning things is more difficult with that enormous wad of MicrosoftBucks that keeps showing up in his bank account.
-----------------------
You are what you think.
To look at it another way...
If the user has examined just 5% of the source on his machine, that is 5% more than he could see on a closed source system. You should also take into consideration that each user may be looking at different sections of code, so among the community you are looking at much larger portions of the codebase having been examined. With a closed source version of the FSF breach, we wouldn't even have the opportunity to check the program. Our only recourse would be to locate an earlier version or hope that the vendor located any malicious code that had gotten into the system.
Even if we could trust closed source vendors producing completely secure code, all it takes is someone between the vendor and the consumer modifying the product. Closed source doesn't magically protect the user from tampering. No CD patches are an excellent example of people modifying closed source software to behave differently. That No CD patch could easily have been a backdoor or any number of other malicious pieces of code. All it would take is someone patching some popular app and replacing the patched version somewhere in the distribution system. Just think of the problems a popular patched app could do if it were placed on something like Downloads.com.
Compare DIEBOLD voting machines VS the Australian voting system.
Photoshop, HP, etc. hidden currency counterfeit code VS the Gimp.
Trust that Microsoft won't embed heavily encrypted code that causes problems with Mozilla, etc., as has been documented many times before.
In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.
He never heard of a virus? EXEs are not that hard to change, and if you take the copy mechanism out, it's very easy to create a trojan from any given binary and even encrypt it. Source code doesn't give you any magic way to corrupt a program, any more than a binary does. You have to trust the source, but in general 99% of the time there isn't anything to be worried about.
If he is this paranoid, the only solution is for the government to write their own operating system, monitor everyone's computers, library reading habits, television viewing and email. Only then can we TRUST that we will be safe.
So obvious... Maybe they are just hoping to sell more ads. Too bad for Mozilla and Adblock.
Do you seriously think that your suggested method of detection will fly with anyone, except a small slice of the computer user population who would have the skill (not to mention the time) to compile everything from source?
Do you think it is wise to wait and see if something acts strangely before doing something about it? How long do you think it would take you to notice that something was "behaving strangely" after all your files have been removed?
You need to widen your focus, the world is not comprised solely of developers and sysadmins....
If you get what you pay for, then pay something in the region of what you'd have paid for a year's worth of MS licenses and have the code of the OS projects you're gonna be using security-audited.
And at the end of it you can have some confidence in the security, more than can be said for the closed source option.
Although I agree to a point with your argument I would like to draw your attention to a rather crucial difference between use of Windows and Linux/Unix in general.
Windows does not have a facility to temporarily raise privilege level like what can be found in Linux ("su", for example), nor does the default installation support/encourage that model. The net consequence for a Windows user who occasionally installs software is that they're likely to run the system with Administrator privileges (that's the equivalent of root to those that have been lucky enough never to have been near a Windows box ;-). In other words, malicious code will find a wide open barn door straight into the heart of the OS. Duh.
Compare that against Linux where distributions basically enforce the creation of a user account for normal use, in other words, lowered privilege during normal operation. That doesn't stop root level activities, but they require explicit permission first. It is considered good practice not to run any Unix box as root, and that alone will be quite a substantial barrier to deep level exposures (assuming the malware isn't exploiting an OS vulnerability to escalate its privilege level - that's a risk in itself).
If I compare the two approaches I favour the Unix one, because it encourages the user to be safe without making too much of a point of it. It is unrealistic to expect the average end user to understand the depths of system security - that is our job. It would be a bit like expecting them to be a car mechanic before they're allowed to drive - that would be too high an expectation. Having a driving license (i.e. having had a degree of training) would be nice, though.
Insert
#include <advocacy/gentoo.h>
#include <advocacy/freebsd.h>
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
I think that any government agency serious about security would probably audit the code and possibly add more security to the code of any distro they want to use before they begin to use the software. The only way I can see someone taking advantage of open source, without getting caught relatively quickly, would be to publish something as open source, provide clean source, but compile the actual programs from a different source with malicious security holes. Now, this would only work if the organization using this installed from binaries. Other than that, I think it would take very little time for someone to notice malicious code in the source. Honestly, I would bet that governments love open source because they can see exactly what is going on and add or remove what they need to. I can't really see this situation coming up in real life:
Boss: "So, did you install the software on the new security mainframe?"
Employee: "Yup, Red Hat is all ready to go. Oh crap! Forgot to turn the firewall on. I'll be right back!"
SIGFAULT
Absolutely. Spot on. Can't use anything that's free, otherwise you automatically get problems.
Just as well nobody is stupid enough to breathe the air in the atmosphere, isn't it? I mean, who wouldn't go with cans of Ozone Friendly FreshAir(TM) Only $10 A Can?
And as for that wet stuff that comes out of clouds, nobody, surely, would be dim enough to think that was actually /drinkable/, would they? Har har har.
Repeat after me, all consumers: Free = Wrong. Pay Corporation $$$$$ = Right. Have you supported your local fat cat today by buying something that is normally available for no cash whatsoever?
Government has the ability to review, or hire someone to review, the source code they're going to use for an implementation and there are even gov admins who know how to do source control and compile software (shock, gasp, disbelief). They also know how to monitor their systems for suspicious activity.
Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public
What's he trying to say? They're not going to release the code for a public version of...what? And if they don't make the corrupt version public, what's the problem? Are they going to sneak it in to a government office and while the admin is looking the other way jam a thumb drive on the server? A-ha! Gotcha! What are they going to release if not the source code? And when the checksums and file sizes don't match they'll cover that how? Here's a new version of Mozilla, don't worry about the source code, just install this...whatever...and trust us.
Maybe some of you closer to the daily process can help me think of a scenario where that could happen, because I can't.
If someone is making a living writing crap like that, I'm definitely on the wrong end of the business.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
As opposed to getting the shaft from closed source?
Dumbass.
Geeks write open source because commercial products suck. It's that simple. The best OSS projects with a large user base were created because there was a need for a better product. If the commercial products had satisfied the user and were affordable, OSS wouldn't have gotten this far. Instead, it has grown because people want software that is better. Nothing is perfect, but the top OSS projects do produce better software than their proprietary counterparts. It is a matter of pride for developers; that's why it will get fixed.
the author rabidly hates dutch and gypsies.
Banner ads? Wow, I remember those, now that you mention them. The userContent.css I found at gozer.org/mozilla/ad_blocking/ has really spoiled me.
i don't like my old sig.
occasion ...
...
I can't remember that date and times
Now for the md5 post above this, first off you must be off your rocker to think md5 makes a difference, and I think the response to that post sums it up fine. rm realprog_md5_csum
md5 compromises_csum
Reupload... Give it a rest there. All that would be needed in, say, a *nix environment, be it Linux, BSD, Solaris, whatever, is one nicely placed backdoor, md5 checksum and all.
MoFscker
The Borland InterBase database server had a backdoor in place for 6 years! It wasn't until the product was open sourced that the backdoor was made public. See here for details.
I guess I'm proud to be known by the quality of my "enemies". Hah, I'm being Stalkdotted! Be careful, Anonymous Coward, you might learn something.
--
make install -not war
I'm sorry, that's a cliche, not an argument.
Certainly there are enough counter examples to prove that cost is not proportional to quality.
But, then again, people who live in glass houses shouldn't throw stones. Ergo, I am wrong.
The diff command and MD5 checksums of a clean repository will be sufficient to validate whether something was tampered with or not.
Since open source repositories have multiple mirrors all over the world, not to mention hundreds (or thousands, even millions in the case of certain projects) individuals who keep copies of the source - it is less likely that tampering would go unnoticed in Open Source for any significant period of time.
Whereas closed source shops - while having multiple branches of code in the repository - have only one master repository and backups. That is it. If the main repository gets hacked - or a module is 'legitimately' modified by a disgruntled employee - there is no guarantee the company will be able to:
A) Detect the problem to begin with - the dogs will be eating the binary dog food, after all, and won't know if the release they got from the company is good or not. There is little motivation to put resources toward reviewing the code - certainly not at the level that the OS community can muster.
B) Fix the problem - a company can sit on a problem for months or years because they are motivated to only apply resources to things that will increase revenue. Not so with OS - anyone can submit a patch to a software team to correct problems - so the combination of the number of eyeballs looking for problems, and the low cost of fixing problems wins hands down.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
you get what you are persuaded to pay for..
... in an Open Source program or a commercial program?"
Why do you think that open-source and commercial form a dichotomy? If anything, Free and commercial is as close to a dichotomy as anyone is going to find in comparing those two general camps. But, Red Hat, IBM, Suse, etc are all examples of Free commercial software.
Urinalist?
What skill? ./configure && make && sudo make install; that's pretty damned brainless after 6 months exposed to a command line, and can be monkeyed out in even less time. You don't need to understand any of the source underneath to re-compile and check if the binaries match.
That which is done from love exists beyond good and evil
check out the link:
http://www.secunia.com/product/?menu=#os_M
it lists security holes for different OSes
#of holes in Linux 2.6: 1
#of holes in winxp home: 50
#of holes in winxp pro: 58
this guy brings up some good points. Too bad there is no evidence to support them.
Except with open source, you can always spin off your own distro with your buddies if the ones currently around don't work for you, and it's a lot harder to move to another nation if your homeland's government (democracy or not) doesn't work for you.
So if democracies are a good idea for governments (which could be also argued are like operating systems, for example), open source is a good idea for software with the extra benefit of being able to find another distro or fix yourself up one if the current one is unsatisfactory. Just use a little common sense when choosing a specific program. Malware and the like are the product of a few people with interests against the whole; a whole bunch of people, on the other hand, aren't going to purposely give themselves problems.
Has he no knowledge of the numerous papers that have pretty much torn apart the concept he proposed? Or did he think he invented the idea of Security by Obscurity???
Yes, not letting people see the holes in your software does make it harder to break into them. But it also makes it impossible for white hats (good guys/hackers) to find and correct them.
Open source has pretty much demonstrated that the number of white hats examining their software is greater than the number of black hats (criminals/crackers) and that the white hats tend to have more experience, creativity, and skill than the black hats.
Finally, when your stuff DOES get cracked open, the open source nature means it is far easier to figure out how it happened, to fix it, and to publicize the fix preventing additional break ins.
Q.E.D. Open source is more secure than closed source.
excitingthingstodo.blogspot.com
Right on.
Was this guy hired by Micro$oft? Seriously.
His arguments were so unconvincing and universally applicable to both open and closed source software that the whole article seemed like a joke.
I have yet to see even a *small* example of what he's talking about, but on the other hand there are numerous examples of proprietary software having back-doors, exploits and vulnerabilities that were not fixed for YEARS after the release of a product.
Examples:
1. Pix firewalls. These things have had numerous problems from day one and many were not fixed for many months.
2. I think it was 3com that had a default password on their switches/routers that anyone could use to access them. This was put in place by the company to allow technicians to service any unit.
3. The meta-data hidden in M$ Office documents. It has now even been documented by the government (and eventually Micro$oft) how to reduce the amount of meta-data in those documents. Hmm, I don't think this would have been an issue with open-source software.
There are many, many more examples, but these are the only ones I can think of off the top of my head.
He also said Linux was riddled with about the same amount of security problems as Windows. In what world? If you look at sheer numbers of vulnerabilities, yes, a copy of Windows 2000 (56) has fewer than a copy of Red Hat Advanced Server 2.1 (109). But look at the actual exploits; most of the Windows problems will allow REMOTE administrative access or complete DoS. The Red Hat/Linux vulnerabilities are largely local application DoS issues and local privilege escalation in an application that usually isn't even running. Not to mention it may not even be installed (oh no! they've compromised mutt!). Conversely, how many Windows machines have been affected by worms compared to Linux machines?
Additionally, there are many programs on Linux that have their vulnerabilities found and fixed because the source is freely available. How many holes still exist in Windows and are waiting to be discovered?
All of the real-world proof completely refutes all of his pretenses.
Bah.
I don't want to sell anything, buy anything, or process anything. I don't want to sell anything bought or processed...
I work for a major corporation that uses open source, but we don't publish anything into production without doing extensive security testing. This includes third party security audits, and they've ripped apart just about every single vendor's POS (piece of software) that we've installed. At least when they uncover a problem with the open source packages, we can get patches quickly or it's actually a vendor's product that interfaces with Apache, etc. If you're that big an entity with sensitive information and don't follow basic security measures, you're just asking for trouble. I don't think any IT professional in today's world can plead ignorance to security (funding, well, that's a different story) :\
Just my $0.02
If the government or any business is installing server software or mission critical applications it should be by a sysadmin. These people should not have the slightest problem compiling from source.
How strange it is to be anything at all
"The proof of the pudding is in the eating."
For those of you not familiar with English-language aphorisms and especially those that don't know that a few centuries ago, "proof" meant "test", this means, in the context of interest:
So, which code base has proven to be the less secure?
A small and ever-decreasing percentage of users compile their own binaries, let alone check the result. [Emphasis added]
Compare:
.05% of 100,000 is 50
50% of 10 is 5
I'd much rather have .05% of 100,000 checking than 50% of 10.
It takes very few to notice something peculiar and investigate. The malefactors get caught out if anybody notices anything. Since anybody can examine everything of interest, it would be extremely difficult for a malefactor to actually accomplish much of anything against Open Source.
This story makes no sense whatsoever. From what I can work out, he's saying that although the source may be auditable, back-doors could be introduced (but not made public) before it is compiled into a distro. Leaving aside the obvious GPL violation :-) he seems to be saying that someone in Red Hat, for example, would be introducing the back-door. But how is this any different than someone in Microsoft doing so with Windows, except that the source was never available in the first place? And why, exactly, would Red Hat be likely to do this while Microsoft does not?
It just doesn't make sense. Indeed, Microsoft only launched its Shared Source Initiative and Government Security Programme, allowing restricted access to the Windows source, because it acknowledged source auditability to be an advantage of open source.
You're missing the point. They _know_ when the compromises took place. I had a project on Savannah, and when they discovered the backdoor, they had the CVS repository from backups from before the incident and from after the incident. Each project leader was to compare the diffs between the two to make sure that there was no altered code.
Engineering and the Ultimate
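One way to carry out the "diff and checksums of a clean repository" check mentioned a few comments up, and the before/after backup comparison described in the comment above, as an added example that is not any commenter's code: it hashes every file in two directory trees and lists what was added, removed or changed. Both trees are constructed inline in a temporary directory; the clean snapshot's digests must come from somewhere the intruder could not also edit (an offline backup or an independent mirror), which is exactly why the md5 file served beside the tarball is not enough on its own.

```python
"""Tamper check between a known-clean source snapshot and a suspect copy.

Added example (not code from any commenter above). Hashes every file in two
directory trees and reports files that were added, removed or modified, the
way pre- and post-incident repository backups would be compared. Sample trees
are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(clean, suspect):
    """Return (added, removed, modified) path lists between two digest maps.

    `clean` must come from a copy the intruder could not reach (offline backup,
    independent mirror); a checksum list stored next to the suspect files can
    be rewritten along with them.
    """
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    modified = sorted(p for p in clean.keys() & suspect.keys()
                      if clean[p] != suspect[p])
    return added, removed, modified


def build_sample_trees(base):
    """Construct a clean snapshot and a tampered copy under `base` (sample data)."""
    clean = Path(base) / "clean"
    suspect = Path(base) / "suspect"
    files = {
        "src/main.c": "int main(void) { return run(); }\n",
        "src/auth.c": "int check(const char *pw) { return verify(pw); }\n",
        "README": "sample project\n",
    }
    for rel, text in files.items():
        for root in (clean, suspect):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    # Constructed tampering in the suspect copy: one file altered so the
    # check always passes, one new file dropped in, one file deleted.
    (suspect / "src/auth.c").write_text(
        "int check(const char *pw) { (void)pw; return 1; }\n")
    (suspect / "src/extra.c").write_text("/* not in the clean snapshot */\n")
    (suspect / "README").unlink()
    return clean, suspect


def run_check():
    """Build the sample trees, compare them, and return the three lists."""
    with tempfile.TemporaryDirectory() as base:
        clean_dir, suspect_dir = build_sample_trees(base)
        return compare_trees(hash_tree(clean_dir), hash_tree(suspect_dir))


if __name__ == "__main__":
    added, removed, modified = run_check()
    for label, items in (("added", added), ("removed", removed),
                         ("modified", modified)):
        print(f"{label}: {items}")
```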
Closed Source Is Fertile Ground for Foul Play
The nature of closed source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into closed source and avoid detection during security testing, making government adoption of closed source particularly worrisome.
by Swoogan February 11, 2004
An old adage that governments would be well-served to heed is: A penny saved is a penny earned. When you rely on medium and high-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because closed source products are less capable or less efficient than non-commercial products, but because sooner or later, governments that rely on expensive closed source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--a closed source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the closed source software from inside, by someone working on the project.
This will happen because the closed source model, which does not let anyone modify source code and sell or distribute the results, virtually guarantees that if the writer inserts malicious code into the source it will not be found. Malevolent code can enter closed source software at several levels. First, and most worrisome, is that the core project code could be compromised by inclusion of source fix or extension. As the core code is not carefully scrutinized, it is terribly likely. Even more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows (for example), and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself, the same possibilities (and probabilities) exist for every closed source software package installed and used on the machines.
How Can This Happen?
The products of the closed source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, an expensive closed-source operating system, the expensive closed-source IIS Web server, and closed source office suites. There are several reasons that closed source software--and Windows in particular--are seeing such a dramatic uptick in use, including Microsoft's extensive Windows support effort over the past several years, and the perception that Windows is more secure than Linux, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)
So far, major closed source distributors such as Microsoft and others have been able to discover and remedy attacks on their core source-code servers. The distributors point to the fact that they discovered and privately discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give a
Swoogan
sigs are for losers...and ppl who can think of one.
The attempts failed because of the meticulous grooming given by the "many eyes" watching each open source release.
Any one can write a new kernel patch. But getting these patches accepted is a whole different story.
Conversely, years after the commercial, closed-source program Borland Interbase was released and used worldwide, it was found that it contained a back-door.
So recent history proves the article is wrong. Facts demonstrate exactly the opposite of what the article rants about.
Conclusion: the article is an unsubstantiated troll written by a Microsoftie eager to fart FUD at the Penguin. Ignore.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."
Oh the irony! The very next slashdot story is about Windows NT and 2000 source code being leaked to the net.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
-------- In Soviet Russia, "Soviet Russia" sigs hate Slashdot.
The client's new web site involved the buying and selling of goods, and by using open source, there was the chance of someone having access to 90% of the code base and being able to find ways of exploiting the system. Because of this, they decided to code their own. That's not to say that there won't be exploits, but it also helps them keep a leg up on the competition.
To think this doesn't happen: I ran an online browser-based MMPOG that was open source. People would download the source to figure out how to exploit the system. It wasn't exactly fair, so I rewrote a lot of the code and never released it. That pissed off the GPL-Nazi crowd, even though there was nothing wrong with it because I was using the code for internal use and wasn't going to sell or distribute it. Personally it's one reason why I have now switched completely away from Linux to FreeBSD in protest, now that affordable dedicated FreeBSD servers are out there.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Here is an article detailing how MS shipped a virus to developers.
http://news.com.com/2100-1001_3-240413.html
For something more recent, here is an article about a virus Novell shipped out.
http://www.nwfusion.com/newsletters/netware/2003/0714nw1.html
Now why should we believe that closed source is so much safer than open source?
That Mr. Jones' article is immediately followed on Slashdot by an alarmist story about how the Win2K source has been leaked, and how this means a new flood of vulnerabilities is coming now that the source code is available.
Boy, secret proprietary code sure is safe, isn't it?
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
I found your article quite thought provoking, as the arguments seem logical, but they do not match with my several decades of engineering and operating enterprise class software systems. I think that there's a disconnect between the theoretical weaknesses of the open source software development model that you raise and its actual practice.
With open source software, anyone can in theory contribute code, but in practice there are two strong limits on abuse: open source projects are actually closely controlled by a core set of trusted developers, so outsiders can't submit code directly into the repository, and anyone who is concerned can inspect the code. So, to actually get an intentional flaw into an open source project, one would have to spend time becoming a trusted developer, then construct a flaw subtle enough that it would not be detected by other developers working on the project. And because the process is completely transparent and thoroughly auditable, once any intentional code defects are located the source can be determined and addressed, other code from the same source inspected, and so on. So while in theory there's the risk that you mention, it doesn't seem to actually occur.
With closed source software, in theory access to the source code is limited to trusted employees, but in practice most software companies are fairly easy to penetrate (via new hires, consultants, and outsourcing) so that a malicious engineer could gain access to the source code and submit changes, and for most closed source projects there is far less peer review of the code, so those changes are less likely to be noticed. And since there is no public visibility into the situation, there is less incentive to fix the actual problem, and technical concerns can be overridden by business goals. You can read the widely disseminated Diebold emails for an example of this sort of thinking. So while in theory closed source software might seem better controlled, in practice there are numerous occurrences of engineers injecting code into their projects for personal gain (in Nevada, for example, they regularly catch engineers inserting "cheats" into gambling machines, sometimes after amassing small fortunes).
The end result is that in practice, open source projects have much less trouble with errant code getting into their projects than do closed source projects.
While I believe that "you get what you pay for" is generally good advice, I think that you're missing the ways that companies "pay for" open source software, i.e. by "barter" rather than cash. The many companies using open source software all "pay for" the development of the operating system, but they do so through contributing engineering effort (e.g. IBM, SGI, HP) and by submitting bug reports, rather than by paying a vendor to do the engineering and testing. Of course, many companies purchase support contracts for open source software, in which case they're "getting what they pay for" through the more traditional mechanism of money. So you're not getting something for nothing -- you're just paying by effort, or by purchasing a support contract, instead of for software licensing costs.
When companies that I've been with have used open source software it's rarely for the simplistic reason that there's no purchase price -- it is because the total cost of ownership is lower. I've run extremely large server farms of a wide range of operating systems (NT, BSD, Linux, Solaris, Digital UNIX, HP/UX, etc.) and in every case the purchase price of the software was insignificant compared to the operational costs (hardware, staffing, etc.). Rather pleasantly, open source systems have matured to the point where they're not only easier and less expensive to acquire (no vendor negotiations, etc.) but are often as low or lower in cost to deploy and operate, and as efficient or more efficient. Of course, the specific situations shape the issues -- if you need an enterprise class database, MySQL isn't an option, and if your application only runs on NT, you run NT. But in my experience, when picking between comparable open and closed source solutions, it's better for the customer to pick the open source solution and spend the offset licensing fees on staff or training.
Enable 3D printed prosthetics!
still living in their parents house?
I think the government might just have the time to make this sort of check, and as others have said, it only takes one person to notice. Your second point is valid, as is borne out by the Debian/micq dispute (also mentioned previously in these comments), but that ironically isn't a point that Jones attempted to make in the article - he seems to be concerned with unpublished back-doors that don't appear in the source.
I, doubt, he'd, bother, to, read, it, since, you, obviously, have, a, fetish ,with, the, comma.
My boss used to do custom business software and database programming back in the big iron days. He said that in order to do customer support they would often build in a way to shell into the machines remotely to do the diagnostics.
No problem there. But the kicker was that he would build back doors into the programs that only he knew about, so if they changed the front door passwords or otherwise screwed it up, he could still get in.
The big problem was that he wouldn't tell his customers about these back doors. This is financial and tax data we're talking about. He saw no ethical problem with this. None at all. Fortunately he's not a malicious guy,
This isn't a surprise to anybody, right? I was just shocked at the total and complete lack of guilt over doing this. And he's otherwise a normal guy. That's scary.
Why do I have this? I don't smoke.
Good point. How many people use the OEM copy of Windows that came with their computer? I'm sure this number is easily over 50%. That man in the middle is any computer manufacturer. "But Dell/HP/Gateway would never do that to us!" Really? Seeing how they are manufactured in places like China and India, which lead the world in pirated software, do you really trust them? To put it more bluntly... do you trust China to manufacture computers that are to be used in the US Department of Defense??!?!
"Interesting" article.
I was particularly interested in the advertising at the bottom of the page for a number of M$ and .NET related services; that, coupled with the site running on IIS, makes me question the agenda of the author.
Just my $0.02
The only argument this guy makes is that it is not good to use software from people you don't trust.
True. Obvious.
What's maybe not so obvious is the less you have to trust the vendor, the better.
Contrast:
[ ] Always trust Microsoft
[ ] Always trust RedHat
Why the ^%*^&%&* should I have to trust RedHat?
Methinks that an essential part of any con game is that the victim must trust the con artist.
But to claim that commercial software is safer from deliberate authorial corruption takes willful and deliberate ignorance.
What, you mean all the big corporations aren't looking out for my best interest?
Sure I'm paranoid, but am I paranoid enough?
as an example: Borland InterBase backdoor detected
I submitted the following response in a letter to the editor:
Dear Sir or Madam,
I am concerned that Mr. Jones's column of February 11th, "Open Source is Fertile Grounds for Foul Play," indicates a significant misunderstanding of open-source development processes. The argument presented is that all software development carries the risk that malicious code will be inserted by insiders, and that open-source is especially vulnerable because more people are insiders. The first part is absolutely true, and applies to both closed- and open-source development as Mr. Jones acknowledges, but the second part does not stand up to scrutiny.
Most open-source projects have only a small group of "core developers" who have the ability to modify the official source code, just as is the case with proprietary software development. Any malicious person could insert destructive code into his or her own copy, but not back into the official version. That leaves the possibility of intentional compromise by the core developers, or by subsequent distributors. The first is a risk, but less so than with proprietary software: The number of people in a position to corrupt the source is similar in both models, but the possibility of outside review reduces the danger for open-source software. Mr. Jones posits that core developers could avoid such scrutiny by not making the corrupted version public, but this is nonsensical: The version of the source code available for use is by definition also available for review.
The other concern raised is that distributors who re-package open source software could add vulnerabilities. Again, this is possible, but no more so than with proprietary software. It's easy for an attacker to add malicious code to compiled binaries; indeed much pirated software is reported to contain viruses or Trojan Horses. For both open-source and proprietary software, the solution is the same: Be careful who you get your software from. Downloading open-source software directly from the public sources or buying a packaged version from a trustworthy distributor is no riskier than buying e.g. Windows directly from Microsoft or a system integrator like IBM. If a consumer buys either open- or closed-source software from Bob's Back-Alley Software and Pawn Shop, well, it's a bad idea either way.
Open-source is not the security panacea that some advocates make it out to be, but it doesn't incur the added risks which Mr. Jones attributes to it, either. A government or other user which applies common sense to its software acquisition is no more at risk from open-source software than closed-source, and may even be a bit safer.
Respectfully,
Eric Anderson
--
Eric Anderson - anderson@cs.uoregon.edu
University of Oregon Network Security Research Lab
PGP fingerprints:
D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12
9544 C724 CAF3 DC63 8CAB 5F30 68AE 5C63 B282 2D79
It's funny, but if you just make opposite words out of this article, you get something that sounds just as reasonable about Microsoft.. Try it out!
"In short, Microsoft's expensive and high-cost software products are likely to be widely adopted in governments, where spending public money for licenses is an easy justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify."
"Microsoft software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be."
Man, this is fun! Nothing like reading Microsoft gimp droppings! drool.
As everyone posting / reading on this site knows, Open Source is a platform that is used to share knowledge about techniques and the inner workings of software / hardware. This has been used only for the benefit of the community that is interested, no membership card required, and was never even pushed into the mainstream. Now companies are realizing that there is no "magic" to operating systems and they can do it themselves, own the code and hire programmers to code it for them. They are under no pressure to patch the software, or even listen to the Linux community at large on procedures. Maintaining software becomes faster and easier and MUCH less expensive; once the project is done it is theirs and there is no need to pay anyone any additional fees to keep it. This is all because apparently we have discovered all there is to know about operating systems. How do I know this? Simply because there has not been an innovation that has eclipsed Linux; even kernel 2.2 can keep up with the GUIs and stability that Microsoft has started. The GUI hasn't changed since the Mac in 1982, multitasking was started in UNIX before the Mac, there is nothing new; Microsoft hasn't invented a single thing since day 1, Bill even bought QDOS to build on to become MSDOS. Now it is the mal-educated that think that open source is wrong because they think we are trying to take over the big software companies and take all of their profits... LOL ... We are just watching this happen; some of us take credit where we really shouldn't, we are just sharing knowledge. It just so happens that this is the same knowledge that software companies have and is available for anyone to learn. Do you have to use Linux to take advantage of it? No! Reading source on AGP will give you a very good understanding of what it is about, and then you could apply this to *ANY* operating system as long as you are still building on AGP.
Open Source will always exist whether certain individuals think it is right or not, because we are curious, and best of all, when it really comes down to it, do we really care if everyone on the planet uses Open Source? No, it just gives an opportunity to learn about computing. Open source is not for profit, it is about education; it just so happens that no one is able to take this lesson any further than what is already out there.
That is why closed source is going to die a slow and painful death in the operating system world; they have done it to themselves. The door is always open for an amazing new interface, filing system, method for organizing, optimizing, executing code. When that happens the open source community will get together and learn how it works, and in time will be able to understand how it works. Operating systems, as of the time of this writing, have been completed. Unless some thing/one comes along with a new ideal, Open Source will take over, as it is now, for all to see and use. Move on and work on the "Next big thing" and try to outdo open source; we *want you to*.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Yup, that's true. Hey, Russel, how much did you pay for your wife?
Uh huh.
Well, it shows.
Whenever I hear that stupid argument, I am reminded of that scene in Blues Brothers, in the restaurant:
Jake: How much for the little girl? How much for the women?
Man: What?
Jake: Your women. I want to buy your women. The little girl, your daughters... sell them to me. Sell me your children
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
Some do. I'm proof by existence.
There is a way to get the word out. /., USENET, mailing lists and distro alerts are just a few ways.
As for the malware in the source, you are of course correct. However, it is exposed, so therefore can be found. In fact, will be found, eventually.
I didn't rtfa, but the kind of FUD against OSS that it apparently implies is at best misleading, and at worst . . . well I don't like to think in the "at worst" terms . . .
http://slashdot.org/articles/04/02/12/2114228.shtml?tid=109&tid=187
It just lacks the advantage of peer review all these years.
Mr Jones,
So, a major Closed Source OS vendor including specific checks for software that competes with that vendor's other software offerings, and refusing to work or crashing when the competing software is launched, is not a possibility? No, it's a fact, and Microsoft did it. Articles like these simply allow Open Source Software users and authors to ignore their writers indefinitely, actually, since it is obvious that authors such as yourself do not understand the core principles of Open Source.
I have a large number of analogies that might make sense to you, here is one.
Closed Source:
I like to work on cars. I have an idea for a car that I would like to build. I build my car. I show it. Painfully over a period of years, from looking at other custom cars, I come up with one that I really like and then maintain it because I enjoy it.
The Closed Source Analogue:
I like to code. I have an idea for some code that I would like to write. I write the code and distribute as closed source shareware. Painfully, over a period of years, from user observations and using other code, I come up with something that really serves my needs, that I maintain because I enjoy it.
Open Source:
I like to work on cars. I have an idea for a car that I would like to build. I build a prototype of my car. I show it to the world and explain my idea. Other people who like to build cars may or may not help by randomly showing up in my garage and wrenching, bringing cool tools, paint, parts, etc. Other people will suggest improvements or point out flaws. In a matter of months, the initial build is done and I get to use the car I like, and copies of my car are available to anyone who wants to test drive it or use it every day. Further improvements arrive and I oversee their addition to the car. It weighs less, goes faster, is more comfortable, and does things I couldn't have dreamed of because it leverages the skill, talent, and needs of everyone who liked the idea. I maintain it, or allow others to maintain it, because it is a tour de force in the automotive realm and suits my needs better than any other car in existence.
Open Source Analogue:
See above, inserting code for car.
Now, I ask you, would we let anyone run a grinder over my beautiful car? Would we be any less observant of the additions being made than the single shareware author? Would anyone else working on the car allow a malcontent to destroy the engine?
Once it is out of my hands and in the community, the probability of the changes you describe occurring is lost in the noise compared to the probability that a major vendor will try to handicap its competitors. As has been SEEN in the past and will be SEEN in the future. You really shouldn't comment on things you don't truly understand. To believe that people whose hearts and souls are entwined in something have less motive to maintain the purity of their code compared to people who are punching a timeclock and subject to the whims of managers, deadlines, competition, and cost containment is a manifest misunderstanding of the nature of man.
Stop playing chicken little and take off the tinfoil hat.
andy
The Big News Page
...that take months or more to get patched, you have well documented holes that take HOURS to get patched.
I mod down pyramid schemes in sigs.
On the one hand I support open source and think it's far more sensible than "security by obscurity". But on the other hand, governments getting the shaft sounds like an excellent thing, long past due, well earned and much to be encouraged. Oh me oh my, the dilemma!
I have worked in environments in which criminal gangs were quite active, specifically banks that process credit cards (www.outlander.com for my background).
The claim that Open Source Projects are especially vulnerable to infiltration by folks with malicious intent strikes me as strange.
We have large companies like Oracle and Microsoft extremely dependent upon technical help from politically volatile parts of the world (i.e. India/Pakistan, where there was a serious threat of nuclear war not long ago), places where criminal terrorist organizations can run operations they can't in a developed country. In India, there are, for example, tens of thousands of people that have been declared legally dead so someone can seize their property, and the victims can't clear up the issue years later.
It isn't an issue of intent. Some overseas criminal organizations have a reputation for blackmailing their countrymen that don't want to participate in criminal activity, holding relatives as hostages.
Can the average US company really do an effective background check in this kind of environment?
With an open source project, at least I have a reasonable chance of understanding who the actual engineers of the project are, and I can judge the security based on the reputations of the people involved. I _can_ get an independent examination of the code involved if I'm willing to pay for the service.
Large "US" companies have this habit of substituting the cheapest possible resources with no consideration of long term consequences. How much is the word of a Larry Ellison or Bill Gates really worth on the subject of security? Would you bet your life on their judgement?
If you aren't vetting the FOSS code you run, you could potentially be exposed to something like that. But that is an argument for decent software auditing practices, (regardless of source type) not an argument not to use FOSS.
The conclusion is as suspect as a five 9's reliability claim for a M$ OS, but the underlying concern is legitimate.
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
Quick everyone! Crash his mail server just to show him he's misguided! That'll teach them...
95% of all computer errors occur between chair and keyboard (TM)
Developers and sysadmins are the only ones who are going to notice anyway...my mom doesn't think about whether or not her new program does just what it says it will, and wouldn't update it, or ever be aware of this type of problem unless somebody told her about it.
Do you think Microsoft finds most of the vulnerabilities in its products, or the legion of geeks out there?
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
The "automatiseringsgids", a weekly magazine in the Netherlands on IT, just reported that Open Source did not get its foot in the door of Government.
One of the biggest problems mentioned about putting open source to work was the very high level of trust a company has to have to get any contracts from government, ruling out (open source) upstarts.
And this guy says:
Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Yeah, like that's ever gonna happen. What a load of (door slams) - shrek.
Hell, I PAID for Windows 9x/2000. And all I've been doing this past year is scraping off the mess on the hard drive from crap like Nimda/Code Red/Klex/MyDoom/etc. that exploits the stuff I paid for. That, and flinching like a soldier in Iraq every time I see another article like this!
I'm not tense. I'm just terribly, terribly, alert.
Do I want my government to pay a premium for software, or use open source for free?
Neither product can guarantee it's bulletproof, so in the end, Open Source is still the best option.
Does a taxpayer care whether software that was exploited was OS or MS? Nope. They just want to know how much money came out of their wallet to pay for it.
If all someone does is check an MD5 on the executable they produce, they wasted their time and might as well have fetched the binary because nothing they build on their own is likely to match the official binary's MD5 anyway. The only real way to guarantee integrity is to require that every checked-in version of every file be signed using a trusted developer's key that is not stored on the public server. Far fewer than 100K people are even capable of doing such a check for any project without resulting in gazillions of false alarms that would only make it harder to spot the one real intrusion; realistically it will only be done by someone on the project's dev team. In other words, about the same number of people are really doing an effective check on an open-source project as would be doing one on a closed-source project. Given that a source-level exploit is more likely to occur in the first place when the source is widely and anonymously available, I'd say this indicates a danger that really is greater for open source. That doesn't mean open source is generally less secure; it just means that this one scenario does not favor them. The sourceforge etc. exploits demonstrate the danger of source exploits, and the open source community would be better off recognizing it than denying it.
Slashdot - News for Herds. Stuff that Splatters.
Yet another thing to put down to intelligence failure.
I remember, back when I was at college, someone from one of my country's intelligence agencies (consider them equivalent to the NSA) visiting to give a talk about what they did. Which apparently mostly consisted of drinking coffee, from how much they could tell us.
But more seriously, one of the things they did was helping ensure that software products were secure, by checking over their code. If I remember correctly, they went as far as saying that they wouldn't approve software unless they had the source code. I would imagine that other countries have similar departments doing the same thing.
Which puts, in terms of governmental security, open and closed source on the same footing, does it not? Okay, sure, many businesses aren't large enough to make it worthwhile for companies to open their source to them, but this should at least answer his governmental concerns.
...Microsoft or SCO.
I read the article and the guy made some reasonable points which did give me some concerns. However, on thinking it over there is a major difference between open and closed projects.
If a backdoor is inserted in an open source project, then the chances are that someone somewhere will eventually find it. And once it is found the CVS logs will indicate who made the change, or if no CVS logs (savages!) then there will be a very small set of people in the frame. Once the culprit is known they are history, the open source people will regard them as scum (would you want them on your project?) and if the word spreads to their employer they're in line for the sack.
No one would tolerate someone who subverts a project like that, and their reputation would spread I think. Apart from legal issues.
On the other hand, with a closed source project, even if the backdoor is found (unlikely) the company could say anything about it (after all, you don't have access to the version control software), so it might even be a 'feature' supported by an unwritten company policy.
Bitter and proud of it.
fefe is right. .md5 files are no security at all. You want signatures. .md5 files actually make me laugh whenever I see them because some idiot thinks that somehow they make a difference. They don't. Stop fooling yourself. Start using digital signatures.
Need a Python, C++, Unix, Linux develop
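The two posts above (the one on checking MD5s against a signed check-in, and this one on .md5 files versus signatures) make the same point: a hash published next to the file proves nothing about who produced it, because whoever can swap the file can regenerate the hash. The following is an added example, not code from any of the posters or from any project named here; it uses Go's standard crypto/ed25519 as a stand-in for the PGP signatures the posts have in mind, and all keys, file contents and the "mirror" are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download mirror publishes: the artifact, the .md5
// file that sits beside it, and a detached ed25519 signature over the
// artifact. Everything here is constructed sample data.
type Release struct {
	Artifact []byte
	MD5File  string // contents of the published .md5 file (hex digest)
	Sig      []byte // detached signature over Artifact
}

// md5Hex returns the hex MD5 digest exactly as a .md5 file would carry it.
func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish simulates the maintainer's release step. The private key is used
// here and nowhere else; in particular it never lands on the mirror.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{
		Artifact: artifact,
		MD5File:  md5Hex(artifact),
		Sig:      ed25519.Sign(priv, artifact),
	}
}

// Tamper simulates someone who controls the mirror: the artifact is swapped
// and the .md5 file is simply regenerated, which costs nothing because a hash
// needs no secret. The signature cannot be regenerated without the
// maintainer's key, so the stale one is left in place.
func Tamper(r Release, replacement []byte) Release {
	return Release{
		Artifact: replacement,
		MD5File:  md5Hex(replacement),
		Sig:      r.Sig,
	}
}

// CheckMD5 is the naive downloader's check: does the file match its .md5?
// It only catches accidental corruption, never substitution.
func CheckMD5(r Release) bool {
	return md5Hex(r.Artifact) == r.MD5File
}

// CheckSignature verifies the detached signature against a public key the
// downloader obtained out of band (keyring, printed fingerprint, key server),
// not from the same mirror that served the file.
func CheckSignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Sig)
}

// Outcome reports both checks for the genuine and the tampered release.
type Outcome struct {
	GenuineMD5, GenuineSig, TamperedMD5, TamperedSig bool
}

// Demo runs the whole scenario with a fixed, throwaway key so the result is
// repeatable. The seed is a constructed value for this example only.
func Demo() Outcome {
	seed := sha256.Sum256([]byte("demo seed, not a real release key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)

	genuine := Publish(priv, []byte("#!/bin/sh\necho installing package v1.0\n"))
	tampered := Tamper(genuine, []byte("#!/bin/sh\necho installing package v1.0 # plus a change the maintainer never signed\n"))

	return Outcome{
		GenuineMD5:  CheckMD5(genuine),
		GenuineSig:  CheckSignature(pub, genuine),
		TamperedMD5: CheckMD5(tampered),
		TamperedSig: CheckSignature(pub, tampered),
	}
}

func main() {
	o := Demo()
	fmt.Printf("genuine:  md5 ok=%v  signature ok=%v\n", o.GenuineMD5, o.GenuineSig)
	fmt.Printf("tampered: md5 ok=%v  signature ok=%v\n", o.TamperedMD5, o.TamperedSig)
}
```

The tampered release passes the MD5 check and fails the signature check, which is the whole argument for signatures. Two caveats the code makes visible: the public key has to come from somewhere other than the mirror (a key served beside the file can be swapped just like the .md5), and the check says nothing about a binary you rebuilt yourself, since that will rarely be byte-identical to the signed artifact.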
My security/user friendliness diagram currently looks like this: On the left side is MS Bob, which was so user friendly it would offer to change your password for you after three failed attempts to log in. On the right side is DG/UX B2 Secure, which was so user hostile that you could configure it to create three log entries when the user ran "ls" and if you attempted to mount an NFS share on a directory with an admin-read-only ACL set, no non-administrative user would be able to read that directory, even if all other indications were that the directory were readable.
The E-Mail card thing has been in the industry longer than I have. In college our VM/CMS mail system would inevitably go down every Christmas as the Christmas card worms would get executed and spread to every user in each user's mailbox. This would be a problem in MS Bob (or its current descendants) as well as in DG/UX B2 Secure. It'll be a problem in Linux when we have a lot of users, and it'll be a problem in whatever's next too.
See a common thread here? It's not the software...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
learn how to communicate
I noticed a couple of minor errors in your article, so I fixed them for you. You're welcome!
An old adage that governments would be well-served to heed is: Caveat Emptor. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because closed source products are less capable or less efficient than open source products, but because sooner or later, governments that rely on proprietary software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--a proprietary product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the proprietary software from inside, by someone working on the project.
This will happen because the proprietary model, which hides the source from external audits, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter proprietary software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source disguised as a fix or extension. As the core Windows code is carefully scrutinized, that's not terribly likely. Much more likely is that versions will be created and advertised, or created with the express purpose of marketing them to governments at cut-rate pricing. It's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself, the same possibilities (and probabilities) exist for every proprietary software package installed and used on the machines.
How Can This Happen?
The products of the proprietary software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, an expensive proprietary operating system, the expensive and proprietary Internet Information Server, and proprietary office suites. There are several reasons that proprietary software--and Windows in particular--are seeing such a dramatic downtick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, or at least that vulnerabilities are patched quicker. (Use this link to see an example of how long Microsoft can take to fix a critical vulnerability, or this link to see what Gartner Group thinks about IIS and security.)
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks against proprietary software vendors have been more successful (in other words, undiscovered or unreported). Because so few people can audit the Windows source code, there's also a reasonably high risk that someone will create a modification specifically intended to subvert security. And how would anyone know?
Open source software advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same ey
When the DOD buys computer hardware and software, they use a set of guidelines and rules based on the so called Orange Book. This mandates verifying the production process, and specifically mentions things like the possibility to introduce backdoors into firmware etc.
The DOD figured a few decades ago how to deal with that, so don't worry too much about them and computers from China and India... worry about the home machines of their employees, and about yourself tho.
Btw, eventho it is outdated somewhat, the DOD Orange Book on secure systems is a good read, and is required reading for anyone who has to deal with security.
Oh, like we look to Ol' Dirty Bastard for tech advice.
Russell,
I'm not sure what the goal of your article is. If you want to simply promote your opinion about OSS and security issues then you have, no doubt, succeeded. If you - as executive editor of an institution which has (I hope) aspirations of journalistic integrity - wished to present an issue worthy of discussion in an evenhanded and truth-centric fashion, you've failed miserably. I suppose I shouldn't be surprised or even disappointed, it's typical of what passes for journalism these days. The fact is, your article presented nothing that hasn't been put forth already in the past few years, and it completely ignored any of the counterpoints to the so-called security concerns presented by OSS. It would be refreshing to see someone in your position take a more balanced approach and present two articles, describing the opposing viewpoints, side-by-side. Or have a debate between proponents of both sides.
Soap-boxing is all too obvious, especially when the material is recycled so blatantly.
A small and ever-decreasing percentage of users compile their own binaries
Did you just nuke the Gentoo servers or something?
If all someone does is check an MD5 on the executable they produce, they wasted their time and might as well have fetched the binary because nothing they build on their own is likely to match the official binary's MD5 anyway.
Indeed, even if they built their executable on the very computer the official binary was produced on, by executing the exact same commands as those used to produce the official binary, straight after the official binary was made, their binary's MD5 might well not match the official one, since many systems include the build time in their object files...
Another irony in this article is that the author is either unaware of or overlooked the undetected internal network breach that MS incurred in, I believe, 2000. Could it be the source of the leaked code in the other article (I can't access it and haven't read the posts)? Perhaps. That breach was, by varying accounts, 9-12 weeks in duration. No small amount of time for those with ill intent. Was code tampered with? Is there even now code in there that is malicious? At the time there were a variety of accounts from different executives. They got the code, they may have, they didn't. Who knows which was true. It's a 'faith based' system in that we have to believe them with no verification. Have there been other breaches? Will we ever know? How long will they last before they're detected? "Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify." I'll agree with him on this point, but at the same time this really proves that the article is mere FUD pablum. Security breaches have cost corporations, governments and individuals time and huge amounts of money for years. With Windows, Unix, Linux, even some of the old stalwart mainframe OSes. They will continue to do so, whether due to software flaws or administrative error. Readers can decide for themselves which ones have cost more. Oh! It's A. Russell Jones and not 'W'. Amusingly enough, W Russell Jones is a Utah securities company facing a fraud case with the SEC..... Is it the water over there?
Q: What do you call a man with pants made out of leafs? A: Russel! Here's my letter to him: Dear Russel, I quote, "An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft." Therefore, it comes as no surprise that your article is freely available on the internet. I trust that anyone reading your article understands that since they did not pay for it, your opinion is barely worth the electrons it was beamed with. By your argument, it's probably worth just about as much as mine is. Take note here: I mostly use Windows. I'm not a Linux fanatic, though I definitely like it. But I'm sorry to say that yours is one of the least well-researched and well thought out articles I have ever come across. The only possible exception would be any of the recent letters from SCO. If you have an opinion, that's fine, but you're presenting a biased, one-sided view, which doesn't point out any of the positive advantages of open source. For example: what's to stop a malicious programmer inserting evil code into Windows? Checks by fellow programmers, right? How many? Two? Three? In OSS, you might have checks by the ENTIRE OSS community! That's got to be safer. Sure, maybe someone could slip some code in there, and maybe it survives for a day or even a week. But it's going to be picked up, and assuming governments aren't upgrading their software every day, by the time they get the next update, it'll be clean. Opinions should best be taken with a grain of salt. Opinions that claim there is no other side to their arguments should be taken with several kilograms of it. And probably a couple of bottles of Tequila too. (No lemon is needed - the article's already left a sour taste in my mouth.) Cheers, Joel
Physicist, consultant, science communicator
His Books start at number 7 in the search.
Same old stuff by someone scared that Open Source means their livelihood is at stake.
This is a better analysis:
XP Home (known): 50 security advisories
XP Home (hidden, yet to be exploited): 1000+
RedHat 8 (known): 140 security advisories
RedHat 8 (hidden, yet to be exploited): 0
RedHat 9 (known): 82 security advisories (they're getting better)
RedHat 9 (hidden, yet to be exploited): 0
Debian 3.0 (known): 276 security advisories
RedHat 3.0 (hidden, yet to be exploited): 0
Gentoo 1.0 (known): 194 security advisories
Gentoo 1.0 (hidden, yet to be exploited): 0
Mandrake 9.x (known): 158 security advisories
Mandrake 9.x (hidden, yet to be exploited): 0
Nope, I don't think I want to be running Windows XP.
Meh.
Big ad inserted in the column advertising a sub-side of the authors site called FreeVBCode.net
Welcome to FreeVbCode.Com, the place on the Web for the highest quality, free visual basic code. Currently, there are 2896 code examples and articles on this site. New code is added every day. Be sure to submit your code for inclusion.
That sure looks like safe, high quality stuff to me!
+--------------------- You idiot! I told you we were facing the wrong way!
Certainly OSS coders could write deceptive garbage code, but from what I have seen this is not the case. OSS coders seem to take pride in
1: the quality
2: in the origin and
3: the security, found in OSS so far.
Sounds like the article was written by another paid lackey.
OH THE SHAME I fell off the wagon and use sigs again!
Can you say "Paid Shill"??
(Stolen sig) Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm
Russell Jones's editorial piece on DevX, "Open Source Is Fertile Ground for Foul Play", represents his view ... but not DevX's view as a whole. I've worked at DevX for a few years and have often championed Open Source within the company. After seeing Russell's piece last night, I couldn't sleep until writing this rebuttal.
Imagine a hacker gaining access to Microsoft code.
I guess we no longer need to imagine...
I doubt, therefore I may be.
The big problem with the closed source model (as we may be about to find out first hand) is that once the source gets leaked, all those holes are out in public. The security through obscurity design model kinda falls apart at that point.
The guy that wrote the original article is definitely trolling. Unless he really is a fool. I think anyone with even a little insight into how OSS works understands why it's inherently MORE secure than closed source. This "closed source is more secure" meme gets floated and shot down several times a year.
Is this a new public service announcement paid for by Microsoft?
Open source is not less secure; security comes not from the code, but from the security model. I thought everyone had abandoned the foolish idea that there is 'security through obscurity' by now.
The real risks come from using code that has not been thoroughly reviewed and contains holes which can be exploited.
And if anyone can lure with what seems to be an authentic build of an official module that in fact is deliberately corrupted - what do you think programmers have been up to for the past forty years?
I don't think many people realise how easy it is to lure a bank, take out source code, recompile it with whatever additions you want, and insert it back into production. That's how the half-cent scheme took place. The trick here is to not make a move for the big money until it's really big money - and most programmers don't care enough about money, so things generally work out.
This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.
Of course you can get the source code and modify it. However, 99.9% of the time you cannot commit it back to the tree without first getting to know the guys running the project. And what usually comes first is submitting patches to the project via a project member (usually a high-level member, since some level of oversight and accountability is needed).
Once that 'trial period' has passed, then a coder can usually check into the repository head. However, I don't see any major difference in that respect to someone working at [insert super software company here] and someone coming in and being a good person for a bit and then adding back doors to code.
The author assumes that as soon as you get the repository login set up on your machine, then you're just able to start fucking things up. This is highly unlikely and since that, in my view, is the most fundamental piece of team programming, I find his argument to be dead right there.
As for distributing the results, that is also flawed but not by logic, but by market forces. Even if someone got a hold of the entire RedHat repository or Evolution for that matter, I don't think people would be using that product for a few reasons.
1. Lacks credibility. Forks have a hard enough time gaining interest from the project they forked off. So why would someone want to fork something just to insert back doors and take over the world? Seems like an awful waste of time and effort. And just because you fork it, doesn't mean they'll come.
2. Even if a 'malware' fork happened, it wouldn't stay afloat long. It would probably take less than a day for someone to figure out something was going down and to spread the word. Again, the OS community is the key here. You wouldn't see this happen behind closed doors.
This guy lives in the fairytale land of spooks and secrets and bad guys around every corner. While I'm sure there's plenty of falling outs of people in various projects and groups, it's highly unlikely that any of these scenarios the author plays out will ever come true. In any ecosystem, only the strong will survive. And I just can't see some 'malware' being released and taking over everything. In fact, all the worst case infections and money losers to date have all happened in the ActiveX/DevX/.NET/M$ proprietary, closed door, secret world. Of course this guy has this opinion. He exists in a world where everyone is paranoid and everything not yours is evil or doomed to failure or ripe for punishing.
Free your mind..
I hate to break it to this author, but no matter what product you're talking about, there is a certain amount of trust involved. The question he raises is should one put more faith in open source software, or closed?
I would predict that the rate at which malicious code gets rooted out for any software project is roughly proportional to any other code that gets tossed (buggy, unnecessary, etc). So, if we look at it that way, is open source more at risk or less?
The author has also made the argument that it's not just a matter of getting rid of bad code, though, it's also the frequency at which it is inserted into the project. According to him, this is much more likely in open source. He asks, who's watching the watchers? Well, I am. All the other open source coders are. I would like to ask him, with respect to proprietary code: who's watching those watchers?
No one, that's who.
sev
but have you considered the following argument: shut up.
Back in the 30's and 40's Time and Life Magazine publisher, Harry Luce, overlooked the realities of Chiang Kai-shek's brutal regime in China, choosing to believe Chiang was a christian and a good leader, while Mao was a monster backed by the godless communists of Moscow. Luce's publications were the word. Too bad he had it wrong and couldn't see it. This guy is about as blind to reality.
First of all, it was Henry Luce. He and Charlie Soong were making an absolute fortune from printing and selling bibles in China. Charlie Soong was well connected with the Kuo Min Tang and eventually one of his daughters married Chiang Kai Shek, and another married Sun Yat Sen.
The Kuo Min Dang however was not really considered a 'brutal regime' until the communist movement arrived in the cities (ShangHai in particular), after which it cracked down brutally on the Communists and the infant Trade Union Movement.
Before that however, the Kuo Min Dang was the political successor to a criminal organisation known as the Green Gang, who eventually came to distribute nearly half of the opium in China. Chang Kai Shek rose to a position of power in the Green Gang before joining the military. Once the Kuo Min Dang was in power, they assisted the Green Gang in distributing opium and eliminating competitors.
Later, when the Nationalist army was fighting the Communists, Henry Luce and Charlie Soong lobbied in Washington to support 'christian' Chang Kai Shek. Many millions of dollars were funneled from Washington, but very little of it reached the troops fighting on the ground. Most of the money appears to have ended up in Charlie Soong's sons' and Chang Kai Shek's bank accounts.
Chang Kai Shek and Charlie Soong were probably the richest and most successful 'rice christians' in history.
I am the director, and this is my movie
...When in doubt, think for yourself.
I submit another very realistic possibility:
Open source - starts off with lots of exploits, remains with lots of exploits because more 'community' resources are being spent on breaking it than fixing it. Over time, software becomes irrelevant.
Closed source (and all closed source software is developed by Microsoft, ya know) - Exploits are harder to find, but are eventually exploited by people with nothing better to do with their time. Company patches discreetly, and over time, software becomes more secure, and company programming techniques become more refined.
Now I'm not trying to make generalizations as the parent apparently is. I just wanted to point out that both models have their merits and flaws, regardless of the zealots who suggest that one system is perfect.
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
I posted this exact same story about 12 hours earlier, but it got rejected!
Anyway, good to get this out in the light.
How many times have you gotten the shaft from a company you actually bought their software from? And have had a support contract with?
I've had more luck getting and giving support for open source products than I have for ones I actually paid for. I'm not saying that paid software sucks just for that reason or anything; there are a ton of products for which there's no open source alternative even coming close, and probably won't be for an extremely long time, but don't try to sell the argument that poor support in free software makes it bad when we almost all know from experience how poor the paid support often is.
I've seen so many "yes, it will cause problems" and "no it wont"
and there are people who get only binaries, but hey, if you're smart, and you have a system like Debian, and keep email updates, you'll be fine; if the package servers get hacked, they shut them down, and tell people not to try to fetch packages...
with microsoft it's "holy shit! someone found a security leak!" "shhh, shut up moron! we knew about that leak already, wanna get us in trouble?!" "no... ok." "we'll release a patch once some damage has been done so we don't look bad." "Sounds like a plan!"
opensource, you might get a vulnerability, but, it'll get fixed quickly and you'll know about it asap.
Yes.
A few points of interest, as he was a:
...But according to the responsible judge, guilty of providing aid and comfort to enemies of the United States or somesuch. His name is Mike (Maher) Hawash, no doubt there's stuff all over Google.
It's a case that's local to me, not to mention a case of the PATRIOT Act in action, so I've taken mild interest.
Pardon the offtopicness.
...When in doubt, think for yourself.
Hidden under their tiny Open Source section:
rebuttal
Looking at the list of topics in their menu, and the predominance of MS products, it's obviously a biased site.
He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
The federal department I work for is rapidly moving towards open source because we cannot afford to be constantly screwed by the traditional commercial vendors. We simply couldn't afford to keep paying for screw ups by HP, Cisco, Unisys, MCI, Teleglobe, and Dell. Nor could we afford the upgrade cycle recommended by commercial software vendors like Microsoft.
So we are increasing our in-house staff by 3 full-time people - no expensive contractors - and adopting open source to reduce cost and take control over our infrastructure, and in the process improving reliability drastically, saving the taxpayers big dollars on reduced overtime for operational costs, drastically reducing software maintenance costs, and making nearly everyone but Microsoft and friends happy.
> A small and ever-decreasing percentage of users compile their own binaries,
cvsup /usr/share/examples/ports-supfile ... you just synchronized links to fresh source tarballs for about 10,000 major applications.
cd /usr/ports/www/apache13+mod_ssl && make install clean ... you just downloaded, configured, compiled, and installed Apache, OpenSSL, and all dependencies from source (takes about 5 minutes of completely unattended time on an Athlon 1700). If any of those source tarballs don't match the checksums, your port build will stop and warn you about it.
> let alone check the result.
In the Linux world, you're quite right - but keep in mind that Linux isn't the entire Open Source world. The BSD world is *far* more source-centric, and makes it so trivially simple to compile from source using the ports tree that most BSD'ers I know only use pre-compiled packages for truly ENORMOUS projects like KDE.
Coming soon to Slashdot: meta-meta-moderation!
From the 2nd paragraph of article:
First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
Furthermore there is nothing to stop the proprietary vendor from inserting their own spyware. Open source is the only way for governments to go if they want to reduce the risks posed by closed source software.
The article has a point, however, on the subject that you do get what you pay for, but neglects that one can also pay for features in open source software (if nothing else by sponsoring the dev.). Plus, since a government is spending community money, it makes sense that such is applied in a way beneficial to the community instead of an individual(s).
VB.NET".
Consider the source. Of course, now that Win2000 source has been leaked I guess that means we can't trust that OS any more, either.
Oh, wait...
That was a piss poor article!
I agree. When the author bitches about not having any control over what happens to the source, because it's in the hands of everyone, he purposely leaves out the fact that you have even less control over closed-source software. I wonder how he'll feel 3 or 4 years down the road, when Linux is in heavy competition for the MS market share, and MS decides to use its secret backdoor...
SRSLY.
"This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us." --Western Union internal memo, 1876.
"I think there is a world market for maybe five computers." --Thomas Watson, Chairman of IBM, 1943.
"Governments that rely on free open source software will put their country's and their citizens' data in harm's way." --W. Russell Jones, 2004
Already we are seeing more and more proprietary software including adware components, anticompetitive modules which disable competitor's products, etc..
Our big problem today is that we are running thin on trusted sources for code. In this regard, the open source module is superior in that it easier for trusted sources to monitor open software. As to whether or not trustworthy companies will continue to exist...that is a question outside the open v. closed code question.
One of the really sad developments is that the growing lack of trust in the industry hurts the small companies the hardest. Quite often the small firms are the most trustworthy. Of course, small firms have a high fail rate. People who buy up failed small firms are often the worst wolves in the pack.
Well, I'd rather be able to read the source at all, than to blindly trust.
You know, we had that, the NSA getting companies to put backdoors into products. Here in Switzerland:
http://jya.com/nsa-sun.htm
--
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
Here's how it works. Write up some flamebait about an OS with a legion of zealous followers. Submit a link to said article to a few advocacy sites for that particular OS. Those sites post, smaller sites follow their lead... Sit back and get swamped with traffic, driving up your banner money. Ask John Dvorak about his signature "This OS is doomed. I know, I used to use a Mac myself" opinion columns. /. editors should be more careful about linking to articles like this. You only encourage more of it.
In short, don't feed the troll. The Mac sites wised up after a while. Learn from our experiences, and you can avoid our mistakes :-)
Most of the issues he raised can be resolved through better security and policing of a project's source code. It's just as likely that a disgruntled hacker at Microsoft or someone working on one of a million other "legitimate" projects could insert a backdoor.
The article would have served a better purpose by discussing the vulnerability of ALL code bases. I don't see how he can justify saying it's a problem specific to open source.
You have Charlie confused with T.V. and 'sons' with H.H. Kung, Ai-ling Kung, T.V.'s son and a few others. Chiang was always brutal, favoring the interests of the Green Gang and businesses over that of the peasants. Small wonder the reds were so successful when Chiang was eventually executing the KMT generals who were appalled by the corruption and starved his own conscript soldiers. Chiang's baptism was for show, to appease May-ling Soong's mother (Charlie's wife), but it's evident Chiang didn't embrace any virtues. Luce, among others, believed the way to save post-war China from Moscow was to support Chiang, which was a major blunder and typical of the disconnected-from-reality idealism of the time.
Anyway, it's nice to see being a blind, hack journalist still pays. I'd like to hear how W. Russell Jones feels about the Microsoft NT base code released into the wild.
A feeling of having made the same mistake before: Deja Foobar
Funny that. In light of today's news of the Windows source being leaked.
Un-news
uh, Fucktard?
(Stolen sig) Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm
i think what he's saying is that:
say today, i am a rogue developer. i implant some bad code into my part of the tree.
i leave it dormant...for 3 years. An accomplice then uses it to hack 5 servers (which have the 3 year old exploit compiled in).
>>They _know_ when the compromises took place
that's right. they think the compromise happened just recently. they'll never think to check far into the past for WHEN the original bad code was implanted. and no one will go back 3 years to check md5sums. they won't even know to check that time frame.
they'll just compare the md5s before and after the 5 servers were RECENTLY infiltrated...and they'll match, unless they go back 3 years.
this of course would include closed source just as well as open source. i see no reason why OSS would be any more susceptible to this kind of thing. closed source would be just as susceptible, imho.
And this is different from closed source exactly how? Oh that's right, malicious code is hidden in closed source code! For that matter, has anyone ever received the source code for a virus in their email and compiled it? No, they come as a binary. Besides that, the malicious code inserted in an OSS project could be traced back to its contributor. That's a pretty strong reason not to target open-source projects.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so.
Again, how does having closed source improve this? If you have a contractor making custom programs for your organization, what is to stop them from making it malicious code?
He didn't even bother to spell check his Latin "quote".
How can the rest of his article be trusted?
Of course you could do an MD5 check on the SOURCE before you compile to make sure it is an official release...
This guy sounds like another Microsoft shill. If the recent vulnerabilities in Windows XP are any indication, I don't think people are any more secure running closed source software. Besides, choice is good, and anything that makes companies like Microsoft compete is even better.
Maybe "future BBC reporter" would be close?
Forget thrust, drag, lift and weight. Airplanes fly because of money.
I don't think you quite understood his scenario. Let's say Vendor X gets a contract to provide a government agency with 800 desktop computers, with Linux, OpenOffice, etc. Meeting a bunch of carefully written specs from that agency's IT department. Vendor X takes Fedora or Gentoo or Debian and customizes it, complete with a "Foo Agency" splash screen, encrypted disk partitions, escrowed bypass for crypto, etc.
How do we know they didn't plant malware in OpenOffice? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. How much do you know about the Linux being used by Burlington Coat Factory, for example?
I'm not saying this argument is airtight, just that you didn't really address it.
This is ridiculous. This guy was obviously paid by Microsoft in some way or another. Anyone who knows anything about OSS can tell you that OSS authors, well those of popular OSS projects, have the intent of functionality and stability. There is no agenda other than to make a good product. What? You think the mozilla team is spying on us right now? Of course not. Anyways, if you trust Microsoft over anything then you might as well kill yourself right now.
I'm not anti-microsoft. I'm anti-bullshit. Which means I'm anti-microsoft.
How about "liar" or "Microsoft employee"?
The higher the technology, the sharper that two-edged sword.
> Which "the government" probably wouldn't purchase. Jones might not have noticed, but most linux installations run in government and the private sector are from the Big Name distributors.
That's what made me laugh. A government is going to buy an OS "subsidized and supported by organizations that may not have U.S. or other government interests at heart". The Defense Department is going to buy alQaedix (or even RedFlag Linux) because it's cheap? Has this troll never heard of, say, the NSA's Security-Enhanced Linux?
Anyway, he omits that subversion of an OS could almost as easily be done in any closed source software, especially with the trend to subcontract and outsource.
We've heard this propaganda for the last X years (where X is a large number). It's never been proven correct (in fact the reverse has been adequately proven to anyone with a clue) and there's no reason to suppose it will be. Face it, linux and other unices for which source was available were considered good enough to warrant research by the NSA (an organisation renowned for its dependence on security of information).
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
IMO this is a call for a mass move to security via obscurity. Get real -- all software has problems. And just 'cause it's open source doesn't mean you get the shaft. How many open Windows security holes do you think there are right now? They're discovering more and more as the months go by.
Slightly offtopic, there is a valid problem with FLOSS, though. I think open source developers give users that proverbial shaft when they try to clone Windows programs in FLOSS; it is often inconsistent with the developer's taste, resulting in a jumble of bad UI features that often don't work.
People who design UIs make something with intrinsic usability value, not just something they expect people to be very accustomed to. When the bulk of developers get used to that, we'll probably see FLOSS that's better as a whole.
Wouldn't help you against a C compiler hack in the style of Ken Thompson's classic. That's a pretty paranoid example but it does show that to be perfectly secure in your system you do need to know everything about it, from the ground up. Compiling from a known-good source isn't always enough.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
In days gone by the term would just be "usenet poster"
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Except, if you get owned you can compare a known-clean md5 against the currently stored one. If there's a discrepancy between the 1/15/04 and 1/14/04 md5, and you weren't compromised prior to that (but, let's face it, if you get compromised on a compromised machine, maybe md5 hashes shouldn't be your biggest concern), you can restore the 1/14/04 copy and alert people that all of the copies from your server after that (and any that may have replicated to other servers) are tainted and need to be recovered from your new system. They serve their purpose, even if they aren't the best solution for protecting the downloader.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
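A defender's version of the two checksum checks this thread describes (the ports build stopping on a distfile that does not match its recorded checksum, and the dated checksum comparison in the comment above that flags everything after the first divergence as tainted), as an added example that is not code from any post on this page. The manifest format is modelled on a distinfo file ('SHA256 (name) = hex' / 'SIZE (name) = n'), and every file and date used is constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DistEntry:
    sha256: str
    size: int


class ChecksumMismatch(Exception):
    """Raised when a distfile must not be used; the build stops here."""


def parse_distinfo(text: str) -> Dict[str, DistEntry]:
    """Parse 'SHA256 (name) = hex' / 'SIZE (name) = n' lines (distinfo-style).

    A file is listed only when both hash and size are recorded; a partial
    record counts as no record, so it can never be verified by accident.
    """
    hashes: Dict[str, str] = {}
    sizes: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, rest = line.partition(" (")
        name, _, value = rest.partition(") = ")
        if kind == "SHA256":
            hashes[name] = value.strip().lower()
        elif kind == "SIZE":
            sizes[name] = int(value)
    return {n: DistEntry(hashes[n], sizes[n]) for n in hashes if n in sizes}


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so a large tarball is never read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_distfile(path: str, manifest: Dict[str, DistEntry]) -> str:
    """Return the verified digest or raise ChecksumMismatch.

    Size is checked first: it is cheap and catches a truncated download before
    any hashing. A file missing from the manifest is rejected, not skipped.
    """
    name = os.path.basename(path)
    entry = manifest.get(name)
    if entry is None:
        raise ChecksumMismatch(f"{name}: not in manifest, refusing to build")
    size = os.path.getsize(path)
    if size != entry.size:
        raise ChecksumMismatch(f"{name}: size {size} != recorded {entry.size}")
    actual = sha256_file(path)
    if actual != entry.sha256:
        raise ChecksumMismatch(f"{name}: sha256 {actual} != recorded digest")
    return actual


def first_divergence(history: List[Tuple[str, str]],
                     known_clean: str) -> Optional[str]:
    """First date after `known_clean` whose digest differs from that snapshot.

    `history` holds (ISO date, sha256) pairs in ascending date order; every
    snapshot from the returned date on is tainted. The limit the thread notes
    applies: a change planted before the baseline is invisible, since later
    snapshots all match the already-tainted file (None is returned).
    """
    baseline = dict(history).get(known_clean)
    if baseline is None:
        raise ValueError(f"no snapshot recorded for {known_clean}")
    for date, digest in history:
        if date > known_clean and digest != baseline:
            return date
    return None


def self_check() -> Dict[str, bool]:
    """Constructed demo: a clean distfile passes, a same-size edit is caught."""
    clean = b"fake tarball contents, constructed for this example\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(clean)
        manifest = parse_distinfo(
            f"SHA256 (app-1.0.tar.gz) = {hashlib.sha256(clean).hexdigest()}\n"
            f"SIZE (app-1.0.tar.gz) = {len(clean)}\n")
        verified = verify_distfile(path, manifest)
        with open(path, "wb") as fh:  # one byte changed, size unchanged
            fh.write(clean[:-2] + b"!\n")
        try:
            verify_distfile(path, manifest)
            caught = False
        except ChecksumMismatch:
            caught = True
    return {"verified": verified == manifest["app-1.0.tar.gz"].sha256,
            "tamper_caught": caught}
```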
Yes, it is.
Same stupid crap. Why should I believe that a company whom I pay is more trustworthy than a company I do not? Is Redhat intrinsically less trustworthy than Microsoft? I think their very willingness to release all their source proves unequivocally that it is THEY who are trustworthy, and that Microsoft's fanatical secrecy proves that they are not.
ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Wouldn't governments issue grants to or contract groups to work on the open source projects?
This is the same model they use for many projects, which aren't even software, already.
Sunless Jowler is an anagram for W Russell Jones. I think that connotes an appropriate image.
His use of that old adage fails on a logical level when used in reference to open source software:
1. You get what you pay for
2. Open source costs nothing
Therefore
3. You get nothing.
It is obvious that three is false, so either 1 and/or 2 must also be false. We know 2 is true, so 1 must be false.
If we admit the possibility of malicious code being inserted (didn't sendmail have this in one release?) then:
a. The government has a far better chance of spotting it in open source than closed source software
b. The eyes of the world will be on that code, multiplying the chance of discovery greatly. The more commonly the code is used, the greater the chance of discovery
The argument he uses is laughable. He talks about the temptation to build in special debugging and monitoring capabilities. This is precisely the sort of actions that will be less common with Open Source, because everyone can see it. So his fears about Open Source are far better placed in closed source.
And finally:
'This problem isn't new. In fact, it's far older than any computer technology. The Latin phrase Quis custodiet ipsos custodies, which translates to "Who will guard the guards?" shows that people have been struggling with the same problem for centuries. You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves.'
He requires some grand conspiracy by all the discoverers of any potential security hole. "Ssh, do not tell the world, and I will shower you with riches!" - Osama Bin Laden.
It is certainly much much easier for a worker in a company to insert malicious code and get away with it than it is with Open Source software.
"If you compile a program, and it ends up different than the one you downloaded, then something is very wrong indeed."
Not always true.
If I were to steal MacOSX's source code and fire up my compiler, the binary would probably not match. I highly doubt everyone uses the same compiler. Different compilers produce different optimizations (which is why XCode+gcc3.3 is free and CodeWarrior is $500). Also worth considering is that one could use a different version of the same compiler (newer versions tend to optimize better). Lastly, not everyone uses the same compiler flags & optimization settings.
http://www.lowth.com/alist/author/-/A%20Russell%20Jones/1
.NET Programming 10-Minute Solutions
Mastering ASP.NET with VB.NET
Mastering ASP.Net with Visual C#
Visual Basic Developer's Guide to Asp and IIS
Now, he may be serious with his accusations against open source. His message borders on the evangelical against open source software? A proprietary, Microsoft zealot, which is no better or worse than a rabid Linux Zealot?
There's already a rebuttal editorial on Devx.com's main webpage by another Engineer there.
http://www.devx.com/opensource/Article/20135
Now as to whether this was some kind of publicity stunt to garner more traffic to their website, since before today I'd never heard of them... they've been quite successful. They've probably seen more traffic today than in quite a while, but it seems like an infantile cry for attention.
Why not? It's obvious that absurd and completely ridiculous claims can be made for public perusal (aka SCO) and gather quite a bit of the media spotlight. It's a precedent already set in our culture that favors glitz and glamor over substance.
When I was (allegedly) testing at MS, a coworker noticed, via netstat, that her build machine had open connections from the PRC. She yelled at netops/security but they were too full of themselves, and of pity for her as a breasted American, to look into it.
The earlier incident with a Russian (?) 0wnz0ring the windows source is another example.
Then MS comes up with the "shared source" initiative, which completely blows the security-by-obscurity advantage. All the well-funded bad guys have all the source they need to review for new exploits. You don't. Bidding against a subsidiary of the Chinese army? Watch that industrial espionage...
Do you suppose MS has never hired a disgruntled contractor? I suppose they've never angered one enough to, oh, generate a class-action lawsuit. Or two.
This is just a stupid, stupid article.
Ron,
n .html
I'm going to discuss some of the more glaring issues with your article below:
"An old adage that governments would be well-served to heed is: You get what
you pay for. When you rely on free or low-cost products, you often get the
shaft, and that, in my opinion, is exactly what governments are on track to
get."
Much hullabaloo has been caused by the use of the word Free in Free Software.
Please remember it's free as in freedom, not cost. Also remember that major
players such as IBM, HP, and Dell and numerous smaller companies are actively
involved in the creation and maintenance of Linux. It's not just a hobbyist
OS anymore.
"Eventually--and inevitably--an open source product will be found to contain a
security breach--not one discovered by hackers, security personnel, or a CS
student or professor. Instead, the security breach will be placed into the open
source software from inside, by someone working on the project."
There are known cases where this has happened on closed-source projects.
Microsoft Windows, in fact, has many "easter eggs" which are basically hidden
surprises for the user if he/she hits a certain combination of keys. Even
these relatively minor "jokes in the code" and potential "security problems"
wouldn't fly in an open source project since, in order to succeed *all of the
people involved in the project* would need to be in on the breach.
Case in point: there was some code which was committed to the Linux kernel a
while back which would have introduced a security flaw. Within hours of its
commit to the repository it was caught by the other maintainers, who determined
it was a mistake, not a deliberate breach.
"Because anyone can create and market--or give away--a Linux distribution,
there's also a reasonably high risk that someone will create a distribution
specifically intended to subvert security. And how would anyone know?"
Because they can check the source, and most of us who do use Linux would check
the source. Any "subversive" distribution would quickly be detected by the
community at large.
"I'm not naive enough to think that proprietary commercial operating system
software doesn't have the same sort of vulnerability, but the barriers to
implementing them are much higher, because the source is better protected. I
think such a scenario is far less likely than finding a group of people willing
and able to create and market a malware open source distribution."
Your assertion here is incorrect. Since there are fewer people in a company
to actually vet the software out before it gets released, it's much more likely
that a problem will get out into the wild before anyone catches it.
Case in point: Microsoft Windows' numerous security bugs. A bug in the IP
stack of Microsoft Windows is what allowed the CodeRed worm to work its way
into so many corporate networks all over the world year before last.
"Who's Watching the Watchers?"
All of us.
In summary, I find your article to be another piece of FUD from someone who is
either unwilling or not capable of fully understanding Free Software or Open
Source Software. I find it sad that it passes for news on an otherwise
respectable site.
Good day,
GJC
=====
Gregory John Casamento -- CEO/President Open Logic Corp.
-- bheron on #gnustep, #linuxstep, & #gormtalk ----------------
Please sign the petition against software patents at:
http://www.petitiononline.com/pasp01/petitio
-- Maintainer of Gorm (featured in April Linux Journal) -------
Gregory Casamento
## Chief Maintainer for GNUstep
No, it isn't.
Better not let this guy know that the NSA has developed their own version of Linux and made the source code publicly available. Just think! The terrorists could see the source and hack the government, all because they wanted to 'save money' with free software!
I haven't read the article, but I think it's safe to say that the author needs to get a clue and a ticket back to reality rather badly.
I have a high point assessment for anyone who uses the first initial plus middle name. It strikes me as an affectation.
w. russell jones? How you doin', w?
> once geeks realize that they can't compile the open source version to the binary ... ... and then there's the Ken Thompson attractor.
There is no need to worry. OSS has not been developed for selfless reasons like to benefit mankind. OSS software was developed by people who didn't like what was currently available for x86 platforms, and wanted something better for _their_ machines. The standard cliché that you get what you pay for doesn't apply here, because the software wasn't developed for you. It was developed to be used by the authors. Now, the main motive to develop something, if you're not getting paid for it, is because you want it to work better than what is currently available. Therefore, don't worry that OSS is free as in beer. Because your access to it is a side effect of the development process, which gives access to anyone who wants to improve the software.
Vote for Pedro
That's part of the goodness of Open Source...it's eminently auditable by everyone.
However, the diversity, the forkedness of OS software means there are thousands of variations that would all need auditing.
You're not going to get everybody to audit each version. You're not going to be able to register and secure each place along the chain from source to your company's thousand desktops that the software touches base.
Without a trusted source, and traceability, it's all over. And for the most part, a pressed closed-source CD from a commercial outfit has a lot more of the 'opening' for corruption closed than a source repository on the public internet and/or a binary update website at Red Hat.
In a paranoiac's world, a 'trusted source' is necessary for any software distribution method, open or closed source in origin.
Sheesh, didn't you know you could download it for free? Hell I even have IE on my Mac.
Also, some tools put date fields in binaries. We had this problem a few times with .COFF files at a place I worked a few years back.
Now where have we heard of them before?
Oh, yes. They're the ones associated with Darl McBride's infamous code presentation at CDXPO. So I guess if you can't impugn open source development by supporting McBride's inane ramblings, encourage one of your publications to sling a little mud with old, outdated theories that being able to see source code means that the criminal element will be writing exploits for it or infiltrating the kernel development team and inserting backdoors.
Yes, sir! At DevX and Jupitermedia, security through obscurity is alive and well.
I couldn't find a single idea in this ``piece'' (oh, it's a piece alright) that was original or to be taken seriously. I suspect that the author just had a flash (``Ooh! Ooh! "Who will guard the guards?" That's clever now I can write an anti-Linux article!) and saw a chance for his employer to get some web page hits.
It's taken at face-value that you truly aren't trying to troll, and that you fully expect to get modded down, so don't care.
Then again, it *IS* called karma-whoring for a reason...
"You get what you pay for."
So because your Life was given to you, it has no value either?
scripsit yar:
Not to mention that the state or whomever is really concerned about security can simply compile from source (hell, if I, in all my ineptitude, can build a decent Linux-From-Scratch system, I'm pretty sure the feds can) and audit the updates' sources before they build and deploy those.
This is truly idiotic. (The article, that is, not yum's post.)
In principio creauit Linus Linucem.
Some big idiot says something stupid and the /. community responds!
1. Lose job to offshoring
2. Grow desperate
3. Sell out to big corps by writing article
4. Profit!
Table-ized A.I.
scripsit Tony-A:
Methinks that's why it's called a confidence game. ;)
Surely you're joking...you *do* realize that submissions for code that becomes part of (most) open-source projects goes through serious peer review and public scrutiny before it becomes part of a product tree, right? Show me how I can get that kind of accountability with a closed-source product.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
It's a nice hack but fails if I get login.c and the compiler from independent sources. That hack depends on my getting both pieces from the same source.
The classic example is to have a cashier that trades tickets for dollars and a ticket taker that takes the tickets. If you have one that does both you have to trust that one. With two of them who are not in cahoots with each other, very little trust is required.
I hate to be the dorky Philosophy nerd, but this article commits quite a bit of fallacious reasoning... Quaternio Terminorum. Equivocation is a bitch.
OK, I'm convinced. As a long-time Linux user, I am concerned about security, so I'm going to switch from using OSS software to go totally Microsoft as a proprietary solution so that I don't have to worry about security concerns.
... , uhhhhhhhhh
Take that, you poor losers who are subject to MyDoom, Blaster, Slammer, and ,
Never mind.
Checksums aren't sufficient. Where are you getting the MD5 to check against? From the same server the attacker would have compromised to modify the tarball you just downloaded? Do I need to explain what's wrong with that? To protect against a server compromise and subsequent source-code exploit, the source needs to be signed with something the attacker cannot find on that server and you as the recipient need to be capable of verifying that signature. Fat chance, unless you both happen to be on the same development team.
Slashdot - News for Herds. Stuff that Splatters.
One of the main reasons for governments to use Open Source is that they can train and employ their own people in its use, maintenance, and development. That is an investment in your country's future. People will be looking at the source in schools, learning how to extend and maintain it with features useful to the people using it. Backdoors would likely be found.
Why is it more likely that an open source company installing systems for a large government agency would install malware than an equivalent closed source company? The government agency should be subjecting the computers to some kind of security and quality assurance tests in any case. If they are handling confidential data, the tests become even more rigorous.
Why trust some company from a foreign country over a company from your own country working with source your own people can inspect and compile? The reasons for governments to use open source are: they can build up their own people's technical knowledge doing so, they are then independent from possibly hostile and certainly mercenary foreign corporations, and most importantly, they can check and compile the source for security reasons. Claiming that they wouldn't do such a thing is simply ignoring one of the most important reasons a country would want to use open source in the first place.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
This story comes right after the story that Windows 2000 and NT code has been leaked onto the net. Now that both Linux and 2000/NT source are out there, we can ask the question: which of those two source code trees are you more worried about having in the wild!?
In my next incarnation, I hope to come back as a code monkey.
You really should, try to avoid, using so many, commas. You really don't, need that many, and it makes you sound, like William Shatner.
Avoid Open Source operating systems -- use Microsoft's? It's more secure? Looking at the referenced info at secunia.com: (# security advisories => OS)
Nope, that can't be it.
Trojan horses, back doors etc. are more likely in Open Source than proprietary? Easter Eggs, back doors seem to creep into Microsoft's products -- wonder what else might be in there....
You get what you pay for? Hmmmm. The article *was* free. Ah. Very Zen.
the best things in life are free.
I never paid for the theory of relativity
I never paid for discovery of electromagnitism
I never paid for my friends
and I certainly
never should have paid for blue screens and security holes and wasted time.
I agree, and take it the step further of saying that if I were concerned with security, I would do the compile myself simply to avoid scenarios like that. Of course, personally I'm not and I use precompiled OSS binaries for convenience.
We stuff easter eggs in proprietary source all the time. Who says some angry employee/ex-employee couldn't just stuff in some evil code? And I'm not talking about the easter eggs everyone knows about, I'm talking about stuff nobody ever finds except for maybe the 3 people who were in on the gag.
Easter eggs appear less often in open source code because it's really hard to keep them a secret (because people sometimes get bored and read the source code).
Problem is, almost any time OSS is discussed here on this site, people bring up the merits of the 'ideal' and seldom the practical.
The knife cuts both ways. And while OSS has many merits, many of its advocates never think beyond their ideals.
Just something to think about.
I could as well attack a developer's machine and obtain his private keys, and start submitting patches with his signature.
Maybe compilers need a switch to force them to generate identical binaries consecutively. Or maybe a tool that can strip the variable stuff and diff the rest.
at the microsoft ads on the page.
SHEESH
I confess.. I diffed the MS version of libpng (1.0 ver 0.88 beta 2) with that which came from a gnu source (kindly provided in a zip in the same directory).
Now I wonder, would it be appropriate to show the changes here? Did they ever distribute this in any way, does anyone know? A simple diff file I could post, 333 lines and 8k, with labels of the files being compared. With it the source could be reconstructed, I assume.
As for changes, they include their own header that defines a couple items and includes standard include files... commented out said std includes as they were already included in some files, commented out provided declarations and "windowized" various calls for items such as writing. That and changed var names and a couple types of allotted memory.
I feel this was vague enough to not merit any taintedness, but is a MS GNU compliance review due? there are changes, that may or may not have been contributed (doubtful they were, but I don't know), and also the code may have never been distributed or used in any way.
Do post comments.
AC
OMFG SOURCE CODE R0Xx0R!!1!!111 http://homepage.mac.com/xidius/pictures/sourcecode.jpg ;)
- Xidius
/* Source Code Windows 2000 */
#include "win31.h"
#include "win95.h"
#include "win98.h"
#include "workst~1.h"
#include "evenmore.h"
#include "oldstuff.h"
#include "billrulz.h"
#include "monopoly.h"
#include "backdoor.h"
#define INSTALL = HARD
char make_prog_look_big(16000000);
void main()
{
while(!CRASHED)
{
display_copyright_message();
display_bill_rules_message();
do_nothing_loop();
if (first_time_installation)
{
make_100_megabyte_swapfile();
do_nothing_loop();
totally_screw_up_HPFS_file_system();
search_and_destroy_the_rest_of-OS2();
make_futile_attempt_to_damage_Linux();
disable_Netscape();
disable_RealPlayer();
disable_Lotus_Products();
hang_system();
} //if
write_something(anything);
display_copyright_message();
do_nothing_loop();
do_some_stuff();
if (still_not_crashed)
{
display_copyright_message();
do_nothing_loop();
basically_run_windows_31();
do_nothing_loop();
} // if
} //while
if (fast_cpu())
{
set_wait_states(lots);
set_mouse(speed,very_slow);
set_mouse(action,jumpy);
set_mouse(reaction,sometimes);
} //if
/* printf("Welcome to Windows 3.1"); */
/* printf("Welcome to Windows 3.11"); */
/* printf("Welcome to Windows 95"); */
/* printf("Welcome to Windows NT 3.0"); */
/* printf("Welcome to Windows 98"); */
/* printf("Welcome to Windows NT 4.0"); */
printf("Welcome to Windows 2000");
if (system_ok())
crash(to_dos_prompt)
else
system_memory = open("a:\swp0001.swp",O_CREATE);
while(something)
{
sleep(5);
get_user_input();
sleep(5);
act_on_user_input();
sleep(5);
} // while
create_general_protection_fault();
} // main
It seems like machines vs humans in Matrix.
For Closed software, it is expensive, more easily attacked since it is controlled by a single corp.
For Open software, it is cheap like shit, very easily attacked since it could be controlled by different intruders.
I think people hate Microsoft products because they are jealous of Bill Gates, right?
You make it sound like someone who would insert a backdoor into a binary distribution of a software project would be bound by a license... which he can just as easily hide by distributing the source minus his backdoor.
;)
Unless the GPL had magically grown a body, and bashed down the doors of violators, this particular argument is pretty much moot.
All that being said, the only response I have to this particular article is, "So what makes this specific to OSS?"
One other little thought.
The number of "eyes" for a particular project tend to be proportionate to the number of computers using it. Not 1:1, mind you, but it's a good guess that if a program has very few "eyes" looking out for it, then it'll probably not have a lot of users, either.
Here's the logic behind my thinking in terms of a couple algebraic lines:
Eyes == (bug reports(developer users + development team))(rnd(1))
bug reports == problem(developers + users)(rnd(1))
Explanation:
For every user and every developer who has a problem with the software there's the potential of a bug report. The rnd(1) multiplier is an arbitrary pseudo-function (.0001 to 1) implying that a percentage of the users will not submit a bug report, either out of laziness, or some other personal reason.
Now, the bug report alerts all developers to the bug, and thus, for every bug report, a number of the developers will look to the source in whatever specialty they represent to find the problem. In Open Source, this includes those users who also happen to be skilled in programming. So, you multiply the number of programmers, and those members of the core team against the bug reports, and modify (rnd(1) multiplier) according to the number of programmers who actually know of one particular section of the program, and are willing to look.
Well, I'll just shut up now and let the discourse continue.
The Penguin Producer
"I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."
Yeah - better protected - the good old variation of security by obscurity trick! Only the good guys get to see the code ...
Where is this documented review process? Are the 'peers' qualified? Be honest. The quality is very, very uneven in much open source code.
I know that there's a magickal 'peer review' process where ad-hoc review goes on. And code that is critical to some entity gets the review that entity deems necessary. Who's accountable? Names and phone numbers are what most businesses expect. Not a handle in an IRC channel. Not Usenet posts.
For a /great/ example of what Mr. Jones is describing - backdoors and deliberate modification of software for malicious use - google for "promis" and "inslaw".
The allegations in a nutshell - The feds stole software from INSLAW and arranged to have it sold to foreign banks and governments. Modifications to the software are alleged to be able to allow the CIA to access the software in use by foreign governments by way of a backdoor.
Smile at the irony.
Lets see.
Windows... about $200 (included in package is BSOD , MS Blaster , Mydoom and other cool bonus "features")
Unix... over $500 (included in package is uncertainty about continued support and the fact that you know your helping kill linux and help Darl pay off his second house)
Linux... free... (Security & stability included)
I guess its nice not to get what you pay for sometimes.
http://www.devx.com/opensource/Article/20135
In the article it claims that the watchful eye of the community wouldn't be able to notice the corruption if the source was kept secret. Would this still be considered open source then?
This scenario could work out from any software vendor. Whether open source or proprietary, if the core development team made a design change to incorporate some major security flaw and then hid it, Microsoft, Apple, Novell or any other company could have this same thing happen without anyone noticing.
What is this guy really trying to achieve here? Is this merely a ploy to damage the inroads open source software has made on saving government money? Or is he just a pawn for some company that has an axe to grind because they lost a contract with the government?
Better yet, use GPG signatures. MD5sums won't help much if the intruder gets onto the main download site. GPG requires them to get onto the developer's workstation, which is probably harder.
Why does anyone bother using MD5 when GPG is so easy?
I have read other articles by this guy. The last one I read he was saying that linux needs to get rid of the multiple desktop environments and go with one. I think what he was really saying is linux should just make itself another copy of windows. It sounded like he was saying (this is just what I got from it) that terrorists are going to create a free operating system and then market it to the government and then try and compromise the security of our wonderful nation. I bet he doesn't leave his house after 9-11 either.
"When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get."
Bah! I've found that when you rely on expensive products you still often get the shaft. If you're going to get screwed anyway, you might as well save some money.
-Rich
heres some proof...
The online text-based game Orkfia used to be open source at sourceforge.net, until too many people would download the source and try to use it to cheat or hack into the game. Many were successful, so they stopped being open source.
Still hoping for Gentle Treatment...
Hi Russell, nice article. Can I ask you though why you didn't mention the other side of the equation - well hidden back doors in such proprietary software as Borland/Inprise Interbase 4.x and 5.x?
If we look at this site we will see that while Interbase code was closed at Borland, the back door was not found and could only be revealed once the source became open in the Open source Interbase 6.0 and 6.01
You will also see an example of an Open source Firebird 0.9-3 and earlier having a back door account. Now let's see, in both cases the back doors were found in the Open Source Software, however in the first case the reason the back door was found was exactly because the code was released as open source. What does this tell us? There must be more occurrences of hidden back doors in proprietary software than in the open source software because in the open source software these things don't stay hidden for too long. To answer your question " Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?" - this is how they will know, by compiling a binary from a trusted branch of the code and comparing the binaries. That is one way to know. On the other hand code under GPL must be also distributed as source code. So simply get the source from your vendor and check it by either compiling it and comparing binaries or hiring an outside consultant to go over the source.
You cannot easily go over the source of a proprietary system, which makes a job of security certification so much harder. You see, your article is very one-sided, could you please make some amendments to it and include the discussion of the dangers of the proprietary code, and include some examples, since facts make an article so much more believable, more than just simple fud.
Thank you.
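The comparisons proposed at several points in this thread (the .COFF date-field problem one poster hit, the suggestion of a tool that strips the variable fields and diffs the rest, and the advice just above to build from a trusted branch and compare the binaries) all run into the same obstacle: compilers and linkers stamp their output with build-time values, so two honest builds of the same source do not match byte for byte. The following is an added example, not code from any post here or from any project. It zeroes the COFF TimeDateStamp of a bare COFF object or of a PE image before hashing; the object files it compares are constructed minimal headers, not real compiler output, and only the header timestamp is handled.

```python
"""Normalise the build-time field of COFF objects / PE images before
comparing them, so two builds of the same source can be diffed byte for byte.
Added illustration; the 'object files' below are constructed minimal headers."""

import hashlib
import struct

# COFF file header (20 bytes): Machine(2) NumberOfSections(2) TimeDateStamp(4)
# PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_LEN = struct.calcsize(COFF_HEADER_FMT)  # 20
TIMESTAMP_OFFSET = 4                                 # TimeDateStamp sits after Machine+Sections


def coff_header_offset(blob: bytes) -> int:
    """Where the COFF file header starts: offset 0 for a bare COFF object,
    or just past the 'PE\\0\\0' signature for a PE image (e_lfanew is at 0x3C)."""
    if blob[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("MZ stub without PE signature")
        return e_lfanew + 4
    return 0


def build_timestamp(blob: bytes) -> int:
    """Read the TimeDateStamp the toolchain wrote (seconds since the epoch)."""
    start = coff_header_offset(blob)
    return struct.unpack_from("<I", blob, start + TIMESTAMP_OFFSET)[0]


def normalise(blob: bytes) -> bytes:
    """Return a copy with the TimeDateStamp zeroed. Other volatile fields
    (embedded build paths, debug-directory GUIDs, symbol order) would need the
    same treatment; this example deliberately handles only the header stamp."""
    start = coff_header_offset(blob)
    if len(blob) < start + COFF_HEADER_LEN:
        raise ValueError("truncated COFF header")
    ts = start + TIMESTAMP_OFFSET
    return blob[:ts] + b"\0" * 4 + blob[ts + 4:]


def same_build(a: bytes, b: bytes) -> bool:
    """True when the two binaries are identical apart from the build timestamp."""
    return hashlib.sha256(normalise(a)).digest() == hashlib.sha256(normalise(b)).digest()


# --- constructed inputs (hypothetical, not real compiler output) -------------

def make_coff_object(timestamp: int, code: bytes) -> bytes:
    """Minimal i386 COFF object: header claiming one section, no symbols, then code."""
    return struct.pack(COFF_HEADER_FMT, 0x14C, 1, timestamp, 0, 0, 0, 0) + code


def make_pe_image(timestamp: int, code: bytes) -> bytes:
    """Minimal PE image: 64-byte MZ stub with e_lfanew=0x40, 'PE\\0\\0', COFF header, code."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    header = struct.pack(COFF_HEADER_FMT, 0x14C, 1, timestamp, 0, 0, 0, 0)
    return dos_stub + b"PE\0\0" + header + code


if __name__ == "__main__":
    code = b"\x55\x89\xe5\x5d\xc3"              # push ebp; mov ebp,esp; pop ebp; ret
    first = make_coff_object(0x4029ABCD, code)  # "built on Friday"
    second = make_coff_object(0x402A1234, code)  # "built again on Monday"
    print("raw bytes equal:", first == second)                 # False
    print("same build after normalising:", same_build(first, second))  # True
    print("tampered copy:", same_build(first, make_coff_object(0x4029ABCD, code + b"\x90")))  # False
```

The pattern generalises (PE and COFF are only the formats the earlier poster mentioned), but scrubbing after the fact scales badly: the more fields a toolchain varies, the more format knowledge the comparison tool needs. That is why reproducible-build efforts push the fix to the source instead, for example by honouring SOURCE_DATE_EPOCH and avoiding __DATE__/__TIME__, so that a second build from the trusted branch should match the shipped binary with no normalisation at all.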
You can't handle the truth.
This! Makes! You! Sound! A! Lot! More! Like! William! Shatner!
Do your best, hope for the best, suspect the worst.
on expensive or budget busting software.
At least with free software, when you get the shaft, you can often still afford to hire a programmer to get it out.
While with closed source software, you usually have to learn to work around the shaft until marketing decides whether they would make more $ taking it out or sticking it in further...
If one line of source changes, the whole system must be recertified.
Not to mention keeping their ear to the ground listening for any rumblings of security issues with the software, as an active member of a community.
;-)
Professional system administrators are *engaged* and interested in the success of their employer and are paid to be so.
Send the tinkerers and the kiddies home... let's get some work done.
+++OK ATH
Considering the titles of the books this guy has written:
Mastering ASP.Net with Visual C#
.NET Programming 10-Minute Solutions
Mastering ASP.NET with VB.NET
Visual Basic Developer's Guide to Asp and IIS
I'd say it sounds much more like someone with an active interest in the success of Microsoft and their business model.
Who's accountable? Names and phone numbers are what most businesses expect. Not a handle in an IRC channel. Not Usenet posts.
what if there was someone to hold accountable? someone who knew about the software because they installed it themselves? Names and phone numbers covered.
Do you seriously think that, if you ever sued Microsoft due to a software bug leading to a massive security breach, you'd ever see a red cent? No, there are terms in their EULAs that absolve them of any responsibility. How is this different from the terms stated in GPL/BSD licenses? What accountability are you referring to?
5468652047616D65
note to self:
reading /. while drunk results in embarrassing posts
"You get what you pay for."
:)
Flawed assumption: There is a direct relation between quality and price.
Why is it wrong? Because in the real world, where some of us still live, many factors aside from quality influence the price. Here is a short list of some:
* Quantity, lowering per-unit-prices
* Price perceptions, i.e. brand vs. no-brand
* Delivery, packaging and other overhead costs
* Regulations, legal costs and other burned money
* Intentional price modifications, i.e. dumping
And then, of course, the entire logic only applies to things that are actually sold. Any math person knows that comparisons with zero are always dangerous. Quick, what's two times zero? Maybe we should just double the price for Linux, then (in his eyes) it becomes twice as good.
Assorted stuff I do sometimes: Lemuria.org
"Let's say Vendor X gets a contract to provide a government agency with 800 desktop computers, with Windows, Office, etc. Meeting a bunch of carefully written specs from that agency's IT department. Vendor X takes Windows XP and customizes it, complete with a "Foo Agency" splash screen, encrypted disk partitions, escrowed bypass for crypto, etc.
"How do we know they didn't plant malware in Windows? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. "
The problem with your example, and with the article that preceded this thread, is that it discusses problems that are common to both open and closed source. The real question is "how can we trust contractors to not screw us". Blaming open-source is disingenuous.
An old adage that governments would be well-served to heed is: You get what you pay for.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
Ah the irony of this comment: "I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."
Coming just before the announcement by MS that portions of the WinNT/2K source code are out in the wild and that the likelihood of new attacks on Windows will increase, I find it so ironic that the Open Source movement gets highlighted for being more likely to be compromised by security flaws. There's nothing funnier than real life I say.
And anything I don't like is foul :-))
(BTW, I am going to patent the English alphabet.
Gee, so much money waiting for me.)
http://www.devx.com/opensource/Article/16969/0/page/1
Would you be happy with an open source package being freely available to download with an intentional "back door" put in the source?
This guy's fear for the security compromises is sensible if the need for intentional maintenance "back doors" is met in freely available source code. If this were the case, the script kiddie doesn't need to even write a script, he can read of a built-in vulnerability and abuse the system.
Of course that's not going to happen: were I working on a project for a particular client of such importance as a government, I'd audit all the code and customise, improve or strengthen it where needed (the issue of subsequent code release under GPL/LGPL etc. would need serious thought and consideration, particularly if such maintenance access methods had been included).
Take care.
Ken.Lewis
When you rely on proprietary products you often get the shaft, especially if you cannot audit and compile the code yourself. See:
- AARD
- NSA key in Lotus
- NSA key in MS-Windows
This applies to all areas, especially infrastructure. For now you have a choice: you can choose Kerberos and OpenLDAP, where you can audit the code. Or you can experiment your money away with MS-ActiveDirectory and hope that it does what it claims to on the box and hope that none of the currently known remote exploits cause you any trouble.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
... it doesn't change the problem.
...
It is *BAD CODE* which allows security violations and problems to occur.
BAD CODE can be either A) Open, or B) Closed.
With A), you have the laws of redundancy also on your side. The fact that so many eyeballs can see the code, means that its public, and that bugs are going to be publically known...
All the gov't needs to do, in order to protect itself from bad code, is: NOT RUN BAD CODE.
How can they tell if the code is bad, if they don't have access to the source? 4,000,000 pairs of eyeballs looking at the same bug is gonna mean that bug is fixed, pretty fast
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
1. There is no such thing as *the* Open Source community. The BSD development process is as different from Linux as OpenBeOS is is different from Apache. Same goes for licensing.
2. "You get what you pay for". Who says one can't pay for the development of Open Source Software and thus make sure the product works and is supported?
3. Security by Obscurity has never worked for a long period of time.
4. Vendor lock-in for proprietary data formats is pure evil and is not a question of Open vs. Closed Source. I don't want my government to rely on Third Party vendors to process publicly available data.
Who paid this guy to spread FUD?
I find it VERY hard to take security advice from a website that runs IIS5 on Windows 2000. Considering the recent win2k source leak, I bet they'll be the first jumping up and down going "you see! you see!" in that typically ignorant way.
And, indeed, that is the common usage. But thats not what it originally meant. See here for a fuller description (a page I wrote, ages ago).
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
Must learn to preview: Try here
What was the Borland database called that they open-sourced and then found a backdoor in that probably had existed for many years? QED. Just too lazy to look up the story, it was on /. tho.
You're not going to get everybody to audit each version.
No, you're going to choose a single base version and fully audit it, then you will declare that version as the default. For each new version you then need only audit the changes.
My company does the exact same thing with closed source software, so why can't the same rules apply to OSS? We won't roll out WinXP SP 2 until it has gone through validation. It would be no different if we were running e.g. Linux and were planning to upgrade to kernel 2.6
> It's a nice hack but fails if I get login.c and the compiler from independent sources
Or cross-check multiple independent compilers. Even if the login.c equivalent relies on Gnu C extensions, it would be extremely hard to arrange that multiple versions of gcc all built backdoors into themselves when used to compile each other. If you also allow for stage1 of gcc being compiled with other compilers, and for cross compilation, it gets even harder.
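The cross-check the two posts above describe (compile the compiler's own source with an independent compiler and see whether the result agrees with what the suspect binary produces) is the technique David A. Wheeler later wrote up as diverse double-compiling. The toy model below is an added illustration, not code from this thread or from any real compiler; its "sources", "binaries" and compilers are constructed stand-ins, and the `fingerprint` string stands in for a byte-for-byte comparison of real compiler binaries. It also shows why the single-source rebuild mentioned earlier proves nothing.

```python
"""Toy model of the Thompson compiler backdoor and of diverse double-compiling.
Added illustration; every 'source', 'binary' and compiler here is constructed."""

from dataclasses import dataclass

# Constructed sources. Both are clean: the backdoor lives only in a binary.
LOGIN_SRC = "program login: read user, pw; if check(user, pw): spawn_shell()"
COMPILER_SRC = "program cc: parse(src); emit(code)"


@dataclass(frozen=True)
class Binary:
    """A compiled program, described by what it actually does when run."""
    name: str
    behaviours: frozenset


class CompilerBinary:
    """A compiled compiler. `trojaned` is state carried in the binary only;
    nothing in COMPILER_SRC mentions it."""

    def __init__(self, trojaned: bool = False):
        self.trojaned = trojaned

    def compile(self, src: str):
        if src.startswith("program cc:"):
            # Thompson's second trigger: when a trojaned compiler compiles the
            # (clean) compiler source, it re-inserts itself into the output.
            return CompilerBinary(trojaned=self.trojaned)
        name = src.split(":", 1)[0].split()[-1]
        behaviours = {"check_password"} if name == "login" else {"run"}
        if self.trojaned and name == "login":
            # First trigger: login gets a password the source never mentioned.
            behaviours.add("accept_backdoor_password")
        return Binary(name, frozenset(behaviours))

    def fingerprint(self) -> str:
        """Stand-in for the bytes of the compiler binary."""
        return "cc" + ("+trojan" if self.trojaned else "")


def self_check(suspect: CompilerBinary, compiler_src: str) -> bool:
    """Rebuild the compiler with itself and compare. This passes for a
    trojaned binary too, so it proves nothing: same source, same attacker."""
    return suspect.compile(compiler_src).fingerprint() == suspect.fingerprint()


def diverse_double_compile(suspect: CompilerBinary, trusted: CompilerBinary,
                           compiler_src: str) -> bool:
    """Compile compiler_src once with the suspect binary and once with an
    independent trusted compiler (stage 1), then use each stage-1 result to
    compile compiler_src again (stage 2). If the two stage-2 binaries agree,
    the suspect binary faithfully reflects its source."""
    stage1_suspect = suspect.compile(compiler_src)
    stage1_trusted = trusted.compile(compiler_src)
    stage2_suspect = stage1_suspect.compile(compiler_src)
    stage2_trusted = stage1_trusted.compile(compiler_src)
    return stage2_suspect.fingerprint() == stage2_trusted.fingerprint()


if __name__ == "__main__":
    dirty, clean = CompilerBinary(trojaned=True), CompilerBinary()
    print("login built by dirty cc:", sorted(dirty.compile(LOGIN_SRC).behaviours))
    print("self-check on dirty cc passes:", self_check(dirty, COMPILER_SRC))      # True
    print("DDC on dirty cc passes:", diverse_double_compile(dirty, clean, COMPILER_SRC))  # False
```

Comparing the two stage-2 results rather than the stage-1 ones is the point of the extra round: the trusted compiler legitimately emits different code from the suspect one, so the stage-1 binaries differ even when nothing is wrong, whereas the stage-2 binaries are built from identical source by two compilers that should be functionally identical, so any difference is either build non-determinism or a payload. The check therefore assumes a deterministic build (the date-field problem raised earlier in this thread breaks it) and a trusted compiler that is genuinely independent of the suspect one, which is what makes the suggestion of several unrelated gcc versions, or a non-gcc compiler for stage 1, worthwhile.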
rant
Heck, I'll sell Linux to the government for 4 billion dollars. That should guarantee them a good value.
Looking at this article from a DoD IT admin perspective, going thru his points:
1. He discounts his first concern in the same sentence.
2. Security compromise by blindly installing a cut-rate distribution? Give me a break: large government agencies (by their very nature) will instill their own version control and authentication beyond what the open source community does, aka RedHat's already been COE certified by DISA.
3. Sure his last scenario is likely to occur: a malevolent individual in IT support compromises his local systems. Why is this limited to just open source? That's why there's the agency control processes from 2. above.
I'd like to see a measurable case against; the measurable budgetary case for exists.
Is it a rule, that there's an exception to every rule?
The article may have been a troll or not well thought out as someone pointed out. But, I'd say that the author has a point and the open source community should keep their eyes open and even offer tools to prevent possible attacks. The most difficult to detect as well as most far-ranging attack will be in the compiler or the kernel. Which is not to say that the other applications/daemons should be neglected. After all, many of them run as root. Another thing is user education; users should be made to distrust binaries by default. Only signed apps or those that can be traced back to the original sources should be worthy of acceptance.
I can download a package from a Redhat mirror and compare the MD5 of the downloaded file with the published ones on the RH site.
I have noticed some mirror sites having MD5 key files on there, which kinda defeats the point!
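The objection raised earlier in the thread, that a checksum fetched from the same server as the tarball proves nothing, and the point just above about mirrors carrying their own MD5 files, in runnable form. This is an added example, not code from any post; the tarball, the mirror and the out-of-band digest are constructed. The lesson is about where the reference value comes from, not about MD5 versus SHA-256: the same check is run with both.

```python
"""Checksum from the mirror vs. digest obtained out of band.
Added illustration; the release, the mirror and the pinned digest are constructed."""

import hashlib
import hmac

# Constructed release artefact, and the digest the project published through a
# channel the mirror does not control (a signed release mail, the project's own
# site, or a value pinned in your build system after you checked it once).
GENUINE_TARBALL = b"foo-1.0.tar.gz: genuine contents"
PINNED_SHA256 = hashlib.sha256(GENUINE_TARBALL).hexdigest()


def build_mirror(compromised: bool) -> dict:
    """A mirror serves the tarball with .md5 and .sha256 files beside it.
    An attacker who owns the mirror rewrites the tarball and both checksum files."""
    data = GENUINE_TARBALL
    if compromised:
        data = data.replace(b"genuine contents", b"genuine contents + backdoor")
    return {
        "foo-1.0.tar.gz": data,
        "foo-1.0.tar.gz.md5": hashlib.md5(data).hexdigest(),
        "foo-1.0.tar.gz.sha256": hashlib.sha256(data).hexdigest(),
    }


def check_with_mirror_checksum(mirror: dict, algo: str = "md5") -> bool:
    """Compare the download with the checksum file from the same mirror.
    Catches corruption in transit; cannot catch a compromised mirror, because
    the attacker chose both values."""
    data = mirror["foo-1.0.tar.gz"]
    published = mirror[f"foo-1.0.tar.gz.{algo}"]
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), published)


def check_with_pinned_digest(mirror: dict, pinned: str = PINNED_SHA256) -> bool:
    """Compare the download with a digest the attacker could not rewrite."""
    data = mirror["foo-1.0.tar.gz"]
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned)


if __name__ == "__main__":
    for compromised in (False, True):
        mirror = build_mirror(compromised)
        print(f"mirror compromised={compromised}: "
              f"mirror md5 ok={check_with_mirror_checksum(mirror)}, "
              f"mirror sha256 ok={check_with_mirror_checksum(mirror, 'sha256')}, "
              f"pinned digest ok={check_with_pinned_digest(mirror)}")
```

A detached GPG signature has the same shape as the pinned digest: the .sig file sits on the mirror next to the tarball, but it is only useful against a public key you obtained earlier through another channel, and a key downloaded from the same mirror is as worthless as the MD5 file. MD5's collision weakness is a separate problem from the one shown here; switching the mirror's checksum file to SHA-256 changes nothing about who controls it.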
But the authors left in several nasty, nasty flaws that would have been identified within weeks if not within a day in the open source world. Listed in order of damage to the government's planned uses:
Hundreds of millions of dollars of R&D and hardware and software development went right down the toilet. In the meantime, RSA based, public code implementations of telephone encryption have been trivially developed and used worldwide. (PGPphone is at least 15 years old, for example.)
This kind of thing goes on all the time in the closed source world. Developing in a closed source world is like keeping Consumer Reports from examining your appliances when you sell them: it's often just a terrible, terrible idea for the world at large and you as a potential consumer, and it costs the company huge amounts of money down the road.
damn it, I thought that locked that guy up. Why is anyone still paying for his articles?
Source base distributions are more popular than ever.
This seems to argue that governments can't use open source in case one of their own coders alters it to make it insecure. This is ridiculous. I build bespoke software for a living, as do about 90% of coders worldwide. The trust question is far more wide-ranging than your argument suggests. Using closed source software merely moves the question of trust from people selected by a government to people whom they have never even met, who might even be contractors to the closed source company.
J.
You're only jealous cos the little penguins are talking to me.
A rebuttal has been published on the DevX web site. It pretty much sums up what is being said here.
Open Source is funded by IBM and a few other large companies with a powerful vested interest in non-proprietary operating systems. The lack of interest in writing for scads of worthy projects at Sourceforge.net kinda demonstrates that. E.g., what Mac OS X version of OOo?
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
And Linux geeks never pride themselves on rebuilding everything from the kernel up using gcc, and even if they did do that, which they don't, they'd always download an independent C compiler to build gcc first, of course... ;-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Isn't that what you are guaranteed to get with the Convicted Monopolist? You might get it with some of the poorer Linux distros, but they can always be replaced, and if all else failed, Linux could be replaced with BSD with little change as far as the end users were concerned.
This guy is either very naive, or simply a liar. The fact is that any government, even of a "Banana Republic", can afford to employ a few competent software engineers, if they use the money they save on not funding Bill's gang of cowboys. These software engineers can review the code for holes, and can fix and customise the way they want, to make a better experience for all. However, they may not need so many low-grade support staff, whose job function is to apply the constant stream of Service Packs from Redmond.
It actually creates more career opportunities: those who have been confined to menial support work can start to fix things themselves, and many will show unsuspected talent, in much the same way that in the bad old days of early mainframes, more than a few of those employed in the menial position of "operator" learned programming skills in their spare time (after all, they had a computer to play with...) and advanced to more rewarding positions.
I'm not convinced that's true at all. I think some governments are moving to Open Source because (a) it's cheaper, and (b) it doesn't involve vendor lock-in to a corp with a history of sharp pricing policies.
I rather suspect that any philosophical or moral reasons to support Open Source are utterly lost on most of the governments who might adopt it, and that the chances of those governments -- who are doing this to save money, and probably for no other reason -- spending a fortune employing skilled software developers and QA people to vet the code they're using and future-proof themselves is rather small.
In the source there, in the directory /win2k/private/shell/iexplore/,
there is a file called none other than "gnumakefile"
Since it requires the individual to actually notice something, your statement would be more accurately written: The malefactors get caught out if somebody notices something.
Big backdoor.
ZDNN: http://zdnet.com.com/2100-11-527115.html?legacy
Government of the people, by corporate executives, for corporate profits.
The article starts with a strawman, "The nature of open source makes security problems an inevitable concern." and it descends from there. Comments such as "Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be." are actually more applicable to the state of Windows than Open Source.
The article is just another unresearched article by an author with an axe to grind against open source.
I have sco everything. It works so well. THere techsupport is very good. I found out about it a Mickey D's. I clean up floors and look at there compus. kff123@aol.com
Nice one, this same story can be found in The Codebreakers. Time and time again it has been shown that keeping an algorithm secret is no way of implementing security. The more open you are and the more people who try to hack the system, the more secure it becomes as each weakness is exposed. This makes open source stronger than hidden source. Microsoft should pay hackers money for exposing their security holes. What worries me is how many back doors they have placed in Windows; I do not trust them. I am fairly sure they are hiding something.
Sorry, I've always been berated for my poor commas when I write English. I do try to constrain myself, but well :)
I certainly didn't pay for his opinion.
I remember the early days of IRC chatrooms. Users were polite and kind. Seldom was the use of kick and ban commands enforced; almost no control of users' behaviour was needed.
A few years later IRC chatrooms are battlegrounds for bots to control channels, and heavy monitoring follows you anywhere you go.
Slashdot is an example of how you can't let information flow free without some sort of "control".
The Open Source movement will follow the same path, and soon enough major Linux distributors will have to depart from the free-for-all model and start imposing some sort of control/ownership/liability on their respective distributions.
It's relatively easy right now to clone one (modified) popular Linux kernel module, plant it in a Linux box and let it rip.
- these are not the droids you are looking for -
From the article: "Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project." This can happen with closed source too. At least with open source it is possible for dozens of people to examine the source and potentially detect this backdoor.
It makes me feel like I'm listening to Captain Kirk.
Proud neuron in the Slashdot hivemind since 2002.
"Borland released the InterBase program as open-source software in July, meaning that anyone may scrutinize the software, modify it and redistribute it. [...] Programmer Frank Schlottman-Godde from the open-source Firebird project discovered the vulnerability Dec. 18..." (- ZDNet)
Sounds like a pretty strong argument for open source to me.
Where is the documented review process for closed-source software? Are the reviewers in THAT process qualified? Who decides that they are? How even is the quality in closed-source software, and how would you prove it one way or another?
Who's accountable? Well, ultimately (just as with most closed-source software), the user of the software is solely responsible for whatever the software does. If you're talking about "accountability" in terms of "who do I sue?", then I would assume that you would sue the company that packages your particular piece of software. I'm pretty sure most of those companies that are reputable enough to have lawsuits filed against them in the event of some unspecified situation with code will have phone numbers and addresses. If you're a business using software that's not available through some easily identifiable source, then you're operating in the "stupid zone".
I understand the point that you're trying to make, but the argument just doesn't have any teeth. There are too many differences with the way things are in reality for the theory to make any sense.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
Closed-source software is all blind ends, like tangled underbrush. For small minds, as for small animals, it's a good trade to improve your ability to hide at the expense of the same for that which threatens you, or your prey. For large minds, as for large animals, it's better to be able to see what threatens you so you can do something about it.
Look at the difference between the kind of people who prefer closed source and those who prefer open source. They're the same ones who prefer that we don't expand beyond earth. They don't like thinking big, because they can't do it.
A healthy ecosystem has niches for lots of different survival strategies. Let's hope the rats and bacteria drop their insistence that their way is the only way, so we don't have to sterilize the swamps.
>> As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
This is really a funny argument! Why should the government choose a distribution from a company which they can't trust? And why should it be easier to undermine government security with a completely open-sourced product (where many eyes can always view the source) than with a closed source product (where maybe no one outside the company can check the source at all)? I now have to read the rest of the article, but the first few lines seem not very objective!
Isn't this argument as old as locks? What produces a better lock?
1) A box containing a secret that isn't easy to examine
2) A box open to inspection that interested parties can improve
Microsoft believe (or say they believe) it's the former, many people (myself included) believe it's the latter. Open Source can only work if you believe it's the latter.
Most government agencies behave as if they believe option 1. So what is their motivation in choosing Open Source?
What I'd really like is "Open Source Government" (are you listening Mr Blair?).
Of course all locks (and all software) are less than perfect, and flaws will be found in both kinds, but I think they are more visible and easier to fix if we can all see.
This is exactly the attitude that will keep OSS from being widely accepted.
"Professional Windows system administrators" rarely have problems, because of the exact reasons you stated. But not all systems are run by professionals, or they have just chosen to ignore that fact.
Check for yourself, the code for windows is now readily available.
Vote for new mod!!! Score:-2,Imbecile
Are there third-party vendors recompiling Windows, Office etc? I haven't seen this, although it could be true. My perception is that a given release of a Microsoft product will contain the same binaries no matter which vendor distributes/installs it. That allows for much easier verification that there has been no tampering with the binaries.
As others have pointed out, a given release of an open source package can have different binaries depending on many variables in the release environment, even the time. So the mere fact that a binary has the "wrong" md5 hash doesn't set off any alarm bells.
Does that make sense?
Logically the two arguments don't go together very well. You can hire professionals (who act like professionals) for either OS. My comments were more towards those who don't admin in a professional manner.
+++OK ATH
You don't need to recompile Windows to change its behaviour. You just need to install certain binaries. For example, the GINA authentication DLLs, or the LiteStep explorer replacement.
And viruses don't need to recompile a binary to infect it. They simply modify the PE header then piggyback at the end of the file. This was the case before Windows even existed.
I disagree that it's "easier" to verify that binaries haven't been tampered with. Microsoft releases many versions of their DLLs and they do not provide MD5 sums. You could compare against a known good source but how would you know if the difference was because of deceit or because of an upgrade? You'd need access to all valid versions of Windows, including every intermediate version, including non-Microsoft versions that are bundled with third party software (eg, DirectX betas are often bundled with third party games, but similar bundles occur for non-gaming software).
Microsoft tried using digital signatures as an improvement over MD5 sums, but their vetting processes were flawed. You might remember the ActiveX control that was signed despite its only action being to reboot the computer. Microsoft revoked the signature but only after the author brought their attention to it. Who says that there aren't trojans in existing ActiveX controls? They don't even have to be intentional; the flaws in Microsoft code used by viruses aren't intentional.
Finally, malware already exists despite there being no access to Windows source code. Scripting languages in Windows are powerful enough to cause the same disruption as corrupted binaries. So a perfect set of uncorrupted binaries proves nothing.
I hear what you're saying but I disagree that it makes any practical difference. The example the author provided - a rogue contractor delivering trojaned software - can happen with closed source. The author claimed that open-source makes trojans easier to deploy, but I see no evidence to support such an outlandish claim, and my own understanding of the issues leads me to disagree with such claims.
You need to trust your staff and your vendors. That is the bottom line.
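An added example, not from the thread, of the verification the comments above debate: hashing only the deterministic part of a build so an honest rebuild at a different time still matches the audited version, while an upgrade matches its own manifest entry and an altered artifact matches nothing. The artifact format, the program bytes and the manifest are constructed for this example.

```python
import hashlib
import re

# Constructed artifact format, an assumption for this example only: one
# header line "BUILD-TIME: <epoch seconds>" followed by the program bytes.
# The header stands in for the build-environment variables (time, paths)
# that make two honest builds of the same source hash differently.
HEADER_RE = re.compile(rb"\ABUILD-TIME: \d+\n")


def build(payload: bytes, build_time: int) -> bytes:
    """Simulate a build that stamps the build time into the artifact."""
    return b"BUILD-TIME: %d\n" % build_time + payload


def whole_file_hash(artifact: bytes) -> str:
    """The naive check: hash every byte, timestamp included."""
    return hashlib.sha256(artifact).hexdigest()


def normalized_hash(artifact: bytes) -> str:
    """Hash only the deterministic part by stripping the build-time header."""
    body = HEADER_RE.sub(b"", artifact, count=1)
    return hashlib.sha256(body).hexdigest()


def verify(artifact: bytes, manifest: dict) -> str:
    """Return the audited version this artifact is a faithful rebuild of.

    manifest maps a version label to the normalized hash recorded when that
    version was audited. A newer legitimate version matches its own entry;
    a modified artifact matches nothing and is rejected.
    """
    got = normalized_hash(artifact)
    for version, expected in manifest.items():
        if got == expected:
            return version
    raise ValueError("artifact matches no audited version: " + got)


# Constructed sample programs standing in for two releases of one package.
PROGRAM_1_0 = b"if uid == 0: allow()\n"
PROGRAM_1_1 = b"if uid == 0 and audited: allow()\n"

# The auditor records normalized hashes of the builds they reviewed.
MANIFEST = {
    "1.0": normalized_hash(build(PROGRAM_1_0, 1_000_000)),
    "1.1": normalized_hash(build(PROGRAM_1_1, 1_000_100)),
}


def demo() -> dict:
    """Rebuild 1.0 later, ship 1.1, and try a tampered 1.0."""
    original = build(PROGRAM_1_0, 1_000_000)
    rebuilt = build(PROGRAM_1_0, 2_000_000)
    tampered = build(PROGRAM_1_0.replace(b"uid == 0", b"True"), 2_000_000)
    results = {
        "rebuild_whole_hash_differs": whole_file_hash(rebuilt) != whole_file_hash(original),
        "rebuild_version": verify(rebuilt, MANIFEST),
        "upgrade_version": verify(build(PROGRAM_1_1, 2_000_001), MANIFEST),
    }
    try:
        verify(tampered, MANIFEST)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```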
Bullshit! I'm an MCSE and I know lots o' stuff about Admining. I have an MCSE afterall! I tried to use the Linux OS and it was hard! No control panels! No pictures! Nothing!
I've been an MCSE for several years, and I really like Windows. Because all the time my company's servers get compromised, all I have to do is reinstall and then there is no more compromise!
And this virus stuff is no big deal. Man, if you got a virus under Linux, it would corrupt your source code, and then you couldn't reinstall. But because there is no source code for Windows, that can't happen.
I think it's somewhat sad that some nobody bashes Linux in a little article and it gets slashdotted. I mean sure it's nice to know not everyone loves Linux, but remember the source people...
my karma will be here long after I'm gone
Luce, among others, believed the way to save post-war China from Moscow was to support Chiang, which was a major blunder and typical of the disconnected-from-reality idealism of the time. .....
I seem to recall two diplomats returning their assessments on both the suitability and likelihood of success of Chiang Kai-shek and the Nationalists. Their assessments were negative, and Henry Luce successfully lobbied to have both men fired from the diplomatic service.
That the Administration was ignoring the advice of its own diplomatic staff and listening to Luce and (you are right) T.V. Soong makes me shake my head.
I am the director, and this is my movie
Given that a source-level exploit is more likely to occur in the first place when the source is widely and anonymously available, [Emphasis added]
Point made, but methinks the realities strongly favor open source.
The NIH (Not Invented Here) syndrome is probably stronger in open source than in closed source. While I could easily fork something with my own nefarious code, or submit long anonymous patches to whoever maintains the main line, the odds are that I would be totally ignored. Seems like during the OpenSSH stuff, Debian refused to patch without first being shown the exploit.
I can anonymously get open source.
Except for making an obvious point, there is no way I can anonymously put open source anywhere that stands much of a chance of making any difference. Too many eyes. Too much suspicion.
And Linux geeks never pride themselves on rebuilding everything from the kernel up using gcc, and even if they did do that, which they don't, they'd always download an independent C compiler to build gcc first, of course... ;-)
Almost all don't. A few paranoids will. Quietly. Until they finally "find proof". And it only takes one.
However, the diversity, the forkedness of OS software means there are thousands of variations that would all need auditing.
Um, no. First of all, software isn't forked that badly, in general. Second, you only need to audit the version you are planning to deploy. If it doesn't pass muster and there's a fork available that claims that it will, you audit that. If there's no fork available, you look for another piece that'll solve the same problem. If it's not available, then you patch the first one or develop from scratch in-house. In any case, it's never necessary to audit all the thousands of free software packages out there.
If I were running things, government agencies would be required to audit all source code before deploying the application, and they'd be required to compile it themselves, with a 'trusted' compiler, that they also compiled themselves. (Now someone show me what'shisfaces comment about how you can't trust the compiler).
The whole 'trusted source' thing takes care of many problems. Say NSA audits sendmail and actually determines that it's 'safe' (heaven forbid!). Now Everyone Else knows that NSA liked it, and they may not need to audit it themselves, they can just go with the version NSA audited. See what I mean?
In a paranoiac's world, a 'trusted source' is necessary for any software distribution method, open or closed source in origin.
In a paranoid's world, there is no such thing as a trusted source. :)
Like what I said? You might like my music
Click here.
I cringe and whinge when I read articles such as these (the original FUD article, not the rebuttal). This guy is either an idiot who actually believes this stuff or it's M$ sponsored FUD. I don't know which is worse.....
All the rebuttals are well argued, but unfortunately, most PHB's eyes glaze over when you start making points and talking about "straw men". Their eyes light up though when you start talking about how the evil Open Source will cost you money. The M$ ads right next to the article just show how much bull$hit all this is..
Sorry, I know you've all read this before, but it feels to preach to the /. choir.....
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
Now, arguing from this scenario to a general denigration of open source depends on several assumptions:
I guess the only thing we can conclude from this is that the words "open source" are no more magical than the words "patented". Hucksters for years have slapped "patented" on their technology as a way to make it seem better, and convince people to buy it. That doesn't mean that they're not selling snake oil, or worse. ("Patented million-bit encryption", anyone?)
In a sense, the article is right, "open source" are not magic words that can be slapped on something to make it more secure. That's because open source isn't just a marketing label. It actually means something about the software. The cautionary tale here is about not getting suckered by fast-talking scam artists, but I don't see what connection this has to open source.
Actually, if you look at the doomsday scenario closely, it comes out as an argument for open source - the problem in the doomsday scenario is that the government has been sold code which is different from that running all over the planet (and being inspected by people all over). Therefore, if the government chooses someone who's work they can't verify, they might have trouble.
Therefore, the government should insist on a way to verify the work of consultants who set up computer systems for them. One such method is to require that all source be handed over to the government. Another way is to skip the consultants entirely, and have government employees go get the open source from known good sources. (yes, those employees could sabotage things, but couldn't they do that no matter what?)
Open source doesn't eliminate the fact that at some point, someone less technical has to trust someone more technical. ("Trusting Trust" and all that) That's just the way it is. However, open source lets you dramatically reduce the length of that chain of trust. This is a good thing.
It's not like anybody is still using Windows. They might as well put their code on display in the Smithsonian.
He points out a site that has a listing of known security holes on each OS. Well, when I looked there and compared Windows 2000 Pro to the Linux 2.4.x kernel (the two mainstays for each side): 59 (Windows) vs 15 (Linux 2.4) issues. Hmm, yeah, Linux has a whole lot of security issues.. This guy is either a moron or he is being paid directly or indirectly by Redmond.
Wow... people will say anything for $$
Scott
janitor
sdn website family
email: scott at sboss dot net
I agree that open source software is a bad thing. It should be outlawed. Open sourceness encourages companies and the people to stop paying programmers for their hard work.
Stop posting links to Wikipedia - it is not a real encyclopedia - it is just an amateur "open source" project which nobody can trust. A real encyclopedia has Ph.D. editors, not teenagers etc!