Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and
posted a response over on the O'Reilly Network. As previously
discussed on /., Jones' comments are too controversial to ignore."
Nice article!
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
.. one example of which is "This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source." Yes, as we all know, *anyone* is free to modify the source code, and then sell or distribute it, and we're all such trusting souls. Only this morning I chmod +x'ed and executed a binary (as root) which I had earlier accepted from a kindly stranger. More FUD methinks..
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.
I fail to see how his logic works.
Because I can view the source code and change the source code, I can introduce a flaw. Yet it would be far less likely for a for-profit closed source project to be swayed by some sort of ulterior motive to include a flaw, because we have seen exactly how ethical and steadfast corporations are in this modern day and age.
It seems that he doesn't acknowledge that the aspect that makes open source secure is that it's hard to have a unified, systematic, malevolent agenda due to the extensive peer review inherent in the system. People who have different agendas or motives than you will be viewing your changes.
While his hypothesized scenario is certainly possible, I wouldn't go so far as to say it is a bane.
Slashdot is feeding the troll. Just because the original article claims to be a balanced warning into OSS, a little research shows all his points to be wrong.
Just another journalist trying to make a story, people - move along.
Let's see.. the most (un)likely way is that someone hacks a host server, mods the code and then updates the MD5 sums. Stupid. All major Open Source projects know how to protect their codebases by holding offline checksums and isolated codebases. This is too unrealistic to happen these days, if you actually care about verifying what you just downloaded and are about to compile.
Instead, the security breach will be placed into the open source software from inside, by someone working on the project.
Laughable. Absolutely ridiculous! Can this not happen in closed source environments? A disgruntled employee perhaps? I'm sure the article writer would say "but there is quality control, peer review.." I suppose that never happens in Open Source.. I mean, how can we actually review the code when it's publicly available. Oh, that's right.. we can. Open Source peer review is brutal at the best of times!
"I am not bound to please thee with my answers" [William Shakespeare]
So.... it's not Open Source then. Way to let the hot air out of your puffed-up argument.
"I am not bound to please thee with my answers" [William Shakespeare]
So GNU/Linux source has been out for decades. Windows source has never been out except recently. Shall we do an exploits in the wild count? Note the "in the wild" part. It is a distinction that anti-virus researchers make, as there are some pretty nasty computer viruses that have only been spotted in their labs, not on people's PCs.
Every now and then some idiot is going to stand up and proclaim something really stupid. Instead of gently leading that person to proper care and attention in the form of a straitjacket and a handful of pills, people print their ravings.
This guy is one of them. Open source vs closed source means very little when it comes to security. Big holes can and have been found in both. What matters is how you respond to those holes. Open source GNU/Linux is pretty fast. Closed source Microsoft is goddamn slow. So? MS is hardly the only closed source company. If someone ever posts figures on the commercial Unixes or OSes like Symbian and shows the same terrible performance as MS then I will be impressed.
So far all the MS exploits prove is that they have some pretty sloppy working methods in Redmond. Not that closed source itself is bad. If all closed source projects have the same track record as MS then it will be news. They don't.
HOWEVER, open source has proven itself. Countless projects use it: the Linux kernel, the GNU toolset, KDE and GNOME and all the other desktops, TRON the OS blueprint from Japan, Apache, MySQL and Postgres and the Berkeley databases, BSD even though it is dying, and countless others.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
First off, Malicious hackers have day jobs.
Lots of times they are professional programmers that like to play "games" on the weekends and in the evening.
MS's source code is like a prostitute. It gets around and around to whoever has the money to afford it. To say that it never fell into the hands of a "bad man" even through legitimate means is foolish.
People spend months and months researching and setting up specific attacks. Sometimes the stakes are worth hundreds of thousands of dollars when it comes to corporate espionage and trade secrets.
Now most hardcore hackers, even if they do have access to the source code, definitely aren't going to advertise it on warez sites and post their findings on Slashdot. Their time is worth money/fame/insane pride to them too.
This latest release of the Windows source to warez-style groups is definitely NOT the first or the last time the source code to your programs is available to people you don't trust.
In Open source:
The developers have the source. The crackers have the source. YOU have the source.
In Closed source:
The developers have the source. The crackers have at least partial access to the source. You're screwed.
It may be a subtle difference, but also think about this:
How many disgruntled employees piss in their boss's coffee? Or at least spit? Or use stale water (if they are pussies)?
Now how many programmers are entirely "there"?
Do you want your application to be the pissing ground for angry employees? Can you tell?
No, of course not; there have been plenty of cases of otherwise perfectly good programs having security holes and backdoors planted in them by programmers.
You think it's going to stop because Bill Gates says it isn't so?
and /., can you stop reporting this, it's basically one huge troll & it only encourages people like him.
btw Mr. Jones, the choice isn't open vs. closed, it's open vs. possibly leaked. yah. nice. please go away.
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
As previously discussed on /. Jones' comments are too controversial to ignore.
On the contrary, comments of this type are the ones you have to ignore. It is simply a mindless, fact-defying -1 troll.
I mean, when you see after a quick glance that the author obviously did the research and ignored all the facts that didn't support his thesis, there's nothing you can tell him that will make him apologise, admit to a mistake or something like this.
When you see additional rhetorical manipulations (e.g. things that are insinuated but not stated straight, guilt by association, or proof by analogy) you already know that the point of the article was purposeful manipulation.
For some people operating systems, computer vendors, open vs closed source, GPL vs BSD are religious matters, and you don't want to get into discussing beliefs with a religious fanatic.
Robert
Bastard Operator From 193.219.28.162
"Fact" #1 doesn't say anything about the relative security. Linux also continues to get better. It started better and has stayed better. Windows started from crap security and has gotten slightly better.
"Fact" #2 is (a) wrong, and (b) a non-argument. It is wrong because even as root it is not as easy to unintentionally screw things up as it is in Windows, which does so many things automatically without user knowledge so as to not "inconvenience" the user with "unimportant" details. It is certainly not less secure than Windows.
It is a non-argument because it basically says "If you use Linux insecurely, it will be insecure." It's like saying a car with a bunch of anti-theft devices is just as (or more) insecure as one with none because if you leave it running with the keys in it and doors open, someone could steal it.
"Fact" #3 has been tried and refuted many times. It is not secure because it is not as common. There's been a variety of analyses to prove this wrong. The obvious one is that Linux and Unix are used far more than Windows on servers, and yet server attacks are still more common on Windows.
At some point you have to check your "facts" before calling them facts.
Fact #3: Since Apache/linux run 66% of the webservers, you'd think that there would be many more exploits for Apache than for MS's competing product, based on your reasoning.
It's not offtopic, dumbass. It's orthogonal.
> Now that the MS source for NT 4 and Win2k is "out there"
Which suggests the argument that even if your code isn't "Open Source" it may still be "open source", so even if source availability is a security handicap, the field may still be more level than closed source shops would like to think.
Sheesh, evil *and* a jerk. -- Jade
I realize I'm preaching to the choir, but here goes:
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.
Therefore, security problems for governments begin with knowing which distributions they can trust.
Security problems for governments exist because of negligence, for the most part. More below.
This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.
Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.
He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
Most of this paragraph is doubly true about closed source companies because they are closed. An open company is subject
Like what I said? You might like my music
It really doesn't matter if it's open source or closed source. The weakest part of any system will always be the person attached to the keyboard.
Blaster was a big problem because no one can be bothered to download a patch.
The MS source code was leaked because no one could be bothered to download a patch.
slashdot, news for crazed liberal socialist zealots
It's like fighting a war where we simply re-win the same outpost over and over again, and never make progress. Why?
Because the damned fools think that they're making a valid argument when they're simply spitting out the same FUD over and over. Now, if they were to refute previously made refutations, further argument could be made.
However, that would require them to be able to find something to refute our arguments with. Essentially, "Your guns are too big, so we'll back down and make this point again later." Urg.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Programming can be fun again. Film at 11.
It's worth supporting things you believe in when the alternative is to let lies and FUD spread uncontested. It's particularly worthwhile for the benefit of those in the slightly wider audience who aren't generally informed about tech matters, and who might otherwise be swayed by rhetoric.
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
The security question should not be:
Closed or open source?
It should be:
Who do I want to trust? What project has a good reputation (OpenBSD maybe).
I'll skip the comments about how incorrect the original article is and leave it to the response's comment about fundamental misconceptions of Open Source. But the response is really an excellent read, well thought out and showing a solid example of classical debate rebuttal.
Kudos for writing an article that the same audience that will believe DevX would understand as well. Too often the response to such articles is written to an entirely different audience and on such a technical plane that those who read, and believe, the first article are oftentimes entirely incapable of understanding the second article. It's not their fault; they are not CSE types by any stretch.
I would know by viewing the source code.
Raj Against the Machine! http://social-butterfly.appspot.com/
To make things worse, the one that offers the malicious binaries can easily log from which IPs they were downloaded. Many people will download directly to their server using wget, and then install the binaries.
If people then omit to verify the integrity of the binaries one way or another, this whole scenario becomes quite risky. Not that I think any self-respecting person would follow this course of action, I still feel that some scriptkiddies out there might give this a try.
Therefore, beware!
and illustrated by one quote from the article:
To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.
This has been the age-old cry of dictators and despots everywhere: "We are restricting the rights and freedoms of the populace for their own good!"
And it has never turned out to be true.
Let's see what 'security systems' are open source.
Locks, keyed and combination, they still work well.
DES, AES, Blowfish, all these algorithms are available, but the security isn't weaker because of it.
Electronic tags that beep at the exit to a store, they still work.
As long as it isn't a broken algorithm, or a password that is being shown, it shouldn't be a problem.
I feel your pain. What's worse is that none of these so-called writers ever seems to learn from their mistakes and publishes a retraction or a response. It makes you wonder if they really have any interest in journalism at all, or if they're just playing games.
The thing is, the general public hears all these conflicting messages about open source. It doesn't generally matter what the public thinks because the government will probably develop its software policies unilaterally without any public review or input, just as it does with anything that actually matters. The government will of course choose proprietary solutions from Microsoft more often than not, simply because MS is an icon of the capitalist ethos, and people in government generally do not have the political will to do anything that might be construed as "anti-capitalist" (hence, anti-american).
Public ignorance and confusion is a requisite condition for Government to follow its natural pathological course.
Is it possible that these foolish, uninformed, and perhaps even deceptive writers are acting in the interest of MS simply out of their love for profit uber alles? Or are they simply mindless MS fanboys? Or is it possible that they really do believe that their assertions are true, that they're being objective and relaying accurate information? This sort of intellectual laziness is really sad.
-- thinkyhead software and media
I agree with some other posters who have noted that the author is trying to be controversial, or he is ignorant. Not so much ignorance of Open Source, but ignorance of software development practices in general.
There is no issue he raises that does not apply ten times over to a closed source project. Perhaps he's never been involved in a large scale software project. If he had been, he'd know that unless a company has software quality control procedures that are in place and practiced, and audited regularly, anything and everything is possible and does happen.
In the end, a customer has to trust the software house that it has these quality practices in place, that it follows them and that there are appropriate controls in place to ensure that they do. There are even standards, such as ISO 9000-3, that can be followed, but in the United States at least there is great resistance to adopting such standards, which means ultimately you cannot trust any closed source software not developed under internationally recognized quality assurance standards. Period.
The author ends with the question "who watches the watchers?" In closed source development, unless they're compliant to independently verifiable quality assurance standards, the answer is simple. Nobody.
With Open Source, that's automatically built in.
Governments are not stupid. They may in fact be a lot more knowledgeable than, say, some fruit who thinks he's a journalist writing populist drivel at an MS shill site.
I'm sure they have some technically competent advisors. And then they have beancounters who make the very end decision, 'cos in the end it's all about the buck, not the bug.
Both authors are merely preaching to their choirs, it won't impact any real govt decision.
This is too conservative.... it was in the 19th century that this became accepted. It's known as "Kerckhoffs's Principle." From Wikipedia:
Okay, here's my take on the situation:
It's far easier for a hacker to write a worm if he has access to ALL the source code that powers the internet. He can exploit, say, Linux boxes that run Apache to spread a worm because he found a flaw in the source code.
Yes sure, the flaw will be patched within days, hours or even minutes, but the damage will be done, albeit limited.
A patch is usually made AFTER the exploit is found, not before. You'd have to have an amazing auditing system in place in order to make 100% secure code. In my opinion, writing 100% secure code is impossible.
Microsoft tries to hide behind closed source hoping that by keeping the code closed nobody can easily detect a flaw and exploit it. The major problem with that philosophy is that the damage will be devastating were the code to be leaked...
Open Source = limited damage
Closed Source = ticking timebomb
Yuioup
This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.
The open source model also guarantees someone, somewhere will spot that malicious code and take care of it. There are 2 sides to the equation.
One point that may be made involves the leaking of MS source. Linux source has been open forever. MS's security holes may only be beginning to be uncovered.
The point of the original article was that due to the open, free, and highly available nature of open source code that ANYONE could get it and fuck with it. Yes, it's just as likely that someone with fuck with closed code but that IS NOT THE POINT. The availability of open source code IS.
If someone at Microsoft implants a backdoor into Windows XP and it goes out with the next update, it will be a matter of hours until they find, fire, and more than likely arrest the guy that did it. There are far fewer people working directly with Windows code than there are people working with Linux/open source code. While the possibility of someone installing a backdoor is still there, the risk associated with doing so in a closed environment is much higher because the probability of being caught is much higher.
It is more likely that someone that wanted a way into your system would just, I don't know, hack a trojan into Gaim or something. Or even better, something with a large codebase. Open Office, Mozilla, and so on. All it would take is to package it as an RPM file then tell the core team you're packaging RPM's so they link to your site. Everyone that downloads that version has a nice gaping Goatse-style hole in their browser.
No, it's not likely, but without a doubt the probability of something like this happening with open source software is much higher than it happening with closed source software. As an aside, I'm sick of seeing rebuttal articles that do nothing besides lick the balls of open source ideological diatribe while simultaneously calling the integrity of the original articles author into question. If you're going to use that absolutely inane logic, then nothing that RMS, ESR, or Linus says has one bit of integrity either. In some way, all of them make money from open source software, so why is their integrity not in doubt when they speak of open vs closed software? Don't they have any bias? OF COURSE THEY DO! But of course, they're on 'our' side, so it's okay if they are biased. Whatever.
'Standards' in computing only impress those who are impressed by things like 'standards'.
This will happen because the open bag model, which lets anyone look into the bag and sell or distribute the grapes, virtually guarantees that someone, somewhere, will insert spiders into the grapes.
If you can see the grapes and the bag is transparent, then any spiders can be removed. If the grapes are sold in a can and you have to eat them in the dark, you might swallow a spider.
I don't want the (original) author to be shopping for my produce.
If Slashdot were chemistry it would look like this: Cadaverine
The basic argument here is that insiders are dangerous. I think the rebuttal fairly argues that insiders are no more dangerous in an OS environment than in a proprietary environment. Security is multi-layered for this very reason.
We spend a lot of time dealing with network vulnerabilities these days because they are ubiquitous and disruptive. But, back in the corporate and Government corridors, people with critical secrets are always most fearful of the enemy inside. The bottom line is that a rogue technologist is a dangerous threat as is any rogue insider. We should design critical systems with the assumption that the bad guys are all around us.
Jones says a malicious entity could ship a version of an open-source project with malevolent code in it. Well yes, but the same can be said about closed-source software too. There's been a few recent well-publicized attempts to insert malicious code into open-source projects, but so far nobody's actually managed to get that code shipped to end-users as part of an official release. If Jones is correct, then closed-source should do at least as well. Yet, over the years, I recall several major pieces of software that shipped with back-doors or viruses on the official media. These weren't just third parties distributing bad versions, this was malware on the official versions bought directly from the software maker and still in their shrink-wrap with their seals intact. Microsoft themselves in the not too distant past shipped a fairly obnoxious trojan program to their own developers on their own SDK CDs.
Jones' assertion may be technically correct, but as with all of his assertions a simple check of the track record shows that it's closed-source, not open-source, that has the larger problem by far.
However, there is some confusion in the article about what security means. One aspect of security is authenticity and integrity; another is secrecy. When you check the MD5 checksum on a download, you are checking the integrity of the files even though the contents are publicly available. Having the source code freely available can only help the quality of projects, and does not necessitate compromising code integrity.
In Jones' article, he talks about what if a rogue distributor distributes a hacked version of Open Source Software? Ya know, this could happen :(
My question is, how many rogue distributors are there out there selling Micro$oft products? Judging from the number of virus writers there are out there, I would have to believe there's enough people out there with knowledge of Micro$oft operating systems to do this on Microsoft Proprietary products.
This potential problem isn't limited to Open Source distributions. It could happen with proprietary products also. Look at how many counterfeit disks are coming out of third world countries these days.
You could be buying the latest $M XP, and it's a counterfeit from Russia with a back door, and several backup back doors in it also.
Think about it!
W.Kid
I take no responsibility for what I say. Even though I'm never wrong
Think of proprietary software as a normal home with wooden or brick walls, roof, shades on the windows and locked doors.
Think of Open Source Software as a glass house where everything is transparent and anyone can look inside to see what's going on.
Wouldn't it be easier to see if there is something malicious going on inside a glass house than inside a normal house? Does Jones really think a burglar would try to rob a glass house? I certainly hope not! People with malicious intent prefer to HIDE their actions, whether it's sneaking in a home's back door or distributing an encrypted binary with malicious code, because they don't want to be caught.
No sane burglar is going to rob a home where everyone can see what they are doing. Anyone who adds malicious code to an OSS project will get caught just as fast.
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
I'm not sure how FreeBSD does it, but I know how Debian does it, and the fact that those people can find out what your email address is implies that the binaries you provide are cryptographically signed. This means that you are responsible for their integrity. You could certainly insert a big backdoor, but once they found out, they'd know who did it! They don't ask who you are because they don't need to know; you're the guy who's gonna get crucified if there's a problem.
A lot of large closed-source software companies can't make this claim. There's so many developers who have access to the source, and their procedures are so inadequate to the task of keeping track of who really did what, that if a backdoor appeared in their software they couldn't tell you with any confidence who did it.
By contrast, the released sources of open projects are accompanied with md5sum's (often signed themselves), so you could say with a fair degree of certainty whose hands the software was in when the backdoor appeared.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
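Three posts above turn on the same mechanism: the one that dismisses an attacker who "mods the code and then updates the MD5 sums" because projects hold offline checksums, the one warning about people who wget binaries to a server and skip verification, and the one just above noting that released sources ship with md5sums that are often signed themselves, so integrity does not depend on secrecy. The following is an added example, not code from any post, project or article mentioned on this page, showing why a checksum fetched from the same mirror as the download proves nothing, while a copy of the manifest obtained out of band (for instance from a signed release announcement saved earlier) catches the swap. The release name, tarball contents and manifest lines are constructed samples; SHA-256 is used in place of MD5 because that is what a practitioner would use today.

```python
import hashlib

RELEASE_NAME = "openfoo-1.0.tar.gz"  # constructed sample name, not a real project

# Constructed stand-ins for the genuine release and a trojaned replacement.
GENUINE_TARBALL = b"genuine release tarball bytes (constructed sample)"
TROJANED_TARBALL = b"genuine release tarball bytes + planted backdoor (constructed sample)"


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory file."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> str:
    """Render a SHA256SUMS-style manifest: '<hex digest>  <filename>' per line."""
    return "".join(
        f"{sha256_of_bytes(data)}  {name}\n" for name, data in sorted(files.items())
    )


def parse_sums(manifest_text: str) -> dict:
    """Parse a SHA256SUMS/MD5SUMS-style manifest into {filename: hex digest}.

    Accepts the GNU coreutils forms 'digest  name' and 'digest *name'
    (the '*' marks binary mode); blank lines and '#' comments are skipped.
    """
    sums = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; ignore rather than guess
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify(download_dir: dict, manifest_text: str) -> dict:
    """Check every manifest entry against the downloaded files.

    download_dir maps filename -> bytes (a stand-in for a directory on disk).
    Returns {filename: True if the digest matches, False if it differs or the
    file is missing}.  The manifest itself is public; only its provenance matters.
    """
    expected = parse_sums(manifest_text)
    results = {}
    for name, digest in expected.items():
        data = download_dir.get(name)
        results[name] = data is not None and sha256_of_bytes(data) == digest
    return results


# Manifest published with the release and saved out of band (e.g. from a signed
# announcement) BEFORE the mirror was touched.  This is the "offline checksum".
OFFLINE_MANIFEST = make_manifest({RELEASE_NAME: GENUINE_TARBALL})

# What a compromised mirror serves afterwards: the tarball is replaced and the
# attacker simply regenerates the SHA256SUMS file sitting next to it.
TAMPERED_MIRROR = {RELEASE_NAME: TROJANED_TARBALL}
TAMPERED_MIRROR_MANIFEST = make_manifest(TAMPERED_MIRROR)


def main() -> None:
    # Checking against the mirror's own manifest passes: it was regenerated too.
    print("mirror manifest :", verify(TAMPERED_MIRROR, TAMPERED_MIRROR_MANIFEST))
    # Checking against the offline copy fails, which is the whole point.
    print("offline manifest:", verify(TAMPERED_MIRROR, OFFLINE_MANIFEST))
    # The genuine download verifies cleanly against the offline copy.
    print("genuine download:", verify({RELEASE_NAME: GENUINE_TARBALL}, OFFLINE_MANIFEST))


if __name__ == "__main__":
    main()
```

The design point is the one the posts make: a digest is a public value, so publishing it takes nothing away from the code's openness, but it only binds the download to the release if the copy you compare against did not come from the same place as the file. In practice the out-of-band copy is a manifest carrying a detached signature from the project's release key, checked before the digests are trusted; the comparison step itself is exactly what `verify` does.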
"A patch is usually made AFTER the exploit is found, not before."
Most of the stuff I've been patching recently has been found before an exploit becomes known. The recent OpenSSH patches, a result of careful code auditing, most of the recent PHP errors, same again.
Seems like a lot of worms get their "inspiration" from already posted security vulns and just rely on the fact that not everybody will patch them in time.
I am NaN
While I agree with your logic, my only question is: What is in it for the proprietary software companies? Why would they produce hashes that protect open source projects, when open source projects could put them out of business?
I would not be expecting them to cooperate with this. This sets up Microsoft to sue, just like SCO, for any kernel after 2.6. The difference is they have the money to sway the opinions of average persons who are not nerds. And they outnumber us 10-1. They may not be looking for a knockout punch; they may be looking for a long, dirty slog.
What if they were trying to do this:
Instigate a problem with SCO and Linux, offer a large chunk of change to license some unlimited Unix rights, but all they wanted was the unlimited rights, so they couldn't ever be sued. What if they are working on a BSD project that is closed source at the OS level, but runs all the free stuff they won't have to support. They put an XP-like desktop on it using their own proprietary APIs, and make updates about as easy as their current Windows Update program. And you can update in a console as well. What if.
Now, I'm not ready for a tinfoil hat, but I can't help but to wonder. They have more experience with SCO Unix than anyone other than SCO (Xenix anyone?). They have used BSD code before, and still do (ftp.exe). They are the largest software company in the world, extremely profitable and have access to resources we can only dream of. And they are still hungry.
This is why I have my doubts about companies providing hashes to help open source authors.
Tequila: It's not just for breakfast anymore!