Slashdot Mirror
Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones as thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and
posted a response over on the O'Reilly Network. As previously
discussed on /. Jones' comments are too controversial to ignore."
Nice article!
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
.. one example of which is This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Yes as we all know, *anyone* is free to modify the source code, and then sell or distribute it, and we're all such trusting souls. Only this morning I chmod +x'ed and executed a binary (as root) which I had earlier accepted from a kindly stranger. More FUD methinks..
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.
Heironymous' Prime Law of Journalism:
Opions are valued in inverse relation to the amount of money paid to produce them.
In this case, the opinion that transparency is bad for security is of so little value that it's difficult to answer it with a serious tone.
After all, Windows is remarkable for its security wrt to something like, OpenBSD, known for its secretive and opaque practices.
lol.
Ceci n'est pas une signature
Now that the MS source for NT 4 and Win2k is "out there", even if only in part, we'll have a good chance to see exactly how secure it is over the next several months.
Anyone want to bet that the number of exploited Windows security holes is NOT gonna soar?
I fail to see how his logic works.
Because I can view the source code and change the source code, I can introduce a flaw. Yet it would be far less likely for a for-profit closed source project to be swayed by some sort of ulterior motive to include a flaw, because we have seen exactly how ethical and steadfast corporations are in this modern day and age.
It seems that he doesn't acknowledge that the aspect that makes open source secure is that it's hard to have a unified, systematic, malevolent agenda due to the extensive peer review inherit in the system. People who have different agendas or motives than you will be viewing your changes.
While his hypothesized scenario is certainly possible, I wouldn't go so far as to say it is a bane.
There is no doubt it may help someone to break into your system if he has the source code or your OS and various deamons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.
.... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the opennes ...
The real problem would be if only bad guys had your source code
Yeah, that would suck. That would really suck.
--
Go Debian!!!
Slashdot is feeding the troll. Just because the original article claims to be a balanced warning into OSS, a little research shows all his points to be wrong.
Just another journalist trying to make a story people - move along.
Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5
The rebuttal "Who's Guarding the Guards? We Are" , also hosted at devx. Average Rating: 4.9/5
Deltron 3030 - Virus (music video)
Let's see.. the most (un)likely way is that someone hacks a host server, mods the code and then updates the MD5 sums. Stupid. All major Open Source software know how to protect their codebases by holding offline checksums and isolated codebases. This is too unrealistic to happen these days, if you actually care about verifying what you just downloaded and are about to compile.
Instead, the security breach will be placed into the open source software from inside, by someone working on the project.
Laughable. Aboslutely ridiculous !! Can this not happen in closed source environments ? A disgruntled employee perhaps ? I'm sure the article writer would say "but there is quality control, peer review.." I suppose that never happens in Open Source.. I mean, how can we actually review the code when it's publicly available. Oh, that's right.. we can. Open Source peer review is brutal at the best of times !
"I am not bound to please thee with my answers" [William Shakespeare]
So GNU/Linux source has been out for decades. Windows source has never been out except recently. Shall we do an exploits in the wild count? Note the in the wild part. It is a distinction that anti-virus researchers make as their are some pretty nasty computer virusses that have only been spotted in their labs, not on peoples pc's.
Every now and then some idiot is going to stand up and proclaim something really stupid. Instead of gently leading that person to proper care and attention in the form of a straight jacket and handfull of pills people print their ravings.
This guy is one of them. Opensource vs closed source means very little when it comes to security. Big holes can and have been found in both. What matters is how you respond to those holes. Opensource GNU/Linux is pretty fast. Closed source Microsoft is goddamn slow. So? MS is hardly the only closed source company. If someone ever post figures on the commercial unixes or OS's like symbian and shows the same terrible performance as MS then I will be impressed.
So far all the MS exploits prove is that they have some pretty sloppy working methods in redmond. Not that closed source itself is bad. If all closed source projects have the same track record as MS then it will be news. They don't.
HOWEVER, opensource has proven itself. Countless projects use it, linux kernel, gnu toolset, kde and gnome and all the other desktops, tron the os blueprint from japan, apache, mysql and postgress and the berkely databases, bsd even though it is dying and countless others.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.
At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.
Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.
First off, Malicious hackers have day jobs.
Lots of times they are professional programmers that like to play "games" on the weekends and in the evening.
MS's source code is like a prostitute. It's gets around and around to whoever has the money to afford it. To say that it never fell into the hands of a "bad man" even thru legitamate means is foolish.
People spend months and months researching and setting up specific attacks. Sometimes the stakes are worth hundreds of thousands of dollars when it comes to corporate espinoge and trade secrets.
Now most hardcore hackers even if they do have access to the source code definately isn't going to advertise it on warez sites and post their findings on slashdot. Their time is worth money/fame/insane pride to them too.
This latest release of the windows source to warez-style groups is definately NOT the first or the last time the source code to your programs is aviable to people you don't trust.
In Open source:
The developers have the source. The crackers have the source. YOU have the source.
In Closed source:
The developers have the source. The crackers have at least partial access to the source. Your screwed.
It may be a subtle difference, but also think about this:
How many discruntled employees piss in their bosses coffee? Or at least spit? Or use stale water(If they are pussies)?
Now how many programmers are entirely "there"?
Do you want your application to be the pissing ground for angry employees? Can you tell?
No of course not, their have been plenty of cases of otherwise perfectly good programs having security holes and backdoors planted in them by programmers.
You think it's going to stop because Bill Gates says it isn't so?
and /., can you stop reporting this, it's basically one huge troll & it only encourages people like him.
btw Mr. Jones, the choice isn't open vs. closed, it's open vs. possibly leaked. yah. nice. please go away.
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
As previously discussed on /. Jones' comments are too controversial to ignore.
On the contrary, this type of comments are the ones you have to ignore. It is simply mindless, fact defying -1 troll.
I mean, when you see after a quick glance that author obviously did the research and ignored all the facts that didn't support his thesis, there's nothing you can tell him that will make him apologise, admit to mistake or sth like this.
When you see additional rhetorical manipulations (e.g. things that are insinuated but not stated straight, guilt by assosiation, or proof by analogy) you already know, that the point of the article was purposeful manipulation.
For some people operating systems, computer vendors, open vs close source, GPL vs BSD are religious matters and you don't want to get into discussing beliefs with religious fanatic.
Robert
Bastard Operator From 193.219.28.162
"Fact" #1 doesn't say anything about the relative security. Linux also continues to get better. It started better and has stayed better. Windows started from crap security and has gotten slightly better.
"Fact" #2 is (a) wrong, and (b) a non-argument. It is wrong because even as root it is not as easy to unintentionally screw things up as it is in Windows, which does so many things automatically without user knowledge so as to not "inconvenience" the user with "unimportant" details. It is certainly not less secure than Windows.
It is a non-argument because it basically says "If you use Linux insecurely, it will be insecure." It's like saying a car with a bunch of anti-theft devices is just as (or more) insecure as one with none because if you leave it running with the keys in it and doors open, someone could steal it.
"Fact" #3 has been tried and refuted many times. It is not secure because it is not as common. There's been a variety of analyses to prove this wrong. The obvious one is that Linux and Unix are used far more than Windows on servers, and yet server attacks are still more common on Windows.
At some point you have to check your "facts" before calling them facts.
Fact #3: Since Apache/linux run 66% of the webservers, you'd think that there would be many more exploits for Apache than for MS's competing product, based on your reasoning.
It's not offtopic, dumbass. It's orthogonal.
I realize I'm preaching to the choir, but here goes:
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.
Therefore, security problems for governments begin with knowing which distributions they can trust.
Security problems for governments exist because of negligence, for the most part. More below.
This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.
Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.
He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
MOst of this paragraph is doubly true about closed source companies because they are closed. An open company is subject
Like what I said? You might like my music
It's like fighting a war where we simply re-win the same outpost over and over again, and never make progress. Why?
Because the damned fools think that they're making a valid arguement when they're simply spitting out the same FUD over and over. Now, if they were to refute previously made refutations, further arguement can be made.
However, that would require them to be able to find something to refute our arguements with. Esentially, "Your guns are too big, so we'll back down and make this point again later." Urg.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
in light of what happened this week (NT4 & Win2k's source being leaked (therefore much of XP and longhorn), microsoft cant claim that their source isn't available to 'bad people' anymore. My friend downloaded the source himself a couple of days ago, i didn't have a look because to be honest, i dont care. Microsoft's source being available is far worse for security than linux/BSD etc source being available because microsoft chose "security through obscurity" - OSS OS's dont. Since NO Firewall/Virus scanner can prevent you from holes in services that are supposed to run (MSN Messenger for example [was that leaked?]) there's going to be some bad stuff happening this week to companies running windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest windows.
and illustrated by one quote from the article:
To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.
This has been the age-old cry of dictators and despots everywhere: "We are restricting the rights and freedoms of the populace for their own good!"
And it has never turned out to be true.
Hey, I just had a great idea!! If I form a company and deliberately write insecure, malicious code with backdoors in it, I could use it to control the governments of the world and become obscenely rich!
Oh, wait... someone else has already done that, and most likely patented the idea. I don't want to get busted for patent infringement, man!
Damn... back to the drawing board.
Organic free-range music... yum!
This is too conservative.... it was in the 19th century that this became accepted. It's known as "Kerckhoff's Principle." From Wikipedia:
Okay, here's my take on the situation:
It's far easier for a hacker to write a worm if he has access to ALL the source code that powers the internet. He can exploit, say, Linux boxes that run Apache to spread a worm because he found a flaw in the source code.
Yes sure, the flaw will be patched within days, hours or even minutes, but the damage will be done, albeit limited.
A patch is usually made AFTER the exploit is found, not before. You'd have to have an amazing auditing system in place in order to make 100% secure code. In my opinion, writing 100% secure code is impossible.
Microsoft tries to hide behind closed source hoping that by keeping the code closed nobody can easily detect a flaw and exploit it. The major problem with that philosophy is that the damage will be devastating were the code to be leaked...
Open Source = limited damage
Closed Source = ticking timebomb
Yuioup
(I wrote this yesterday and tried to post it as an article on /., but apparently there are so many more interesting and better written articles posted on the front page here that mine did not meet the qualifications to be posted. Or maybe it is just so off-topic and does not represent any real new ideas or news for nerds, you know, no stuff that matters is expressed in it, so don't read it.)
I am sure that all of you would agree that the free software community has been facing some bad publicity since the entire SCO incident started about a year ago. I am also sure that when the SCO goes away another publicity stunt will be performed by some other corporation or an entity that could potentially cause more trouble. An earlier article on /. reminded us that there are other dangers that could stall the development of free software projects - an illegally distributed application source base can become the next battlefield for the free source community. Whether this source code could be distributed with an intent to contaminate is not the issue, the issue is that it is important to convey the message to the public that this community does not want to contaminate its source code with proprietary software. We know that the Linux kernel for example is maintained by a group of people who would never want to be faced with the problem of proving in the court of law that their creation is really their own code. What about other projects? How many lawsuits are comming towards this community? I do not know that. But I understand that some preventative measures should be taken, some measures that will clearly display that this community wants free software and free software will not be stolen from other source bases.
:)
How can this be ensured and how can it be easily shown in a court of law that this community takes copyright issues seriously? One way that I see is to set up a server that runs the comparator by ESR against any new submission to any open source project against any code released either by mistake on with malice by a closed source vendor.
This will help to identify copyright problems before they arise. Of course to have a proprietary source code base on this server would probably be illegal in itself but it is unnecessary to have the proprietary source code, all that is needed is a set of hash-keys that identify that source code.
How could this work? A copyright protection server (CPS) would have hash-keys supplied by different vendors of software that falls into various categories and the free software projects are also divided into these categories. Let's say there is a free software project that deals with image manipulations. The CPS would run a hash-key generator on the new code submission and then would compare the generated keys with the keys supplied by Adobe or other companies specialized in image manipulations. Of-course the closed source companies would have to run the hash-key generators on their code and supply their keys, and someone has to tell them to do that, but if it is done right then the following would happen:
1. The Free Software community would have better protection from inappropriate code submissions.
2. This can be publicised and shown that the Free Software community takes their work seriously and goes to the great length, much more than any corporations to make sure that their code is Free and free of inappropriate submissions.
3. In a court of law this can be very useful, it shows good faith on the part of the free software community.
4. This would make it easier to also figure out whether the closed source vendors are misusing GPLed software
5. This makes a nice project that can be commercialized (with all the lates IP propaganda and lawsuites.)
6. This hopefully will prevent many possible infringement claims.
Well, this is just a thought, but I think this kind of verification will become part of reality at some point in the future, given more lawsuites.
Any thoughts, comments, suggestions, ideas?
You can't handle the truth.