Slashdot Mirror


Is Open Source Fertile Ground for Foul Play?

jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"

206 of 723 comments

  1. Sounds like someone trying to be controversial... by yar · · Score: 5, Insightful

    I wish people would use any kind of proof with this type of article... but I suppose they can't.

    "Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."

    And of course there just CAN'T be any guard against the actual program being implemented differing from the publicly available source... :P

    "I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."

    And when those holes are discovered, they aren't published at all. And the proprietary owner has a far more difficult time finding these existing holes themselves. And most of all, there's NOTHING STOPPING THE PROPRIETARY OWNER from implementing this same type of worst-case scenario the author of this piece describes, and an even smaller chance of discovery by outsiders. Sheesh.

  2. Russell seems a bit dated by Raindance · · Score: 5, Insightful

    'You get what you pay for'?

    Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.

    There might be security concerns with Open Source (he, most interestingly, doesn't go into security concerns with closed source or compare track-records); however, Russell is trying to pull a fast one as this is a different (and, I'd argue, wrongful) criticism of OS.

    RD

    1. Re:Russell seems a bit dated by haystor · · Score: 5, Insightful

      The irony is that his article is freely available.

      --
      t
    2. Re:Russell seems a bit dated by mekkab · · Score: 2, Funny

      yeah, it seems he's never paid for a BSOD! Unfortunately, neither has Microsoft. But when I get my hands on them, they'll pay. Oh, how they'll pay!!

      --
      In the future, I would want to not be isolated from my friends in the Space Station.
    3. Re:Russell seems a bit dated by arf_barf · · Score: 2, Informative

      What else do you expect from an MS shop? DevX was born as a VB support shop. In all the years that I visited DevX (mainly for VBPJ magazine), I have not seen one article critical of MS. I stopped once .NET came out because the coverage was nauseating...

    4. Re:Russell seems a bit dated by jshift2work · · Score: 2, Insightful

      Here is the problem: you didn't pay attention in your economics class. Quality of product is not directly related to price. Demand is directly related to price, but not in all cases; certain companies still outprice their hardware because I think they just don't want the average user to buy their computers. If the demand is there for the product you can charge what you want. But this being said, OSS breaks these rules because of the nature of it. The freedom automatically screws the whole system out of whack because no matter how much in demand it becomes it will be free. If it gets to a point where you can't give it away, guess what, you are still going to give it away. If it is so crappy no one wants it, no one will pay for it. If it is so uber that everyone wants it on the machine, no one will pay for it... unless SCO buys it, but in that case no one will pay for it anyway. The point of this ramble is the laws of econ do not apply here, or anywhere when talking about OSS. Now if I could get gravity on my side.

    5. Re:Russell seems a bit dated by happyfrogcow · · Score: 2, Insightful

      however, the decision to make his article freely available was market-driven

    6. Re:Russell seems a bit dated by Pentagram · · Score: 4, Funny

      Exactly. How do we know that the original wasn't actually a logical, intelligent article, and that this copy isn't actually an evil corruption due to it being freely available for modification?

  3. Wow by daeley · · Score: 5, Funny

    Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  4. Ahhh.. by Jeremiah+Cornelius · · Score: 5, Funny
    An article-length Troll.

    The whole thread that will light-up in response to this old chestnut!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. hrm... by xao+gypsie · · Score: 2, Insightful

    I disagree... if there is a security hole, those implementing the software would ideally know enough to pick up on it fairly quickly. I mean, they do have the source, after all...

    --


    xao
    http://TheHillforum.hopto.org
  6. What a sellout by dtfinch · · Score: 5, Insightful

    Everything he claims can go wrong with open source can go wrong with closed source, but with closed source you have fewer people watching to catch malicious code additions before stable release.

    1. Re:What a sellout by tomstdenis · · Score: 3, Interesting

      Oh yeah, see this for a good example of closed source software in action.

      Tom

      --
      Someday, I'll have a real sig.
    2. Re:What a sellout by Dionysus · · Score: 2, Insightful

      I support open source, but come on guys, would you really want Linux supporting your nuclear arsenal? Or anything else to do with bombs? Not _all_ closed source is bad, just because you don't like Microsoft.

      I want whoever controls my nuclear arsenal to have the source and expertise to the software they use, so that they can fix it themselves. I'm almost certain that the military and org. like NASA get the source to the software they use. And then the question becomes, how is that not open source?

      --
      Je ne parle pas francais.
    3. Re:What a sellout by gujju · · Score: 2, Interesting

      On the other hand, do you really want some closed source software handling your elections?
      Would you rather have every GWB-hating geek scrutinize the voting machine code with his self-assembled electron microscope, or some "security" company, Diebold, do it with closed source software which they CLAIM is "safe"?

      Gujju

    4. Re:What a sellout by bobv-pillars-net · · Score: 3, Insightful
      come on guys, would you really want Linux supporting your nuclear arsenal?

      Or your elections?

      --
      The Web is like Usenet, but
      the elephants are untrained.
    5. Re:What a sellout by Salamander · · Score: 2, Interesting

      Heh. Even as I wrote that, it looked like the closed-source version of this trick became a lot easier with the leak of NT source. What a coincidence.

      --
      Slashdot - News for Herds. Stuff that Splatters.
  7. "Anyone who cares to join" by tcopeland · · Score: 5, Insightful

    Worse though, I don't think that security testing can be made robust enough to
    protect against someone injecting dangerous code into the software from the
    inside--and inside, for open source, means anyone who cares to join the project
    or create their own distribution.

    Bosh. Open source project leaders - especially the leaders of popular projects - don't let just anyone have write access. Also, commits almost always go to a mailing list to be reviewed by the other committers and lurkers.

    And of course, there's no way a commercial product could be infiltrated by someone who wants to inject harmful code. Impossible!
  8. PLOFIT! by Anonymous Coward · · Score: 3, Funny

    1) Write bogus article that will enrage slashdotters. Slashdot, being knee-jerk as it is, posts it to the front page.
    2) Get a bazillion hits.
    3) PLOFIT!

  9. Microsoft irony is not lost by uqbar · · Score: 5, Insightful

    Releasing this kind of rhetoric just days after the latest MS security fiasco would be funny - if the reality wasn't so sad...

    1. Re:Microsoft irony is not lost by JohnFluxx · · Score: 2, Funny

      Even funnier if this is true:

      http://neowin.net/comments.php?id=17509&category=main

  10. Closed source is fertile ground for foul play by Eric+Smith · · Score: 5, Insightful

    Closed source software, because of its very closedness, will inevitably lead to security concerns. This makes adoption of closed source software by governments particularly worrisome. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get if they fail to switch to open source software.

  11. Fear Outlook Express for Linux... by LostCluster · · Score: 5, Insightful

    I doubt Microsoft will ever write software for Linux, but it's inevitable that things like Lindows will forever strive to make Linux as easy as Windows because that's essential for Linux to take over the desktop market.

    However, with that, some of the inherent security of Linux fails. Imagine an e-mail client that will execute a binary attachment with no questions asked because the user double-clicked on the pretty icon. That's how MyDoom spread on Windows, and basically, it's the fact that the current setup for Linux makes it hard to execute something new that makes people realize what they have before they run it...

    As soon as we have pretty looking greeting card executables that run on Linux, the downfall will be what comes next...

    1. Re:Fear Outlook Express for Linux... by stratjakt · · Score: 2, Insightful

      Why, whenever people discuss Open vs Closed source models, does it get simplified to Linux vs Windows?

      Because it's an easier argument to make, sure.

      But it's a logical fallacy, arguing from the specific to the general. Linux is more scrutinized and secure than Windows, therefore all Open Source must be.

      I see OSS being a better model for large, high profile projects, like Linux or OpenOffice.

      But SourceForge is chock full of little do-nothing apps that nobody gives a rat's ass about. Who knows what kind of goofy code has been buried in one of those billions of throwaway, weekend projects? No one is auditing that stuff.

      Someone could one day stumble across a little app, and say "hey cool, an app to rename all my mp3 files!", and find out later that it repartitioned his hard drive, raped his hamster, and left the toilet seat up. Either by fault or by purpose.

      There is, however, a reasonable assumption that if you pay 10 bucks for a box on the shelf at Best Buy, such bad things won't happen, and if they did, you have someone to hold accountable for it.

      --
      I don't need no instructions to know how to rock!!!!
  12. Um, yeah by Cthefuture · · Score: 5, Insightful

    Please cite some specific examples Mr. Jones.

    I mean, there is a whole friggin lot of open-source out there, there's bound to be a few examples of the problem? Right? Right???

    --
    The ratio of people to cake is too big
    1. Re:Um, yeah by Dr+Caleb · · Score: 2, Funny
      Please cite some specific examples Mr. Jones.

      If that is your real name. . .

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    2. Re:Um, yeah by Smallpond · · Score: 2, Insightful

      A search for "backdoor" in CERT advisories and vulnerabilities gets several hits for accidental or deliberate backdoors:

      Alcatel Omniswitch AOS (prop)
      Borland Interbase (open source)
      Microsoft RPC Interface (prop)
      Microsoft IE exploits (prop)
      Sendmail 8.12.6 trojan (open source)

      So it looks like there is some truth to the article. I would also count Microsoft Word and Excel macros as a commonly exploited backdoor.

    3. Re:Um, yeah by Waffle+Iron · · Score: 2, Informative

      Actually, IIRC, the Interbase back door existed for all the years that it was a proprietary product, and it was only discovered after the source code was released.

    4. Re:Um, yeah by Smallpond · · Score: 4, Informative


      I think you're right. Here's the link.

      "It was introduced by maintainers of the code within Borland."

      So that just leaves the Sendmail trojan, which lasted how long? 8 days?

  13. He might be right. by AtariAmarok · · Score: 2, Funny

    He might be right. If governments switch from Windows to open-source OS, they might open their computers to the possibility of being infected by worms, virii, and trojans.

    --
    Don't blame Durga. I voted for Centauri.
  14. 'You get what you pay for' by Raindance · · Score: 4, Funny

    Netcraft says that his server (running IIS) has only been up for 2 days.

    I wonder if he's getting what he paid for.

    1. Re:'You get what you pay for' by Fluid+Truth · · Score: 4, Interesting

      I suspect that was because of the recent patch to windows that came out just a few days ago. Hmmm...when was the last time I needed to update the linux server or apache for security reasons? Hmmm...oh well, my memory's not that good, anymore.

      --
      Apparently, of the rich, by the rich, for the rich.
  15. Re:Sounds like someone trying to be controversial. by Anonymous Coward · · Score: 5, Funny

    Wow, an insightful first post.
    This day will go down in history.

  16. Take action by Strudleman · · Score: 5, Informative

    All these great replies, these reasons why Russell is wrong, will never be read by the public because they're stuck in /.

    Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."

    --
    Do it doug.
    1. Re:Take action by RainbowSix · · Score: 2, Interesting

      Furthermore, you can visit their forum. No replies yet as of this posting. Somebody should write a well thought retort.

      "Think Russell is dead wrong? How does the open source community prevent against the issues raised in this opinion? Tell us in the Talk to the Editors discussion forum."

      --
      --------
      It's OK to be social, just don't tell anyone about it.
  17. My God! by shystershep · · Score: 5, Insightful

    He's a genius! This is actually a clever critique of the very dangers of closed source software, just disguised as a moronic attack on open source.

    Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.

    I mean, this can't actually be an argument that closed development by a "core group" that "won't make the corrupted version public" is more trustworthy than open development where anyone can see the code. Right? Right?

    --
    The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
    1. Re:My God! by barawn · · Score: 2, Insightful

      because they simply won't make the corrupted version public.

      Yah... wouldn't source code that's not public be... closed source?

      So he's claiming that open source is dangerous because it could become closed source. And closed source is better, because it's more protected against... uh... wait.

      Brilliant! What a moron.

  18. Who's paying DevX to write this shit? by JohnGrahamCumming · · Score: 4, Insightful

    This is simply the worst piece of FUD concerning Linux and OSS in general that I've ever read. And it's coming from the "Executive Editor" who should have taken a look for some actual examples of what he's talking about. The entire article is random speculation that "bad things can happen" with OSS because people can modify the source and he should be ashamed of having written it: unless of course he's being paid to write propaganda.

    During a week when Microsoft admits it sat on the worst flaw ever for 6 months, and MyDoom and friends are rampaging around it's shameful to see an article written with so much fear and so little substance. He even manages to say that OSS might be used by terrorists against the US (although he doesn't use the word).

    An absolutely disgusting piece of "journalism".

    John.

    1. Re:Who's paying DevX to write this shit? by DataPath · · Score: 2, Insightful

      Agreed.

      This article sounds so very 1998ish, when the FUD machines were pumping at full speed.

      It seems these days the thing most nearly approaching FUD out of MS is statistics. You know - those banner ads stating that Windows is 11-22% cheaper to operate than Linux.

      --
      Inconceivable!
    2. Re:Who's paying DevX to write this shit? by FuzzyBad-Mofo · · Score: 2, Informative

      For explanation, we need look no further than the prominent Microsoft ad on the article. It wouldn't surprise me if the whole site was sponsored by Redmond.

  19. Not as much of a difference. by Godeke · · Score: 3, Insightful

    While the article mentions that the exact attacks that you say could happen in open source software could also happen in closed commercial software, I find the "barriers to implementing them are much higher" concept to be absurd. Just as the article says the core Linux kernel is tightly monitored, so is the software from Microsoft. However, when it comes to smaller products, products that I have worked on, I would have to chuckle at the naive view that somehow closed source is "better protected". Most smaller companies that I have worked with are *far* more interested in getting a product to release than checking for backdoors. Testing is for failure modes, not for subtle pointer errors that open the code to obscure exploits.

    In open source software, the maintainers vet patches by peer review before admitting them into the main product line. Likewise, closed source products are peer reviewed, but by a much smaller team, who probably have much more similar agendas than people flung across the globe. Either could be compromised. This exact same article could have been entitled "Software Is Fertile Ground for Foul Play". The concern that backdoors exist is the reason Asian countries have been suspicious of Microsoft's closed source software. To assuage those fears, Microsoft provided the source code for review. If this review is successful in showing that no backdoors exist (and I have no idea how they can tell that some unobtrusive code isn't deliberately flawed) then surely open source can be equally reviewed, if not suffer a more stringent review by opening the question to the open source community within the country in question.

    The security that closed source promises by "protecting the source" is security through a promise by a potentially hostile vendor. The security open source promises is the vigilance of those who review the code. I don't see how one is better than the other, but I surely don't see how closed source is going to make a potential target feel better than if they could review the source.

    --
    Sig under construction since 1998.
    1. Re:Not as much of a difference. by sleepingsquirrel · · Score: 2, Interesting

      Yes. Mr. Jones needs to read up on why governments actually prefer open source.

    2. Re:Not as much of a difference. by BranMan · · Score: 3, Interesting

      Actually, in practice there has seldom been any peer review of code in 'closed source' software companies. Unless a project or program has major funding, clout, and visibility, the coders write some unit test cases and hope any bad bugs are caught in system testing (which gets reduced when the schedule gets tight - in contrast Open Source software usually has no schedule). Open Source software is therefore infinitely more secure as more often than not at least 2 pairs of eyes have seen any particular piece of code.

  20. Beware the Luddites! by joshamania · · Score: 4, Insightful

    This is the type of argument you get from a lawyer, a technophobe or someone with a vested interest in being anti-open source. Arguments generally center around "security", "support" and "accountability".

    One, Microsoft software, the most popular "closed source" software in the world, is rife with security holes. While the most popular (arguably) open-source software in the world, Apache, doesn't strike me as being terribly buggy *or* full of security holes. For instance, I don't have to update my apache software once a week.

    Two, often for popular open-source products there is plenty of free and timely support. Advantage is also to the qualified technophile, who can support his or her own software, and not rely on the timetables of vendors.

    Three, accountability. What has Microsoft *ever* been accountable for? Viruses? Bugs? Data loss?

    1. Re:Beware the Luddites! by roseanne · · Score: 2, Interesting

      Not that absence of patches == secure, but IIS hasn't had to be patched in quite some time. In fact, over the past few months, I've been patching more Linux and BSD boxes than Windows, thanks to the SSH+sendmail vulns (yes, we still run sendmail on some boxes, though we've moved to a combination of qmail and exim on others).

      MS software IMO has really improved security-wise, down to sensible, secure-by-default installs (look at the default installs for Windows 2003 or Services for Unix 3.5). Today I rate typical MS *users* as more of a security threat (the kind who spread MyDoom) than MS software itself.

  21. Who's to say what someone implements? by lake2112 · · Score: 2, Funny

    The problem with Open Source is that there are no controls as to what someone may program. You know, I've seen WarGames, I know what a back door is. Also a question of accountability. I hate to say it, but for some things I am forced to trust Microsoft, not because of the quality of the work but for the accountability that they are held to. They have to make a semi-reliable and safe system or else they go out of business. This ensures the proper cycle of software development and testing.

  22. It's like Fred Moody all over again by Phaid · · Score: 5, Insightful

    Mod story down (-1, troll).

    Can we please stop letting people use slashdot to increase the hit rate on their articles in order to make themselves seem relevant to their bosses?

    Fred Moody, the infamous anti-Linux ABC News columnist, was doing the exact same thing four years ago. In fact, he was writing on pretty much the same subject, that Open Source is insecure and untrustworthy by its very nature.

    Those who do not study history are doomed to repost it.

  23. Here's the article, site has been slashdotted by W2k · · Score: 4, Informative

    Open Source Is Fertile Ground for Foul Play

    The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.

    by A. Russell Jones February 11, 2004

    An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

    This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

    How Can This Happen?
    The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)

    So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably hi

    --
    Quality, performance, value; you get only two, and you don't always get to pick.
    1. Re:Here's the article, site has been slashdotted by gnuguru · · Score: 4, Funny

      Mod the above down as flamebait.

  24. Re:Sounds like someone trying to be controversial. by LostCluster · · Score: 5, Insightful

    Yeah, OSS software is at risk of exploits, but he's neglecting the fact that once geeks realize that they can't compile the open source version to the binary, a red flag goes next to the binary. And if the binary starts doing malware things, then that binary goes down in flames, and the project will immediately fork with the last released source.
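
    The check this post and comment 1 both point at (rebuild from the public source, compare with the binary actually shipped, raise a red flag on any difference), written out as an added example that is not part of the thread. It hashes a tree of artifacts rebuilt from source, hashes the shipped tree, and reports three kinds of divergence: a same-named file with different bytes, a shipped file no public source produces, and a built file that was never shipped. All paths and file contents are constructed for the demonstration.

```python
"""Verify that shipped binaries match artifacts rebuilt from public source.

Added example, not code from the Slashdot thread or from any project it
names. Every file name and every byte written below is constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of(path: str) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_from_tree(root: str) -> dict:
    """Map each file below `root` (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


@dataclass
class Report:
    ok: list = field(default_factory=list)          # identical bytes
    mismatch: list = field(default_factory=list)    # same path, different bytes
    unexpected: list = field(default_factory=list)  # shipped, but nothing built it
    missing: list = field(default_factory=list)     # built, but not shipped

    @property
    def clean(self) -> bool:
        """True only when the shipped tree is exactly what the source builds."""
        return not (self.mismatch or self.unexpected or self.missing)


def compare(built: dict, shipped: dict) -> Report:
    """Diff two path -> digest manifests; every divergence is a red flag."""
    report = Report()
    for rel in sorted(set(built) | set(shipped)):
        if rel not in shipped:
            report.missing.append(rel)
        elif rel not in built:
            report.unexpected.append(rel)
        elif built[rel] != shipped[rel]:
            report.mismatch.append(rel)
        else:
            report.ok.append(rel)
    return report


def _write(root: str, rel: str, data: bytes) -> None:
    """Write constructed sample bytes at root/rel, creating directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo() -> Report:
    """Constructed scenario: one shipped file altered, one extra file shipped."""
    with tempfile.TemporaryDirectory() as tmp:
        built = os.path.join(tmp, "built")      # what the public source produces
        shipped = os.path.join(tmp, "shipped")  # what the distributor handed out
        for root in (built, shipped):
            _write(root, "bin/mp3rename", b"\x7fELF constructed renamer\n")
            _write(root, "lib/libtag.so", b"\x7fELF constructed tag library\n")
        # Same file name, different contents: the post's "can't compile to the binary" case.
        _write(shipped, "bin/mp3rename", b"\x7fELF constructed renamer (altered)\n")
        # A file the published source never builds at all.
        _write(shipped, "lib/helper.so", b"\x7fELF constructed helper\n")
        return compare(manifest_from_tree(built), manifest_from_tree(shipped))


if __name__ == "__main__":
    result = demo()
    for label in ("ok", "mismatch", "unexpected", "missing"):
        print(f"{label:>10}: {getattr(result, label)}")
    print("red flag" if not result.clean else "shipped tree matches source build")
```

    Byte-for-byte agreement is only achievable when the build itself is reproducible (fixed timestamps, paths and toolchain); a mismatch that disappears after normalising those is noise, one that survives is the red flag the post describes.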

  25. Re:Sounds like someone trying to by controversial. by thegrommit · · Score: 4, Insightful

    I wish people would use any kind of proof with this type of article... but I suppose they can't.

    Who needs proof when you have FUD? See also SCO.

  26. Vulnerable? by Anonymous Coward · · Score: 3, Funny

    He argues that open source software, because of its very openness, will inevitably lead to security concerns.

    Well, thankfully Windows is closed-source, or else there'd be security issues wi-- oh, hang on a sec.

  27. At least they seem to practice what they preach by morelife · · Score: 5, Funny

    devx.com

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Thu, 12 Feb 2004 21:06:06 GMT
    X-Powered-By: ASP.NET

    In other news, the devx.com website was found lying in its own blood and excrement after being linked from Slashdot.ORG today.

  28. Impartiality by gowen · · Score: 5, Informative

    I believe every word of this article because A Russell Jones certainly has no vested interest in Microsoft based web solutions.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  29. You can rate his article by xutopia · · Score: 2, Interesting

    it currently has a score of 2/5. Once the /. effect is done we should all create an account and rate it as low as it can go.

  30. flight simulator in Excel by Anonymous Coward · · Score: 2, Insightful

    I seem to remember there was an easter egg flight sim program that got into Excel somehow.

    If closed source is so safe, how could this have happened?

    Further, if that happened, how do you know that other more dangerous items haven't also been included in the windows products??

  31. Eloquence personified by mccalli · · Score: 2, Funny
    " When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get"

    Aah, the sweet sweet tones of language in the hands of a master. What subtlety, what charm, what wit. Prithee kind sir, wherefore is thy prose, thy grasp upon the fundamentals comprising the very art of speech itself?

    English Grade: C-, should learn not to use informal language when making a formal argument.

    Cheers,
    Ian

  32. Open Source and Proprietary have the same cost by haystor · · Score: 2, Interesting

    You may pay nothing for Linux (for example).

    But you also pay $0 to MicroSoft to insure you against bad things happening to your computer/network.

    The only thing you pay for with MS is basically that it will install an OS on your system. Read the EULA, they don't guarantee much else, and they certainly take no responsibility for things going wrong.

    --
    t
  33. I can poke some big holes in this argument... by tekiegreg · · Score: 3, Insightful

    Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be.

    *Deletes 40 zillionth mydoom attachment in his inbox*, and I suppose other operating systems are more secure...what exactly are you suggesting we do about the lack of security in today's OS's? Linux, Windows, Unix even have all identified security flaws in their time...

    What can we trust in code? You mention it right there Mr. Author, we can trust the latest and greatest stable Linux kernels, but if you install a test kernel, or some hobbyist lil' app from the remote corners of the open source world, on a production server, you get what you deserve. Incidentally the same goes for Windows, WinXP latest Service Pack is definitely more secure than any test versions of their OS's, or even the initial RTM builds of their operating systems. What gets deployed in a production environment...well duh....

    The author says:

    [Snip] Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

    I suppose we trust Microsoft, SCO and IBM more? Puh-leez, if you need a totally secure OS, you're best off hiring your own programmers and starting from scratch, and hoping they're as secure as anyone else, oh wait can't trust them either...never mind just build an OS yourself then...

    Ok I'm done ranting, everyone else's turn :-).

    --
    ...in bed
    1. Re:I can poke some big holes in this argument... by Samari711 · · Score: 2, Insightful

      The fact is that all OS's are vulnerable to the same types of attacks. It has nothing to do with open vs. closed source and everything to do with bad programming. Sure it's easy for a hacker to poke through open source code and look for unchecked buffers to launch attacks at but then again a white hat could just as easily pick that up and fix it. With closed source software, while it may be trickier to figure out where the unchecked buffers are, there are going to be fewer good guys looking for them.

      The real problem is that we test software to make sure it does what it's supposed to do while hackers look for where the software does what it's not supposed to do. That's why the hackers are always one step ahead because we're looking at the problem from the wrong perspective.

      --

      I never said I was smart, I just said I was smarter than you

  34. Getting what you pay for by JaredOfEuropa · · Score: 2, Interesting
    An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.
    So far, I think the track records of currently existing operating systems speak for themselves: one particular popular commercial operating system (yes, that one) makes the news almost weekly with another gaping security hole, exploit, or worm doing the rounds. On the other hand, you don't hear a lot about security issues with (wonderfully-free) Linux systems, despite their widespread use as servers.

    A number of governmental institutions have chosen Linux not because it is free, but because of another distinct advantage: because it is open-source, they know what they pay for.
    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  35. Re:Sounds like someone trying to by controversial. by Rev.LoveJoy · · Score: 5, Insightful
    Bingo.

    The author completely ignores the storied history of exactly this kind of thing in closed source software -- only these backdoors are called 'features' or 'easter eggs.'

    We need a new term for this kind of journalistic troll.

    -- Cheers,
    -- RLJ

  36. Already a Good Rebuttal by doomicon · · Score: 3, Informative

    Joe Barr already has an article responding to this FUD. I personally feel these sorta FUD articles are outdated. With IBM, HP, and others already showing large profits from taking advantage of opensource, you would think they would come up with something that isn't drudging up arguments from 1998.

    --

    Awesome!
  37. you get what you pay for... by caino59 · · Score: 2, Informative

    or with closed source, it really should be - you pay for what you get.

    c'mon, this article has to be a joke.

    closed source has all the problems of OS, and more, not vice-versa. you can at least review the code of a program before implementing it, and even if you don't know how to code, there's thousands of other users surveying the code as well for errors. the OS community wants OS to look good - sure there are some people in it that probably would/have coded a backdoor here and there, but that's few and far between - especially compared with the people writing exploits for commonly used closed source applications...

  38. Best Troll Ever. by DaveJay · · Score: 4, Interesting

    From the article, annotations added by me:

    >Malevolent code can enter open source software at several levels.

    1. >First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.

    Not likely indeed. Moving on.

    2. >Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Organizations using Open Source Distributions generally purchase a vendor-supplied copy as well as a support contract.

    As an aside, do you suppose non-US countries that use Microsoft products are concerned that Microsoft may not have their country's best interests at heart?

    3. >Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

    This isn't limited to Open Source itself. The same possibilities (and probabilities) exist for any company that uses customized software AT ALL -- at some point, you have to trust those doing the customizing, or get a third party to audit. I mean, after all, I can wreak havoc throughout an organization just by clever use of login scripts on Windows XP machines, and if everyone in the IT department is in on it, nobody else would be the wiser.

    Now that I think of it, even if you're not customizing the software, you're trusting the people who make it. Does Microsoft have your best interests at heart? Does SCO? Does RedHat? Does anyone? That's why it's nice to be ABLE to scour the code -- the smartest, safest groups will obtain source code from those who write it, and have it audited by another group, and then again perhaps by another. Unless they're all in league with one another. [Insert tinfoil hat here]

    So. Who's paying this guy?

  39. You really have two choices: by Bendebecker · · Score: 2, Informative

    1. Use open source products which you can modify if need be. For example, you can have your tech support modify it to make it better fit your business needs (compared to trying to modify your business to fit around a Microsoft software solution) or if a bug is discovered you could either wait for the development team that originally made it to fix it or you could fix it yourself. Heck, you could even have your tech guys go through the code themselves looking for security holes to fix.

    2. Use closed source. If a bug appears, you're at the mercy of Microsoft to fix it. That may mean months waiting while your system is vulnerable. No way to find the bugs, no way to fix them yourself. Your business could be relying on a time bomb and not even know it. And of course, with only the MS guys looking for holes, the chance they'll miss them is greater. More eyes scanning code usually means fewer bugs. And any time Microsoft could decide to drop the product or force you to upgrade or pay overcharged rates for licenses, all at Ballmer's whims. Going with closed source is putting your business at the mercy of Microsoft (yes, I know closed source != just Microsoft but what is easier: to type closed source or to simply type MS?)

    --
    There's a growing sense that even if The Future comes,
    most of us won't be able to afford it.
    -- Lemmy
  40. Re:Sounds like someone trying to by controversial. by theboy24 · · Score: 3, Interesting

    You're absolutely right. People going around trolling about open source without any plausible reason is a major detriment to the cause and the software. Companies/corps are going to pick whatever works best for them and adapt/change with it to their needs and Gov't should do the same. If the security was as bad as the article implies it to be, then why haven't we seen any catastrophic security failures on any of the open source systems currently being used by Fortune 500 and Gov't? Hell, it couldn't be any worse than the MS systems in use.

    --
    I must bid you farewell....... "walks out amid the gunfire"
  41. WTF? by jjp5421 · · Score: 3, Informative

    You get what you pay for? Examples: SCO UNIXWARE, Windows, MS-DNS, IIS, bea weblogix, etc.. Realization: I paid for crap!!! You get MORE THAN what you pay for! Examples: Linux, *BSD's, BIND, Apache, gcc, etc. Realization: Why did I pay for that crap??? The code from Diebold was closed, and how secure was it? Windows code is closed and I had to install a server just to keep the horde of daily patches up to date. I think that the key to secure code is not a debate of open v. closed, it is about having a programmer/company that cares about security and knows what they are doing. Hell, NetBSD is open and very secure (read: unusable). This guy is a moron.

  42. His points are valid by maroberts · · Score: 5, Insightful

    ...but governments and organisations should be exercising a modicum of care over who they get their source and binaries from. That's what MD5 checksums and trusted sources are there for.

    Open source development is not truly open to everybody; it is normally open to everyone who you allow to contribute code to your project. They've normally proved themselves by offering bug fixes and minor changes directly to you beforehand.

    The barriers to inserting malicious code in closed source are lower, not higher. Many an engineer has inserted a backdoor in his code which he surreptitiously used to help customers who lose passwords or setup info. However, a backdoor is just another way for a cracker to break into the system. Also bored engineers often leave Easter eggs in their closed source, something hard to do when several thousand people may review your code to see what makes it tick. In mainstream projects like the Linux kernel, the bar to being allowed to contribute code is quite high, and your initial attempts are likely to be looked on with scorn by other project members.

    As for costing huge amounts of money, one wonders what MyDoom has been costing owners of that wonderful example of closed source software - Windows.

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  43. Sort of by gerf · · Score: 4, Interesting

    His criticism reminds me of a speaker at a recent IEEE meeting at my school. She talked about the work environment, and some nuances of how to act or not to act.

    One interesting thing about the contracting company she runs is that if you charge more, you get more business. The thought here is that companies think that since this certain company costs more, it must be better. Obviously though, she did not get smarter by charging more, only richer.

    That is the thinking that this fellow is using: charging more must mean it's a better product. Sadly, he is in a large part of the population that does not understand the Open Source community, or business models. His view is outdated, and frankly, wrong.

    Besides, what other companies besides M$ find a huge hole in all of their flagship products, but fail to patch it for close to a year?

    1. Re:Sort of by Darth · · Score: 2, Funny

      i disagree. SCO have been trying desperately to patch the huge holes in its lawsuit. They are just too big to patch, is all.

      (you did mean the lawsuit when referring to SCO's flagship product, right?)

      --
      Darth --
      Nil Mortifi, Sine Lucre
  44. Quis custodiet ipsos fosses? by rmassa · · Score: 3, Insightful
    Quoth the author:
    • This problem isn't new. In fact, it's far older than any computer technology. The Latin phrase Quis custodiet ipsos custodies, which translates to "Who will guard the guards?" shows that people have been struggling with the same problem for centuries. You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves. In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.


    Where exactly is the logic in this? In the open source world, at least there are "watchers", and you have the ability to "watch" yourself, or at least pay someone to review the code for you if you don't have the ability. This isn't the case with almost all commercial software. This reeks of FUD and is poorly written.
  45. Hi I'm A. Russell Jones... by Psarchasm · · Score: 3, Funny

    you might remember from other high quality works, like...

    Mastering ASP .NET with VB .NET, Visual Basic Developer's Guide to Asp and IIS,
    and...
    How To Kill Penguins With Broken Shards of Windows.

    *YAWN*

    --
    http://windows.scares.us
  46. You get what you pay for by Tom7 · · Score: 2, Insightful

    The marginal cost of all software is almost $0, because it costs almost nothing to copy bits.
    Just because Microsoft gouges you $X to do that copying doesn't mean that the bits are of any greater quality; Microsoft has poured loads of cash into developing its products, and the Free Software / Open Source folks have poured loads of volunteer time (and sometimes, cash) into developing their software. You might look at the amount of effort that has gone into creating each, and then try to apply the get-what-you-pay-for adage to that, but applying it to the price of the box on the shelf is ludicrous.

  47. A. Russel Jones Background by FortKnox · · Score: 4, Insightful

    Quick, do an Amazon search for "A.Russel Jones" (the author of the devx article).

    Visual Basic book, asp.net in C# book... looks like Mr. Jones is up to his ears in non-open source work. I hate having someone that has no background in something condemning it.

    It's like someone who is an ASP developer condemning Java before even coding a lick of it.

    --
    Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
  48. Almost speechless. by nathan+s · · Score: 3, Insightful

    Having read the full article, I have to say that this is one of the most annoying pieces of writing I've read in quite a while. The author of this paper is assuming some naive elitist position in a fantasy world where corporate interests can never be anti-government and where code produced by the masses is somehow 'dangerous' because it might be exploitable.

    As several other comments have pointed out, there is absolutely nothing to the "foul play" argument presented in this article that could not also apply to a closed-source project. In my opinion, the major difference is that the closed-source project's flaws [and note that in this article the author is talking about deliberately introduced flaws - basically the idea that OSS projects might be converted into trojan horses], if they exist, might never be discovered at all. If I buy a copy of Windows, I have absolutely no clue whether or not any such flaws exist, but more importantly, I have no way to check because I can not examine the source code. At least with open source software, if I suspect misuse or even if I'm only paranoid, I can examine the source code myself or have someone knowledgeable [whom I trust] do it for me.

    Overall, this seems to be a pretty blind and poorly thought-out attack. A pity that editors aren't more carefully edited. :-P

  49. You get what you pay for... by Angst+Badger · · Score: 2, Interesting

    The old saying about getting what you pay for was formulated as a result of experience with commercial enterprises. Of course you "get the shaft" with "free" commercial products -- commercial enterprises don't exist for the purpose of giving things away. Companies only give things away in the hopes that you'll actually buy something.

    Open Source projects, on the other hand, are usually formed with the express goal of giving something away. They have every incentive to make their products valuable and no incentive to produce shoddy loss-leaders.

    "You get what you pay for," even with respect to for-sale products, doesn't mean "you get value commensurate with your expenditure". Commercial enterprises are strongly incentivized to give the least possible value for the highest possible price. Extra quality and value, above and beyond the expectations of the customer, is an unnecessary expense to a business. Competition alleviates this somewhat, but companies are still only playing to the level of the competition. Doing the very best possible will seldom if ever be their goal, in contradistinction to Open Source projects, where it is frequently the main goal.

    --
    Proud member of the Weirdo-American community.
  50. Oh really? by ShatteredDream · · Score: 4, Insightful

    There is nothing preventing the U.S. Government's workers from modifying it to make it a security hardened version. The NSA's SELinux didn't have to be released back to the public. The NSA could have forked an entire distribution and gotten it really rock solid on security. The only reason they didn't was the value in our country of the government needing to return to the public what it creates with our tax dollars.

    That said, the best setup for the government is to use 3-4 platforms in each agency. MacOS X on the average desktop. Linux on many of the servers. Windows on some print and file servers. Maybe some Sun boxes for intense science work. How many times does it have to be said that a heterogeneous network is harder to take down before people stop writing this shit?

    As for the argument that Windows only gets hit more because of popularity... I want to wring the neck of every person I hear saying that. It's a disgusting display of post-modernist logic applied to computers. It's the IT variation of the post-modern attitude that there are no absolutes on morals, only relative standards that vary by cultural and personal views. It's a complete rejection of the concept that two systems can be designed such that one is inherently insecure because of its architecture and that one is very secure by its design.

    1. Re:Oh really? by alexpage · · Score: 2, Insightful

      How many times does it have to be said that a heterogeneous network is harder to take down before people stop writing this shit?

      How many times do people have to spew forth security catchphrases before they think about them?

      There is no doubt that heterogeneous networks decrease risk against a class break, although multiple hardware platforms are not necessarily heterogeneous - an exploit in OpenSSH, for example, would affect both your Linux and OS X machines and probably your Sun systems as well. However, you've now got four different operating systems and platforms to deal with, so you've widened the base security skills required by your IT team by four. That's four different ways of installing software, four different ways of applying patches, four different places to find out about vulnerabilities in the first place.

      Creating heterogeneous networks creates risks as well as reducing them. In many situations, the increase in risk and hassle will outweigh any benefit. The statement "a heterogeneous network is harder to take down" is rarely true, and certainly not universal. Personally, I'd rather be running Debian GNU/Linux on all my machines and have a small team of Debian gurus looking after them than have disparate operating systems and need more admins with more chance for mistakes and miscommunication.

  51. Secrecy != Security by DavidBartlett · · Score: 2, Insightful

    For example, RSS encryption works BECAUSE it is widely understood. If the source being open makes a program insecure, then we would already have good ways of factoring large primes. DB

    --

    -DB-
    E-mail is like a prison: a prison with no walls... and no toilet. -Strong Bad
  52. Re:Sounds like someone trying to by controversial. by segment · · Score: 4, Insightful
    You know something and this will probably get mod'd down quickly because many won't like the content... Oh well.. Thinking back to when the FSF servers were 'owned' or however you want to spin it, little mention was made of the repercussions that could have occurred - or could still occur - because of that hack. Instead all we heard was how great the security team was in assessing the incident with such quickness.

    Think about that outside the zealotry mode for a minute. I don't recall any follow up determining, "Hey this happened X_TIME ago, therefore clean programs should be reinstalled on your machine." Now I support the entire Open Source movement by all means, but think about how many include files, or other files could have been tweaked. Say low level include files, or something similar. There is no one, and I say this COMFORTABLY, no one that checks every program, every line of code on their machine. Sure you could lsof|grep -i listen every here and there to see what's what, but a covert chan can hide that. Look I don't want to get into a sysadmin/secadmin shootout here it'd be a draw and I don't care who you are, but... In my eyes, there is still a long way to go.

    Take a look at cpan and some of the modules you have on your machine. How many are updated with normalcy? What about the whole sourceforge/freshmeat concept of 'sysadmining', where you find a neat program supported for what... a year? Maybe 2 if you're lucky... Sometimes it seems the cool Open Source gets, the more issues come out with it...

    Every step you take... someone is watching you

  53. Re:Sounds like someone trying to by controversial. by theonlyholle · · Score: 3, Informative

    absolutely right - 90% of all software I install on my box is compiled from source, I hardly ever use the vendor provided binaries. And I guess that a lot of other people do the same. Of course there are limits to what we can notice at a glance, but if things behave strangely, imho the first thing to do is compare the supplied binaries with binaries compiled from the available source...

  54. Proprietary vs Open Source by mopslik · · Score: 4, Insightful

    What bothers me most about these typical "OS vs Proprietary" flamewars-in-waiting is when writers compare specific applications with some nebulous "Open Source" concept. You've all seen reviews that go something like this:

    Open Source programs have serious problems. For example, I downloaded an Open Source command-line HTML-parser written by an undergraduate student. After feeding it random non-HTML files, the program crashed roughly half the time. By contrast, I evaluated the latest copy of Adobe Photoshop for Windows. Photoshop easily helped me modify my vacation photos, without a single glitch. Clearly, Proprietary applications are better suited for the market.

    Most of the time, these writers compare all open source programs -- many of which are hobby projects -- to individual, highly-polished applications. Hardly fair and unbiased.

    (now goes off to read the article)

  55. No evidence by 3Suns · · Score: 4, Insightful

    It's interesting how he provides absolutely no evidence to support his claims. Obviously, nobody could take his stance and try to argue evidence, or else they would run into piles of evidence suggesting the exact opposite. This is sheer uninformed speculation. A couple choice quotes:

    Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?

    Same way people would know if someone was running a heroin production lab in the middle of Times Square. Open means open. If people create software designed to subvert security, they make closed software. Exhibit A: Gator/GAIN.

    Who's Watching the Watchers?

    Anyone who wants to. Clearly this person has no idea how Free/Open-Source software works at all.

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  56. Finally, I get to be pro-OSS! :) by Assmasher · · Score: 2, Insightful

    The article's author fails to realize that the very nature of OSS makes this less likely than with closed source software. Peer review is inevitable and constant in OSS and it would very likely require a serious conspiracy in order to bring the 'nefarious plan' described to fruition. Alternatively, with closed source I would very likely be the only person who ever saw my source code and believe me, beating a security audit would not be difficult.

    Maybe his article should be re-written to say "prosecuting fraud in the OSS world is likely to be more difficult for Governments than if they have a big fat company to hammer..."

    LOL, his arguments are ridiculously easy to deconstruct. Not even worthy of an attempt, especially since his article is entirely based upon opinion (stupidly faulty at that.)

    --
    Loading...
  57. You do get what you pay for... by nial-in-a-box · · Score: 2, Insightful

    ...if you pay employees to properly set up and audit your software. No software is truly "free" for an organization that pays employees, since that software has to be installed and maintained somehow. Even for my personal use, free software is not really free because I have to spend a considerable amount of time setting it up and I do value my time (somewhat). I do get what I pay for though, because it's worth the time and effort investment to have more solid, secure, and reliable software.

    --
    I am feeling fat and sassy
  58. Counterargument Case Study: Diebold by kenjib · · Score: 3, Insightful

    Diebold is a perfect counterargument to this article. Here, proprietary source mixed with a documented conflict of interest has possibly led to intentional security backdoors with the potential of creating massive social upheaval in the most powerful country in the world. Furthermore, while Diebold is getting caught with its hand in the cookie jar because of leaked code and internal memos, we don't even know at all what the other electronic voting software companies are doing with their closed and secret code. Perhaps Mr. Jones could give a current example from the open source community with the same scope and complexity.

  59. Article is by A. Russell Jones by RichDice · · Score: 4, Funny

    Someday he hopes to be The Russell Jones.

  60. Review process by unconfused1 · · Score: 2, Interesting

    Obviously A. Russell Jones is unfamiliar with the review process that happens in most open-source development. It is ridiculous to believe that malicious code would just make its way into an open-source application.

    Really what it seems like he is trying to do is demonize open-source developers...suggesting that it is likely that the group governing an open-source project would deliberately infect their own apps.

    I can see the Apache Group chuckling at his assertions.

  61. "How would anyone know?" by TheFrood · · Score: 5, Insightful

    From the article:

    Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?

    Oh, I don't know... maybe by looking at the source code?

    Turn it around now: Suppose a private company sold software with malicious code included to subvert security. How would anyone outside the company know?

    TheFrood

    --
    If you say "I'll probably get modded down for this..." then I will mod you down.
  62. pure genius by ansonyumo · · Score: 2, Funny

    A. Russell Jones may not know dick about oss, but he's a genius on the topic of "how to spike your web traffic for one day".

  63. you get what you pay for by rebel · · Score: 4, Funny

    ...his article is freely available.

  64. Re:Sounds like someone trying to by controversial. by Vargasan · · Score: 2, Insightful

    "Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."

    They would have to release it publicly. Releasing a program source under the GPL, then not releasing the next version under the same cannot be done AFAIK.

    Deriving (ie Version 2) would automagically fall under the GPL and would have to be released.

    This isn't journalism. It's ignorance and/or stupidity.

    --
    Putting the romance back into necromancer.
  65. The quote is misapplied in this case. by Leomania · · Score: 2, Interesting
    You get what you pay for.

    This is indeed true, but it depends upon how you define 'pay'.

    In the case of the government using open-source software, 'paying' to me means that the underlying code gets reviewed by government employees or trusted subcontractors prior to being deployed, rather than paying cash for closed-source software. It is inconceivable to me that someone could argue that you have this option with closed-source software, or that you are more protected somehow because people getting a paycheck to write code would never do anything malicious. Even if you get to peek at the underlying closed-source code, how do you know that was the code used to compile the application? With open source you can guarantee it 100% by compiling it yourself. How does it get any better with closed-source? (rhetorical question of course...)

    - Leo

    --
    You don't use science to show that you're right, you use science to become right.
  66. Email to article author & site editors by jimicus · · Score: 4, Insightful
    Email to author of article & editors of devx

    Dear Mr. Russell Jones,

    In your article you make a number of interesting points, which I shall attempt to cover in order:

    1. An open source product will eventually contain a maliciously inserted security breach.

    On what grounds do you base this statement? How can you be certain that Microsoft haven't been paid by the CIA to place backdoors in Windows? Why, then, should any government which isn't in on such secrets trust Windows? How could a government be certain that it knew all such secrets?

    2. The core project code could be compromised.

    Quite true. However, there have been instances in the past where Microsoft's code has been compromised even when sitting on Microsoft's servers:

    http://www.theregister.co.uk/content/4/14265.html

    3. A distribution will be built with security holes for the express purpose of selling to governments.

    How do you know this hasn't already happened with Windows? You speculate much, but back up little. What kind of advertising budget would such a hacker require for gaining government mindshare?

    4. Insiders could "customise" a well-respected secure distribution.

    They already can. It's called "leaving accounts on the system". Or "logic bombs". Or "misconfigured systems". This problem has existed for almost as long as computers have.

    5. Finally, you speculate that nobody is "watching the watchers". What, however, you appear to have misunderstood is that the government organisation would have a full copy of the source code and could compile it themselves to confirm the resulting program is identical to the shipped version. They could then audit the source code - either in-house or pay an outside organisation.

    It is quite correct to state that "you have to put your trust in someone - who should you trust?". Otherwise the country would have to be run on every level entirely by one person, who would be responsible for writing, implementing and enforcing law. I'm not from the US but I'm sure your President would get tired of writing out all those speeding tickets!

    I would argue "you should trust someone who can prove they have nothing to hide".

    Open Source has nothing to hide. Come into the light.

  67. this has been said too many times by simonharvey · · Score: 2, Interesting
    I was at my pastor's house last week and the topic of conversation somehow managed to turn over to linux and open source vs. windows and closed source.

    Basically the argument for closed source was that nobody could read through the code and exploit weaknesses or add trojans without anybody knowing and once linux becomes more mainstream the same virus woes will be the same for both platforms.

    I was going to remind him that linux users are statistically (spelling???) more security conscious (how many linux/unix users spend the bulk of their productivity time running as root?) than windows users but I didn't want to bring it up because he was the leader of our church.

    And also more work is put into the linux kernels than in the NT5-5.1 kernels when it comes to the weaknesses that viruses rely on.

    I was then going to remind him of OpenBSD, an open source OS that has had only 1 hole in the default install in the last seven years.
    Maybe next time when I get enough courage I will enlighten him some more.

  68. Re:figures... by 8282now · · Score: 5, Informative

    In addition, it looks like this fellow's got a seriously vested interest in the spread of MS's closed source products.

    http://www.amazon.com/exec/obidos/search-handle-url/index=books&field-author=A.%20Russell%20Jones/103-4406437-9264652

  69. Spyware by MathFox · · Score: 2, Interesting

    As soon as the Linux kernel starts "phoning home", I can fix it because I have the sources and the GPL allows me. Linus Torvalds knows that, so he is very reluctant in adding spyware to the kernel.
    When Windows XP starts phoning home, the MS EULA doesn't allow me to do anything about it. Bill Gates knows that and is looking for ways to get more dollars out of his Windows licenses.

    --
    extern warranty;
    main()
    {
    (void)warranty;
    }
  70. I don't know whether to laugh or cry by GMFTatsujin · · Score: 2, Funny
    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
    The advert that appeared (one of those ones that takes up a quarter of the page and shifts all the article text around) was this:

    FREEVBCODE.COM -- Get high-quality, FREE Visual Basic code

    The real kicker is that I can already get free, high-quality Visual Basic code... Just open the wrong attachment in Outlook.

  71. Re:Sounds like someone trying to by controversial. by Wyatt+Earp · · Score: 5, Funny

    "We need a new term for this kind of journalistic troll."

    No talent assclown.

  72. Reading his article is free. by Mirkon · · Score: 4, Funny

    So, I guess I shouldn't take any of it seriously.

    --
    Glog!
  73. Re:Sounds like someone trying to by controversial. by Threni · · Score: 2, Insightful

    > "We need a new term for this kind of journalistic troll."

    Factoid (looks roughly like a fact might).

  74. Re:Sounds like someone trying to by controversial. by uradu · · Score: 2, Interesting

    > Uhhuh? So? They'll be fixed in the next release?

    At the whip of the vendor. Which, in Microsoft's case can be never, unless the "hole" gets publicity on the evening news. There are serious--and well-documented and submitted--bugs in Word that have been there since the early '90s, with no obvious intention from MS to ever fix them.

  75. It is good advice! Really. by gosand · · Score: 2, Insightful
    Seriously, it is good advice. If I remember correctly, Munich chose Linux over Windows, even though the Linux solution cost more.

    What, does this guy think some government is going to trust its infrastructure to some home-grown distro that they downloaded off the 'net for free? Please.

    --

    My beliefs do not require that you agree with them.

  76. Re:Sounds like someone trying to by controversial. by robbkidd · · Score: 2, Interesting

    [From FUD-Induced Diatribe of an Article:]
    Malevolent code can enter open source software at several levels.
    [1] First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.

    Sooo... it's not likely? Why bring it up then?

    [2?] Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Which "the government" probably wouldn't purchase. Jones might not have noticed, but most linux installations run in government and the private sector are from the Big Name distributors. Why? Support contracts and the tendency for proprietary applications that run on Linux to require a particular Big Name distribution to run on.

    [3]Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. [...]

    Sounds like contract programming to me.

    [...] Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

    Right. These probabilities exist for *ANY* software development. Any contract programmer could do the same thing with software written for a closed-source operating system. I recall some statistic (probably made up) that said the vast majority of coding is done for in-house applications: a business' customized product database, a client database, etc. Any "IT insider" could target a government agency, bid on a programming contract and gleefully "accomplish such subterfuge". Until they were caught, charged, imprisoned and became some bad man's girlfriend.
  77. internal code carries the same risk as open source by Pragmatix · · Score: 3, Interesting

    I have this argument with my clients all the time. Many of them do not trust open source. They say, 'It is unsupported! We can't run production on unsupported software!'

    My argument is that it is no different from internally developed application. None of the code I write is 'supported' any more than the open source code out there. If something breaks they have to pay me to fix it. If something breaks with some open source code, they still have to pay me to fix it.

    Also, the advantage of open source is that even if the author's slipped something 'nefarious' into the code, you have a chance to see it. What do you do when someone slips spyware into a proprietary application you use?

  78. Re:Sounds like someone trying to by controversial. by October_30th · · Score: 3, Insightful
    Word that have been there since the early '90s, with no obvious intention from MS to ever fix them.

    So? If they don't get publicity, they're not worth fixing?

    --
    The owls are not what they seem
  79. Challenge... by bretth · · Score: 2, Interesting

    Of course, if he really believes what he says, he should be able to prove it by injecting bad code into (say) the Linux kernel, or apache.

  80. In other news .... by BaronAaron · · Score: 5, Funny

    DevX.com has reported a recent drop off in website hits and has implemented a campaign to "leverage" the Slashdot masses.

    The new project entitled "Flaming Troll" was kicked off today with an article that would be very interesting and informative for your average Slashdot reader.

    So far the project seems to be a success ...

  81. An argument that didn't make sense... by u-235-sentinel · · Score: 3, Insightful

    He argues that open source software, because of its very openness, will inevitably lead to security concerns.

    ------------

    Huh?

    Microsoft isn't open last I checked. Hackers don't seem to have any problem with causing havoc with a 'closed source' product.

    ------------

    He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'

    -------------

    Ok, I give. You get what you pay for? I've heard this for many years. I don't see my fast food burgers quite as large as the pictures nor do I see other items I pay for performing as advertised (cite Microsoft again). Not to bash these guys but think about it. How often have my IE browser links been jacked to some other site or a virus/worm trashed my up to date and patched system?

    Microsoft has done great things for the industry however closed source isn't any more secure apparently.

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  82. Re:Interesting article... by Zathrus · · Score: 2, Insightful

    It cites GCC as an example of how destructive OS can be in that it removed the market for any other type of compiler

    What a crock of an "article" that is. It's a group of posts on an OpenBSD mailing list. There is no response to the particular posting made (which, btw, is here, two levels down from what the poster linked to) because the mailing list maintainers shut down the thread as off-topic (appropriately). There are some funny, and valid, points raised by the article you linked to, but "GCC is destructive" isn't one of them.

    There are still numerous other C/C++ compilers available. Yes, gcc comes with most distros. So? You can install a different one easily enough. And there are several available -- Intel, Watcom, Borland, etc. Some are free, some are not. Most outperform gcc in various areas, sometimes in all areas. And, contrary to the post, there is still choice of compilers on Unix -- generally you can choose either the vendor's own compiler or gcc. Which is a vast improvement over the old situation -- you got to use the vendor's compiler. Which usually sucked (they've improved greatly, but we use g++ here because xlC v5 does an amazingly bad job at handling templates).

    Yes, some embedded platforms only have gcc available now. Why? Because it's cheaper than rolling your own... it used to be that you had to purchase a compiler for an embedded platform. While this was an additional revenue stream for the company, the cost of building your own compiler, keeping it bug free, updating it to match emerging standards, and providing support vastly outweighed the revenue coming in. Sure, you still have to submit the platform specific code to the gcc-devel group, but it's a lot less work than writing your own. And, of course, gcc provides far better code (stability, speed, and size) than most of the custom compilers.

    Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world?

    No. There's still Konqueror and Safari (same codebase), there's Opera (commercial and closed), and several others. Don't like Mozilla? Pick another one.

    The reality is, open source only destroys the market for other tools when the other tools are inferior. It may be that, eventually, the open source software is superior in every meaningful way and the other tools slide off into obsolescence. At that point you've reached the commoditization point for that group of software... it's unsurprising that the cheapest solution wins. It happens in every other market after all.

  83. Re:Sounds like someone trying to by controversial. by stevesliva · · Score: 3, Insightful
    We need a new term for this kind of journalistic troll.
    Yellow journalism

    Although it doesn't quite fit since this is technically a commentary or opinion piece, in which case, "ignorant fool," would suffice.

    --
    Who do you get to be an expert to tell you something's not obvious? The least insightful person you can find? -J Roberts
  84. Re:Sounds like someone trying to by controversial. by __past__ · · Score: 2, Insightful
    They would have to release it public. Releasing a program source under the GPL, then not releasing the next version under the same cannot be done AFAIK.
    The copyright owner can release his work under any license he wishes, he is not bound by any license himself. Of course he can use the GPL for one version and another license for another, just as he can give out different licenses to different people (like all the multi-licensed projects do, e.g. Qt, MySQL,...).

    The only problem would be if they accepted patches, and the patches are GPLed themselves. The "core group" has to follow the license of anyone who has rights on the code they distribute, i.e. they'd have to get rid of the contribution or comply with its license.

  85. Re:Sounds like someone trying to by controversial. by johnnyb · · Score: 4, Informative

    'I don't recall any follow up determining, "Hey this happened X_TIME ago, therefore clean programs should be reinstalled on your machine."'

    That's because the relevant teams _checked_ the code against known good code to see if there had been anything planted. If there were problems, you would have heard about them.

  86. Re:Sounds like someone trying to by controversial. by the_mad_poster · · Score: 5, Insightful

    They're called .md5s. Use them. They exist for a reason. You'd have to have some godawful cooperation between some very mean people to successfully pull off a corruption on widely deployed OSS software AND not throw red flags up among people who have clean versions and clean md5 hashes.

    And, what's your point on stagnant OSS projects? I don't see Microsoft supporting Win3.1 anymore, but there's a lot of people still using that. The difference is that NOBODY can go through it and fix it up or make anything of it. If someone decides to pick up the pieces on an abandoned piece of OSS that shows promise they can do that.

    I hate when people do this. You didn't raise any issues that aren't a problem with ALL software, yet you are applying them specifically to OSS. If a server gets owned, it gets owned. It doesn't matter if it's commercial/proprietary, commercial/oss, or whatever. It's owned. Binaries can still be injected with malicious code. They're owned. Give it up. There's no inherent flaw in OSS.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  87. Re:Sounds like someone trying to by controversial. by Jerf · · Score: 5, Insightful

    I think you've kind of missed the point here. The question isn't "Is Open Source invincible?", the question is "Is deliberate program corruption more likely to occur, all else being equal, in an Open Source program or a commercial program?"

    And while I'm not a free or open source fanatic, I have to say that I can't marshal any rational arguments that the commercial program is somehow safer from authorial corruption. It's virtually inconceivable that a large scale open-source program could have a backdoor or anything like that in it for any significant amount of time, and as for smaller projects, a one-man open source project may be just as likely to be corrupted as the one-man closed source product, but which is more likely to be detected before significant damage is done? The one with the source you can look at, hands down. (And the phrase "just as likely" is for rhetorical purposes; in the real world, the prospect of revealing the source surely impedes anybody who would put something nasty in there! That's way too accountable for someone like that's taste!)

    No system can be made perfectly safe. But to claim that commercial software is safer from deliberate authorial corruption takes willful and deliberate ignorance. I mean, seriously, claiming that the software I can't see, that I'm not allowed to see, is more likely to be pure than the stuff anybody (or anybody I hire) can look at is? That flies in the face of both logic and common sense, and is the kind of claim that has to be inflated into a long article to blind the reader with words before it can even come close to being seriously entertained; a paragraph summary doesn't pass the laugh test.

    And remember, it's not only "Will it happen?", but "Which will do more damage?" Even when break-ins happen in Open Source, the damage is typically swiftly controlled; people's reputations are on the line! Who even knows how much closed-source damage has been caused from breakins? Again, people's reputations are on the line, and the incentives to cover such things up are high.

    I just don't see a way, even in theory, where commercial software is safer against this sort of attack.

  88. Free or low cost? by nry · · Score: 2, Insightful
    You get what you pay for. When you rely on free or low-cost products
    Hmm, well if you believe all the MS adverts flying around slashdot, Linux is actually more expensive than Windows (as in the Operating System)!
  89. Oops... by JabberWokky · · Score: 2, Funny
    Darn it, I didn't want to click on the "Read More" for this article, I meant to click on the next article down, "New Worms Feed on MyDoom Infections". Gosh, I hope those new worms don't hurt too many of those fragile open source systems.

    --
    Evan "About to take down a Linux system running kernel 1.2.x for about 4 or 5 years and upgrade to SuSE 9.0"

    --
    "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
  90. Re:Sounds like someone trying to by controversial. by dustmote · · Score: 5, Insightful

    My guess is that the curve for open source is a lot different than commercial software.

    Open source - starts off, lots of exploits because the code is readily available. People using the package (assuming it's valuable enough to merit it) fix problem, submit patches. Over time software becomes more secure.

    Closed source - Exploits harder to find, eventually found due to sheer perseverance of legions of script kiddies and their slightly more talented brethren. Company denies existence of problem, patches discreetly and only occasionally, eventually begins to become marginalized due to shoddy business practices, begins suing everyone in sight in a sad attempt to revive an obviously dying business. Meanwhile, Bill Gates rolls over in his sleep, makes another fifteen million dollars.

    (Or maybe I've just had too much coffee today, and am being silly. Time will tell.)

    --


    -1, "1337" speak
  91. Re:Sounds like someone trying to by controversial. by Salamander · · Score: 4, Insightful
    once geeks realize that they can't compile the open source version to the binary

    A small and ever-decreasing percentage of users compile their own binaries, let alone check the result. Also, not all of the exploits appear only in the binary; in at least one case the malefactors added a fairly hard-to-notice security hole to the CVS source, so the "official" binaries and checksums matched just fine.

    --
    Slashdot - News for Herds. Stuff that Splatters.
  92. Re:Sounds like someone trying to by controversial. by SvendTofte · · Score: 5, Informative

    Email the author. I just did, rebutting two of his "points". rjones@devx.com

    Hey Russel,

    Just two obvious points of rebuttal.

    1. Your question:

    Who's Watching the Watchers?

    Makes a cold chill run down my spine, when I think of closed source software. In fact, many of your statements, such as the rogue coder, hold just as true, for CSS. The difference? You (as a consumer) cannot see the code. An atmosphere, which breeds closedness, and non-disclosure of hacker attacks, is far more scary, than one (such as Debian), which openly announces, that it has been hacked. Imagine a hacker gaining access to Microsoft code. Imagine MS catching him, and removing the malicious code. But ... did they get it all? Only the hacker will ever know.

    Your statement, that "core" members, will port the code, just doesn't make sense. Assuming we're not into the old chicken and egg problem, with the bootstrapping compiler, an Open Source project, is defined as having the source open. If you compile a program, and it ends up different, than the one you downloaded, then something is very wrong indeed.

    2. In academia, and security circles, full disclosure, to be able to repeat trials, and be able to uncover weaknesses in software, is the norm. Hiding behind binary code, does not a very powerful brickwall make. Hiding behind a well thought out design, which is not open to attacks (confirmed by peer review), and relies on algorithmic defences, makes a strong brick wall.

    I am sorry, but all in all, a very poor article.

    Regards,
    Svend

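    The checks that comments 66, 86, 91 and 92 describe (verify downloads against a checksum manifest, then rebuild from source and compare the result with the shipped binary), written out as an added Python example; it is not code from any poster or project, and the release files, manifest and stand-in "compiler" are all constructed here.

```python
"""Checksum-manifest verification plus rebuild-and-compare (added example)."""
import hashlib
from typing import Dict


def toy_build(source: bytes) -> bytes:
    """Stand-in for a deterministic compiler (constructed, not a real build):
    the output depends only on the source bytes, which is the property the
    rebuild-and-compare check needs."""
    return b"ELF-stand-in:" + hashlib.sha256(source).digest()


# Constructed sample release: a source tarball and the binary built from it.
SOURCE_TARBALL = b"foo-1.0 source tarball contents (constructed)"
SHIPPED_FILES: Dict[str, bytes] = {
    "foo-1.0.tar.gz": SOURCE_TARBALL,
    "foo-1.0-i386.bin": toy_build(SOURCE_TARBALL),
}

# Digest length tells us which algorithm produced an md5sum/sha*sum-style line.
ALGO_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def md5sum_manifest(files: Dict[str, bytes]) -> str:
    """Emit an md5sum(1)-style manifest: one '<hex>  <name>' line per file."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()}  {name}\n"
        for name, data in sorted(files.items())
    )


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse an md5sum/sha1sum/sha256sum-style manifest into {name: hex digest}.
    Accepts the ' *' binary-mode marker, skips blank and '#' comment lines, and
    rejects malformed lines rather than silently dropping them."""
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")
        is_hex = all(c in "0123456789abcdefABCDEF" for c in digest)
        if not name or len(digest) not in ALGO_BY_HEX_LENGTH or not is_hex:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digests[name] = digest.lower()
    return digests


def verify_against_manifest(files: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Return a verdict per file name: 'ok', 'MISMATCH', 'MISSING' (listed in the
    manifest but not present) or 'NOT IN MANIFEST' (present but unlisted)."""
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, digest in expected.items():
        if name not in files:
            verdicts[name] = "MISSING"
            continue
        algo = ALGO_BY_HEX_LENGTH[len(digest)]
        actual = hashlib.new(algo, files[name]).hexdigest()
        verdicts[name] = "ok" if actual == digest else "MISMATCH"
    for name in files:
        verdicts.setdefault(name, "NOT IN MANIFEST")
    return verdicts


def rebuild_matches_shipped(source: bytes, shipped_binary: bytes) -> bool:
    """The check the posts describe: build the binary yourself from the source
    you were given and compare it with the one that was shipped.
    A match only proves the binary came from this source. As comment 91 notes,
    it says nothing about whether the source itself is clean, so this complements
    a source audit; it does not replace one."""
    rebuilt = toy_build(source)
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(shipped_binary).digest()


if __name__ == "__main__":
    manifest = md5sum_manifest(SHIPPED_FILES)
    print(manifest)
    for name, verdict in verify_against_manifest(SHIPPED_FILES, manifest).items():
        print(f"{verdict:16} {name}")
    # Simulate a binary that was swapped after the manifest was published.
    tampered = dict(SHIPPED_FILES, **{"foo-1.0-i386.bin": b"something else (constructed)"})
    print(verify_against_manifest(tampered, manifest))
    print("rebuild matches shipped:",
          rebuild_matches_shipped(SOURCE_TARBALL, tampered["foo-1.0-i386.bin"]))
```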
  93. Re:Sounds like someone trying to by controversial. by uradu · · Score: 4, Informative

    > So? If they don't get publicity, they're not worth fixing?

    This attitude is EXACTLY what is making OS so popular and attractive. Even a small bug can drive someone out there eventually crazy enough to pick up the code and fix it. There's a famous feature in Word that pushes footnotes to subsequent pages if line spacing is anything other than single spacing. Only the footnote, mind you, not the anchor and the surrounding text. As it so happens, double-spaced text with footnotes is extremely prevalent in academia and other formal environments, making this feature very well known amongst grad students and such. But again, since this feature hasn't brought down entire computer networks and hasn't been mentioned by Tom Brokaw on the six-o-clock news, it's not worth Microsoft's time to fix. Even though it significantly impedes Word's primary purpose, that of creating documents.

  94. Jeezus, talk about ignorant by potus98 · · Score: 2, Insightful

    Does A. Russell Jones know anything about security??? It doesn't appear so from this article. This reads like something written by some un-informed CNN reporter from 1989. Did this guy do any investigation before spewing forth such ignorant dribble???

    Governments "get what they pay for"? Are you kidding me? Governments typically pay FAR MORE for FAR LESS than any other organizations on the planet! Mainly due to incompetent employees paid on time of service rather than actual performance.

    "sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way." Yea, so let's stick with the far more secure options of MS-Windows, etc...

    "Instead, the security breach will be placed into the open source software from inside, by someone working on the project." Yea, cause there has never been an instance of a paid employee/developer inserting an Easter egg, back door, or other malicious code.

    "As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart." I know my government is mostly stupid and ignorant, but I doubt "Joe's garageware jonix distribution" would make it through the laborious bidding process.

    "the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes." Agreed. The difference is, we can actually learn about the presence of open-source holes MUCH faster than closed source. (See recent /.ed article!)

    "Can Self-Policing Work?" Of course not! And that's exactly what closed-source is: self-policing! Open-source is open policing and scrutinizing by virtually anyone and everyone. Hmmmm... Should I rely on the QA/security efforts of a 10-20 person team who better play good politics to keep their jobs and/or get raises? OR, Should I consider the QA/security efforts of 100's of thousands of unapologetic experts?

    --
    This one gang kept wanting me to join cause I'm pretty good with a bo staff.
  95. Re:Sounds like someone trying to by controversial. by gumbright · · Score: 5, Funny

    Close, but you misspelled it. Its: F-u-c-k-t-a-r-d

  96. This article is that which promotes growth... by raytracer · · Score: 2, Insightful

    ...and it is very strong.

    Fertilizer. Nothing but fertilizer.

    The author's point seems to be that because Open Source software allows anyone to contribute code, that the chance for an "agent provocateur" to insert malicious code into a project is large, and that the use of such code by governments could result in significant security risks.

    Let's forget for a moment that the author doesn't actually cite even a single instance of this actually occurring.

    The real question is: is this any less likely in systems which are developed in the closed source/commercial world? Does the author believe that potential info-terrorists can't work to place themselves into companies where they might be able to achieve similar ends? It might be more difficult, but once achieved the chance of detection would seem to be significantly lower, since only a very select few get to view the source code in question, and they aren't necessarily motivated by security concerns (they are concerned with pushing their software out the door for sale).

    Ask yourself this question: are companies like Microsoft more responsive to security bug alerts, or is Linux?

    The author also writes:

    So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
    Again, a similar question should be asked: isn't this a similar problem for closed source/commercial development, where it might be in the best interest of the company to either ignore or cover up significant security breaches, and where the cause of such breaches are hidden from the eyes of those qualified to perform security audits?

    The author asks the question "Who is watching the watchers?". The answer is simple: everyone is. Or at least everyone can, which is perhaps the best that can be done.

  97. Typical, Slashdotters close ranks... by iSwitched · · Score: 2, Interesting

    Instead of actually discussing the story, any presumed insult of open source is immediately flamed into oblivion. Look - I love open-source as much as the next geek, but how about we talk about this type of article like adults, and provide examples of our own?

    Sure the guy could've taken a less inflammatory tone, and could've provided a few specific examples, if there are any, but riddle me this, all you smarties, he does have the grain of an issue here.

    Let's assume that open software becomes ever more mainstream, to the point where grandma can't tell or doesn't care the difference in method by which her email client was developed. What's protecting her against malicious or incompetent open-source developers? Or are we saying that all programmers are by nature 'good' people and also brilliant at their craft?

    Sure, geeks can compile source, compare binaries, review code line-by-line, but it may shock you to know that normal people don't know or care how to do this.

    Your next argument is that the 'good' geeks will discover and root out the 'bad' geeks. But in a world where OSS is mainstream, this will only happen after thousands, hundreds-of-thousands, or even millions of mainstream users are already compromised.

    I'm not saying that commercially developed software has proven itself better, in fact usually it's much worse, so far anyway, but OSS does have some of the same problems in a world where not every user is also a programmer.

    OK, discuss...

    --
    "That naive cube! How long must I suffer this!" --Sheldon J. Plankton
  98. Re:Sounds like someone trying to by controversial. by Trigun · · Score: 2, Funny

    Not to throw too much wood on the fire, but wasn't an Al Qaeda sympathizer arrested at Intel? Just imagine what he could have done! Intentional security breaches right in the chips! Start the paranoia meters!

    (and this is nothing more than baseless speculation. I don't want to be sued by Intel)

  99. Jones is a Microsoftie from way back by Tin+Foil+Hat · · Score: 2, Informative

    Do a search on his email address (rjones@devx.com) and you'll find that R. Jones has been writing about MS technologies for many years, including numerous articles on Visual Basic, .Net, and C#. Small wonder he feels threatened by open source, it's a direct challenge to his career.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  100. Re:Sounds like someone trying to by controversial. by fermion · · Score: 3, Insightful
    The problem is that he is comparing the ideal in closed source programming to the reality of OSS. Such a comparison shows either a deep ignorance, a failure to understand the art of rhetoric, or a malicious intent to mislead.

    As has been shown repeatedly, if you have a few guys writing closed code, they can put in pretty much whatever they want. Malicious intent can only be gleaned through a black box analysis. The problems become even greater where many people are working on code. Often companies will not pay for full code reviews, and only broad regression tests by third party, generally QA. Few companies will check for features that are not supposed to exist. Even if the company knows exactly what the software is doing, which is in fact never true, the user still has little assurance that the company is disclosing all features.

    So, OSS software is still no worse off. Even if there is no formal code review of new submissions, interested parties can do informal code reviews. Blackbox analysis can still be done, but now offending code can be identified. Best of all, if you so choose, you can remove the troublesome feature and continue to use the rest of the functionality.

    The stuff we download off the net, whether closed or open source, is always risky. We are assuming the coders are good guys. OSS is probably a little more trustworthy because there is no hiding behind technicalities. OSS is saying yes to all information requests, not cowardly hiding behind a policy of secrecy.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  101. Re:Sounds like someone trying to by controversial. by dubious9 · · Score: 2, Informative

    Yeah, and there is nothing stopping independent resellers of closed source software from inserting anything they want. People tend to forget that you don't need source code to figure out how the program works. It's just easier. And it's not like you really need to know the program either, just find a good place to stick something.

    This is why we have trusted vendors. I'd bet from here to Tuesday that IBM performs internal audits on the software that it redistributes. And before it gets to IBM, Redhat does its own. Before that then it is the people writing the software. There are three layers of people, two of which there are responsible people behind. If you are not using software except from a trusted vendor, your risk is low.

    The only argument this guy makes is that it is not good to use software from people you don't trust. Duh. That point is true whether you are talking about open source software or not.

    --
    Why, o why must the sky fall when I've learned to fly?
  102. Re:Sounds like someone trying to by controversial. by herulach · · Score: 2, Informative

    A factoid would just be confusing though, because a good number of BBC radio 2 listeners will know factoids as interesting bits of trivia.

  103. Closed source can be just as bad. by xeeno · · Score: 5, Insightful

    What guarantee, as a company, do you have that the product that you paid for wasn't authored with the intent of gathering malign information about you?
    None whatsoever.
    Remember those old ATI drivers that ran special "optimizations" when used with the quake3a binary? They were closed source and geared to misrepresent the performance of their card to the community. I suspect that if those drivers were open source that little trick wouldn't have gone unnoticed for long.
    I'm not advocating open source as the end all and be all of things, because it isn't. However, you're an idiot if you think that paying for something means that it's safe.

    For God's sake, look at IE.

    1. Re:Closed source can be just as bad. by unitron · · Score: 2, Funny
      "You paid for IE?"

      I pay for it every time I use it--in wasted time, in aggravation, etc.

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  104. those md5 files are bullshit by Fefe · · Score: 2, Interesting

    I have never understood what those people are thinking when they publish .md5 files. I mean, really! If someone gets far enough to upload a compromised tarball, what stops him from also uploading a matching md5 file?

    Exactly. Nothing.

    That's why people with more than one brain cell upload .sign files. Those are digital signatures made with the GNU privacy guard. Digital signatures make sure that the guy who owns the secret key (and only him) can create signatures, which then everyone can check.

    Of course there are also caveats (some dark three-letter agency could have cracked the key with their Roswell quantum computers, or someone could have stolen the secret key), but those are far less likely than some asshat uploading a md5 sum. Everyone can create matching md5 files for any content, but only I can create sign files matching my secret key.

    So please someone hit those GNOME idiots with a clue stick, those md5 files must go. Now.

    Oh, and while you are at it, please also tell the gnome people to use a directory structure where mirror programs (and people!) can see whether there were new uploads without having to recurse through the monstrous moloch directory tree from hell. Thanks.

    Sheesh. Now that wasn't so hard, was it?
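
    The point Fefe makes above, in working code. This is an added example and not code from the GNOME project, from GnuPG or from the comment's author; it substitutes Ed25519 from Go's standard library for GnuPG so that it runs offline, and the tarball bytes and the intruder's replacement are constructed samples. An intruder with upload access can regenerate the .md5 file to match whatever he uploaded, but cannot produce a .sign file for it without the maintainer's secret key:

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download directory holds: the tarball, the .md5 file
// published beside it, and the detached .sign file the maintainer produced.
type Release struct {
	Tarball []byte
	MD5     string // hex digest, as a .md5 file would contain
	Sig     []byte // detached signature over Tarball
}

// md5Hex is all a .md5 file is: a digest anyone can compute for any content.
func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's side: hash the tarball and sign it with the secret key.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	return Release{Tarball: tarball, MD5: md5Hex(tarball), Sig: ed25519.Sign(priv, tarball)}
}

// Tamper is the intruder's side: replace the tarball and regenerate the .md5
// file to match. The .sign file cannot be regenerated without the secret key,
// so the old one is left in place (dropping it fails the check just the same).
func Tamper(r Release, trojaned []byte) Release {
	return Release{Tarball: trojaned, MD5: md5Hex(trojaned), Sig: r.Sig}
}

// CheckMD5 is the "verification" a .md5 file offers.
func CheckMD5(r Release) bool {
	return md5Hex(r.Tarball) == r.MD5
}

// CheckSig verifies the detached signature against the maintainer's public key,
// which the downloader must have obtained out of band (not from the same server).
func CheckSig(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// Outcome records which checks pass on the genuine and on the tampered release.
type Outcome struct {
	MD5Genuine, SigGenuine, MD5Tampered, SigTampered bool
}

// Demo runs the scenario on constructed sample bytes standing in for a tarball.
func Demo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(priv, []byte("example-1.0.tar.gz: legitimate contents (constructed sample)"))
	tampered := Tamper(genuine, []byte("example-1.0.tar.gz: backdoored contents (constructed sample)"))
	return Outcome{
		MD5Genuine:  CheckMD5(genuine),
		SigGenuine:  CheckSig(pub, genuine),
		MD5Tampered: CheckMD5(tampered),
		SigTampered: CheckSig(pub, tampered),
	}
}

func main() {
	o := Demo()
	fmt.Printf("genuine:  md5 ok=%v  signature ok=%v\n", o.MD5Genuine, o.SigGenuine)
	fmt.Printf("tampered: md5 ok=%v  signature ok=%v\n", o.MD5Tampered, o.SigTampered)
}
```

    For real releases the equivalent check is gpg --verify foo.tar.gz.sign foo.tar.gz, with the maintainer's public key fetched from somewhere other than the mirror being checked. A signature verified against a key downloaded from the same compromised server proves nothing, which is the assumption CheckSig above encodes by taking the key as a separate input.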

  105. windows: as good as it gets? by NickFortune · · Score: 2, Informative
    I suppose MS is some Mickey Mouse cowboy operation that would write secure software if only they employed grown-ups and professionals.

    Or is his point that it never gets any better than MyDoomA and MyDoomB and we better learn to live with it? 'Cause I think we already disproved that one...

    --
    Don't let THEM immanentize the Eschaton!
  106. Fairly Humorous by chaoticset · · Score: 2, Funny
    I don't know -- most of this is either a truism about software with the words "open source" in front of the word software, or else something Microsoft said about open source in one of their -- er, I mean the independent testing consortium they hired's -- tests.


    Plus, el supremo Jones fails to comprehend the concept of reverse engineering. Perhaps learning things is more difficult with that enormous wad of MicrosoftBucks that keeps showing up in his bank account.

    --

    -----------------------
    You are what you think.
  107. In short - I'm the ignorant executive editor by PetoskeyGuy · · Score: 2, Insightful

    Compare DIEBOLD voting machines VS Australian voting system.

    Photoshop, HP, etc hidden currency counterfeit code VS the Gimp.

    Trust that Microsoft won't embed heavily encrypted code that causes problems with Mozilla, etc as has been documented many times before.

    In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.

    He never heard of a virus? EXE's are not that hard to change, and if you take the copy mechanism out, it's very easy to create a trojan from any given binary and even encrypt it. Source Code doesn't give you any magic way to corrupt a program, any more than a binary does. You have to trust the source, but in general 99% of the time there isn't anything to be worried about.

    If he is this paranoid, the only solution is for the government to write their own operating system, monitor everyone's computers, library reading habits, television viewing and email. Only then can we TRUST that we will be safe.

    So obvious... Maybe they are just hoping to sell more ads. Too bad for Mozilla and Adblock.

  108. Re:Sounds like someone trying to by controversial. by Anonymous Coward · · Score: 2, Insightful

    Do you seriously think that your suggested method of detection will fly with anyone, except a small slice of the computer user population who would have the skill (not to mention the time) to compile everything from source?

    Do you think it is wise to wait and see if something acts strangely before doing something about it? How long do you think it would take you to notice that something was "behaving strangely" after all your files have been removed?

    You need to widen your focus, the world is not comprised solely of developers and sysadmins....

  109. Absolutely right by jazman · · Score: 2, Funny

    Absolutely. Spot on. Can't use anything that's free, otherwise you automatically get problems.

    Just as well nobody is stupid enough to breathe the air in the atmosphere isn't it? I mean, who wouldn't go with cans of Ozone Friendly FreshAir(TM) Only $10 A Can?

    And as for that wet stuff that comes out of clouds, nobody, surely, would be dim enough to think that was actually /drinkable/, would they? Har har har.

    Repeat after me, all consumers: Free = Wrong. Pay Corporation $$$$$ = Right. Have you supported your local fat cat today by buying something that is normally available for no cash whatsoever?

  110. Where do you sign up? by HangingChad · · Score: 2, Insightful
    And how do you get a job writing that kind of unsupported inflammatory dribble? Does it pay well? He doesn't even cite any specific examples where something like he describes actually happened.

    Government has the ability to review, or hire someone to review, the source code they're going to use for an implementation and there are even gov admins who know how to do source control and compile software (shock, gasp, disbelief). They also know how to monitor their systems for suspicious activity.

    Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public

    What's he trying to say? They're not going to release the code for a public version of...what? And if they don't make the corrupt version public, what's the problem? Are they going to sneak it in to a government office and while the admin is looking the other way jam a thumb drive on the server? A-ha! Gotcha! What are they going to release if not the source code? And when the checksums and file sizes don't match they'll cover that how? Here's a new version of Mozilla, don't worry about the source code, just install this...whatever...and trust us.

    Maybe some of you closer to the daily process can help me think of a scenario where that could happen, because I can't.

    If someone is making a living writing crap like that, I'm definitely on the wrong end of the business.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  111. Backdoor in Borland InterBase by boolyball · · Score: 2, Informative

    The Borland InterBase database server had a backdoor in place for 6 years! It wasn't until the product was open sourced that the backdoor was made public. See here for details.

  112. Re:Sounds like someone trying to by controversial. by StenD · · Score: 2, Interesting
    Just because you didn't hear about it, didn't mean that the concerns weren't raised. In fact, the CERT advisory contains the following statement:

    II. Impact

    The potential exists for an intruder to have inserted back doors, Trojan horses, or other malicious code into the source code distributions of software housed on the compromised system.

    III. Solution

    We encourage sites using the GNU software obtained from the compromised system to verify the integrity of their distribution.

    Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not always sufficient to rely on the timestamps or file sizes when trying to determine whether or not a copy of the file has been modified.

    A referenced CERT Incident Note begins with:

    Background

    When downloading software from online repositories, it is important to consider the possibility that the site has been compromised. One of the threats that users face is that intruders could include malicious code in the software packages distributed by those sites. This code could take the form of Trojan horse programs or backdoors.

    In regards to your other concerns:

    Take a look at cpan and some of the modules you have on your machine. How many are updated with normalcy? What about the whole sourceforge/freshmeat concept of 'sysadmining', where you find a neat program supported for what... a year? Maybe 2 if you're lucky...

    Frankly, that's not significantly different than closed source software - companies release products, then, because of lack of adequate revenue, stop updating it. If you're lucky, the company itself didn't go under, so you might still be able to receive support, perhaps at extortionate pricing. If the company went out of business, and you came to rely upon the product, you're SOL. With OSS, however, if the original developer[s] are no longer developing the package, and no one else has taken charge, you still have the source. If you have a critical need for a fix or an enhancement, you can always contract with a programmer to perform the work to your specifications, which you would be unable to do with a closed source product.

    Sometimes it seems the cool Open Source gets, the more issues come out with it.

    You've yet to cite one that doesn't exist with closed source software as well. Source code repositories are compromised, backdoors are inserted, development ceases, and support is withdrawn with closed source software as well. The difference is that with OSS, the end user has access to the code to protect themselves from these risks, while they do not with closed source software.
  113. Re:Sounds like someone trying to by controversial. by pohl · · Score: 4, Funny
    We need a new term for this kind of journalistic troll.

    Urinalist?

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  114. Security by Obscurity is crap. by gurps_npc · · Score: 2, Informative
    Where has this guy been for the past 20 years????

    Has he no knowledge of the numerous papers that have pretty much torn apart the concept he proposed? Or did he think he invented the idea of Security by Obscurity???

    Yes, not letting people see the holes in your software does make it harder to break into them. But it also makes it impossible for white hats (good guys/hackers) to find and correct them.

    Open source has pretty much demonstrated that the number of white hats examining their software is greater than the number of black hats (criminals/crackers) and that the white hats tend to have more experience, creativity, and skill than the black hats.

    Finally, when your stuff DOES get cracked open, the open source nature means it is far easier to figure out how it happened, to fix it, and to publicize the fix preventing additional break ins.

    Q.E.D. Open Source is more secure than Closed source.

    --
    excitingthingstodo.blogspot.com
  115. Security Audits??? by Anonymous Coward · · Score: 2, Interesting

    I work for a major corporation that uses open source, but we don't publish anything into production without doing extensive security testing. This includes third party security audits, and they've ripped apart just about every single vendor's POS (piece of software) that we've installed. At least when they uncover a problem with the open source packages, we can get patches quickly or it's actually a vendor's product that interfaces with Apache, etc. If you're that big an entity with sensitive information and don't follow basic security measures, you're just asking for trouble. I don't think any IT professional in today's world can plead ignorance to security (funding, well, that's a different story) :\

    Just my $0.02

  116. Re:Sounds like someone trying to by controversial. by elton247 · · Score: 3, Insightful

    If the government or any business is installing server software or mission critical applications it should be by a sysadmin. These people should not have the slightest problem compiling from source.

    --
    How strange it is to be anything at all
  117. Re:Sounds like someone trying to by controversial. by Tony-A · · Score: 4, Insightful

    A small and ever-decreasing percentage of users compile their own binaries, let alone check the result. [Emphasis added]

    Compare:
    50% of 10 is 5
    .05% of 100,000 is 50
    I'd much rather have .05% of 100,000 checking than 50% of 10.

    It takes very few to notice something peculiar and investigate. The malefactors get caught out if anybody notices anything. Since anybody can examine everything of interest, it would be extremely difficult for a malefactor to actually accomplish much of anything against Open Source.

  118. Exactly- MS's Shared Source Init a response to OSS by blorg · · Score: 4, Insightful

    This story makes no sense whatsoever. From what I can work out, he's saying that although the source may be auditable, back-doors could be introduced (but not made public) before it is compiled into a distro. Leaving aside the obvious GPL violation :-) he seems to be saying that someone in Red Hat, for example, would be introducing the back-door. But how is this any different than someone in Microsoft doing so with Windows, except that the source was never available in the first place? And why, exactly, would Red Hat be likely to do this while Microsoft does not? It just doesn't make sense. Indeed, Microsoft only launched its Shared Source Initiative and Government Security Programme, allowing restricted access to the Windows source, because it acknowledged source auditability to be an advantage of open source.

  119. Re:Sounds like someone trying to by controversial. by johnnyb · · Score: 3, Interesting

    You're missing the point. They _know_ when the compromises took place. I had a project on Savannah, and when they discovered the backdoor, they had the CVS repository from backup from before the incident, and from after the incident. Each project leader was to compare the diffs between the two to make sure that there was no altered code.
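
    The CERT advice StenD quotes (timestamps and file sizes are not enough to tell whether a file was modified) and the procedure johnnyb describes (compare the pre- and post-incident repository backups) amount to the same check: compare the two trees by content, not by metadata. The Go program below is an added example, not tooling from Savannah, CERT or either commenter; the two trees, the file names and the "backdoor" edit are constructed for the demonstration and written to a temporary directory. One source file is altered with a same-length edit and its mtime reset to the original, which a size/timestamp comparison passes over and a hash comparison does not:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

type Entry struct {
	Size, MTime int64  // what a size/timestamp check compares
	Hash        string // SHA-256 hex: what actually identifies the content
}

// Snapshot records every regular file under root, keyed by slash-separated relative path.
func Snapshot(root string) (map[string]Entry, error) {
	out, fsys := map[string]Entry{}, os.DirFS(root)
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		info, err := d.Info()
		if err != nil { return err }
		data, err := fs.ReadFile(fsys, p)
		if err != nil { return err }
		sum := sha256.Sum256(data)
		out[p] = Entry{info.Size(), info.ModTime().Unix(), hex.EncodeToString(sum[:])}
		return nil
	})
	return out, err
}

type Finding struct {
	Path, Kind   string // Kind is "added", "removed" or "modified"
	MetadataSame bool   // size and mtime match, so a naive check would have missed it
}

// Compare lists every content difference between before and after, sorted by path.
func Compare(before, after map[string]Entry) []Finding {
	var out []Finding
	for p, b := range before {
		if a, ok := after[p]; !ok {
			out = append(out, Finding{p, "removed", false})
		} else if a.Hash != b.Hash {
			out = append(out, Finding{p, "modified", a.Size == b.Size && a.MTime == b.MTime})
		}
	}
	for p := range after {
		if _, ok := before[p]; !ok { out = append(out, Finding{p, "added", false}) }
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func must(err error) { if err != nil { panic(err) } }

// writeTree materialises files under root and pins every mtime to stamp.
func writeTree(root string, files map[string]string, stamp time.Time) {
	for name, body := range files {
		p := filepath.Join(root, filepath.FromSlash(name))
		must(os.MkdirAll(filepath.Dir(p), 0o755))
		must(os.WriteFile(p, []byte(body), 0o644))
		must(os.Chtimes(p, stamp, stamp))
	}
}

// Demo builds the constructed scenario: the backup taken before the intrusion and the
// tree found afterwards, where auth.c carries a one-character edit (same size, mtime
// reset to the original) and an extra file has been dropped in.
func Demo() []Finding {
	dir, err := os.MkdirTemp("", "treecheck")
	must(err)
	defer os.RemoveAll(dir)
	stamp := time.Unix(1_000_000_000, 0)
	clean := map[string]string{
		"src/main.c": "int main(void) { return check(\"admin\"); }\n",
		"src/auth.c": "int check(const char *u) { return strcmp(u, \"admin\") == 0; }\n",
	}
	backdoored := map[string]string{
		"src/main.c":  clean["src/main.c"],
		"src/auth.c":  "int check(const char *u) { return strcmp(u, \"admin\") != 0; }\n", // anyone but admin passes
		"src/extra.c": "/* dropped in by the intruder (constructed) */\n",
	}
	beforeDir, afterDir := filepath.Join(dir, "before"), filepath.Join(dir, "after")
	writeTree(beforeDir, clean, stamp)
	writeTree(afterDir, backdoored, stamp)
	before, err := Snapshot(beforeDir)
	must(err)
	after, err := Snapshot(afterDir)
	must(err)
	return Compare(before, after)
}

func main() {
	for _, f := range Demo() {
		fmt.Printf("%-8s %-12s size/mtime unchanged: %v\n", f.Kind, f.Path, f.MetadataSame)
	}
}
```

    Against a real incident, Snapshot is pointed at the restored backup and at the current checkout and Compare gives the list the project leader has to read through. A hash comparison only catches edits made after the backup was taken, which is why the advisory quoted above asks mirrors to verify their copies rather than rely on timestamps.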

  120. Attempts at planting backdoor in Linux failed by SysKoll · · Score: 4, Informative
    As exemplified in this story, we have already seen attempts at inserting backdoors in the Linux kernel.

    The attempts failed because of the meticulous grooming given by the "many eyes" watching each open source release.

    Any one can write a new kernel patch. But getting these patches accepted is a whole different story.

    Conversely, years after the commercial, closed-source program Borland Interbase was released and used worldwide, it was found that it contained a back-door.

    So recent history proves the article is wrong. Facts demonstrate exactly the opposite of what the article rants about.

    Conclusion: the article is an unsubstantiated troll written by a Microsoftie eager to fart FUD at the Penguin. Ignore.

    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  121. Re:Sounds like someone trying to by controversial. by afidel · · Score: 2, Funny

    "I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."

    Oh the irony! The very next slashdot story is about Windows NT and 2000 source code being leaked to the net.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  122. I just sent the author this email by laird · · Score: 2, Insightful

    I found your article quite thought provoking, as the arguments seem logical, but they do not match with my several decades of engineering and operating enterprise class software systems. I think that there's a disconnect between the theoretical weaknesses of the open source software development model that you raise and its actual practice.

    With open source software, anyone can in theory contribute code, but in practice there are two strong limits on abuse: open source projects are actually closely controlled by a core set of trusted developers, so outsiders can't submit code directly into the repository, and anyone who is concerned can inspect the code. So, to actually get an intentional flaw into an open source project, one would have to spend time becoming a trusted developer, then construct a flaw subtle enough that it would not be detected by other developers working on the project. And because the process is completely transparent and thoroughly auditable, once any intentional code defects are located the source can be determined and addressed, other code from the same source inspected, and so on. So while in theory there's the risk that you mention, it doesn't seem to actually occur.

    With closed source software, in theory access to the source code is limited to trusted employees, but in practice most software companies are fairly easy to penetrate (via new hires, consultants, and outsourcing) so that a malicious engineer could gain access to the source code and submit changes, and for most closed source projects there is far less peer review of the code, so those changes are less likely to be noticed. And since there is no public visibility into the situation, there is less incentive to fix the actual problem, and technical concerns can be overridden by business goals. You can read the widely disseminated Diebold emails for an example of this sort of thinking. So while in theory closed source software might seem better controlled, in practice there are numerous occurrences of engineers injecting code into their projects for personal gain (in Nevada, for example, they regularly catch engineers inserting "cheats" into gambling machines, sometimes after amassing small fortunes).

    The end result is that in practice, open source projects have much less trouble with errant code getting into their projects than do closed source projects.

    While I believe that "you get what you pay for" is generally good advice, I think that you're missing the ways that companies "pay for" open source software, i.e. by "barter" rather than cash. The many companies using open source software all "pay for" the development of the operating system, but they do so through contributing engineering effort (e.g. IBM, SGI, HP) and by submitting bug reports, rather than by paying a vendor to do the engineering and testing. Of course, many companies purchase support contracts for open source software, in which case they're "getting what they pay for" through the more traditional mechanism of money. So you're not getting something for nothing -- you're just paying by effort, or by purchasing a support contract, instead of for software licensing costs.

    When companies that I've been with have used open source software it's rarely for the simplistic reason that there's no purchase price -- it is because the total cost of ownership is lower. I've run extremely large server farms of a wide range of operating systems (NT, BSD, Linux, Solaris, Digital UNIX, HP/UX, etc.) and in every case the purchase price of the software was insignificant compared to the operational costs (hardware, staffing, etc.). Rather pleasantly, open source systems have matured to the point where they're not only easier and less expensive to acquire (no vendor negotiations, etc.) but are often as low or lower in cost to deploy and operate, and as efficient or more efficient. Of course, the specific situations shape the issues -- if you need an enterprise class database, MySQL isn't an option, and if your application only runs on NT, you run NT. But in my experience, when picking between comparable open and closed source solutions, it's better for the customer to pick the open source solution and spend the offset licensing fees on staff or training.

  123. I think the govt would take the time to check by blorg · · Score: 3, Interesting
    "A small and ever-decreasing percentage of users compile their own binaries, let alone check the result."

    I think the government might just have the time to make this sort of check, and as others have said, it only takes one person to notice. Your second point is valid, as is borne out by the Debian/micq dispute (also mentioned previously in these comments), but that ironically isn't a point that Jones attempted to make in the article - he seems to be concerned with unpublished back-doors that don't appear in the source.

  124. And they see nothing wrong with this! by chadjg · · Score: 4, Interesting

    My boss used to do custom business software and database programming back in the big iron days. He said that in order to do customer support they would often build in a way to shell into the machines remotely to do the diagnostics.

    No problem there. But the kicker was that he would build back doors into the programs that only he knew about, so if they changed the front door passwords or otherwise screwed it up, he could still get in.

    The big problem was that he wouldn't tell his customers about these back doors. This is financial and tax data we're talking about. He saw no ethical problem with this. None at all. Fortunately he's not a malicious guy.

    This isn't a surprise to anybody, right? I was just shocked at the total and complete lack of guilt over doing this. And he's otherwise a normal guy. That's scary.

    --
    Why do I have this? I don't smoke.
    1. Re:And they see nothing wrong with this! by DahGhostfacedFiddlah · · Score: 3, Interesting

      I've seen stuff like this too. I was bugfixing some PHP code a while back and found this gem:

      // a single magic value in one variable wipes three tables
      if ($long_variable_name == "long string") {
          mysql_query("DELETE FROM important_table1");
          mysql_query("DELETE FROM important_table2");
          mysql_query("DELETE FROM important_table3");
      }

      I can only assume it was put there by the original author to use in case he wasn't paid or saw the script copied or something like that. Regardless, I consider it gross negligence to allow anyone with the right magic phrase to delete an entire site (I removed it, of course).

  125. Re:Sounds like someone trying to by controversial. by muckdog · · Score: 2, Insightful

    Good point, How many people use the OEM of windows that came with their computer? I'm sure this number is easily over 50%. That man in the middle is any computer manufacturer. "But Dell/HP/Gateway would never do that to us!" Really, seeing how they are manufactured in places like China and India, which lead the world in pirated software, do you really trust them? To put it more bluntly... do you trust China to manufacture computers that are to be used in the US Department of Defense??!?!

  126. Man with an Agenda by daniel_drysdale · · Score: 2

    "Interesting" article.

    I was particularly interested in the advertising at the bottom of the page for a number of M$ and .net related services, that coupled with the site running on IIS makes me question the Agenda of the author.

    Just my $0.02

  127. Re:Sounds like someone trying to by controversial. by Tony-A · · Score: 2, Insightful

    The only argument this guy makes is that it is not good to use software from people you don't trust.

    True. Obvious.
    What's maybe not so obvious is the less you have to trust the vendor, the better.

    Contrast:
    [ ] Always trust Microsoft
    [ ] Always trust RedHat
    Why the ^%*^&%&* should I have to trust RedHat?
    Methinks that an essential part of any con game is that the victim must trust the con artist.

  128. Letter to the DevX editor by Squeamish Ossifrage · · Score: 3, Informative

    I submitted the following response in a letter to the editor:

    Dear Sir or Madam,

    I am concerned that Mr. Jones's column of February 11th, "Open Source is Fertile Grounds for Foul Play," indicates a significant misunderstanding of open-source development processes. The argument presented is that all software development carries the risk that malicious code will be inserted by insiders, and that open-source is especially vulnerable because more people are insiders. The first part is absolutely true, and applies to both closed- and open-source development as Mr. Jones acknowledges, but the second part does not stand up to scrutiny.

    Most open-source projects have only a small group of "core developers" who have the ability to modify the official source code, just as is the case with proprietary software development. Any malicious person could insert destructive code into his or her own copy, but not back into the official version. That leaves the possibility of intentional compromise by the core developers, or by subsequent distributors. The first is a risk, but less so than with proprietary software: The number of people in a position to corrupt the source is similar in both models, but the possibility of outside review reduces the danger for open-source software. Mr. Jones posits that core developers could avoid such scrutiny by not making the corrupted version public, but this is nonsensical: The version of the source code available for use is by definition also available for review.

    The other concern raised is that distributors who re-package open source software could add vulnerabilities. Again, this is possible, but no more so than with proprietary software. It's easy for an attacker to add malicious code to compiled binaries; indeed much pirated software is reported to contain viruses or Trojan Horses. For both open-source and proprietary software, the solution is the same: Be careful who you get your software from. Downloading open-source software directly from the public sources or buying a packaged version from a trustworthy distributor is no riskier than buying e.g. Windows directly from Microsoft or a system integrator like IBM. If a consumer buys either open- or closed-source software from Bob's Back-Alley Software and Pawn Shop, well, it's a bad idea either way.

    Open-source is not the security panacea that some advocates make it out to be, but it doesn't incur the added risks which Mr. Jones attributes to it, either. A government or other user which applies common sense to its software acquisition is no more at risk from open-source software than closed-source, and may even be a bit safer.

    Respectfully,
    Eric Anderson

    --
    Eric Anderson - anderson@cs.uoregon.edu
    University of Oregon Network Security Research Lab
    PGP fingerprints:
    D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12
    9544 C724 CAF3 DC63 8CAB 5F30 68AE 5C63 B282 2D79

  129. s/open source/Microsoft/g, get same article? by thomas_klopf · · Score: 2, Funny

    It's funny, but if you just make opposite words out of this article, you get something that sounds just as reasonable about Microsoft.. Try it out!

    "In short, Microsoft's expensive and high-cost software products are likely to be widely adopted in governments, where spending public money for licenses is an easy justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify."

    "Microsoft software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be."

    Man, this is fun! Nothing like reading Microsoft gimp droppings! drool.

  130. Why So Scared of open source?? by Nikker · · Score: 2, Informative

    As everyone posting / reading on this site knows, Open Source is a platform that is used to share knowledge about techniques, inner workings of software / hardware. This has been used only for the benefit of the community that is interested, no membership card required, and was never even pushed into the mainstream. Now companies are realizing that there is no "magic" to operating systems and they can do it themselves, own the code and hire programmers to code it for them. They are under no pressure to patch the software, or even listen to the Linux community at large on procedures. Maintaining software becomes faster and easier and MUCH less expensive; once the project is done it is theirs and no need to pay anyone any additional fees to keep it. This is all because apparently we have discovered all there is to know about operating systems. How do I know this? Simply because there has not been an innovation that has eclipsed Linux; even kernel 2.2 can keep up with the GUIs and stability that Microsoft has started, the GUI hasn't changed since the Mac in 1982, multitasking was started in UNIX before the Mac, there is nothing new, Microsoft hasn't invented a single thing since day 1, Bill even bought QDOS to build on to become MS-DOS. Now it is the mal-educated that think that open source is wrong because they think we are trying to take over the big software companies and take all of their profits... LOL ... We are just watching this happen; some of us take credit where we really shouldn't, we are just sharing knowledge. It just so happens that this is the same knowledge that software companies have and is available for anyone to learn. Do you have to use Linux to take advantage of it? No! Reading source on AGP will give you a very good understanding of what it is about and then you could apply this to *ANY* operating system as long as you are still building on AGP.

    Open Source will always exist whether certain individuals think it is right or not because we are curious, and best of all, when it really comes down to it, do we really care if everyone on the planet uses Open Source? No, it just gives an opportunity to learn about computing. Open source is not for profit, it is about education; it just so happens that no one is able to take this lesson any further than what is already out there. That is why closed source is going to die a slow and painful death in the Operating system world; they have done it to themselves. The door is always open for an amazing new interface, filing system, method for organizing, optimizing, executing code. When that happens the open source community will get together and learn how it works and in time will be able to understand how it works. Operating systems as of the time of this writing have been completed. Unless something/someone comes along with a new ideal, Open source will take over as it is now for all to see and use. Move on and work on the "Next big thing" and try to outdo open source, we *Want you to*.

    --
    A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
  131. Re:Sounds like someone trying to by controversial. by gaj · · Score: 4, Insightful
    It doesn't matter what percentage of users compile and check. Only that some do and that there is a way to get the word out.

    Some do. I'm proof by existence.

    There is a way to get the word out. /., USENET, mailing lists and distro alerts are just a few ways.

    As for the malware in the source, you are of course correct. However, it is exposed, so therefore can be found. In fact, will be found, eventually.

  132. note sent by router · · Score: 2, Interesting

    Mr Jones,
    So, a major Closed Source OS vendor including specific checks for software that competes with that vendor's other software offerings, and refusing to work or crashing when the competing software is launched, is not a possibility? No, it's a fact, and Microsoft did it. Articles like these simply allow Open Source Software users and authors to ignore such writers indefinitely, actually, since it is obvious that authors such as yourself do not understand the core principles of Open Source.

    I have a large number of analogies that might make sense to you, here is one.
    Closed Source:
    I like to work on cars. I have an idea for a car that I would like to build. I build my car. I show it. Painfully over a period of years, from looking at other custom cars, I come up with one that I really like and then maintain it because I enjoy it.

    The Closed Source Analogue:
    I like to code. I have an idea for some code that I would like to write. I write the code and distribute as closed source shareware. Painfully, over a period of years, from user observations and using other code, I come up with something that really serves my needs, that I maintain because I enjoy it.

    Open Source:
    I like to work on cars. I have an idea for a car that I would like to build. I build a prototype of my car. I show it to the world and explain my idea. Other people who like to build cars may or may not help by randomly showing up in my garage and wrenching, bringing cool tools, paint, parts, etc. Other people will suggest improvements or point out flaws. In a matter of months, the initial build is done and I get to use the car I like, and copies of my car are available to anyone who wants to test drive it or use it every day. Further improvements arrive and I oversee their addition to the car. It weighs less, goes faster, is more comfortable, and does things I couldn't have dreamed of because it leverages the skill, talent, and needs of everyone who liked the idea. I maintain it, or allow others to maintain it, because it is a tour de force in the automotive realm and suits my needs better than any other car in existence.

    Open Source Analogue:
    See above, inserting code for car.

    Now, I ask you, would we let anyone run a grinder over my beautiful car? Would we be any less observant of the additions being made than the single shareware author? Would anyone else working on the car allow a malcontent to destroy the engine?

    Once it is out of my hands and in the community, the probability of the changes you describe occurring is lost in the noise compared to the probability that a major vendor will try to handicap its competitors. As has been SEEN in the past and will be SEEN in the future. You really shouldn't comment on things you don't truly understand. To believe that people whose hearts and souls are entwined in something have less motive to maintain the purity of their code compared to people who are punching a timeclock and subject to the whims of managers, deadlines, competition, and cost containment is a manifest misunderstanding of the nature of man.

    Stop playing chicken little and take off the tinfoil hat.

    andy

  133. The Department of Defense Disagrees by TheCrayfish · · Score: 3, Informative
    In a Powerpoint Presentation entitled Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, sponsored by the Defense Information Systems Agency, the MITRE corporation found these "(Unexpected) Security benefits of FOSS":
    • FOSS includes applications such as the OpenBSD operating system that have been intensively reviewed from a security and reliability perspective. Such applications present far fewer openings for cyberattacks. BSD licensing lets benefits flow into the entire software industry.
    • FOSS includes much of the most advanced work and tools for analyzing network/system weaknesses. These tools are a vital & dynamic part of security self-assessment.
    • FOSS concept of user autonomy enables rapid responses to novel types of infrastructure attacks. e.g.: GPL license grants user rights that allow security groups to change code without invoking slow, confusion-prone "owner loops."
    The GPL has a number of features that benefit security groups and applications:
    • GPL user rights make it possible for groups to develop rapid autonomous response capabilities for handling novel cyber attacks.
    • Contrary to a widespread misconception, the GPL grants users the right not to release source code changes unless and until they release the corresponding binary software. This right allows rapid-response teams to keep critical changes "under wraps" until new attack modes have been fully analyzed and defeated.
    • Using GPL to encourage sharing of basic bug fixes provides a powerful tool for reducing network-wide cyber attack opportunities.
    • The GPL provides an effective pathway for rapid dispersion of critical defensive changes to users of shared GPL infrastructure.
    To view the entire presentation, you may need the free Microsoft Powerpoint viewer.
  134. So, instead of hidden holes... by generationxyu · · Score: 2

    ...that take months or more to get patched, you have well documented holes that take HOURS to get patched.

    --
    I mod down pyramid schemes in sigs.
  135. My letter to these folks by randall_burns · · Score: 5, Insightful

    I have worked in environments in which criminal gangs were quite active, specifically banks that process credit cards (www.outlander.com for my background).

    The claim that Open Source Projects are especially vulnerable to infiltration by folks with malicious intent strikes me as strange.

    We have large companies like Oracle and Microsoft extremely dependent upon technical help from politically volatile parts of the world (i.e. India/Pakistan, where there was serious threat of nuclear war not long ago), places where criminal terrorist organizations can run operations they can't in a developed country. In India, for example, there are tens of thousands of people that have been declared legally dead so someone can seize their property, and the victims can't clear up the issue years later.

    It isn't an issue of intent. Some overseas criminal organizations have a reputation for blackmailing their countrymen that don't want to participate in criminal activity, holding relatives as hostages.

    Can the average US company really do an effective background check in this kind of environment?

    With an open source project, at least I have a reasonable chance of understanding who the actual engineers of the project are, and I can judge the security based on the reputations of the people involved. I _can_ get independent examination of the code involved if I'm willing to pay for the service.

    Large "US" companies have this habit of substituting the cheapest possible resources with no consideration of long term consequences. How much is the word of a Larry Ellison or Bill Gates really worth on the subject of security? Would you bet your life on their judgement?

  136. Re:Sounds like someone trying to by controversial. by drakaan · · Score: 4, Insightful
    Do you seriously think that this type of problem would go unnoticed by the multitude of geeks out there? Once discovered, do you honestly think it would remain unreported? That's part of the goodness of Open Source...it's eminently auditable by everyone.

    Developers and sysadmins are the only ones who are going to notice anyway...my mom doesn't think about whether or not her new program does just what it says it will, and wouldn't update it, or ever be aware of this type of problem unless somebody told her about it.

    Do you think Microsoft finds most of the vulnerabilities in its products, or the legion of geeks out there?

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
  137. Re:Sounds like someone trying to by controversial. by Salamander · · Score: 2, Insightful

    If all someone does is check an MD5 on the executable they produce, they wasted their time and might as well have fetched the binary because nothing they build on their own is likely to match the official binary's MD5 anyway. The only real way to guarantee integrity is to require that every checked-in version of every file be signed using a trusted developer's key that is not stored on the public server. Far fewer than 100K people are even capable of doing such a check for any project without resulting in gazillions of false alarms that would only make it harder to spot the one real intrusion; realistically it will only be done by someone on the project's dev team. In other words, about the same number of people are really doing an effective check on an open-source project as would be doing one on a closed-source project. Given that a source-level exploit is more likely to occur in the first place when the source is widely and anonymously available, I'd say this indicates a danger that really is greater for open source. That doesn't mean open source is generally less secure; it just means that this one scenario does not favor them. The sourceforge etc. exploits demonstrate the danger of source exploits, and the open source community would be better off recognizing it than denying it.

    --
    Slashdot - News for Herds. Stuff that Splatters.
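    The integrity check the post above proposes (every checked-in version signed with a trusted developer's key that never touches the public server) can be shown end to end. The following is an added example, not code from the thread or from any project mentioned in it: a constructed in-memory source tree is reduced to a canonical manifest of SHA-256 hashes, the manifest is signed with an Ed25519 key (standing in for the developer's offline key), and a reviewer who only holds the public key verifies the fetched copy. A file modified on the server after signing fails the check. The tree contents, file names and the Tree type are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Tree is a constructed stand-in for a checked-out source tree: path -> contents.
// A real tool would walk the working copy instead.
type Tree map[string]string

// Manifest renders one "sha256  path" line per file, sorted by path, so the same
// tree always produces byte-identical input to the signature (order matters:
// an unsorted map walk would give a different manifest on every run).
func Manifest(t Tree) []byte {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256([]byte(t[p]))
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// SignTree is the step the trusted developer performs with a key that is
// never stored on the public server.
func SignTree(priv ed25519.PrivateKey, t Tree) []byte {
	return ed25519.Sign(priv, Manifest(t))
}

// VerifyTree is the step a reviewer performs on the copy fetched from the
// public server; the developer's public key is all they need.
func VerifyTree(pub ed25519.PublicKey, t Tree, sig []byte) bool {
	return ed25519.Verify(pub, Manifest(t), sig)
}

// Demo runs the scenario from the post: sign a clean tree, then check both the
// clean tree and a copy altered after signing. Returns (cleanOK, tamperedOK).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample tree (assumption for the example).
	tree := Tree{
		"src/main.c": "int main(void) { return 0; }\n",
		"src/util.h": "#define OK 0\n",
	}
	sig := SignTree(priv, tree)
	cleanOK := VerifyTree(pub, tree, sig)

	// Simulate a one-byte change made on the public server after signing.
	tampered := Tree{}
	for k, v := range tree {
		tampered[k] = v
	}
	tampered["src/util.h"] = "#define OK 1\n"
	tamperedOK := VerifyTree(pub, tampered, sig)
	return cleanOK, tamperedOK
}

func main() {
	cleanOK, tamperedOK := Demo()
	fmt.Printf("clean tree verifies: %v\n", cleanOK)       // true
	fmt.Printf("tampered tree verifies: %v\n", tamperedOK) // false
}
```

    Note that the signature covers the manifest, not the files directly, so adding, removing or renaming a file changes the signed bytes just as editing one does; and because the manifest is deterministic, two reviewers comparing independent checkouts get the same verdict without the false alarms the post warns about.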
  138. Re:It's a moot point... by Dr.+Shim · · Score: 2, Insightful

    Any half-way decent government, I'm sure, will be much more interested in how secure the environment is. Personally, I'd spend more money on a secure platform than I would on a free, unstable platform.

    Whether it's Microsoft, IBM, hell! It could be Apple. I'd just want to get to know them reeal good before doing anything like that with them.

    --
    People discover the meaning of life between getting piss drunk and the following hangover.
  139. Re:Sounds like someone trying to by controversial. by Haeleth · · Score: 2, Informative

    If all someone does is check an MD5 on the executable they produce, they wasted their time and might as well have fetched the binary because nothing they build on their own is likely to match the official binary's MD5 anyway.

    Indeed, even if they built their executable on the very computer the official binary was produced on, by executing the exact same commands as those used to produce the official binary, straight after the official binary was made, their binary's MD5 might well not match the official one, since many systems include the build time in their object files...

  140. Re:Sounds like someone trying to by controversial. by G27+Radio · · Score: 3, Interesting

    The big problem with the closed source model (as we may be about to find out first hand) is that once the source gets leaked, all those holes are out in public. The security through obscurity design model kinda falls apart at that point.

    The guy that wrote the original article is definitely trolling. Unless he really is a fool. I think anyone with even a little insight into how OSS works understands why it's inherently MORE secure than closed source. This "closed source is more secure" meme gets floated and shot down several times a year.

  141. THE key flaw in this argument by Lysol · · Score: 4, Informative

    This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.

    Of course you can get the source code and modify it. However, 99.9% of the time you cannot commit it back to the tree without first getting to know the guys running the project. And what usually comes first is submitting patches to the project via a project member (usually a high-level member, since some level of oversight and accountability is needed).

    Once that 'trial period' has passed, then a coder can usually check into the repository head. However, I don't see any major difference in that respect to someone working at [insert super software company here] and someone coming in and being a good person for a bit and then adding back doors to code.

    The author assumes that as soon as you get the repository login set up on yr machine, then you're just able to start fucking things up. This is highly unlikely and since that, in my view, is the most fundamental piece of team programming, I find his argument to be dead right there.

    As for distributing the results, that is also flawed but not by logic, but by market forces. Even if someone got a hold of the entire RedHat repository or Evolution for that matter, I don't think people would be using that product for a few reasons.
    1. Lacks credibility. Forks have a hard enough time gaining interest from the project they forked off. So why would someone want to fork something just to insert back doors and take over the world? Seems like an awful waste of time and effort. And just because you fork it, doesn't mean they'll come.
    2. Even if a 'malware' fork happened, it wouldn't stay afloat long. It would probably take less than a day for someone to figure out something was going down and to spread the word. Again, the OS community is the key here. You wouldn't see this happen behind closed doors.

    This guy lives in the fairytale land of spooks and secrets and bad guys around every corner. While I'm sure there are plenty of fallings out between people in various projects and groups, it's highly unlikely that any of these scenarios the author plays out will ever come true. In any ecosystem, only the strong will survive. And I just can't see some 'malware' being released and taking over everything. In fact, all the worst case infections and money losers to date have all happened in the ActiveX/DevX/.NET/M$ proprietary, closed door, secret world. Of course this guy has this opinion. He exists in a world where everyone is paranoid and everything not yours is evil or doomed to failure or ripe for punishing.

    Free your mind..

  142. Re:Sounds like someone trying to by controversial. by thirdrock · · Score: 2, Informative

    Back in the 30's and 40's Time and Life Magazine publisher, Harry Luce, overlooked the realities of Chiang Kai-shek's brutal regime in China, choosing to believe Chiang was a Christian and a good leader, while Mao was a monster backed by the godless communists of Moscow. Luce's publications were the word. Too bad he had it wrong and couldn't see it. This guy is about as blind to reality.

    First of all, it was Henry Luce. He and Charlie Soong were making an absolute fortune from printing and selling bibles in China. Charlie Soong was well connected with the Kuo Min Tang and eventually one of his daughters married Chiang Kai-shek, and another married Sun Yat Sen.

    The Kuo Min Tang, however, was not really considered a 'brutal regime' until the communist movement arrived in the cities (Shanghai in particular), after which it cracked down brutally on Communists and the infant Trade Union Movement.
    Before that, however, the Kuo Min Tang was the political successor to a criminal organisation known as the Green Gang, who eventually came to distribute nearly half of the opium in China. Chiang Kai-shek rose to a position of power in the Green Gang before joining the military. Once the Kuo Min Tang was in power, they assisted the Green Gang in distributing opium and eliminating competitors.

    Later, when the Nationalist army was fighting the Communists, Henry Luce and Charlie Soong lobbied in Washington to support 'Christian' Chiang Kai-shek. Many millions of dollars were funneled from Washington, but very little of it reached the troops fighting on the ground. Most of the money appears to have ended up in Charlie Soong's sons' and Chiang Kai-shek's bank accounts.

    Chiang Kai-shek and Charlie Soong were probably the richest and most successful 'rice Christians' in history.

    --
    >>
    I am the director, and this is my movie ...
  143. Re:Sounds like someone trying to by controversial. by persist1 · · Score: 2, Insightful
    I'd much rather have .05% of 100,000 checking than 50% of 10.
    ...Especially since that group is self-selecting, and in a larger population of users is likely by comparison to have a much higher degree of technical skill when compared to the median. In other words, an armchair statistician is saying, me too.
    --
    ...When in doubt, think for yourself.
  144. Open source model is hardly perfect by TrollBridge · · Score: 2, Insightful
    Wow, talk about a one-sided argument! Let's pretend for a moment that you are objective, OSS isn't developed/maintained by saints, and that commercial software developers can learn from their mistakes.

    I submit another very realistic possibility:

    Open source - starts off with lots of exploits, remains with lots of exploits because more 'community' resources are being spent on breaking it than fixing it. Over time, software becomes irrelevant.

    Closed source (and all closed source software is developed by Microsoft, ya know) - Exploits are harder to find, but are eventually exploited by people with nothing better to do with their time. Company patches discreetly, and over time, software becomes more secure, and company programming techniques become more refined.

    Now I'm not trying to make generalizations as the parent apparently is. I just wanted to point out that both models have their merits and flaws, regardless of the zealots who suggest that one system is perfect.

    --
    There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
    1. Re:Open source model is hardly perfect by John+Courtland · · Score: 3, Insightful

      Closed source will never be like that simply because the sheer price of developing millions of lines of code to near perfect standards is astounding, and no one will want to pay for the end result. Look at how much the F22 Raptor development costs. How many millions of lines of code are there? It's less than Windows and Linux both, it's written in a near crashproof language (Ada) and yet it still needs to reboot. It still fails, yet it costs phenomenal amounts of money to even develop it to that point.

      --
      Slashdot is proof that Sturgeon's Law applies to mankind.
    2. Re:Open source model is hardly perfect by WNight · · Score: 2, Insightful

      LOC isn't a valid metric. And not just that it's different between languages, but that it's dependent on programming style. An old-style monolithic program has a lot more interdependencies than one composed of a bunch of separate modules.

    3. Re:Open source model is hardly perfect by John+Courtland · · Score: 3, Insightful

      Ada forces you to handle all exceptions, sort of like Java, but much more insane. It's perfect for a mission critical app, because no run-time situation is unaccounted for. I wasn't saying it was a silver bullet either, just that it is a very professional and specialized system, running on usually very professional and specialized equipment, where errors need to be minimal, or at least recovered from gracefully.
      I like open source too, I sort of don't understand why you thought I didn't (maybe this is a tangent, I don't know). I think redhat is more guaranteeing their professional server software is stable enough for production use, which is why it costs more. Plus having someone on the phone you can call, that's always a benefit to some companies.

      --
      Slashdot is proof that Sturgeon's Law applies to mankind.
    4. Re:Open source model is hardly perfect by Endive4Ever · · Score: 2, Insightful

      What you're saying is true. So where's the Product Spec for Linux? Where's the Design Document? Did qualified experts sign off on it? Is there modularity? Where do I download the test cases? Can I independently run the test cases?

      When the programmers submit their code, who sits in on the code review? Do the VT (verification test) people work closely with the coders? And where do I download the design review document for each new kernel release?

      --
      ---
    5. Re:Open source model is hardly perfect by Haxwell · · Score: 2, Insightful

      >I submit another very realistic possibility:

      >Open source - starts off with lots of exploits, remains with lots of exploits because more 'community' resourses are being spent on breaking it than fixing it. Over time, software becomes irrelevant.

      That's really not a very realistic possibility. Say some software was released and full of exploits that could potentially bring down the human race as we know it. If such software was released, and it served a useful purpose for even a relatively small number of people (just to give it a number, say 1,000), and it was being actively maintained, its exploits would be fixed. Why would anybody taking the time to maintain a project do it to add exploits? And if anybody did just add exploits, why would anybody use the software? Also, if people were in desperate need of the software, but it was being corrupted, someone would fork the project and create a trustworthy distribution.

      Open Source works because it does what people want it to do. If a project doesn't do what people want it to do, it is either abandoned (and good riddance, anyway), or someone will pick up the ball and make it do what they want it to do.

      But you knew that.. You couldn't honestly believe the community would spend more time destroying the value of its software than adding to it, could you?

      Hax.

      --
      http://www.haxwell.org
  145. My very simply reply to that concept... by vhold · · Score: 3, Insightful

    How many times have you gotten the shaft from a company you actually bought their software from? And have had a support contract with?

    I've had more luck getting and giving support for open source products than I have for ones I actually paid for. I'm not saying that paid software sucks just for that reason or anything; there are a ton of products for which there's no open source alternative even coming close, and probably won't be for an extremely long time, but don't try to sell the argument that poor support in free software makes it bad when we almost all know from experience how poor the paid support often is.

  146. The rebuttal by kwiqsilver · · Score: 2, Informative

    Hidden under their tiny Open Source section:
    rebuttal

    Looking at the list of topics in their menu, and the predominance of MS products, it's obviously a biased site.

  147. Well, I do gov't IT and we pay for vendor screwups by plcurechax · · Score: 2, Interesting

    He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"

    The federal department I work for is rapidly moving towards open source because we cannot afford to be constantly screwed by the traditional commercial vendors. We simply couldn't afford to keep paying for screw ups by HP, Cisco, Unisys, MCI, Teleglobe, and Dell. Nor could we afford the upgrade cycle recommended by commercial software vendors like Microsoft.

    So we are increasing our in-house staff by 3 full-time people (no expensive contractors) and adopting open source to reduce cost and take control over our infrastructure, in the process improving reliability drastically, saving the taxpayers big dollars through reduced overtime in operational costs, drastically reducing software maintenance costs, and making nearly everyone but Microsoft and friends happy.

  148. Mod the parent INSIGHTFUL. . . by UFNinja · · Score: 3, Funny

    That was a piss poor article!

  149. Trusted sources by yintercept · · Score: 5, Insightful

    Already we are seeing more and more proprietary software including adware components, anticompetitive modules which disable competitor's products, etc..

    Our big problem today is that we are running thin on trusted sources for code. In this regard, the open source model is superior in that it is easier for trusted sources to monitor open software. As to whether or not trustworthy companies will continue to exist...that is a question outside the open v. closed code question.

    One of the really sad developments is that the growing lack of trust in the industry hurts the small companies the hardest. Quite often the small firms are the most trustworthy. Of course, small firms have a high fail rate. People who buy up failed small firms are often the worst wolves in the pack.

  150. Who is guarding the guardians by Kirth · · Score: 2, Informative

    Well, I'd rather be able to read the source at all, than to blindly trust.

    You know, we had that, the NSA getting companies to put backdoors into products. Here in Switzerland:

    http://jya.com/nsa-sun.htm
    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  151. Re:Sounds like someone trying to by controversial. by crucini · · Score: 2, Interesting

    I don't think you quite understood his scenario. Let's say Vendor X gets a contract to provide a government agency with 800 desktop computers, with Linux, OpenOffice, etc. Meeting a bunch of carefully written specs from that agency's IT department. Vendor X takes Fedora or Gentoo or Debian and customizes it, complete with a "Foo Agency" splash screen, encrypted disk partitions, escrowed bypass for crypto, etc.

    How do we know they didn't plant malware in OpenOffice? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. How much do you know about the Linux being used by Burlington Coat Factory, for example?

    I'm not saying this argument is airtight, just that you didn't really address it.

  152. Re:Sounds like someone trying to by controversial. by adrianbaugh · · Score: 3, Interesting

    Wouldn't help you against a C compiler hack in the style of Ken Thompson's classic. That's a pretty paranoid example but it does show that to be perfectly secure in your system you do need to know everything about it, from the ground up. Compiling from a known-good source isn't always enough.

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  153. Re:Sounds like someone trying to by controversial. by adrianbaugh · · Score: 2, Funny

    In days gone by the term would just be "usenet poster"

    --
    "'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
    - JRR Tolkien.
  154. Re:Security problems? by darketernal · · Score: 2, Funny

    Addendum to my previous comment, I hadn't read the article carefully enough:

    yes, there is the issue of big name distros like Debian getting rooted. Yes, we heard about the attempt to corrupt Linux BKCVS (someone committed to the repository, disguised as Dave Miller). The OSS community as a whole found and corrected every case and the author of this article is looking for the time when we won't catch such a subversive change.

    Developer trust on the Internet is typically done via PGP/GPG too. Numerous key signatures verifying someone's identity are not ultimate proof, but they assist in reassuring people that a person with that name exists and probably is fairly trustworthy. I've mostly found all of the OSS developers I've met to be forthcoming and truthful and wanting their programs to be rock solid and uncorrupt.

    And only half tongue in cheek (considering the possibility that this is a fake)
    But can you explain why there are traces of Code Red sitting in the zipfile of the alleged leaked Windows source code? :)

  155. Books by "A. Russell Jones" on Amazon... by dhall · · Score: 4, Insightful

    http://www.lowth.com/alist/author/-/A%20Russell%20Jones/1

    Mastering ASP.NET with VB.NET
    Mastering ASP.Net with Visual C#
    Visual Basic Developer's Guide to Asp and IIS .NET Programming 10-Minute Solutions

    Now, he may be serious with his accusations against open source. His message borders on the evangelical against open source software? A proprietary, Microsoft zealot, which is no better or worse than a rabid Linux Zealot?

    There's already a rebuttal editorial on Devx.com's main webpage by another Engineer there.

    http://www.devx.com/opensource/Article/20135

    Now as to whether this was some kind of publicity stunt to garner more traffic to their website, since before today I'd never heard of them... they've been quite successful. They've probably seen more traffic today than in quite a while, but it seems like an infantile cry for attention.

    Why not? It's obvious that absurd and completely ridiculous claims can be made for public perusal (aka SCO) and gather quite a bit of the media spotlight. It's a precedent already set in our culture that favors glitz and glamor over substance.

  156. Open Letter to Ron Jones at devX by borgheron · · Score: 2, Interesting

    Ron,

    I'm going to discuss some of the more glaring issues with your article below:

    "An old adage that governments would be well-served to heed is: You get what
    you pay for. When you rely on free or low-cost products, you often get the
    shaft, and that, in my opinion, is exactly what governments are on track to
    get."

    Much hullabaloo has been caused by the use of the word Free in Free Software.
    Please remember it's free as in freedom, not cost. Also remember that major
    players such as IBM, HP, and Dell and numerous smaller companies are actively
    involved in the creation and maintenance of Linux. It's not just a hobbyist
    OS anymore.

    "Eventually--and inevitably--an open source product will be found to contain a
    security breach--not one discovered by hackers, security personnel, or a CS
    student or professor. Instead, the security breach will be placed into the open
    source software from inside, by someone working on the project."

    There are known cases where this has happened on closed-source projects.
    Microsoft Windows, in fact, has many "easter eggs" which are basically hidden
    surprises for the user if he/she hits a certain combination of keys. Even
    these relatively minor "jokes in the code" and potential "security problems"
    wouldn't fly in an open source project since, in order to succeed *all of the
    people involved in the project* would need to be in on the breach.

    Case in point: there was some code which was committed to the Linux kernel a
    while back which would have introduced a security flaw. Within hours of its
    commit to the repository it was caught by the other maintainers, who determined
    it was a mistake, not a deliberate breach.

    "Because anyone can create and market--or give away--a Linux distribution,
    there's also a reasonably high risk that someone will create a distribution
    specifically intended to subvert security. And how would anyone know?"

    Because they can check the source, and most of us who do use Linux would check
    the source. Any "subversive" distribution would quickly be detected by the
    community at large.

    "I'm not naive enough to think that proprietary commercial operating system
    software doesn't have the same sort of vulnerability, but the barriers to
    implementing them are much higher, because the source is better protected. I
    think such a scenario is far less likely than finding a group of people willing
    and able to create and market a malware open source distribution."

    Your assertion here is incorrect. Since there are fewer people in a company
    to actually vet the software out before it gets released, it's much more likely
    that a problem will get out into the wild before anyone catches it.

    Case in point: Microsoft Windows' numerous security bugs. A bug in the IP
    stack of Microsoft Windows is what allowed the CodeRed worm to work its way
    into so many corporate networks all over the world year before last.

    "Who's Watching the Watchers?"

    All of us.

    In summary, I find your article to be another piece of FUD from someone who is
    either unwilling or not capable of fully understanding Free Software or Open
    Source Software. I find it sad that it passes for news on an otherwise
    respectable site.

    Good day,

    GJC

    =====
    Gregory John Casamento -- CEO/President Open Logic Corp.
    -- bheron on #gnustep, #linuxstep, & #gormtalk ----------------
    Please sign the petition against software patents at:
    http://www.petitiononline.com/pasp01/petition.html
    -- Maintainer of Gorm (featured in April Linux Journal) -------

    --
    Gregory Casamento
    ## Chief Maintainer for GNUstep
  157. Re:Sounds like someone trying to by controversial. by Endive4Ever · · Score: 2, Insightful

    That's part of the goodness of Open Source...it's eminently auditable by everyone.

    However, the diversity, the forkedness of OS software means there are thousands of variations that would all need auditing.

    You're not going to get everybody to audit each version. You're not going to be able to register and secure each place along the chain from source to your company's thousand desktops that the software touches base.

    Without a trusted source, and traceability, it's all over. And for the most part, a pressed closed-source CD from a commercial outfit has a lot more of the 'opening' for corruption closed than a source repository on the public internet and/or a binary update website at Red Hat.

    In a paranoiac's world, a 'trusted source' is necessary for any software distribution method, open or closed source in origin.

    --
    ---
  158. DevX is a division of Jupitermedia Corporation by rnturn · · Score: 2, Interesting

    Now where have we heard of them before?

    Oh, yes. They're the ones associated with Darl McBride's infamous code presentation at CDXPO. So I guess if you can't impugn open source development by supporting McBride's inane ramblings, encourage one of your publications to sling a little mud with old, outdated theories that being able to see source code means that the criminal element will be writing exploits for it or infiltrating the kernel development team and inserting backdoors.

    Yes, sir! At DevX and Jupitermedia, security through obscurity is alive and well.

    I couldn't find a single idea in this ``piece'' (oh, it's a piece alright) that was original or to be taken seriously. I suspect that the author just had a flash (``Ooh! Ooh! "Who will guard the guards?" That's clever, now I can write an anti-Linux article!'') and saw a chance for his employer to get some web page hits.

    --
    CUR ALLOC 20195.....5804M
    1. Re:DevX is a division of Jupitermedia Corporation by oldgeezer1954 · · Score: 2, Insightful

      Hmm and Jupiter is owned by Royce Assoc which holds a 5% interest in SCO.
      The plot thickens.

  159. 4. Profit! by Tablizer · · Score: 2, Funny

    1. Lose job to offshoring
    2. Grow desperate
    3. Sell out to big corps by writing article
    4. Profit!

  160. Re:No one pays for IE. by TKinias · · Score: 2, Insightful

    scripsit BoomerSooner:

    Sheesh, didn't you know you could download it for free? Hell I even have IE on my Mac.

    A financial transaction may not be required to get the binaries, no. But eventually, they pay.

    --
    In principio creauit Linus Linucem.
  161. Why governments use open source by spun · · Score: 2, Insightful

    One of the main reasons for governments to use Open Source is that they can train and employ their own people in its use, maintenance, and development. That is an investment in your country's future. People will be looking at the source in schools, learning how to extend and maintain it with features useful to the people using it. Backdoors would likely be found.

    Why is it more likely that an open source company installing systems for a large government agency would install malware than an equivalent closed source company? The government agency should be subjecting the computers to some kind of security and quality assurance tests in any case. If they are handling confidential data, the tests become even more rigorous.

    Why trust some company from a foreign country over a company from your own country working with source your own people can inspect and compile? The reasons for governments to use open source are: they can build up their own people's technical knowledge doing so, they are then independent from possibly hostile and certainly mercenary foreign corporations, and most importantly, they can check and compile the source for security reasons. Claiming that they wouldn't do such a thing is simply ignoring one of the most important reasons a country would want to use open source in the first place.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  162. Ironic slashdot ordering by zekt · · Score: 2, Funny

    This story comes right after the story that Windows 2000 and NT code has been leaked onto the net. Now that both Linux and 2000/NT source are out there, we can ask the question, which of those two source code trees are you more worried about having in the wild!?

    --
    In my next incarnation, I hope to come back as a code monkey.
  163. SOURCE CODE OMFG R0Xx0R!!!!1!!1!1111 by Xidius · · Score: 2, Funny

    /* Source Code Windows 2000 */
    #include "win31.h"
    #include "win95.h"
    #include "win98.h"
    #include "workst~1.h"
    #include "evenmore.h"
    #include "oldstuff.h"
    #include "billrulz.h"
    #include "monopoly.h"
    #include "backdoor.h"
    #define INSTALL = HARD
    char make_prog_look_big(16000000);
    void main()
    {
        while(!CRASHED)
        {
            display_copyright_message();
            display_bill_rules_message();
            do_nothing_loop();
            if (first_time_installation)
            {
                make_100_megabyte_swapfile();
                do_nothing_loop();
                totally_screw_up_HPFS_file_system();
                search_and_destroy_the_rest_of-OS2();
                make_futile_attempt_to_damage_Linux();
                disable_Netscape();
                disable_RealPlayer();
                disable_Lotus_Products();
                hang_system();
            } //if
            write_something(anything);
            display_copyright_message();
            do_nothing_loop();
            do_some_stuff();
            if (still_not_crashed)
            {
                display_copyright_message();
                do_nothing_loop();
                basically_run_windows_31();
                do_nothing_loop();
            } // if
        } //while
        if (fast_cpu())
        {
            set_wait_states(lots);
            set_mouse(speed,very_slow);
            set_mouse(action,jumpy);
            set_mouse(reaction,sometimes);
        } //if
        /* printf("Welcome to Windows 3.1"); */
        /* printf("Welcome to Windows 3.11"); */
        /* printf("Welcome to Windows 95"); */
        /* printf("Welcome to Windows NT 3.0"); */
        /* printf("Welcome to Windows 98"); */
        /* printf("Welcome to Windows NT 4.0"); */
        printf("Welcome to Windows 2000");
        if (system_ok())
            crash(to_dos_prompt)
        else
            system_memory = open("a:\swp0001.swp",O_CREATE);
        while(something)
        {
            sleep(5);
            get_user_input();
            sleep(5);
            act_on_user_input();
            sleep(5);
        } // while
        create_general_protection_fault();
    } // main

  164. Re:Sounds like someone trying to by controversial. by FIGJAM · · Score: 2, Funny

    This! Makes! You! Sound! A! Lot! More! Like! William! Shatner!

    --
    Do your best, hope for the best, suspect the worst.
  165. Well, you also often get the shaft when you rely by MichaelPenne · · Score: 2

    on expensive or budget busting software.

    At least with free software, when you get the shaft, you can often still afford to hire a programmer to get it out.

    While with closed source software, you usually have to learn to work around the shaft until marketing decides whether they would make more $ taking it out or sticking it in further...

  166. Re:Sounds like someone trying to by controversial. by aweraw · · Score: 3, Informative

    Who's accountable? Names and phone numbers are what most businesses expect. Not a handle in an IRC channel. Not Usenet posts.

    What if there was someone to hold accountable? Someone who knew about the software because they installed it themselves? Names and phone numbers covered.

    Do you seriously think, that if you ever sued a Microsoft due to a software bug leading to a massive security breach, you'd ever see a red cent? No, there are terms in their EULAs that absolve them of any responsibility. How is this different from the terms stated in GPL/BSD licenses? What accountability are you referring to?

    --
    5468652047616D65
  167. the pay by Tom · · Score: 4, Insightful

    "You get what you pay for."

    Flawed assumption: There is a direct relation between quality and price.

    Why is it wrong? Because in the real world, where some of us still live, many factors aside from quality influence the price. Here is a short list of some:

    * Quantity, lowering per-unit-prices
    * Price perceptions, i.e. brand vs. no-brand
    * Delivery, packaging and other overhead costs
    * Regulations, legal costs and other burned money
    * Intentional price modifications, i.e. dumping

    And then, of course, the entire logic only applies to things that are actually sold. Any math person knows that comparisons with zero are always dangerous. Quick, what's two times zero? Maybe we should just double the price for Linux, then (in his eyes) it becomes twice as good. :)

    --
    Assorted stuff I do sometimes: Lemuria.org
  168. Re:Sounds like someone trying to by controversial. by nathanh · · Score: 2, Insightful

    I don't think you quite understood his scenario. Let's say Vendor X gets a contract to provide a government agency with 800 desktop computers, with Linux, OpenOffice, etc. Meeting a bunch of carefully written specs from that agency's IT department. Vendor X takes Fedora or Gentoo or Debian and customizes it, complete with a "Foo Agency" splash screen, encrypted disk partitions, escrowed bypass for crypto, etc.

    How do we know they didn't plant malware in OpenOffice? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. How much do you know about the Linux being used by Burlington Coat Factory, for example?

    "Let's say Vendor X gets a contract to provide a government agency with 800 desktop computers, with Windows, Office, etc. Meeting a bunch of carefully written specs from that agency's IT department. Vendor X takes Windows XP and customizes it, complete with a "Foo Agency" splash screen, encrypted disk partitions, escrowed bypass for crypto, etc.

    "How do we know they didn't plant malware in Windows? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. "

    The problem with your example, and with the article that preceded this thread, is that it discusses problems that are common to both open and closed source. The real question is "how can we trust contractors to not screw us". Blaming open-source is disingenuous.

  169. Re:Sounds like someone trying to by controversial. by drakaan · · Score: 2, Insightful

    If you want to be difficult, fine...

    Where is the documented review process for closed-source software? Are the reviewers in THAT process qualified? Who decides that they are? How even is the quality in closed-source software, and how would you prove it one way or another?

    Who's accountable? Well, ultimately (just as with most closed-source software), the user of the software is solely responsible for whatever the software does. If you're talking about "accountability" in terms of "who do I sue?", then I would assume that you would sue the company that packages your particular piece of software. I'm pretty sure most of those companies that are reputable enough to have lawsuits filed against them in the event of some unspecified situation with code will have phone numbers and addresses. If you're a business using software that's not available through some easily identifiable source, then you're operating in the "stupid zone".

    I understand the point that you're trying to make, but the argument just doesn't have any teeth. There are too many differences with the way things are in reality for the theory to make any sense.

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law