Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /., Jones' comments are too controversial to ignore."
Nice article!
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
The responder's best point is the last; if you trust software from some unknown project or company, who knows what you're getting. But trusting in major players, such as Apache, you can be at least as sure (if not more so) that you're getting good, stable, secure software as anything shipped from Redmond.
I fail to see how his logic works.
Because I can view the source code and change the source code, I can introduce a flaw. Yet it would be far less likely for a for-profit closed source project to be swayed by some sort of ulterior motive to include a flaw, because we have seen exactly how ethical and steadfast corporations are in this modern day and age.
It seems that he doesn't acknowledge that the aspect that makes open source secure is that it's hard to have a unified, systematic, malevolent agenda due to the extensive peer review inherent in the system. People who have different agendas or motives than you will be viewing your changes.
While his hypothesized scenario is certainly possible, I wouldn't go so far as to say it is a bane.
and we're all such trusting souls
I'm providing binary security updates for FreeBSD. The Project publishes source code patches (and adds them into the CVS tree); I take those and build binaries, in order to help people who cannot or don't want to build updated binaries themselves.
Thousands of people have used updates I've built; nobody has ever emailed to ask "who are you, and why should I trust you?"
We may not be *all* such trusting souls, but there are an awful lot of trusting souls out there.
Tarsnap: Online backups for the truly paranoid
There is no doubt it may help someone to break into your system if he has the source code of your OS and various daemons. Fortunately, when it's open-source, we can hope bugs allowing bad guys to break in may have been spotted by nice guys before and patched.
.... that would really suck. If for instance there was a leak of your source code on the internet, and of course only bad guys would look at it (because others do not give a shit) and thus you would get only the bad part of the openness ...
The real problem would be if only bad guys had your source code
Yeah, that would suck. That would really suck.
--
Go Debian!!!
Slashdot is feeding the troll. Just because the original article claims to be a balanced warning into OSS, a little research shows all his points to be wrong.
Just another journalist trying to make a story people - move along.
Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5
The rebuttal "Who's Guarding the Guards? We Are", also hosted at devx. Average Rating: 4.9/5
Deltron 3030 - Virus (music video)
So GNU/Linux source has been out for decades. Windows source has never been out except recently. Shall we do an exploits-in-the-wild count? Note the "in the wild" part. It is a distinction that anti-virus researchers make, as there are some pretty nasty computer viruses that have only been spotted in their labs, not on people's PCs.
Every now and then some idiot is going to stand up and proclaim something really stupid. Instead of gently leading that person to proper care and attention in the form of a straitjacket and a handful of pills, people print their ravings.
This guy is one of them. Open source vs. closed source means very little when it comes to security. Big holes can and have been found in both. What matters is how you respond to those holes. Open source GNU/Linux is pretty fast. Closed source Microsoft is goddamn slow. So? MS is hardly the only closed source company. If someone ever posts figures on the commercial Unixes or OSes like Symbian and shows the same terrible performance as MS, then I will be impressed.
So far all the MS exploits prove is that they have some pretty sloppy working methods in Redmond. Not that closed source itself is bad. If all closed source projects have the same track record as MS, then it will be news. They don't.
HOWEVER, open source has proven itself. Countless projects use it: the Linux kernel, the GNU toolset, KDE and GNOME and all the other desktops, TRON (the OS blueprint from Japan), Apache, MySQL and PostgreSQL and the Berkeley databases, BSD (even though it is dying) and countless others.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes, there are millions of trusting souls out there who (if they have even considered the issue) perceive themselves to not have any *choice* but to trust the Microsoft Corporation. Your site appears to be reputable, and you presumably have nothing to gain by publishing malware. I think you have to some degree missed the point of the article, which talked about high security applications of computing, such as national security et al. To say that trusting a single corporation which will not show you the "ingredients" is more secure than having a choice of sources, compilers and so on is naive at best, IMO.
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
I was recently involved in a project where a large Swedish car manufacturer migrated to a corporate wide client platform. The operating system was supplied by a major American software company, packaged by a major American computer manufacturer, reviewed and further packaged by the car manufacturer's mother company and finally tailored for local requirements by one of our teams.
At any one of those stages, a hacked binary could've been introduced into the operating system. To modify a binary, even without access to the source code for said binary, is a trivial task for anyone with a rudimentary knowledge of assembler.
Proprietary code does not, in any way, prevent malicious code from entering the system. One of the points in the original article was that a malicious distribution could be specifically tailored for and marketed to, for instance, a government. My example above shows how a proprietary code operating system can be used in a similar way, and this time without any source code to check against.
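The multi-stage repackaging chain described above is exactly where a hash manifest, signed by the upstream publisher and re-verified at every hand-off, catches a binary that was altered in transit. This is an added illustration, not the commenter's or any vendor's tooling; the file names, contents and the HMAC key are constructed, and a real deployment would use a public-key signature rather than a shared HMAC key.

```python
import hashlib
import hmac
import json

# Constructed sample "binaries" standing in for the OS image as shipped upstream.
UPSTREAM_FILES = {
    "bin/ftp": b"\x7fELF upstream ftp client build 1",
    "lib/net.so": b"\x7fELF upstream network library build 1",
}

# Constructed publisher key (hypothetical); only the publisher may hold it.
PUBLISHER_KEY = b"constructed-demo-key"


def build_manifest(files, key):
    """Hash every file and sign the canonical manifest, so later stages can
    check both the file contents and that the manifest came from the publisher."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_stage(files, manifest, key):
    """Check a repackaged tree against the publisher's manifest.
    Returns (signature_ok, sorted list of problems); an empty list means intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    sig_ok = hmac.compare_digest(expected, manifest["sig"])
    problems = []
    for path, digest in manifest["files"].items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            problems.append(f"modified: {path}")
    for path in files:
        if path not in manifest["files"]:
            problems.append(f"unexpected: {path}")
    return sig_ok, sorted(problems)


def demo():
    """Constructed downstream tree: one binary changed at an intermediate stage,
    one file added that the publisher never shipped."""
    manifest = build_manifest(UPSTREAM_FILES, PUBLISHER_KEY)
    repackaged = dict(UPSTREAM_FILES)
    repackaged["bin/ftp"] = b"\x7fELF rebuilt ftp client"
    repackaged["lib/extra.so"] = b"\x7fELF integrator add-on"
    return verify_stage(repackaged, manifest, PUBLISHER_KEY)
```

Each stage in the chain re-runs `verify_stage` against the original publisher's manifest, so a change made by any intermediary shows up as "modified" or "unexpected" regardless of whether the source code is available.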
As previously discussed on /. Jones' comments are too controversial to ignore.
On the contrary, this type of comment is the one you have to ignore. It is simply mindless, fact-defying -1 troll.
I mean, when you see after a quick glance that the author obviously did the research and ignored all the facts that didn't support his thesis, there's nothing you can tell him that will make him apologise, admit to a mistake or something like this.
When you see additional rhetorical manipulations (e.g. things that are insinuated but not stated straight, guilt by association, or proof by analogy) you already know that the point of the article was purposeful manipulation.
For some people operating systems, computer vendors, open vs. closed source, GPL vs. BSD are religious matters and you don't want to get into discussing beliefs with a religious fanatic.
Robert
Bastard Operator From 193.219.28.162
"Fact" #1 doesn't say anything about the relative security. Linux also continues to get better. It started better and has stayed better. Windows started from crap security and has gotten slightly better.
"Fact" #2 is (a) wrong, and (b) a non-argument. It is wrong because even as root it is not as easy to unintentionally screw things up as it is in Windows, which does so many things automatically without user knowledge so as to not "inconvenience" the user with "unimportant" details. It is certainly not less secure than Windows.
It is a non-argument because it basically says "If you use Linux insecurely, it will be insecure." It's like saying a car with a bunch of anti-theft devices is just as (or more) insecure as one with none because if you leave it running with the keys in it and doors open, someone could steal it.
"Fact" #3 has been tried and refuted many times. It is not secure because it is not as common. There have been a variety of analyses to prove this wrong. The obvious one is that Linux and Unix are used far more than Windows on servers, and yet server attacks are still more common on Windows.
At some point you have to check your "facts" before calling them facts.
Fact #3: Since Apache/linux run 66% of the webservers, you'd think that there would be many more exploits for Apache than for MS's competing product, based on your reasoning.
It's not offtopic, dumbass. It's orthogonal.
It's like fighting a war where we simply re-win the same outpost over and over again, and never make progress. Why?
Because the damned fools think that they're making a valid argument when they're simply spitting out the same FUD over and over. Now, if they were to refute previously made refutations, further argument can be made.
However, that would require them to be able to find something to refute our arguments with. Essentially, "Your guns are too big, so we'll back down and make this point again later." Urg.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
The impression I formed from the DevX article was that it was aimed at government (and I suppose you could argue that that might influence large corporations, too).
In my experience government and corporate IT admins are *not* trusting souls. As an example, I once worked as a contractor for an agency that built software for the UK health service: everything I built was then reviewed and recompiled by in-house staff. The manager told me that they preferred open-source precisely because of the ability to review source code. Cost was only a secondary factor.
The same manager also commented that security-through-obscurity - relying on closed-source to deter evil-doers - was not an acceptable option as it placed too much reliance on third-parties.
This is where the serious fun begins.
In light of what happened this week (NT4 & Win2k's source being leaked (therefore much of XP and Longhorn), Microsoft can't claim that their source isn't available to 'bad people' anymore. My friend downloaded the source himself a couple of days ago; I didn't have a look because, to be honest, I don't care. Microsoft's source being available is far worse for security than Linux/BSD etc. source being available because Microsoft chose "security through obscurity" - OSS OSes don't. Since NO firewall/virus scanner can protect you from holes in services that are supposed to run (MSN Messenger for example [was that leaked?]) there's going to be some bad stuff happening this week to companies running Windows. Hopefully, this will give them reason to choose a more secure platform next time they change software, instead of just upgrading to the latest Windows.
and illustrated by one quote from the article:
To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.
This has been the age-old cry of dictators and despots everywhere: "We are restricting the rights and freedoms of the populace for their own good!"
And it has never turned out to be true.
Hey, I just had a great idea!! If I form a company and deliberately write insecure, malicious code with backdoors in it, I could use it to control the governments of the world and become obscenely rich!
Oh, wait... someone else has already done that, and most likely patented the idea. I don't want to get busted for patent infringement, man!
Damn... back to the drawing board.
Organic free-range music... yum!