Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones as thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and
posted a response over on the O'Reilly Network. As previously
discussed on /. Jones' comments are too controversial to ignore."
Heironymous' Prime Law of Journalism:
Opions are valued in inverse relation to the amount of money paid to produce them.
In this case, the opinion that transparency is bad for security is of so little value that it's difficult to answer it with a serious tone.
After all, Windows is remarkable for its security wrt to something like, OpenBSD, known for its secretive and opaque practices.
lol.
Ceci n'est pas une signature
Now that the MS source for NT 4 and Win2k is "out there", even if only in part, we'll have a good chance to see exactly how secure it is over the next several months.
Anyone want to bet that the number of exploited Windows security holes is NOT gonna soar?
There is no doubt it may help someone to break into your system if he has the source code or your OS and various deamons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.
.... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the opennes ...
The real problem would be if only bad guys had your source code
Yeah, that would suck. That would really suck.
--
Go Debian!!!
I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.
At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.
Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.
Playing the devil's advocate here, you can trust source from Apache yes, but can you trust a precompiled Apache HTTPD from ACME GPU/Linxu?
The impression I formed from the DevX article was that it was aimed at government (and I suppose you could article that that might influence large corporations, too).
In my experience government and corporate IT admins are *not* trusting souls. As an example, I once worked as a contractor for an agency that built software for the UK health service: everything I built was then reviewed and recompiled by in-house staff. The manager told me that they preferred open-source precisely because of the ability to review source code. Cost was only a secondary factor.
The same manager also commented that security-through-obscurity - relying on closed-source to deter evil-doers - was not an acceptable option as it placed to much reliance on third-parties.
This is where the serious fun begins.
in light of what happened this week (NT4 & Win2k's source being leaked (therefore much of XP and longhorn), microsoft cant claim that their source isn't available to 'bad people' anymore. My friend downloaded the source himself a couple of days ago, i didn't have a look because to be honest, i dont care. Microsoft's source being available is far worse for security than linux/BSD etc source being available because microsoft chose "security through obscurity" - OSS OS's dont. Since NO Firewall/Virus scanner can prevent you from holes in services that are supposed to run (MSN Messenger for example [was that leaked?]) there's going to be some bad stuff happening this week to companies running windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest windows.
(I wrote this yesterday and tried to post it as an article on /., but apparently there are so many more interesting and better written articles posted on the front page here that mine did not meet the qualifications to be posted. Or maybe it is just so off-topic and does not represent any real new ideas or news for nerds, you know, no stuff that matters is expressed in it, so don't read it.)
I am sure that all of you would agree that the free software community has been facing some bad publicity since the entire SCO incident started about a year ago. I am also sure that when the SCO goes away another publicity stunt will be performed by some other corporation or an entity that could potentially cause more trouble. An earlier article on /. reminded us that there are other dangers that could stall the development of free software projects - an illegally distributed application source base can become the next battlefield for the free source community. Whether this source code could be distributed with an intent to contaminate is not the issue, the issue is that it is important to convey the message to the public that this community does not want to contaminate its source code with proprietary software. We know that the Linux kernel for example is maintained by a group of people who would never want to be faced with the problem of proving in the court of law that their creation is really their own code. What about other projects? How many lawsuits are comming towards this community? I do not know that. But I understand that some preventative measures should be taken, some measures that will clearly display that this community wants free software and free software will not be stolen from other source bases.
:)
How can this be ensured and how can it be easily shown in a court of law that this community takes copyright issues seriously? One way that I see is to set up a server that runs the comparator by ESR against any new submission to any open source project against any code released either by mistake on with malice by a closed source vendor.
This will help to identify copyright problems before they arise. Of course to have a proprietary source code base on this server would probably be illegal in itself but it is unnecessary to have the proprietary source code, all that is needed is a set of hash-keys that identify that source code.
How could this work? A copyright protection server (CPS) would have hash-keys supplied by different vendors of software that falls into various categories and the free software projects are also divided into these categories. Let's say there is a free software project that deals with image manipulations. The CPS would run a hash-key generator on the new code submission and then would compare the generated keys with the keys supplied by Adobe or other companies specialized in image manipulations. Of-course the closed source companies would have to run the hash-key generators on their code and supply their keys, and someone has to tell them to do that, but if it is done right then the following would happen:
1. The Free Software community would have better protection from inappropriate code submissions.
2. This can be publicised and shown that the Free Software community takes their work seriously and goes to the great length, much more than any corporations to make sure that their code is Free and free of inappropriate submissions.
3. In a court of law this can be very useful, it shows good faith on the part of the free software community.
4. This would make it easier to also figure out whether the closed source vendors are misusing GPLed software
5. This makes a nice project that can be commercialized (with all the lates IP propaganda and lawsuites.)
6. This hopefully will prevent many possible infringement claims.
Well, this is just a thought, but I think this kind of verification will become part of reality at some point in the future, given more lawsuites.
Any thoughts, comments, suggestions, ideas?
You can't handle the truth.