Is Open Source Fertile Ground for Foul Play? 723
jsrjsr writes "In an article DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
Take action (Score:5, Informative)
Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."
Here's the article, site has been slashdotted (Score:5, Informative)
Open Source Is Fertile Ground for Foul Play
The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.
by A. Russell Jones February 11, 2004
An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.
This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
How Can This Happen?
The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably hi
Impartiality (Score:5, Informative)
Re:Fear Outlook Express for Linux... (Score:1, Informative)
You heard it here first, anon. for a reason.
Already a Good Rebuttal (Score:3, Informative)
you get what you pay for... (Score:2, Informative)
c'mon, this article has to be a joke.
closed source has all the problems of OS, and more, not vice-versa. you can at least review the code of a program before implementing it, and even if you don't know how to code, there's thousands of other users surveying the code as well for errors. the OS community wants OS to look good - sure there are some people in it that probably would/have coded a backdoor here and there, but that's few and far between - especially compared with the people writing exploits for commonly used closed source applications...
You really have two choices: (Score:3, Informative)
2. Use closed source. If a bug appears, your at the mercy of Microsoft to fix it. That may mean months waiting while your system is vulnerable. No way to find the bugs, no way to fix them yourself. Your business could be relying on a time bomb and not even know it. And of course, with only the MS guys looking for holes, the chance they'll miss them is greater. More eyes scanning code usually means less bugs. And any time Microsoft could decide to drop the product or force you to upgrade or pay overcharged rates for licenses, all at Balmer's whims. Going with closed source is putting your business at the mercy of Microsoft (yes, I know closed source != just microsoft but what is easier: to type closed source or to simply type MS?)
WTF? (Score:3, Informative)
Re:Sounds like someone trying to by controversial. (Score:3, Informative)
Slashdotted: Article text here: (Score:1, Informative)
This will happen because the proprietry model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter proprietry software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Windows code is carefully scrutinized, that's not terribly likely. Much more likely is that vendors will be created and advertised for free, or created with the express purpose of marketing them to governments at cut- rate pricing. As anyone can create and market a vendor, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself, the same possibilities (and probabilities) exist for every proprietry software package installed and used on the machines.
How Can This Happen?
The products of the proprietry software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, a free open-source operating system, the free open-source Apache Web server, and proprietry office suites. There are several reasons that proprietry software and Windows in particular are seeing such a dramatic uptick in use, including IBM's extensive Windows support effort over the past several years, and the widespread perception that Windows is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)
So far, major Windows vendors such as Microsoft and others have been able to discover and remedy attacks on their core source- code servers. The vendors point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market or give away a Windows vendor, there's also a reasonably high risk that someone will create a vendor specifically intended to subvert security. And how would anyone know?
Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group
Re:figures... (Score:5, Informative)
http://www.amazon.com/exec/obidos/search-handle-u
Re:Who's paying DevX to write this shit? (Score:1, Informative)
Who can really trust a site that purports to be objective while taking money from one of the sides in the "controversy"? (Right, Slashdot?)
Re:Who's paying DevX to write this shit? (Score:2, Informative)
For explanation, we need look no further than the prominent Microsoft ad on the article. It wouldn't surprise me if the whole site was sponsored by Redmond.
Re:Russell seems a bit dated (Score:2, Informative)
Re:Sounds like someone trying to by controversial. (Score:5, Informative)
That's because the relevant teams _checked_ the code against known good code to see if there had been anything planted. If there were problems, you would have heard about them.
From other articels by the same author (Score:1, Informative)
The point is not so much that open source is copycatting Microsoft but rather that open source vendors understand that Linux users, especially the great mass of potential Linux users, aren't any different from Windows users. They want the same applications, with the same features, the same ease of use, and largely, the same look and feel. As Linux moves beyond the hobbyist and server space into the corporate and home desktop space, there will be an increasing number of Linux users who genuinely don't care whether their applications are open source, and in fact would probably rather use their familiar Microsoft applications, if they are available, than retrain on unfamiliar and less mature applications. "
On the other hand, he has a point concerning Linux while quoting Pavlicek's Top Ten list in yet another article [devx.com]:
The multiple-GUI problem illustrates a basic difference in Windows and Linux. Windows has one general GUI interface which has served many millions of people and works for many millions of different applications. The Mac (another successful consumer OS) is similar; one general GUI works across all Mac applications. Why is Linux different? [...]
Give them the real thing, Microsoft. Give them choice. Port the applications and development tools [to Linux]. Turn the millions of Microsoft developers loose on Linux, and let them build the future on both platforms.
Provided they do so with Open Source, that is!
Re:Um, yeah (Score:3, Informative)
Re:Sounds like someone trying to by controversial. (Score:5, Informative)
Hey Russel,
Just two obvious points of rebuttal.
1. Your question:
Who's Watching the Watchers?
Makes a cold chill run down my spine, when I think of closed source
software. In fact, many of your statements, such as the rogue coder,
holds just as true, for CSS. The difference? You (as a consumer)
cannot see the code. At atmosphere, which breeds closedness, and
non-disclosure of hacker attacks, is far more scary, then one (such
as Debian), which openly announces, that it has been hacked. Imagine
a hacker gaining access to Microsoft code. Imagine MS catching him,
and removing the malicious code. But
the hacker will ever know.
Your statement, that "core" members, will port the code, just doesn't
make sense. Assuming we're not into the old chicken and egg problem,
with the bootstrapping compiler, an Open Source project, is defined
as having the source open. If you compile a program, and it ends up
different, then the one you downloaded, then something is very
wrong indeed.
2. In academia, and security circles, full disclosure, to be able to
repeat trials, and be able to uncover weaknesses in software, is the
norm. Hiding behind binary code, does not a very powerfull brickwall
make. Hiding behind a wellthought out design, which is not open to
attacks (confirmed by peerreview), and relies on algoritmic
defences, makes a strong brick wall.
I am sorry, but all in all, a very poor article.
Regards,
Svend
Re:Sounds like someone trying to by controversial. (Score:5, Informative)
This attitude is EXACTLY what is making OS so popular and attractive. Even a small bug can drive someone out there eventually crazy enough to pick up the code and fix it. There's a famous feature in Word that pushes footnotes to subsequent pages if line spacing is anything other than single spacing. Only the footnote, mind you, not the anchor and the surrounding text. As it so happens, double-spaced text with footnotes is extremely prevalent in academia and other formal environments, making this feature very well known amongst grad students and such. But again, since this feature hasn't brought down entire computer networks and hasn't been mentioned by Tom Brokaw on the six-o-clock news, it's not worth Microsoft's time to fix. Even though it significantly impedes Word's primary purpose, that of creating documents.
Jones is a Microsoftie from way back (Score:3, Informative)
Re:Sounds like someone trying to by controversial. (Score:3, Informative)
This is why we have trusted vendors. I'd bet from here to Tuesday that IBM performs internal audits on the software that it redistributes. And before it gets to IBM, Redhat does it's own. Before that then it is the people writing the software. There are three layers of people, two of which there are responsible people behind. If you are not using software except from a trusted vendor,your risk is low.
The only argument this guy makes is that it is not good to use software from people you don't trust. Duh. That point is true wether you are talking about open source software or not.
Re:Sounds like someone trying to by controversial. (Score:2, Informative)
Re:Um, yeah (Score:5, Informative)
I think you're right. Here's [cert.org] the link.
"It was introduced by maintainers of the code within Borland."
So that just leaves the Sendmail trojan, which lasted how long? 8 days?
windows: as good as it gets? (Score:3, Informative)
Or is his point that it never gets any better than MyDoomA and MyDoomB and we better learn to live with it? 'Cause I think we already disproved that one...
Backdoor in Borland InterBase (Score:2, Informative)
Security by Obscurity is crap. (Score:3, Informative)
Has he no knowledge of the numerous papers that have pretty much torn apart the concept he proposed? Or did he think he invented the idea of Security by Obscurity???
Yes, not letting people see the holes in your software does make it harder to break into them. But it also makes it impossible for white hats (good guys/hackers) to find and correct them.
Open source has pretty much demonstrated that the number of white hats examining their software is greater than the number of black hats (criminals/crackers) and that the white hats tend to have more experience, creativity, and skill that then black hats.
Finally, when your stuff DOES get cracked open, the open source nature means it is far easier to figure out how it happened, to fix it, and to publicize the fix preventing additional break ins.
Q.E.D. Open Source is more secure than Close source.
Attempts at planting backdoor in Linux failed (Score:5, Informative)
The attempts failed because of the meticulous grooming given by the "many eyes" watching each open source release.
Any one can write a new kernel patch. But getting these patches accepted is a whole different story.
Conversely, years after the commercial, closed-source program Borland Interbase was released and used worldwide, it was found that it contained a back-door [cert.org].
So recent history proves the article is wrong. Facts demonstrate exactly the opposite of what the article rants about.
Conclusion: the article is an unsubstantiated troll written by a Microsoftie eager to fart FUD at the Penguin. Ignore.
Letter to the DevX editor (Score:4, Informative)
Dear Sir or Madam,
I am concerned that Mr. Jones's column of February 11th, "Open Source is Fertile Grounds for Foul Play," indicates a significant misunderstanding of open-source development processes. The argument presented is that all software development carries the risk that malicious code will be inserted by insiders, and that open-source is especially vulnerable because more people are insiders. The first part is absolutely true, and applies to both closed- and open-source development as Mr. Jones acknowledges, but the second part does not stand up to scrutiny.
Most open-source projects have only a small group of "core developers" who have the ability to modify the official source code, just as is the case with proprietary software development. Any malicious person could insert destructive code into his or her own copy, but not back into the official version. That leaves the possibility of intentional compromise by the core developers, or by subsequent distributors. The first is a risk, but less so than with proprietary software: The number of people in a position to corrupt the source is similar in both models, but the possibility of outside review reduces the danger for open-source software. Mr. Jones posits that core developers could avoid such scrutiny by not making the corrupted version public, but this is nonsensical: The version of the source code available for use is by definition also available for review.
The other concern raised is that distributors who re-package open source software could add vulnerabilities. Again, this is possible, but no more so than with proprietary software. It's easy for an attacker to add malicious code to compiled binaries; indeed much pirated software is reported to contain viruses or Trojan Horses. For both open-source and proprietary software, the solution is the same: Be careful who you get your software from. Downloading open-source software directly from the public sources or buying a packaged version from a trustworthy distributors is no riskier than buying e.g. Windows directly from Microsoft or a system integrator like IBM. If a consumer buys either open- or closed-source software from Bob's Back-Alley Software and Pawn Shop, well, it's a bad idea either way.
Open-source is not the security panacea that some advocates make it out to be, but it doesn't incur the added risks which Mr. Jones attributes to it, either. A government or other user which applies common sense to its software acquisition is no more at risk from open-source software than closed-source, and may even be a bit safer.
Respectfully,
Eric Anderson
--
Eric Anderson - anderson@cs.uoregon.edu
University of Oregon Network Security Research Lab
PGP fingerprints:
D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12
9544 C724 CAF3 DC63 8CAB 5F30 68AE 5C63 B282 2D79
Why So Scared of open source?? (Score:2, Informative)
The Department of Defense Disagrees (Score:3, Informative)
Re:Sounds like someone trying to by controversial. (Score:2, Informative)
Indeed, even if they built their executable on the very computer the official binary was produced on, by executing the exact same commands as those used to produce the official binary, straight after the official binary was made, their binary's MD5 might well not match the official one, since many systems include the build time in their object files...
THE key flaw in this argument (Score:5, Informative)
Of course you can get the source code and modify it. However, 99.9% of the time you cannot commit it back to the tree without first getting to know the guys running the project. And what usually comes first is submitting patches to the project via a project member (uaully a high-level member since some level of oversight and accountability is needed).
Once that 'trial period' has passed, then a coder can usually check into the repository head. However, I don't see any major difference in that respect to someone working at [insert super software company here] and someone coming in and being a good person for a bit and then adding back doors to code.
The author assumes that as soon as you get the repository login set up on yr machine, then you're just able to start fucking things up. This is highly unlikely and since that, in my view, is the most fundamental piece of team programming, I find his argument to be dead right there.
As for distributing the results, that is also flawed but not by logic, but by market forces. Even if someone got a hold of the entire RedHat repository or Evolution for that matter, I don't think people would be using that product for a few reasons.
1. Lacks credibility. Forks have enough time gaining intrest from the project they forked off. So why would someone want to fork something just to insert back doors and take over the world. Seems like an awful waste of time and effort. And just because you fork it, doesn't mean they'll come.
2. Even if a 'malware' fork happened, it wouldn't stay afloat long. It would probably take less than a day for someone to figure out something was going down and to spread the word. Again, the OS community is the key here. You wouldn't see this happen behind closed doors.
This guy lives in the fairytale land of spooks and secrets and bad guys around every corner. While I'm sure there's plenty of falling outs of people in various projects and groups, it's highly unlikely that any of these scenerios the author plays out will ever come true. In any ecosystem, only the strong will survive. And I just can't seem some 'malware' being released and taking over everything. In fact, all the worst case infections and money losers to date have all happened in the ActiveX/DevX/.NET/M$ propreitary, closed door, secret world. Of course this guy has this opinion. He exists in a world where everone is paranoid and everything not yours is evil or doomed to failure or ripe for punishing.
Free your mind..
Re:Sounds like someone trying to by controversial. (Score:3, Informative)
First of all, it was Henry Luce. He and Charlie Soong were making an absolute fortune from printing and selling bibles in China. Charlie Soong was well connected with the Kuo Min Tang and eventually one of his daughters married Chiang Kai Shek, and another married Sun Yat Sen.
The Kuo Min Dang however was not really considered a 'brutal regime' until the communist movement arrived in the cities (ShangHai in particular) after which it cracked down brutally on Communist and the infant Trade Union Movement.
Before that however, the Kuo Min Dang was the political successor to a criminal organisation known as the Green Gang, who eventually came to distribute nearly half of the opium in China. Chang Kai Shek rose to a position of power in the Green Gang before joining the military. Once the Kuo Min Dang was in power, they assisted the Green Gang in distributing opium and eliminating competitors.
Later, when the Nationalist army was fighting the Communists, Henry Luce and Charlie Soong lobbied in Washington to support 'christian' Chang Kai Shek. Many millions of dollars were funneled from Washington, but very little of it reached the troops fighting on the ground. Most of the money appears to have ended in Charlie Soong's sons and Chang Kai Shek's bank accounts.
Chang Kai Shek and Charlie Soong were probably the richest and most successful 'rice christians' in history.
The rebuttal (Score:3, Informative)
rebuttal [devx.com]
Looking at the list of topics in their menu, and the predominance of MS products, it's obviously a biased site.
Who is guarding the guardians (Score:2, Informative)
You know, we had that, the NSA getting companies to put backdoors into products. Here in Switzerland:
http://jya.com/nsa-sun.htm [jya.com]
--
Re:Sounds like someone trying to by controversial. (Score:3, Informative)
what if there was someone to hold accountable? someone who knew about the software because they installed it themselves? Names and phone numbers covered.
Do you seriously think, that if you ever sued a Microsoft due to a software bug leading to a massive security breach, you'd ever see a red cent? No, there is terms in their EULA's that absovle them of any resonsibility. How is this different from the terms stated in GPL/BSD licenses? What accountability are you refering to?