Slashdot Mirror
Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones as thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and
posted a response over on the O'Reilly Network. As previously
discussed on /. Jones' comments are too controversial to ignore."
Nice article!
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
.. one example of which is This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Yes as we all know, *anyone* is free to modify the source code, and then sell or distribute it, and we're all such trusting souls. Only this morning I chmod +x'ed and executed a binary (as root) which I had earlier accepted from a kindly stranger. More FUD methinks..
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.
Heironymous' Prime Law of Journalism:
Opions are valued in inverse relation to the amount of money paid to produce them.
In this case, the opinion that transparency is bad for security is of so little value that it's difficult to answer it with a serious tone.
After all, Windows is remarkable for its security wrt to something like, OpenBSD, known for its secretive and opaque practices.
lol.
Ceci n'est pas une signature
Now that the MS source for NT 4 and Win2k is "out there", even if only in part, we'll have a good chance to see exactly how secure it is over the next several months.
Anyone want to bet that the number of exploited Windows security holes is NOT gonna soar?
I fail to see how his logic works.
Because I can view the source code and change the source code, I can introduce a flaw. Yet it would be far less likely for a for-profit closed source project to be swayed by some sort of ulterior motive to include a flaw, because we have seen exactly how ethical and steadfast corporations are in this modern day and age.
It seems that he doesn't acknowledge that the aspect that makes open source secure is that it's hard to have a unified, systematic, malevolent agenda due to the extensive peer review inherit in the system. People who have different agendas or motives than you will be viewing your changes.
While his hypothesized scenario is certainly possible, I wouldn't go so far as to say it is a bane.
10 yo kid knows that Linux is far more secure than Windows
SHE does throw dice.
Journalism is a difficult profession, demanding a rigorous editorial line between "church and state".
Yes, I'll second that faster than you can say "Antidisestablishmentarianism".
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
There is no doubt it may help someone to break into your system if he has the source code or your OS and various deamons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.
.... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the opennes ...
The real problem would be if only bad guys had your source code
Yeah, that would suck. That would really suck.
--
Go Debian!!!
Slashdot is feeding the troll. Just because the original article claims to be a balanced warning into OSS, a little research shows all his points to be wrong.
Just another journalist trying to make a story people - move along.
Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5
The rebuttal "Who's Guarding the Guards? We Are" , also hosted at devx. Average Rating: 4.9/5
Deltron 3030 - Virus (music video)
Let's see.. the most (un)likely way is that someone hacks a host server, mods the code and then updates the MD5 sums. Stupid. All major Open Source software know how to protect their codebases by holding offline checksums and isolated codebases. This is too unrealistic to happen these days, if you actually care about verifying what you just downloaded and are about to compile.
Instead, the security breach will be placed into the open source software from inside, by someone working on the project.
Laughable. Aboslutely ridiculous !! Can this not happen in closed source environments ? A disgruntled employee perhaps ? I'm sure the article writer would say "but there is quality control, peer review.." I suppose that never happens in Open Source.. I mean, how can we actually review the code when it's publicly available. Oh, that's right.. we can. Open Source peer review is brutal at the best of times !
"I am not bound to please thee with my answers" [William Shakespeare]
On the other hand, if he means code that's been built openly... damn, what's better than having the software AND the source code for inspection? how do you beat that?
Bite my shiny metal... oops... Nevermind!
So.... it's not Open Source then. Way to let the hot air out of your puffed-up argument.
"I am not bound to please thee with my answers" [William Shakespeare]
So GNU/Linux source has been out for decades. Windows source has never been out except recently. Shall we do an exploits in the wild count? Note the in the wild part. It is a distinction that anti-virus researchers make as their are some pretty nasty computer virusses that have only been spotted in their labs, not on peoples pc's.
Every now and then some idiot is going to stand up and proclaim something really stupid. Instead of gently leading that person to proper care and attention in the form of a straight jacket and handfull of pills people print their ravings.
This guy is one of them. Opensource vs closed source means very little when it comes to security. Big holes can and have been found in both. What matters is how you respond to those holes. Opensource GNU/Linux is pretty fast. Closed source Microsoft is goddamn slow. So? MS is hardly the only closed source company. If someone ever post figures on the commercial unixes or OS's like symbian and shows the same terrible performance as MS then I will be impressed.
So far all the MS exploits prove is that they have some pretty sloppy working methods in redmond. Not that closed source itself is bad. If all closed source projects have the same track record as MS then it will be news. They don't.
HOWEVER, opensource has proven itself. Countless projects use it, linux kernel, gnu toolset, kde and gnome and all the other desktops, tron the os blueprint from japan, apache, mysql and postgress and the berkely databases, bsd even though it is dying and countless others.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.
At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.
Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.
First off, Malicious hackers have day jobs.
Lots of times they are professional programmers that like to play "games" on the weekends and in the evening.
MS's source code is like a prostitute. It's gets around and around to whoever has the money to afford it. To say that it never fell into the hands of a "bad man" even thru legitamate means is foolish.
People spend months and months researching and setting up specific attacks. Sometimes the stakes are worth hundreds of thousands of dollars when it comes to corporate espinoge and trade secrets.
Now most hardcore hackers even if they do have access to the source code definately isn't going to advertise it on warez sites and post their findings on slashdot. Their time is worth money/fame/insane pride to them too.
This latest release of the windows source to warez-style groups is definately NOT the first or the last time the source code to your programs is aviable to people you don't trust.
In Open source:
The developers have the source. The crackers have the source. YOU have the source.
In Closed source:
The developers have the source. The crackers have at least partial access to the source. Your screwed.
It may be a subtle difference, but also think about this:
How many discruntled employees piss in their bosses coffee? Or at least spit? Or use stale water(If they are pussies)?
Now how many programmers are entirely "there"?
Do you want your application to be the pissing ground for angry employees? Can you tell?
No of course not, their have been plenty of cases of otherwise perfectly good programs having security holes and backdoors planted in them by programmers.
You think it's going to stop because Bill Gates says it isn't so?
and /., can you stop reporting this, it's basically one huge troll & it only encourages people like him.
btw Mr. Jones, the choice isn't open vs. closed, it's open vs. possibly leaked. yah. nice. please go away.
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
The guy has a trimmed beard ! a trimmed beard!! No open source has ever touched him, or his facial hair would be reaching for the keyboard !
BUT MOD GRANDPARENT UP!
As previously discussed on /. Jones' comments are too controversial to ignore.
On the contrary, this type of comments are the ones you have to ignore. It is simply mindless, fact defying -1 troll.
I mean, when you see after a quick glance that author obviously did the research and ignored all the facts that didn't support his thesis, there's nothing you can tell him that will make him apologise, admit to mistake or sth like this.
When you see additional rhetorical manipulations (e.g. things that are insinuated but not stated straight, guilt by assosiation, or proof by analogy) you already know, that the point of the article was purposeful manipulation.
For some people operating systems, computer vendors, open vs close source, GPL vs BSD are religious matters and you don't want to get into discussing beliefs with religious fanatic.
Robert
Bastard Operator From 193.219.28.162
"When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get." I suppose he's one to pay for high-quality V|@gRa. :)
In other words, people will get it in their own. It is easy for a casual observer to train him/herself up on the facts and make their own judgement about whether security efforts have gone into OSS, and whether they will pay off. Somebody just saying "ooh, watch out" might give them pause -- but they can experience it for themselves.
The facts will (or will not) speak for themselves.
I realize I'm preaching to the choir, but here goes:
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.
Therefore, security problems for governments begin with knowing which distributions they can trust.
Security problems for governments exist because of negligence, for the most part. More below.
This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.
Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.
He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
MOst of this paragraph is doubly true about closed source companies because they are closed. An open company is subject
Like what I said? You might like my music
Windows is already hackable and riddled with security holes. How many barn doors there are isn't going to change the number of chickens that escape.
The limit of security is not a technical one, it is a human one: how many sociopaths bent on destruction of innocent bystanders are there. No doubt there are a few, and no doubt the network nature of internet gives them leverage disporportional to their numbers, however more ways of commiting the same heinous hacks isn't going to make much impact on their influence.
It occured to me recently that - if only because
:-/ I doubt anyone has ;-) ]
/. like effect of eveybody needing to
of the sheer quantity of security patches needed
to keep Micro$oft gear "safe" (such as it is...)
- that it's got an inherent -human- vulnerability,
ie on top of all the technical ones:
If SysOp's effective dedication wanes, even for
a week, eg due to illness, relationship glitches,
or some sort of disgruntlement with the employer,
the company's entire LAN may be at risk (ie, in
a M$-based server facility... where "Which urgent security patch would you like to apply today?"
is he rule, rather than the exception).
[One South Aussie company's IT guru stopped gen-
erating bills for their Clients to pay, ie so
that he'd have more time to play the horses, ie
at work & from elsewhere... using various flavors
of database-based computer systems in an attempt
to improve his odds...
ever tested these programs, eg using -old- data,
where results are known... or am I wrong?
Then there is the risk that some really urgent
patch won't be available, eg, due to some [D]DoS
or just a
download it at the same time, soon after it gets
released.
We've had to make a -few- patches & upgrades to
out e-Smith (now SEM Server) boxes, but nowhere
near as many as we're "offered" by Micro$oft...)
On the other hand, -our- risk is that we might
get lazy... and assume that our Linux-based boxen
are OK when there's a new vulnerabililty that
might affect them.
It really doesn't matter if its open source or closed source. The weakest part of any system will always be the person attached to the keyboard.
Blaster was a big problem because no one can be bothered to download a patch.
The MS source code was leaked because no one could be bothered to download a patch.
slashdot, news for crazed liberal socialist zealots
To be quite honest I never gave that Dev X's troll any thought. But apparently /. seems to feel that this very poorly written piece of work deserves not one but two front page storys. So be it. (I sure hope to hell that OSDN is not getting any cash from those losers. It would really ruin my day.)
/. artical. They can go toil in obscurity imo and we are ill served by even giving them the time of day.
Bottom line for me is that FUD is FUD is FUD is FUD. There are several ways to combat it and one of them is to just let those that want to FUD away while we continue to build, create, use, and accept that OSS is a good thing for everyone. Those with small minds are scared, good. I don't want those people involved with me and it makes me actually feel good when I see that they have to resort to such lies and FUD to try to defend what they see as "the only way".
I read a comment here the other day about how someone viewed OSS OSes as the ultimate capitalist leveling field. By making not only the hardware but the base software, the OS, open you then allow everyone to create things as they wish and without any strings. They even can make them closed source if they so wish but the hooks, protocals, and standards are open such that you can make the software work correctly, regardless of platform.
As has been sited here many times MS has not even given that freedom to it's programmers with it's lack of API documentation in addition to it's lack of standards (Unless you think that they are alone in being able to set them. Go away then you shrill.) and numerous changes in even their own types of file standards. (Why does MS Word docs have to change so often? Hello, forced upgrades.)
I really could care less about such FUD from some lame ass website that I personally have never visisted or even heard of until reading the inital
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
Much more likely is that distributions will be [...] created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Oh no! Linux is funded by Al Qaeda!
This ridiculous hysteria, more than anything else, shows how much this is just propaganda. Cut-rate contractors who code for low-budget government agencies already exist; why would a closed-source one be any more trustworthy than an open-source one?
If your quality control and background checks on outside contractors are so terrible that cut-rate Linux distributors could put in backdoors, why would you not have this problem with a bunch of contract VB coders? Especially since, in the latter case, they may only ever give you a compiled binary.
It's like fighting a war where we simply re-win the same outpost over and over again, and never make progress. Why?
Because the damned fools think that they're making a valid arguement when they're simply spitting out the same FUD over and over. Now, if they were to refute previously made refutations, further arguement can be made.
However, that would require them to be able to find something to refute our arguements with. Esentially, "Your guns are too big, so we'll back down and make this point again later." Urg.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Yes, MS has serious security issues. Does this mean no one else has any problems ? For every exploit known to the script kiddies, how many in Linux known to the people who exploit for a living ? Does no one remember that even rootshell.org got ownzored ?
This is not a signature.
In fact attempts to prove it have backfired:
i on =displaynews&NewsID=971
Linux security site abandoned
Is Linux security good enough or does no-one actually care?
http://www.techworld.com/news/index.cfm?fuseact
It seemed like a good idea at the time. Set up a website that allows users and developers alike to check which pieces of Linux code have been checked for security holes. The project, dubbed Sardonix, was a classic open source solution to a clear problem.
The scheme's originator Crispin Cowan, chief research scientist at WireX Communications, said: "Auditing is needed not just because some developers refuse to read, or follow such standards, but also because humans make mistakes and may fail to completely, or correctly, follow all rules perfectly."
Yet few became involved because, according to Cowan, there's no glory in auditing security holes.
Funded initially by the US defence establishment body Defense Advanced Research Projects Agency (DARPA), the research grant aiming to centralise what was, and remains, a fairly loosely structured review process dried up nine months ago.
The plan was that volunteer code auditors would be ranked according to the volume of code they examined and the number of security holes discovered. Points would be lost if holes were subsequently discovered in code passed as clean.
But, said Cowan, "I got a great deal of participation from people who had opinions on how the rankings should work, and then squat from anybody actually reviewing code."
Cowan added: "The Bugtraq model is: find a bug, win a prize - a modest amount of fame," says Cowen. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code. It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."
Some have commented that few people can both code and have sufficient expertise to spot buried security bugs for no reward, while others moot a lack of visibility and marketing as the reason for the site's demise.
Only 22 pieces of code are listed on the site as having been audited, 14 as unaudited.
It's worth supporting things you believe in when the alternative is to let lies and FUD spread uncontested. It's particularly worthwhile for the benefit of those in the slightly wider audience who aren't generally informed about tech matters, and who might otherwise be swayed by rhetoric.
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
In theory the "many eyes" that can see open source will detect security problems. In practise it doesn't happen that way. The reason that open source code is more secure than closed source is that the designers and authors care more about their code as they KNOW it will be made public and they value their public reputation -- it's the same as a John Grisham making sure there are no speling errers in his books. Additionally in the Linux world they don't have to make security compromises suggested by some marketting department droid.
When security is designed in from the beginning it's far harder for a trivial hack to open up a computer to the world.
The security question should not be:
Closed or open source?
It should be:
Who do I want to trust? What project has a good reputation (OpenBSD maybe).
Too bad I can't use my mod points to mod Russel's article -1 Flamebait. A ridiculous article. Most source in an open source model is tightly controlled by a few people who review code changes submitted by others. Thus, the basis of his entire argument is false.
In this house we obey the laws of Thermodynamics!
...too stupid to ignore? Judas Priest on a pony, this is the same stuff that has been refuted time and time again.
Everytime you look at porn a devil gets their horns.
To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.
And closed source makes it trivial to keep anyone else from knowing that the binary has been modified. Anyone along the line can inject a backdoor or trojan.
It will be interesting to see how Microsoft fares with some of their source gone public. There is a trend dating back to Melissa that suggests an ever increasing level of malware. My own prediction is that, with a few cheap hacks to have my computer do what I want it to do instead of what Microsoft wants it to do, the level of malware will be a tad smaller than the trend projected. That despite the fact that the bad guys have every reason to use it and the good guys have every reason to avoid it, the leaked source, I mean.
in light of what happened this week (NT4 & Win2k's source being leaked (therefore much of XP and longhorn), microsoft cant claim that their source isn't available to 'bad people' anymore. My friend downloaded the source himself a couple of days ago, i didn't have a look because to be honest, i dont care. Microsoft's source being available is far worse for security than linux/BSD etc source being available because microsoft chose "security through obscurity" - OSS OS's dont. Since NO Firewall/Virus scanner can prevent you from holes in services that are supposed to run (MSN Messenger for example [was that leaked?]) there's going to be some bad stuff happening this week to companies running windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest windows.
For those who want a great look at security, both in a closed source and open source OS, take a look at the March issue of Linux Magazine - Stephen J Vaughan-Nichols article on Security is a Process, not a Product. Mr. Vaughan-Nichols writes and quite correctly that security is every user's job, and that as Linux gains in popularity so does the threat of security concerns.
I'll skip the comments about how incorrect the original article is and leave it to the responses' comment about fundamental misconceptions of Open Source. But the response is really an excellent read, well thought out and showing an solid example of classical debate rebuttal.
Kudos for writing an article that the same audience that will believe DevX would understand as well. Too often the repsonse to such articles is written to an entirely different audience and on such a technical plane that those who read, and believe, the first article are often times entirely incapable of understanding the second article. It's not their fault, they are not CSE types by any stretch.
can be made for the "closed source" community. At least with open source, you have the chance of seeing malicious or bugged code. How much spyware/adware/malware is out there now? Point proven.
and compared the result to your own compiled versions and how did you do the comparing? Just curious...
first post!!! you lame assholes... I can post first because my XBox is a american product and my pride in my great country and my great XBox accelerate everything...
If only they would make games for that bitch... IAve played Metroid Prime and it ruled... I hope M$ will buy those japanese bastards and port Metroid to my great american console system!!!
Join the fun!!!
I would know by viewing the source code.
Raj Against the Machine! http://social-butterfly.appspot.com/
Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust.
GPL forces distributors to provide source code to their customer. Then the government is free to (and should) post the source to public audience. They can (and should, even for performance sake) recompile the binaries from the code provided. So...?
I think this guy didn't read GPL.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
To make things worse, the one that offers the malicious binaries can easily log from which IP's they where downloaded. Many people will download directly to their server using wget, and then install the binaries.
If people then omit to verify the integrity of the binaries one way or another, this whole scenario becomes quite risky. Not that I think any self-respecting person would follow this course of action, I still feel that some scriptkiddies out there might give this a try.
Therefore, beware!
Although I agree with the majority of the comments to this article I am glad that Mr Russell Jones wrote his article. Why ?
...
One big problem that the open source community faces is that of complacency -- ie knowing that we are: better, more secure,
What we know may well be true, but it will not remain true if we relax, content in the warm glow of our superiority. To remain ahead needs continuous awareness of the issues, which, in the case of security means a constant paranoia prompting reassessment of procedures, possible risks, etc.
There have been articles like that of Mr Russell Jones before; I hope that they keep coming just to remind everyone to keep on their toes.
Lest anyone think everyone at DevX is this ignorant/biased, a rebuttal was posted at DevX.
Noone else seems to have mentioned it.
To find it, take the original URL of the article and cut out everything after the "OpenSource" directory.
and illustrated by one quote from the article:
To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.
This has been the age-old cry of dictators and despots everywhere: "We are restricting the rights and freedoms of the populace for their own good!"
And it has never turned out to be true.
yep, microsoft's sales and profits are higher and ever, and with the demise of unix their overall percentage take within the tech market is getting greater as well.
Lets see what 'security systems' are open source.
Locks, keyed and combination, they still work well.
DES, AES, Blowfish, all these algorithms are available, but the security isn't weaker because of it.
Electronic tags that beep at the exit to a store, they still work.
As long as it isn't a broken algorithm, or a password that is being shown, it shouldn't be a problem.
distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing.
So, who's going to to compete with slackware on price? Or debian? Or mandrake? Or fedora? This type of statement is just *weird*.
creation science book
Hey, I just had a great idea!! If I form a company and deliberately write insecure, malicious code with backdoors in it, I could use it to control the governments of the world and become obscenely rich!
Oh, wait... someone else has already done that, and most likely patented the idea. I don't want to get busted for patent infringement, man!
Damn... back to the drawing board.
Organic free-range music... yum!
If both are compiled with the same compiler options then a simple CRC check should confirm they are identical. That's why all the binary downloads tend to have their signatures supplied as well.
All those moments will be lost in time, like tears in rain.
A firewall can indeed protect you from unknown and known vulnerabilities. You forget that a firewall's main purpose is to BLOCK. If all requests and attempts are blocked, then it does not matter how secure the OS was as the attempt never got through.
-]Phreak Out[-
You obviously haven't been keeping up with the recent hacks of GNU, Gentoo, Debian, etc...either that or your intentionally spreading misinformation, common on this website.
I feel your pain. What's worse is that none of these so-called writers ever seems to learn from their mistakes and publishes a retraction or a response. It makes you wonder if they really have any interest in journalism at all, or if they're just playing games.
The thing is, the general public hears all these conflicting messages about open source. It doesn't generally matter what the public thinks because the government will probably develop its software policies unilaterally without any public review or input, just as it does with anything that actually matters. The government will of course choose proprietary solutions from Microsoft more often than not, simply because MS is an icon of the capitalist ethos, and people in government generally do not have the political will to do anything that might be construed as "anti-capitalist" (hence, anti-american).
Public ignorance and confusion is a requisite condition for Government to follow its natural pathological course.
Is it possible that these foolish, uninformed, and perhaps even deceptive writers are acting in the interest of MS simply out of their love for profit uber alles? Or are they simply mindless MS fanboys? Or is it possible that they really do believe that their assertions are true, that they're being objective and relaying accurate information? This sort of intellectual laziness is really sad.
-- thinkyhead software and media
That's right, the windows admins have become battle tested and are very strong in dealing with security issues. No one on this site wants to hear it, but Windows admins are fighting real battles and improving while the OSS crowd sits on their 2% market share and boasts they are stronger, LMAO.
I hate to play the devils advocate, because I do believe in the viability of OSS as a solution, but: Maybe it's not the people uploading binaries and source that we should be worried about, maybe it's the people who are downloading. imagine: two IT guys, converting a small government branch, or other such institute, over to some OSS or another. with access to the source code, they could concievably put in their own back door. nobody would neccessarily know unless some drone did an audit and actually understood the program. Or am I wrong?
Well. What I am most afraid of, is not a "buffer overflow bug in version 1.2.3-pre11".
What is really scary is:
- spyware
- trojanware
- software with intentional backdoors (realPlayer)
- etc.
Everybody I know who uses windows has a boxen which behaves very strangely after they've downloaded and used "free" binaries.
For me the best security is this: I have two computers. The one IS NOT CONNECTED TO THE NETWORK (and runs linux for development/windows for warcraft III). The other is a laptop running windows 98 which is used for web browsing and installing shitty binaries and having fun. It is DEFINITELLY haxored. But I don't care.
I agree with some other posters who have noted that the author is trying to be controversial, or he is ignorant. Not so much ignorance of Open Source, but ignorance of software development practices in general.
There is no issue he does not raise that applies ten times over to a closed source project. Perhaps he's never been involved in a large scale software project. If he had been, he'd know that unless a company has software quality control procedures that are in place and practiced, and audited regularily, anything and everything is possible and does happen.
In the end, a customer has to trust the software house that it has these quality practices in place, that it follows them and that there are appropriate controls in place to ensure that they do. There are even standards, such as ISO 9000-3, that can be followed, but in the United States at least there is great resistence to adopting such standards which means ultimately you cannot trust any closed source software not developed under internationally recognized quality assurance standards. Period.
The author ends with the question "who watches the watchers?" In closed source development, unless they're compliant to independently verifiable quality assurance standards, the answer is simple. Nobody.
With Open Source, that's automatically built in.
No one , and I mean no-one, can simply wander in and check-in code to any OSS project without permission.
You have to have a track record and your submits get peer reviewed. After a while you may get change rights to the CVS. How long depends upon your skill and history. I'll never get bitkeeper access to linux kernel and neither could Mr Jones. I could try but it'll take a lot of hard effort to skill myself into kernel workings. I'll stick with userspace programs.
No different from a company ; start off low as a intern and then work up until you get to a responsible position and then you throw the spanner in the works.
The security breach will be placed into ANY source software from INSIDE, by someone working on the project.
Mr Jones - It doesn't matter is its closed or open source its usually an inside job. In closed source world the public will never hear of the problem as it'll get hidden under the carpet: in the open source world it in the open.
In a democratic society goverment taxpayer money should be seen to work and be seen working not hidden behind some closed door mentality.
Funny thing is that I just checked the devX webpage with this story on it and, of course, there's an ad for Microsoft .Net right next to it.
So much for objectivity.
It's easier to wear the spandex than to do the crunches. --David Lee Roth
Yes it is possible to hide stuff in open source code.
Few people actually review it, mostly because it is rare in the mainstream trusted stuff.
Closed source has lots of hidden things, and again few people review it, so it is rarely found.
Both cases we generally trust the source, but in open source at least we have the option NOT to trust them and check for ourselves. Closed source, we are at their mercy
Governments are not stupid. They may in fact be a lot more knowledgeable than, say, some fruit who thinks he's a journalist writing populist drivel at a MS shil site.
I'm sure they have some technically competent advisors. And then they have beancounters who make the very end decision cos in the end its all about the buck, not the bug.
Both authors are merely preaching to their choirs, it won't impact any real govt decision.
< 8 Hz voice >
...
...
Presenting a GNU/Dreamwerks production:
"WHEN TROLLS ATTACK"
A film of betrayal, intrigue and piss-poor articles. Starring Leanardo DiCaprio as Linus Torvalds, Robert DeNiro as Richard Stallman and Arnold DeSchwarzenegger as Eric Raymond. Featuring Danny DeVito as the troll.
Watch in Amazement as Linus uses quantocrypto beta wave brain analysis to get inside the mind of the troll...
"....I just have to decrypt this datastream....I'm in!"
Be Astounded as RMS insists on addressing Linus as GNU/Torvalds...
"Oi, GNU/Torvalds! That was my idea!"
Stand back in Awe as ESR deals with the troll the only way he knows how
"<BANG><BANG>....eat leaden death, troll....<BANG><BANG><BANG>..."
Be afraid....be very afraid...
The Machine stops.
Unless you use static linking and some system/3rd party libs are at a different revs, etc.
and he is saying it. Having written three books on M$-related topics, he's supposed to be an expert on open-source ? I don't think so... "You get what you pay for"... Sheesh, I paid nothing for his article, and that's what I got, so he's at least right in one particular instance.
I despise journalism like his, it's just yellow crap.
On Windows, the binary header contains a timestamp for when the file was compiled. So I could run the exact same build process twice, generating two "identical" binaries, but their checksums would still be different.
Whether that applies to any other platform on Earth, I don't know. My point is that you are making an assumption which is not necessarily true for all cases.
These same IT guys could, more easily I might add, install Windows and a backdoor product like BackOrifice.
But if they are the IT guys? Why would they need to build a backdoor? If you wanted access to the system after you have been terminated, just add an additional user to Active Directory (or your resident LDAP server) that no one would think to delete if you were fired.
Employees subverting a organization from within would be no more aided by OSS than any other program they can download or build themselves.
Whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa, whoa. Lois, this isn't my Batman glass. - Peter
while following a link from a MS ad on slashdot, I got the following error:
msxml3.dll error '80072f76'
/library/toolbar/3.0/vb.asp, line 34
:)
http://www.microsoft.com/ireland/security/
--
The requested header was not found
--
Now, to my mind that gives information that really shouldn't be in a public error message.
Weren't there a few holes in msxml3's parsing a while ago?
This is too conservative.... it was in the 19th century that this became accepted. It's known as "Kerckhoff's Principle." From Wikipedia:
If you're going to set up your firewall such that "all requests and attempts are blocked", you might as well just take out the cable.
Microsoft is the worst case scenario of closed software security. Why is it that we rarely ever hear of any other company's security holes? Why dont we hear both sides of the story? We almost never hear about Linux holes (oops, most are claimed not to be Linux holes if they aren't in the kernel...but a hole in MS's Office suite is supposed to be a WINDOWS hole...hrm...) Why did the article devolve into an attack on the credibility of Jones?
This is not a story, it is a Microsoft sponsored FUD piece. A site with Microsoft as an advertiser, running IIS on Windows 2000 trying to find something to spread FUD against OSS. I wonder if Devx would comment on how many security vulnerabilies have been exploited in IIS vs. the number of exploited vulnerabilities in Apache? Not necessarily related: Does Devx want to discuss why their IIS website uptime is so pathetic compared to most OSS web servers? Netcraft is showing a moving 90 day average uptime for www.devx.com of about three weeks.
Okay, here's my take on the situation:
It's far easier for a hacker to write a worm if he has access to ALL the source code that powers the internet. He can exploit, say, Linux boxes that run Apache to spread a worm because he found a flaw in the source code.
Yes sure, the flaw will be patched within days, hours or even minutes, but the damage will be done, albeit limited.
A patch is usually made AFTER the exploit is found, not before. You'd have to have an amazing auditing system in place in order to make 100% secure code. In my opinion, writing 100% secure code is impossible.
Microsoft tries to hide behind closed source hoping that by keeping the code closed nobody can easily detect a flaw and exploit it. The major problem with that philosophy is that the damage will be devastating were the code to be leaked...
Open Source = limited damage
Closed Source = ticking timebomb
Yuioup
If this guy had posted his article to his blog that gets 10 hits a week or some obscure message board, I'd agree with you. But his folly got posted on a major website, with a lot of exposer. So it was good that someone exposed the error of Jones' logic, just in case people without as much technical background as you and I fall for it.
Obviously it didn't take a ton of ink to defend OSS against this guys BS, so why not do it? Not to dis' the response or say it wasn't a great article. On the contrary, it was a great article. I especially like how he ends, after demolishing Jones' logic, by showing Jones' motives are rightly questioned too. I'm just saying, there is a difference between feeding trolls on some obscure message board and responding to credible people who have a fairly relatively large readership.
I think you guys should know that many areas of government are already demanding Linux solutions whenever possible and has been for quite some time. I know of other contractors who haven't sold a Win 2000 license to the gov in well over a year, all Redhat. Sometimes we even get requests for Gentoo and Debian systems.
This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.
The open source model also guarantees someone, somewhere will spot that malicious code and take care of it. There are 2 sides to the equation.
One point that may be made involves the leaking of MS source. Linux source has been open forever. MS's security holes may only be beginning to be uncovered.
The point of the original article was that due to the open, free, and highly available nature of open source code that ANYONE could get it and fuck with it. Yes, it's just as likely that someone with fuck with closed code but that IS NOT THE POINT. The availability of open source code IS.
If someone at Microsoft implants a backdoor into Windows XP and it goes out with the next update, it will be a matter of hours until they find, fire, and more than likely arrest the guy that did it. There are very few people working directly with Windows code than there are people working with Linux/open source code. While the possibility of someone installing a backdoor is still there, the risk associated with doing so in a closed enviroment is much higher because the probability of being caught is much higher.
It is more likely that someone that wanted a way into your system would just, I don't know, hack a trojan into Gaim or something. Or even better, something with a large codebase. Open Office, Mozilla, and so on. All it would take is to package it as an RPM file then tell the core team you're packaging RPM's so they link to your site. Everyone that downloads that version has a nice gaping Goatse-style hole in their browser.
No, it's not likely, but without a doubt the probability of something like this happening with open source software is much higher than it happening with closed source software. As an aside, I'm sick of seeing rebuttal articles that do nothing besides lick the balls of open source ideological diatribe while simultaneously calling the integrity of the original articles author into question. If you're going to use that absolutely inane logic, then nothing that RMS, ESR, or Linus says has one bit of integrity either. In some way, all of them make money from open source software, so why is their integrity not in doubt when they speak of open vs closed software? Don't they have any bias? OF COURSE THEY DO! But of course, they're on 'our' side, so it's okay if they are biased. Whatever.
'Standards' in computing only impress those who are impressed by things like 'standards'.
This will happen because the open bag model, which lets anyone look into the bag and sell or distribute the grapes, virtually guarantees that someone, somewhere, will insert spiders into the grapes.
If you can see the grapes and the bag is transparent, then any spiders can be removed. If the grapes are sold in a can and you have to eat them in the dark, you might swallow a spider.
I don't want the (original) author to be shopping for my produce.
If Slashdot were chemistry it would look like this:Cadaverine
Overall, good points. However, I think there are a few grains of truth in the original article.
When running commercial distros, I've never been sure that the source I have actually matches the (precompiled) binaries that the distro provides. In more than one case, I've found that patches that have obviously been applied to the kernel I'm running aren't in the source provided with the distro.
This doesn't inspire confidence.
The solution, of course, is to throw out the commercial providers altogether and compile everything from inspected source stored in a secured repository. This isn't something a small company could do, but would be eminently practical for a large enough organization or a government.
Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
Well, it's sure is a lot better than not knowing at all what your software is doing. If Microsoft put backdoors in their system, there would be virtually no way of telling what they slipped in there and they could have been doing it for years. That is, of course, only following his logic. In reality, however, I think it would be somwhat difficult to include backdoors in commercial software without somebody out there noticing, but it's not beyond the realm of possibility.
Quis custodiet ipsos custodies
Well, who guards Microsoft? Who guards SCO? Nobody that's who. I like how he so carelessly glossed over that as if it wasnt' important.
--
Adobe's anti-counterfeiting softw
The basic argument here is that insiders are dangerous. I think the rebuttal fairly argues that insiders are no more dangerous in an OS environment that a proprietary environment. Security is multi-layered for this very reason.
We spend a lot of time dealing with network vulnerabilities these days because they are ubiquitous and disruptive. But, back in the corporate and Government corridors, people with critical secrets are always most fearful of the enemy inside. The bottom line is that a rogue technologist is a dangerous threat as is any rogue insider. We should design critical systems with the assumption that the bad guys are all around us.
It's one thing to let a troll blather on in the corner, it's another thing altogether to let them slander you. Let's use an example from the real world. Say I am a raging lunatic and a pathological liar. Say I'm standing on the street corner shouting lies about you at anyone who passes by. Now, if I'm standing on Slashdot Street, everyone will ignore me, right? But, suppose I'm standing at the corner of Front and Main, wearing a suit, and talking to a Police Officer, pointing over at you, while the Officer is taking notes and nodding. Are you going to ignore me then?
Hint - if you answered yes, go directly to Jail. Do not pass go.....
----
Not to be confused with Col.
is so badly written that it does not warrant a response. Perhaps the reason it irritates people is because of this.
Any preoccupation with ideas of what is right or wrong in conduct shows an arrested intellectual development. (Wilde)
The accusation of bias at the end does open source no credit; someone writing for O'Reilly could be accused of bias as easily as someone writing for DevX. Stone would have done better to leave that out, and read one of the advocacy FAQs instead. DevX itself hosts a better rebuttal than his.
Slashdot - News for Herds. Stuff that Splatters.
Jones says a malicious entity could ship a version of an open-source project with malevolent code in it. Well yes, but the same can be said about closed-source software too. There's been a few recent well-publicized attempts to insert malicious code into open-source projects, but so far nobody's actually managed to get that code shipped to end-users as part of an official release. If Jones is correct, then closed-source should do at least as well. Yet, over the years, I recall several major pieces of software that shipped with back-doors or viruses on the official media. These weren't just third parties distributing bad versions, this was malware on the official versions bought directly from the software maker and still in their shrink-wrap with their seals intact. Microsoft themselves in the not too distant past shipped a fairly obnoxious trojan program to their own developers on their own SDK CDs.
Jones' assertion may be technically correct, but as with all of his assertions a simple check of the track record shows that it's closed-source, not open-source, that has the larger problem by far.
However, there is some confusion in the article about what security means. One aspect of security is authenticity and integrity; another is secrecy. When you check the MD5 checksum on a download, you are checking the integrity of the files even though the contents are publicly available. Having the source code freely available can only help the quality of projects, and does not necessitate compromising code integrity.
(I wrote this yesterday and tried to post it as an article on /., but apparently there are so many more interesting and better written articles posted on the front page here that mine did not meet the qualifications to be posted. Or maybe it is just so off-topic and does not represent any real new ideas or news for nerds, you know, no stuff that matters is expressed in it, so don't read it.)
I am sure that all of you would agree that the free software community has been facing some bad publicity since the entire SCO incident started about a year ago. I am also sure that when the SCO goes away another publicity stunt will be performed by some other corporation or an entity that could potentially cause more trouble. An earlier article on /. reminded us that there are other dangers that could stall the development of free software projects - an illegally distributed application source base can become the next battlefield for the free source community. Whether this source code could be distributed with an intent to contaminate is not the issue, the issue is that it is important to convey the message to the public that this community does not want to contaminate its source code with proprietary software. We know that the Linux kernel for example is maintained by a group of people who would never want to be faced with the problem of proving in the court of law that their creation is really their own code. What about other projects? How many lawsuits are comming towards this community? I do not know that. But I understand that some preventative measures should be taken, some measures that will clearly display that this community wants free software and free software will not be stolen from other source bases.
:)
How can this be ensured and how can it be easily shown in a court of law that this community takes copyright issues seriously? One way that I see is to set up a server that runs the comparator by ESR against any new submission to any open source project against any code released either by mistake on with malice by a closed source vendor.
This will help to identify copyright problems before they arise. Of course to have a proprietary source code base on this server would probably be illegal in itself but it is unnecessary to have the proprietary source code, all that is needed is a set of hash-keys that identify that source code.
How could this work? A copyright protection server (CPS) would have hash-keys supplied by different vendors of software that falls into various categories and the free software projects are also divided into these categories. Let's say there is a free software project that deals with image manipulations. The CPS would run a hash-key generator on the new code submission and then would compare the generated keys with the keys supplied by Adobe or other companies specialized in image manipulations. Of-course the closed source companies would have to run the hash-key generators on their code and supply their keys, and someone has to tell them to do that, but if it is done right then the following would happen:
1. The Free Software community would have better protection from inappropriate code submissions.
2. This can be publicised and shown that the Free Software community takes their work seriously and goes to the great length, much more than any corporations to make sure that their code is Free and free of inappropriate submissions.
3. In a court of law this can be very useful, it shows good faith on the part of the free software community.
4. This would make it easier to also figure out whether the closed source vendors are misusing GPLed software
5. This makes a nice project that can be commercialized (with all the lates IP propaganda and lawsuites.)
6. This hopefully will prevent many possible infringement claims.
Well, this is just a thought, but I think this kind of verification will become part of reality at some point in the future, given more lawsuites.
Any thoughts, comments, suggestions, ideas?
You can't handle the truth.
How many people work at software development companies that sacrifice quality to meet a deadline that sales or marketing proposed to the customer?
How about a company thats taken a new and possibly bad direction because one of the executives or a newly appointed CEO wants to impress shareholders and make money for themselves?
Point being, OSS projects are typically written on a timeline based on one requirement, is the project ready for the release?
It has always been my opinion that publicly traded companies are ruined by their shareholders.
The road between democracy and tyranny is paved with secrecy in the name of security.
In Jone's article, he talks about what if a rogue distributer distributes a hacked version of Open Source Software? Ya know, this could happen :(
My question is, how many rouge distributors are there out there selling Micro$oft products? Judging from the number of virus writers there are out there, I would have to believe there's enough people out there with knowledge of Micro$oft operating systems to do this on Microsoft Proprietary products.
This potential problem isn't limited to Open
Source distributions. It could happen with proprietary products also. Look at how many counterfeit disks are coming out of third world countries these days.
You could be buying the latest $M XP, and it's a counterfeit from Russia with a back door, and several backup back doors in it also.
Think about it!
W.Kid
I take no responsibility for what I say. Even though I'm never wrong
This article follows the standard pattern:
1) Write an article on general software problems
2) Use a headline that refers to open source.
3) Hope to get paid by Microsoft.
The auther is right, there is a security problem. But that apply to closed source as well. How do we know that the new peace of software isn't full of trojans. In opensource we can at least check it for ourselves, in closed source we can't. And what's more important the distributer knows that we can't.
Then we have the problems with insiders modifying the openly available source, before patches are applied to your systems. A sysadmin with bad intents can always do damage to your systems. It doesn't matter if the code is closed or open.
The solution is to make sure that there is no superuser in your system that have access to everything.
Mutually exclusive parts of sensitive software should handled by different people. E.g. if you are responsible for the login system in a banking system you should not be responsible, or have access to the code that handles money more than on a need to know basis.
Good tools for doing such things would be to implement MAC (Mandatory Access Control). This would give you very high protection but is also important to realize that security costs money, just as unsecurity. E.g. MAC is a PITA to use so make sure that the things you protect is worth the extra trouble.
Lastly you will also have to realize that security is not only about software, locked doors and surveillance. It is very much about people and the spirit of your organization. The employeess must not only know that security is important but also why, or else your efforts to strengthen security may have opposite effects as you employees may start circumvent security procedures to make life easier.
God is REAL! Unless explicitly declared INTEGER
Think of proprietary software as a normal home with wooden or brick walls, roof, shades on the windows and locked doors.
Think of Open Source Software as a glass house where everything is transparent and anyone can look inside to see what's going on.
Wouldn't it be easier to see if there is something malicious going on inside a glass house than inside a normal house? Does Jones really think a burgler would try to rob a glass house? I certainly hope not! People with malicious intent prefer to HIDE their actions, whether it's sneaking in a home's back door or distributing an encypted binary with malicious code, because they don't want to be caught.
No sane burgler is going to rob a home where everyone can see what they are doing. Anyone who adds malicious code to an OSS project will get caught just as fast.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
I'm not sure how FreeBSD does it, but I know how Debian does it, and the fact that those people can find out what your email address is implies that the binaries you provide are cryptographically signed. This means that you are responsible for their integrity. You could certainly insert a big backdoor, but once they found out, they'd know who did it! They don't ask who you are because they don't need to know; you're the guy who's gonna get crucified if there's a problem.
A lot of large closed-source software companies can't make this claim. There's so many developers who have access to the source, and their procedures are so inadequate to the task of keeping track of who really did what, that if a backdoor appeared in their software they couldn't tell you with any confidence who did it.
By contrast, the released sources of open projects are accompanied with md5sum's (often signed themselves), so you could say with a fair degree of certainty whose hands the software was in when the backdoor appeared.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
He's just "A" Russell Jones, it's not like he's "THE" Russell Jones.
"Stop throwing the Constitution in my face, it's just a goddamned piece of paper!" - George W. Bush Nov. 2005
Apache doesn't do anything useful for hackers. IIS is full of functionality. It's not just a web-server and it's tied directly into the OS.
Apache is just a web-server and runs on top of the OS. There's quite simply nothing to hack with Apache. With IIS there's all kinds of remote functionality to play with maliciously.
Comparing Apache to IIS is apples and oranges. If Apache did even close to what IIS is capable of doing then maybe there'd be a valid comparison.
I run Apache on 2K logged in as an admin. The only thing that's been hacked is MySQL and they couldn't get anywhere and nothing of value was stored in it. I never figured out how exactly they managed to do it or when but the assumed hole was fixed. It hasn't been hacked since so I'm guessing it works.
In order to take advantage of the hack they'd have to upload a PHP page since the mySQL port is blocked to the outside.
Oh yes, and GuildFTP was shown to be able to crash the server despite the author's claim that the hole was fixed. The only reason it didn't crash the server was because the person testing the exploit knows me. I now run BulletProof FTP server which has no known remote exploits.
Ben
Work Safe Porn
It's not that I trust you or don't trust you. I'm sure that I can trust you a lot more than I need to trust you. If I have to ask why I should trust you then I probably should not trust you. Either way, I don't ask. If I did ask, I no idea of any answer you could give that would cause me to trust you. It's more like I'd trust you because the binaries are there than that I'd trust the binaries because I trust you.
...so I can clearly not choose the wine in front of you!
There was a good paper by Ross Anderson, a well known British security expert, that compared the security of open source vs closed source systems (sorry, paper is PDF). He set up a mathematical model for how quickly bugs would be found and fixed by the maintainers and testers, versus being found and exploited by attackers. His conclusion was that the two models would both be about equally successful.
A recent posting on the Unlimited Freedom blog took another look at Anderson's analysis and came up with some different results that were not as favorable. But either of these articles seem more convincing than this challenge by Russell Jones.
I didn't know you could throw a gauntlet, or that anyone 'as' recently thrown one.
As for the article, I'll let the outsiders debate this back and forth - us insiders have work to do, thank you. Bye.
Yes, it's true that closed, proprietary software can have malicious code introduced into them just as well as free software. But part of the original argument is that the barrier to entry to creating your own distribution of project X is extrememly low, probably even close to zero (the author never said this explicitly, but I think it was implied). So while, yes, closed systems could get infected, too, there is an underlying assumption that proprietary software has stricter screening of its employees for just such a reason. There is no screening in free software; it's basically a free-for-all.
Also, I see a lot of responses saying varying degrees of "geez, they can just verify their binaries/source trees!". Well, once again, this is the classic Linux naivete of assuming too much on the part of the user. Sure, if we're talking about highly sensitive software then there will presumably be some auditing mechanism to make sure the software is legit. However, to assume that everyone has ready access to intelligent programmers to verify all their computer purchasing decisions is rather absurd, especially in the lower levels of government.
In short, I didn't think the response was really responding to the argument at all. Of course closed software can have the same backdoors! But did the author even stop to ponder, "Hey, I wonder why he might have singled out free software as being more vulnerable? Hmmm, no reason I can think of!"
Check out Gartner security analyst John Pescatore's quote in response to windows source being leaked, saying:
Experts: Don't Panic over Windows Leak
So now I completely understand. It is bad or good depending mainly on spin and context. Thank god THESE guys are watching the watchers for us.
argan0n
Case in point.
More importantly -- and as I continually addressed in the letter I sent to Mistah Russell -- is the implicit assumption that governmental security review processes are automatically going to be less trustworthy than other security review processes. Russell does all he can to talk about the poor government, how terrible that they can't just buy something off the shelf. Buying something is no guarantee of security, and if I'm going to pay tax dollars for government employees to purchase software they're too busy killing interns to write themselves, they damn well better scope said software out. It's not enough that the guy's points are just wrong -- he goes one step further and insults those paying for crappy government by telling them that their crappy governments should buy crappy software in crappy ways.
-----------------------
You are what you think.
The idea that "someone" (the ubiquitous "Al Qaeda"?) is going to go to the trouble of creating an open source project - and one that is very useful to a government agency - and specifically an agency with something useful in it to disrupt or steal - build it up for several years - then control how the government gets the source so they don't see an exploit - then use it to do - what?
Try Googling for the Promis software and see how this really works.
The Department of Justice rips off a software firm, then lets Osama and Saddam get hold of the software.
THAT'S how the government is threatened by software.
Any idiot saying open source is a threat to national security is a fucking Microsoft troll, I don't care what his supposed OSS "credentials" are. That, or he's simply an idiot.
This whole discussion is a waste of time.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Talking Head Talking Head Talking Head Talking Head
Nothing like promoting one's own article too.
Mark Stone is a whore.
The issue isn't whether or not secrecy provides security. The issue is, what is the motive for writing the code. If a company is writing the code, unless you're a conspiracy theorist, the company is writing the code to sell and make money. Adding security flaws purposely would harm this primary interest if caught, and cause the customer to find someone else, if possible. Therefore, it is not in a company's interest to introduce security flaws into code. Now, with open source code, the motive of a particular programmer is less clear. He's not getting paid, so he either wants to write code so he can use it for himself, gain some leel of fame, etc. It would be easier, however, if the motive was to compromise the security of a software product, to join an open source project and sabotage it, than to try and gain employment at a software company and do the same thing.
Vote for Pedro
"A patch is usually made AFTER the exploit is found, not before."
Most of the stuff I've been patching recently has been found before an exploit becomes known. The recent OpenSSH patches, a result of careful code auditing, most of the recent PHP errors, same again.
Seems like a lot of worms get their "inspiration" from already posted security vulns and just rely on the fact that not everybody will patch them in time.
I am NaN
This really says a lot of how much A. Russell Jones is talking out of his arse.
:o)
Average Rating: 1.2/5 | Rate this item | 139 users have rated this item
Now, let us look at the rebuttal...
Average Rating: 4.8/5 | Rate this item | 29 users have rated this item
Hooah
I am NaN
Why am I not surprised that the site www.devx.com is running Microsoft-IIS/5.0 on Windows 2000 and there's a huge .Net ad on the front page.
While I agree with your logic, my only question is: What is in it for the proprietary software companies? Why would they produce hashes that protect open source projects, when open source projects could put them out of business?
I would not be expecting them to cooperate with this. This sets up Microsoft to sue, just like SCO, for any kernel after 2.6. The difference is they have the money to sway the opinions of average persons who are not nerds. And they outnumber us 10-1. They may not looking for a knockout punch, they may be looking for a long, dirty slog.
What if they were trying to do this:
Instigate a problem with SCO and Linux, offer a large chunk of change to license some unlimited unix rights, but all they wanted was the unlimited rights, so they couldn't ever be sued. What if they are working on a BSD project that is closed source at the OS level, but runs all the free stuff they won't have to support. They put a XP like desktop on it using their own proprietary APIs, and make updates about as easy as their current windowsupdate program. And you can update in a console as well. What if.
Now, I'm not ready for a tinfoil hat, but I can't help but to wonder. They have more experience with SCO Unix than anyone other than SCO (Xenix anyone?). They have used BSD code before, and still do (ftp.exe). They are the largest software company in the world, extremely profitable and have access to resources we can only dream of. And they are still hungry.
This is why I have my doubts about companies providing hashes to help open source authors.
Tequila: It's not just for breakfast anymore!
As previously discussed on /. Jones' comments are too controversial to ignore.
Ever consider that he's just playing you like a fool?
What "constant peer-review processes" are you referring to?
i on =displaynews&NewsID=971
http://www.techworld.com/news/index.cfm?fuseact
How about one shred of evidence that there are ANY eyes, much less many eyes! But you won't respond, because there is none.
Security only through obscurity doesn't work. Of course. But obscurity can help security.
Look at the banks. Can you readily find out how their Host Security Modules work? Is the cryptography open for review by anyone from sourceforge who cares to have a look? No. Do banks suffer a great deal from electronic theft, even from the inside? No.
They don't rely on secrey alone, but it does help.
The same can be said for the current generation of access cards from DirecTV. Why not just open up the specification for review? Well, as often is the case with security.. despite what the ill-informed might have you believe, is that despite good intentions.. sometimes things go wrong or get overlooked. How many security specific open-source projects have been compromised? Lot's.
So, before you jump on the band wagon.. just make sure you've given the situation at least a cursory logical review in your own mind and don't be so eager to repeat what one zealot or another has already said.
Sure, we can test all the code that comes in with others code base, however may things araise from this:
* Implementations of Standars: what if 2 implementations of a Standard (Open standard) that have been maded separatly comes up with a very similar code or even the same code (counting out variable names and stuff like that), current US laws and IP rights are very extreme as you can patent almost any process, algorithms, and other stuff.
Anyways, we are a comunity that makes and uses that code, we don't want any malicius code running on our machines anyway. We are a community, not a bunch of terrorists, or an organization creating a conspirancy to over take the world by hooking everyone with our software and latter control them. (ala M$)
C-x C-c
"which talked about high security applications of computing"
my work with the d.o.d. involved classes in how to avoid bad guys getting your software results. the one thing that the good-guy instructor stated was that its to expensive to bring in an expert on your hardware, its cheaper to exploit your fettish.
just a thought.