Slashdot Mirror


Open Source a National Security Threat

n3xup writes "Dan O'Dowd, CEO of Green Hills Software, suggests that open source software has the capability of being sabotaged by foreign developers and should not be used for U.S. military or security purposes. He likened Linux with a Trojan Horse- free, but in the end a lot of trouble. O'Dowd thinks that unfriendly countries will attempt to hide intentional bugs that the Open Source community will have no chance of finding."

19 of 921 comments (clear)

  1. Re:Well, here's the obvious (imho) response. by Jim_Hawkins · · Score: 3, Interesting

    Hate to break it to you, but there are a lot of other places that would *love* to have US information than good ol' Osama. These other governments have money. They have the resources to hire someone to insert this code into any open source project.

    As for the NSA inspecting this code -- that's all well and good. But, how often do hundreds of individuals look over OpenSource code and miss a big for awhile. "Awhile" is all it takes for a foreign government to download A LOT of information that they shouldn't have.

    Contrary to popular belief, a lot of places do not like America. It's not the big lovable teddy bear that it likes to think it is. It's a great country, but it should do everything it has to do to protect itself.

  2. This is an old story, and FUD anyway by Bruce+Perens · · Score: 5, Interesting
    Green Hills is a failing company that is seeing its market go to Open Source. In contrast, Wind River, which is in the same market with the same customers, embraces Linux.

    The fact is that Green Hills products are no more secure, and may well be less secure, because they don't have the "many eyes" looking at their source code. We've had trojan horse attempts in Open Source software. They get caught quickly. But even if the source is disclosed, nobody outside of their tiny company has an incentive to do productive work on the internals of a Green Hills operating system in the way that people who modify GNU/Linux do. And security audits by such a small company can't catch everything.

    The best example of this has been the Borland Interbase database. This was used for airline reservations, and had a trojan horse buried in it for 6 to 9 years while it was a proprietary product. The door could have been found by anyone who did an ASCII dump of the product, but those who did kept it secret, and probably took a lot of free flights. An Open Source coder found the door some months after the database went Open Source, and had an incentive to report it - at that point he was one of the people doing productive work on the database and only wanted it to work better and more securely.

    This "black hats" (people who are motivated for bad purposes) vs. "white hats" (good purpose) phenomenon is important to consider when you evaluate the security of Open Source. Generally the only people who would look for vulnerabilities in proprietary software, outside of its manufacturer, are looking to exploit them! This is hardly the case with Open Source.

    Thanks

    Bruce

  3. Re:the rest world chooses linux for the same reaso by bit01 · · Score: 4, Interesting

    (who knows what M$ + NSA put in the closed windows source that might hurt other nations)?

    Cryptographic code for a start.

    ---

    It's wrong that an intellectual property creator should not be rewarded for their work.
    It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
    Reform IP law and stop the M$/RIAA abuse.

  4. Pure FUD, indeed by krygny · · Score: 3, Interesting

    Well, he said it all, so it must be true; even though he backs it up with nothing. This is so wrong on so many levels I don't even know where to begin. His assetions are hardly worth addressing. Therefore, pure FUD.

    Ok, I'll bite just once: I doubt there is a single weapon system procured by the DoD in the last 10 years that does not have a subsatantial portion of it outsourced overseas. Most procurments now require some % of it, by contract.

    --
    Research shows that 67% of those who use the term "research shows", are just making shit up.
  5. Re:Understand the Source Perspective by Altus · · Score: 5, Interesting


    thats why you do testing and code reviews. its not like these people are downloading new kernals in the field, any code that goes into a government project requires immense testing and code review... PERIOD. I dont care who wrote it.

    if the military wanted to use open source software they would likely take the source and lock it down, producing a branch, for them that would be secured and standardized after a large review. if they wanted to bring in new functionality from the "public" branch it would mean a new verion of their "secure and approved" branch which would have to go through the same review process again.

    Its not like they dont have to do this anyway with the code they produce now... sure they arent expecting people to try an sabotage them but you can do that without intention simply by making a coding error. Testing & code review is essential to the process.

    this isnt that much differnt that what the military does with hardened versions of comercial processors... sure they lag behnind their comercial counterparts because they have to be hardend and tested heavily, but then they work, and they are able to leverage the initial design work and testing done when the hardware was being developed for comercial purposes.

    --

    "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

  6. Outsourced Proprietary Software? by rlp · · Score: 4, Interesting

    At least OSS lets the prospective user review the source code. U.S. companies are rapidly outsourcing proprietary development to foreign countries. Key infrastructure software (and firmware) is being developed in countries such as mainland China (including code used for the U.S. telecom system). Meanwhile, the U.S. military is rapidly adopting off-the-shelf components to reduce costs. But, by all means, lets ignore this, and concentrate on OSS ...

    --
    [Insert pithy quote here]
  7. Re:Understand the Source Perspective by D3 · · Score: 5, Interesting

    The NSA already produces their own version of secure Linux. It wouldn't surprise me one bit that they check that code very carefully. I doubt they just grab a copy of the RedHat ISO images and lock down the starup files.

    Also, your code would have to be integrated enough into the calculations to only mis-fire when aimed at a certain target or to mis-fire at a set percentage. If the mis-fires were too high they wouldn't buy off on the weapon.

    --
    Do really dense people warp space more than others?
  8. Funny How Great Minds Think Alike... by EXTomar · · Score: 4, Interesting

    If you were a paranoid Iranian or North Korean computer user and look at Microsoft Windows would you think the same thing? Heck, why would a Chinese user think that MS and the NSA/CIA/alphabet soup is trying to snoop them? Because MS allows a select group to look at their source?!?

    At least with Open Source you have the source to ultimately check for yourself. Vendors like Novel, IBM, and RedHat are supposed to be actively looking at the source to make sure no one is slipping stuff in that doesn't belong but if you don't believe them you can do it yourself.

    So you have a Mr. Dan O'Dowd trying to a terrorist ghost threat into Open Source. The problem is that the source is there for you to inspect. With Microsoft the only word you have is their word that they aren't monkeying with the OS to monitor you.

    IMHO, BSD and Linux are perfect for Military and security applications. You can inspect every corner of the kernel. You can freeze on a specific version because you always have that source code. You can branch and patch as you see fit. This seems perfect for the military and security branches. With Microsoft you have to "signup" (how much money does it cost to do that?) to view the source and then what? The only proof you have is that this particular version of Windows hasn't been monkeyed with. What about the patches and hotfixes? *shrug*

    When it really boils down to it are you going to believe the source you compiled, you control yourself or Microsoft? I think Mr. O'Dowd's trust is ill placed.

  9. Ignore this at your peril by FWMiller · · Score: 4, Interesting

    I'm a long time Linux user and have been around open-source for a long time. While the source of this article is obviously questionable, I work for a Defense Contractor and I'm here to tell you, the points raised in the article have some truth to them.

    If you're selling products to the govt and those products use an operating system, the issue of being able to GUARANTEE that your code base is not and cannot be coerced is very real. Everyone has (or should have) seen the techniques used to obfuscate trojan horses by using a compiler or some other tool that makes this problem even harder.

    The problem being eluded to here is about a chain of control of a code base that can be demonstrated to satisfy a DoD or other govt customer. While no process can ever be completely secure, the real point is, if you have a choice between a system that has been developed in a closed environment where you can keep an eye on everyone involved and and open-source development, the prior development is easier to verify. You can call it FUD but this is a real issue within the govt circles and WILL limit the use of Linux in certain applications.

    --
    Frank W. Miller
  10. Amusing article by u-235-sentinel · · Score: 5, Interesting

    Even if Linux were as secure as Windows, Windows is the wrong benchmark. Defense systems should be held to a higher standard.

    As secure as Windows? He's kidding .. right?

    When I worked for the AirForce, they had several instances in which systems were comprimised (desktops). Various worms came out of the blue and just hammered their network. My systems running Linux noticed it immediately. In fact I was told there was NO problem. After a few hours of watching the logs logging attacks over and over again I then noticed a general email sent out to all explaining there was a problem and instructions were provided.

    As secure as Windows? God I hope not!

    The Federal Aviation Administration (FAA) requires software that runs commercial (and many military) aircraft be approved as part of a DO-178B certification. DO-178B Level A is the highest safety standard for software design, development, documentation, and testing. It is required for any software whose failure could cause or contribute to the catastrophic loss of an aircraft.

    Several operating systems have been DO-178B Level A certified. Until Linux is certified to DO-178B Level A, our soldiers, sailors, airmen and marines should not be asked to trust their lives with it.


    If Linux isn't at this level then what is the point of the article? Linux is certified for various things in the military. Whenever I stand up a server I was asked what OS I would be running. Everyone was apprehensive it would be Windows which requires a whole heap of testing before it's allowed to run in production. As soon as I told security it was either Unix or Linux they would sigh and tell me to go ahead. Much more confidence there :-)

    --
    Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
  11. all in the family by blooba · · Score: 5, Interesting
    both my father and i were DoD software engineers, me as a developer, and he as a tester. i do commercial stuff nowadays, and dad's retired. we both know, for a cold hard fact, that no national security- or defense-related software ever goes into production without passing the most rigorous reviews and testing, throughout its entire lifecycle. from functional descriptions, through design reviews, code walkthroughs and acceptance testing, everything is closely monitored and recorded.

    so, please explain to me again how open source terrorists are going to slip their malware under our noses?

  12. Re:Understand the Source Perspective by duffbeer703 · · Score: 4, Interesting

    Friendly fire is a fact of life for surface based anti-aircraft weaponry. Creating a spoof-proof friend or foe anti-aircraft system is a non-trivial problem.

    That's one of the reasons why the US has always focused on fighter aircraft at the expense of anti-air artillery and SAM systems.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  13. Re:Understand the Source Perspective by Rei · · Score: 5, Interesting

    I think the DoD's biggest fear concerning OSS is not that the software is too insecure, but that it is *too good* for something available in the public domain. If other countries can get all of the tools they need for a weapon apart from, say, a specific 1000-line guidance or control program, and can make any changes to the tools that they need, that gives them a *major* bonus. Lets not forget how hard our government has worked to stop the export of technology in general - including software - to countries deemed "enemies".

    --
    SILENCE BLATHERING TOADIES! We are your new masters.
  14. Green Hills FUD was covered on groklaw months ago by Jayfar · · Score: 3, Interesting

    Is this a dup? I dunno, but Green Hills FUD was discussed on groklaw at great length over 3-1/2 months ago.

  15. Re:Understand the Source Perspective by Giggle+Stick · · Score: 3, Interesting

    I wonder if they've found any security vulnerabilities that they aren't telling the world about? They would fix it in their versions, but leave it in the main one, so that they could exploit it against enemies that are using Linux and other GNU stuff.

  16. Supporting comment by Allen+Zadr · · Score: 5, Interesting
    Here's a supporting comment...

    Just as parent post suggested. Except, the govenment is already auditing open source, and customizing the Linux kernel to it's own needs... Does nobody remember NSA Secure Linux?

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.
  17. Re: Do we need another comment? by Anonymous Coward · · Score: 3, Interesting
    Maybe this: How has the penguin got into the US army? Let's look on the Land Warrior project:


    http://www.usatoday.com/tech/news/2002/02/07/tech- military.htm tells the first part (or may be the first and the second) of the story: The army started its own proprietary development, employing several contractors to design completly new system (of hardware and software, not only a software operating system). The development proved to be expensive and inefficient, not leading to anything usable---they got it reviewed, learned the lesson and changed their approach. They adopted and adapted mostly commertially available off the shelf parts, including the Windows operating system. Then they moved forward, up to actual tests of usable equipment.


    The next part is told at http://www.nationaldefensemagazine.org/article.cfm ?Id=1238 The new design, including Windows, failed its test. The army again learned its lesson, the whole system was redesigned, and Linux adopted for its operating system.


    The army did not take Linux out of sheer stupidity, not knowing other alternatives---the army took Linux after serious considerations of its rich and expensive experience with several other alternatives.


    Mr. O'Dowd speaks of Linux being worse than Windows, and Windows being almost as bad as Linux. Looks like his Green Hills Software was part of the firs expensive exprience of the army, first losing its contracts to Windows, and then to Linux.

  18. So US-Centric by abe+ferlman · · Score: 3, Interesting

    A lot of other governments are moving away from Microsoft b/c they're pretty sure we're using Windows to spy on them.

    Unfortunately, you can't guarantee that someone looking to subvert windows in a subtle way won't be hired by (or more interestingly, license their code to) Microsoft- so with closed source you basically get the worst of all possible worlds.

    --
    microsoftword.mp3 - it doesn't care that they're not words...
  19. US has software trojans too... by Dr_Marvin_Monroe · · Score: 4, Interesting

    Lest us not forget that WE'VE been planting trojans in software shipped overseas too. I recall a story here regarding deliberately sabotaged software shipped to some Russian pipline project. As I recall, the trojaned pipeline test software was designed to operate the pipeline at 10X normal pressure and cause an explosion...which it properly did, setting back the Russian government's energy plans.

    When other governments start using OSS, they may be freeing themselves of these US planted trojans. I believe THAT is the major fear of the US government... Not that they will fail to detect a foreign planted bug in some fighterjet, but that OUR planted bugs will be found by China/India/Pakastan/Iran/etc... This would also seem to explain our government's looking the other way with regard to the Microsoft settlement. Remember that the anti-trust settlement was made within a week or so of September 11. Remember also the "Green Lantern" project, where our government was activly looking for ways to co-opt peoples boxes.

    Software than cannont be easily trojaned creates just one more difficulty for our spy agencies. As with the gangster who was using pretty secure encryption, the government is now forced to use things like hardware keystroke loggers (meaning they have to have physical access to the unit), sneek-and-peek, you get the idea.

    The US government has an interest in keeping people using insecure systems. How easy to you think it was to open those Windows laptops captured in Afganastan? Why, the NSA had those famous "NSA-KEY" entrys to Windows!... Easy as pie. The last thing they want is for KSM and OBL to start putting strong-encrypted filesystems on their Linux laptops in Afganastan. No way to plant the backdoor!

    Expect to see a lot more of this type of FUD... The US Government has plenty of time and money to make sure that their Linux systems are safe, they just don't want others using them...