Slashdot Mirror


Is Open Source Fertile Ground for Foul Play?

jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"

32 of 723 comments

  1. Sounds like someone trying to be controversial... by yar · · Score: 5, Insightful

    I wish people would use any kind of proof with this type of article... but I suppose they can't.

    "Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."

    And of course there just CAN'T be any guard against the actual program being implemented differing from the publicly available source... :P

    "I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."

    And when those holes are discovered, they aren't published at all. And the proprietary owner has a far more difficult time finding these existing holes themselves. And most of all, there's NOTHING STOPPING THE PROPRIETARY OWNER from implementing this same type of worst-case scenario the author of this piece describes, and an even smaller chance of discovery by outsiders. Sheesh.

  2. Russell seems a bit dated by Raindance · · Score: 5, Insightful

    'You get what you pay for'?

    Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.

    There might be security concerns with Open Source (he, most interestingly, doesn't go into security concerns with closed source or compare track-records); however, Russell is trying to pull a fast one as this is a different (and, I'd argue, wrongful) criticism of OS.

    RD

    1. Re:Russell seems a bit dated by haystor · · Score: 5, Insightful

      The irony is that his article is freely available.

      --
      t
  3. Wow by daeley · · Score: 5, Funny

    Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...

    --
    I watched C-beams glitter in the dark near the Tannhauser gate.
  4. Ahhh.. by Jeremiah+Cornelius · · Score: 5, Funny
    An article-length Troll.

    The whole thread that will light-up in response to this old chestnut!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. What a sellout by dtfinch · · Score: 5, Insightful

    Everything he claims can go wrong with open source can go wrong with closed source, but with closed source you have fewer people watching to catch malicious code additions before stable release.

  6. "Anyone who cares to join" by tcopeland · · Score: 5, Insightful

    Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

    Bosh. Open source project leaders - especially the leaders of popular projects - don't let just anyone have write access. Also, commits almost always go to a mailing list to be reviewed by the other committers and lurkers.

    And of course, there's no way a commercial product could be infiltrated by someone who wants to inject harmful code. Impossible!
  7. Microsoft irony is not lost by uqbar · · Score: 5, Insightful

    Releasing this kind of rhetoric just days after the latest MS security fiasco would be funny - if the reality wasn't so sad...

  8. Closed source is fertile ground for foul play by Eric+Smith · · Score: 5, Insightful

    Closed source software, because of its very closedness, will inevitably lead to security concerns. This makes adoption of closed source software by governments particularly worrisome. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get if they fail to switch to open source software.

  9. Fear Outlook Express for Linux... by LostCluster · · Score: 5, Insightful

    I doubt Microsoft will ever write software for Linux, but it's inevitable that things like Lindows will forever strive to make Linux as easy as Windows because that's essential for Linux to take over the desktop market.

    However, with that, some of the inherent security of Linux fails. Imagine an e-mail client that will execute a binary attachment with no questions asked because the user double-clicked on the pretty icon. That's how MyDoom spread on Windows, and basically, it's the fact that the current setup for Linux makes it hard to execute something new that makes people realize what they have before they run it...

    As soon as we have pretty looking greeting card executables that run on Linux, the downfall will be what comes next...

  10. Um, yeah by Cthefuture · · Score: 5, Insightful

    Please cite some specific examples Mr. Jones.

    I mean, there is a whole friggin lot of open-source out there, there's bound to be a few examples of the problem? Right? Right???

    --
    The ratio of people to cake is too big
  11. Re:Sounds like someone trying to be controversial. by Anonymous Coward · · Score: 5, Funny

    Wow, an insightful first post.
    This day will go down in history.

  12. Take action by Strudleman · · Score: 5, Informative

    All these great replies, these reasons why Russell is wrong, will never be read by the public because they're stuck in /.

    Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."

    --
    Do it doug.
  13. My God! by shystershep · · Score: 5, Insightful

    He's a genius! This is actually a clever critique of the very dangers of closed source software, just disguised as a moronic attack on open source.

    Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.

    I mean, this can't actually be an argument that closed development by a "core group" that "won't make the corrupted version public" is more trustworthy than open development where anyone can see the code. Right? Right?

    --
    The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
  14. It's like Fred Moody all over again by Phaid · · Score: 5, Insightful

    Mod story down (-1, troll).

    Can we please stop letting people use slashdot to increase the hit rate on their articles in order to make themselves seem relevant to their bosses?

    Fred Moody, the infamous anti-Linux ABC News columnist, was doing the exact same thing four years ago. In fact, he was writing on pretty much the same subject, that Open Source is insecure and untrustworthy by its very nature.

    Those who do not study history are doomed to repost it.

  15. Re:Sounds like someone trying to be controversial. by LostCluster · · Score: 5, Insightful

    Yeah, OSS software is at risk of exploits, but he's neglecting the fact that once geeks realize that they can't compile the open source version to the binary, a red flag goes next to the binary. And if the binary starts doing malware things, then that binary goes down in flames, and the project will immediately fork with the last released source.

  16. At least they seem to practice what they preach by morelife · · Score: 5, Funny

    devx.com

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Thu, 12 Feb 2004 21:06:06 GMT
    X-Powered-By: ASP.NET

    In other news, the devx.com website was found lying in its own blood and excrement after being linked from Slashdot.ORG today.

  17. Impartiality by gowen · · Score: 5, Informative

    I believe every word of this article because A Russell Jones certainly has no vested interest in Microsoft based web solutions.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
  18. Re:Sounds like someone trying to be controversial. by Rev.LoveJoy · · Score: 5, Insightful
    Bingo.

    The author completely ignores the storied history of exactly this kind of thing in closed source software -- only these backdoors are called 'features' or 'easter eggs.'

    We need a new term for this kind of journalistic troll.

    -- Cheers,
    -- RLJ

  19. His points are valid by maroberts · · Score: 5, Insightful

    ...but governments and organisations should be exercising a modicum of care over who they get their source and binaries from. That's what MD5 checksums and trusted sources are there for.

    Open source development is not truly open to everybody; it is normally open to everyone who you allow to contribute code to your project. They've normally proved themselves by offering bug fixes and minor changes directly to you beforehand.

    The barriers to inserting malicious code in closed source are lower, not higher. Many an engineer has inserted a backdoor in his code which he surreptitiously used to help customers who lose passwords or setup info. However, a backdoor is just another way for a cracker to break into the system. Also, bored engineers often leave Easter eggs in their closed source, something hard to do when several thousand people may review your code to see what makes it tick. In mainstream projects like the Linux kernel, the bar to being allowed to contribute code is quite high, and your initial attempts are likely to be looked on with scorn by other project members.

    As for costing huge amounts of money, one wonders what MyDoom has been costing owners of that wonderful example of closed source software - Windows.

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  20. "How would anyone know?" by TheFrood · · Score: 5, Insightful

    From the article:

    Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?

    Oh, I don't know... maybe by looking at the source code?

    Turn it around now: Suppose a private company sold software with malicious code included to subvert security. How would anyone outside the company know?

    TheFrood

    --
    If you say "I'll probably get modded down for this..." then I will mod you down.
  21. Re:figures... by 8282now · · Score: 5, Informative

    In addition, it looks like this fellow's got a seriously vested interest in the spread of MS's closed source products.

    http://www.amazon.com/exec/obidos/search-handle-url/index=books&field-author=A.%20Russell%20Jones/103-4406437-9264652

  22. Re:Sounds like someone trying to be controversial. by Wyatt+Earp · · Score: 5, Funny

    "We need a new term for this kind of journalistic troll."

    No talent assclown.

  23. In other news .... by BaronAaron · · Score: 5, Funny

    DevX.com has reported a recent drop off in website hits and has implemented a campaign to "leverage" the Slashdot masses.

    The new project entitled "Flaming Troll" was kicked off today with an article that would be very interesting and informative for your average Slashdot reader.

    So far the project seems to be a success ...

  24. Re:Sounds like someone trying to be controversial. by the_mad_poster · · Score: 5, Insightful

    They're called .md5s. Use them. They exist for a reason. You'd have to have some godawful cooperation between some very mean people to successfully pull off a corruption on widely deployed OSS software AND not throw red flags up among people who have clean versions and clean md5 hashes.

    And, what's your point on stagnant OSS projects? I don't see Microsoft supporting Win3.1 anymore, but there's a lot of people still using that. The difference is that NOBODY can go through it and fix it up or make anything of it. If someone decides to pick up the pieces on an abandoned piece of OSS that shows promise they can do that.

    I hate when people do this. You didn't raise any issues that aren't a problem with ALL software, yet you are applying them specifically to OSS. If a server gets owned, it gets owned. It doesn't matter if it's commercial/proprietary, commercial/oss, or whatever. It's owned. Binaries can still be injected with malicious code. They're owned. Give it up. There's no inherent flaw in OSS.

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
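Comments 15, 19 and 24 above all lean on the same two checks: compare a shipped binary against what the published source builds to, and compare downloaded files against published checksums from a trusted source. The script below is an added example (not code from the page, the devx.com article, or any project named in the thread) that implements both. It reads a manifest in the `md5sum`/`sha256sum` output convention ("<hex>  <filename>"), reports per-file status, and flags MD5 entries as weak because MD5 collisions are practical. The file names, contents and hashes are constructed in memory so it runs offline.

```python
"""Verify downloaded artifacts against a checksum manifest, and flag a
distributed binary that does not match a rebuild from source.

Added example, not code from the page or the devx.com article. The
manifest format follows the coreutils `sha256sum`/`md5sum` output
convention ("<hex>  <filename>"); the sample files and digests below
are constructed in memory so the script runs offline.
"""
import hashlib

# Digest algorithms we accept, keyed by hex-digest length.
# MD5 (the one the comments mention) is kept for legacy manifests but
# marked weak: collisions are practical, so a matching MD5 proves far
# less than a matching SHA-256.
ALGOS = {32: ("md5", True), 64: ("sha256", False)}  # length -> (name, weak)


def parse_manifest(text):
    """Parse lines like '<hex>  <name>' into {name: (algo, hex, weak)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # '*' marks binary mode in coreutils output
        if len(digest) not in ALGOS or not name:
            raise ValueError("malformed manifest line: %r" % line)
        algo, weak = ALGOS[len(digest)]
        entries[name] = (algo, digest.lower(), weak)
    return entries


def verify_files(manifest, files):
    """Check each manifest entry against in-memory file contents.

    Returns {name: status} where status is one of
    'ok', 'ok-weak-hash', 'mismatch', 'missing'.
    """
    results = {}
    for name, (algo, expected, weak) in manifest.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if actual != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok-weak-hash" if weak else "ok"
    return results


def rebuild_matches(distributed, rebuilt):
    """Comment 15's red flag: does the shipped binary equal what the
    published source builds to? A byte-for-byte comparison via digests."""
    return hashlib.sha256(distributed).digest() == hashlib.sha256(rebuilt).digest()


# --- constructed sample data (hypothetical project and file names) -------
TARBALL = b"fake source tarball contents\n"
BINARY = b"\x7fELF fake binary built from TARBALL\n"
TAMPERED_BINARY = BINARY + b"; extra code nobody published\n"

MANIFEST = "\n".join([
    "# sha256 for the tarball, md5 for a legacy binary entry",
    hashlib.sha256(TARBALL).hexdigest() + "  project-1.0.tar.gz",
    hashlib.md5(BINARY).hexdigest() + "  project-1.0-bin",
    hashlib.sha256(b"never shipped").hexdigest() + "  project-1.0.sig",
])


def demo():
    """Run the manifest check against a download set where the mirror
    handed out a modified binary and never served the signature file."""
    manifest = parse_manifest(MANIFEST)
    downloaded = {
        "project-1.0.tar.gz": TARBALL,
        "project-1.0-bin": TAMPERED_BINARY,
    }
    return verify_files(manifest, downloaded)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
    print("rebuild matches:", rebuild_matches(TAMPERED_BINARY, BINARY))
```

One caveat the thread glosses over: a checksum file fetched from the same mirror as the tarball only catches accidental corruption. A mirror that ships a modified binary can just as easily ship a matching manifest, which is why the "trusted source" part matters as much as the hash: the manifest (or a signature over it) has to come from somewhere the attacker does not control.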
  25. Re:Sounds like someone trying to be controversial. by Jerf · · Score: 5, Insightful

    I think you've kind of missed the point here. The question isn't "Is Open Source invincible?", the question is "Is deliberate program corruption more likely to occur, all else being equal, in an Open Source program or a commercial program?"

    And while I'm not a free or open source fanatic, I have to say that I can't marshal any rational arguments that the commercial program is somehow safer from authorial corruption. It's virtually inconceivable that a large scale open-source program could have a backdoor or anything like that in it for any significant amount of time, and as for smaller projects, a one-man open source project may be just as likely to be corrupted as the one-man closed source product, but which is more likely to be detected before significant damage is done? The one with the source you can look at, hands down. (And the phrase "just as likely" is for rhetorical purposes; in the real world, the prospect of revealing the source surely impedes anybody who would put something nasty in there! That's way too accountable for someone like that's taste!)

    No system can be made perfectly safe. But to claim that commercial software is safer from deliberate authorial corruption takes willful and deliberate ignorance. I mean, seriously, claiming that the software I can't see, that I'm not allowed to see, is more likely to be pure than the stuff anybody (or anybody I hire) can look at is? That flies in the face of both logic and common sense, and is the kind of claim that has to be inflated into a long article to blind the reader with words before it can even come close to being seriously entertained; a paragraph summary doesn't pass the laugh test.

    And remember, it's not only "Will it happen?", but "Which will do more damage?" Even when break-ins happen in Open Source, the damage is typically swiftly controlled; people's reputations are on the line! Who even knows how much closed-source damage has been caused from breakins? Again, people's reputations are on the line, and the incentives to cover such things up are high.

    I just don't see a way, even in theory, where commercial software is safer against this sort of attack.

  26. Re:Sounds like someone trying to be controversial. by dustmote · · Score: 5, Insightful

    My guess is that the curve for open source is a lot different than commercial software.

    Open source - starts off, lots of exploits because the code is readily available. People using the package (assuming it's valuable enough to merit it) fix problem, submit patches. Over time software becomes more secure.

    Closed source - Exploits harder to find, eventually found due to sheer perseverance of legions of script kiddies and their slightly more talented brethren. Company denies existence of problem, patches discreetly and only occasionally, eventually begins to become marginalized due to shoddy business practices, begins suing everyone in sight in a sad attempt to revive an obviously dying business. Meanwhile, Bill Gates rolls over in his sleep, makes another fifteen million dollars.

    (Or maybe I've just had too much coffee today, and am being silly. Time will tell.)

    --
    -1, "1337" speak
  27. Re:Sounds like someone trying to be controversial. by SvendTofte · · Score: 5, Informative

    Email the author. I just did, rebutting two of his "points". rjones@devx.com

    Hey Russell,

    Just two obvious points of rebuttal.

    1. Your question:

    Who's Watching the Watchers?

    Makes a cold chill run down my spine when I think of closed source software. In fact, many of your statements, such as the rogue coder, hold just as true for CSS. The difference? You (as a consumer) cannot see the code. An atmosphere which breeds closedness and non-disclosure of hacker attacks is far more scary than one (such as Debian) which openly announces that it has been hacked. Imagine a hacker gaining access to Microsoft code. Imagine MS catching him and removing the malicious code. But ... did they get it all? Only the hacker will ever know.

    Your statement that "core" members will port the code just doesn't make sense. Assuming we're not into the old chicken-and-egg problem with the bootstrapping compiler, an Open Source project is defined as having the source open. If you compile a program and it ends up different from the one you downloaded, then something is very wrong indeed.

    2. In academia and security circles, full disclosure, to be able to repeat trials and to be able to uncover weaknesses in software, is the norm. Hiding behind binary code does not a very powerful brick wall make. Hiding behind a well-thought-out design which is not open to attacks (confirmed by peer review) and relies on algorithmic defences makes a strong brick wall.

    I am sorry, but all in all, a very poor article.

    Regards,
    Svend

  28. Re:Sounds like someone trying to be controversial. by gumbright · · Score: 5, Funny

    Close, but you misspelled it. Its: F-u-c-k-t-a-r-d

  29. Closed source can be just as bad. by xeeno · · Score: 5, Insightful

    What guarantee, as a company, do you have that the product that you paid for wasn't authored with the intent of gathering malign information about you?
    None whatsoever.
    Remember those old ATI drivers that ran special "optimizations" when used with the quake3a binary? They were closed source and geared to misrepresent the performance of their card to the community. I suspect that if those drivers were open source that little trick wouldn't have gone unnoticed for long.
    I'm not advocating open source as the end all and be all of things, because it isn't. However, you're an idiot if you think that paying for something means that it's safe.

    For gods sake, look at IE.

  30. My letter to these folks by randall_burns · · Score: 5, Insightful

    I have worked in environments in which criminal gangs were quite active, specifically banks that process credit cards (www.outlander.com for my background).

    The claim that Open Source Projects are especially vulnerable to infiltration by folks with malicious intent strikes me as strange.

    We have large companies like Oracle and Microsoft extremely dependent upon technical help from politically volatile parts of the world (i.e. India/Pakistan, where there was serious threat of nuclear war not long ago), places where criminal terrorist organizations can run operations they can't in a developed country. In India, there are for example tens of thousands of people that have been declared legally dead so someone can seize their property, and the victims can't clear up the issue years later.

    It isn't an issue of intent. Some overseas criminal organizations have a reputation for blackmailing their countrymen that don't want to participate in criminal activity, holding relatives as hostage.

    Can the average US company really do an effective background check in this kind of environment?

    With an open source project, at least I have a reasonable chance of understanding who the actual engineers of the project are, and I can judge the security based on the reputations of the people involved. I _can_ get independent examination of the code involved if I'm willing to pay for the service.

    Large "US" companies have this habit of substituting the cheapest possible resources with no consideration of long term consequences. How much is the word of a Larry Ellison or Bill Gates really worth on the subject of security? Would you bet your life on their judgement?

  31. Trusted sources by yintercept · · Score: 5, Insightful

    Already we are seeing more and more proprietary software including adware components, anticompetitive modules which disable competitor's products, etc..

    Our big problem today is that we are running thin on trusted sources for code. In this regard, the open source model is superior in that it is easier for trusted sources to monitor open software. As to whether or not trustworthy companies will continue to exist...that is a question outside the open v. closed code question.

    One of the really sad developments is that the growing lack of trust in the industry hurts the small companies the hardest. Quite often the small firms are the most trustworthy. Of course, small firms have a high fail rate. People who buy up failed small firms are often the worst wolves in the pack.