Is Open Source Fertile Ground for Foul Play?
jsrjsr writes "In a DevX.com article entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
Oh yeah, see this for a good example of closed source software in action.
Tom
Someday, I'll have a real sig.
From the article, annotations added by me:
>Malevolent code can enter open source software at several levels.
1. >First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
Not likely indeed. Moving on.
2. >Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Organizations using Open Source Distributions generally purchase a vendor-supplied copy as well as a support contract.
As an aside, do you suppose non-US countries that use Microsoft products are concerned that Microsoft may not have their country's best interests at heart?
3. >Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself; the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
This isn't limited to Open Source itself. The same possibilities (and probabilities) exist for any company that uses customized software AT ALL -- at some point, you have to trust those doing the customizing, or get a third party to audit. I mean, after all, I can wreak havoc throughout an organization just by clever use of login scripts on Windows XP machines, and if everyone in the IT department is in on it, nobody else would be the wiser.
Now that I think of it, even if you're not customizing the software, you're trusting the people who make it. Does Microsoft have your best interests at heart? Does SCO? Does RedHat? Does anyone? That's why it's nice to be ABLE to scour the code -- the smartest, safest groups will obtain source code from those who write it, and have it audited by another group, and then again perhaps by another. Unless they're all in league with one another. [Insert tinfoil hat here]
So. Who's paying this guy?
You're absolutely right. People going around trolling about open source without any plausible reason is a major detriment to the cause and the software. Companies/corps are going to pick whatever works best for them and adapt/change with it to their needs and Gov't should do the same. If the security was as bad as the article implies it to be, then why haven't we seen any catastrophic security failures on any of the open source systems currently being used by Fortune 500 and Gov't? Hell, it couldn't be any worse than the MS systems in use.
I must bid you farewell....... "walks out amid the gunfire"
His criticism reminds me of a speaker at a recent IEEE meeting at my school. She talked about the work environment, and some nuances of how to act or not to act.
One interesting thing about the contracting company she runs is that if you charge more, you get more business. The thought here is that companies think that since this certain company costs more, it must be better. Obviously though, she did not get smarter by charging more, only richer.
That is the thinking that this fellow is using: charging more must mean it's a better product. Sadly, he is in a large part of the population that does not understand the Open Source community, or business models. His view is outdated, and frankly, wrong.
Besides, what other companies besides M$ find a huge hole in all of their flagship products, but fail to patch it for close to a year?
I suspect that was because of the recent patch to Windows that came out just a few days ago. Hmmm...when was the last time I needed to update the Linux server or Apache for security reasons? Hmmm...oh well, my memory's not that good, anymore.
Apparently, of the rich, by the rich, for the rich.
I have this argument with my clients all the time. Many of them do not trust open source. They say, 'It is unsupported! We can't run production on unsupported software!'
My argument is that it is no different from internally developed application. None of the code I write is 'supported' any more than the open source code out there. If something breaks they have to pay me to fix it. If something breaks with some open source code, they still have to pay me to fix it.
Also, the advantage of open source is that even if the author's slipped something 'nefarious' into the code, you have a chance to see it. What do you do when someone slips spyware into a proprietary application you use?
You're missing the point. They _know_ when the compromises took place. I had a project on Savannah, and when they discovered the backdoor, they had the CVS repository from backup from before the incident, and from after the incident. Each project leader was to compare the diffs between the two to make sure that there was no altered code.
Engineering and the Ultimate
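The check the Savannah poster describes, comparing a pre-incident backup of a source tree against the post-incident copy, as an added example that is neither Savannah's tooling nor the commenter's own code. It hashes every file in both trees and reports what was added, removed or altered, so a maintainer reviews exactly those files; the `snapshot`/`compare_snapshots` names and the tiny sample project are constructed for this example.

```python
"""Compare a pre-incident and post-incident copy of a source tree.

Added example, not from the Savannah project or the comment author. The
poster describes comparing the CVS tree restored from a backup taken before
the break-in against the tree from after it; this does the content-level
part of that check with file hashes instead of a line-by-line diff.
"""
import hashlib
import sys
from pathlib import Path


def digest_of(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(root):
    """Map each relative file path under root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest_of(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_snapshots(before, after):
    """Return files added, removed or altered between two snapshots.

    Both arguments map relative path -> digest, as produced by snapshot().
    Timestamps and sizes are deliberately ignored: only the content hash is
    trusted, so a change made with the original mtime restored still shows up.
    """
    before_paths, after_paths = set(before), set(after)
    return {
        "added": sorted(after_paths - before_paths),
        "removed": sorted(before_paths - after_paths),
        "modified": sorted(p for p in before_paths & after_paths
                           if before[p] != after[p]),
    }


# Constructed sample: two in-memory "checkouts" of a tiny project (hypothetical).
BEFORE = {
    "src/main.c": digest_of(b"int main(void) { return 0; }\n"),
    "src/util.c": digest_of(b"int add(int a, int b) { return a + b; }\n"),
    "configure": digest_of(b"#!/bin/sh\necho configuring\n"),
}
AFTER = {
    "src/main.c": BEFORE["src/main.c"],                                    # untouched
    "src/util.c": digest_of(b"int add(int a, int b) { return a + b + 1; }\n"),  # altered
    "configure": BEFORE["configure"],                                      # untouched
    "src/helper.c": digest_of(b"/* file not present in the backup */\n"),  # added
}

if __name__ == "__main__":
    # Usage: python compare.py <before_dir> <after_dir>; no arguments runs the sample.
    report = (compare_snapshots(snapshot(sys.argv[1]), snapshot(sys.argv[2]))
              if len(sys.argv) == 3 else compare_snapshots(BEFORE, AFTER))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```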
Actually, in practice there has seldom been any peer review of code in 'closed source' software companies. Unless a project or program has major funding, clout, and visibility, the coders write some unit test cases and hope any bad bugs are caught in system testing (which gets reduced when the schedule gets tight - in contrast Open Source software usually has no schedule). Open Source software is therefore infinitely more secure as more often than not at least 2 pairs of eyes have seen any particular piece of code.
I think the government might just have the time to make this sort of check, and as others have said, it only takes one person to notice. Your second point is valid, as is borne out by the Debian/micq dispute (also mentioned previously in these comments), but that ironically isn't a point that Jones attempted to make in the article - he seems to be concerned with unpublished back-doors that don't appear in the source.
My boss used to do custom business software and database programming back in the big iron days. He said that in order to do customer support they would often build in a way to shell into the machines remotely to do the diagnostics.
No problem there. But the kicker was that he would build back doors into the programs that only he knew about, so if they changed the front door passwords or otherwise screwed it up, he could still get in.
The big problem was that he wouldn't tell his customers about these back doors. This is financial and tax data we're talking about. He saw no ethical problem with this. None at all. Fortunately he's not a malicious guy,
This isn't a surprise to anybody, right? I was just shocked at the total and complete lack of guilt over doing this. And he's otherwise a normal guy. That's scary.
Why do I have this? I don't smoke.
The big problem with the closed source model (as we may be about to find out first hand) is that once the source gets leaked, all those holes are out in public. The security through obscurity design model kinda falls apart at that point.
The guy that wrote the original article is definitely trolling. Unless he really is a fool. I think anyone with even a little insight into how OSS works understands why it's inherently MORE secure than closed source. This "closed source is more secure" meme gets floated and shot down several times a year.
Wouldn't help you against a C compiler hack in the style of Ken Thompson's classic. That's a pretty paranoid example but it does show that to be perfectly secure in your system you do need to know everything about it, from the ground up. Compiling from a known-good source isn't always enough.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.