Is Open Source Fertile Ground for Foul Play?
jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
Re:What a sellout (Score:1, Interesting)
I would feel much better knowing that they were using z/OS or some type of source from IBM. Or, if they are going to use open source, hire the manpower to double-check all the security-related code...
You can rate his article (Score:3, Interesting)
Open Source and Proprietary have the same cost (Score:2, Interesting)
But you also pay $0 to Microsoft to insure you against bad things happening to your computer/network.
The only thing you pay for with MS is basically that it will install an OS on your system. Read the EULA, they don't guarantee much else, and they certainly take no responsibility for things going wrong.
Re:What a sellout (Score:4, Interesting)
Tom
Getting what you pay for (Score:3, Interesting)
A number of governmental institutions have chosen Linux not because it is free, but because of another distinct advantage: because it is open source, they know what they pay for.
Best Troll Ever. (Score:5, Interesting)
> Malevolent code can enter open source software at several levels.
> 1. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
Not likely indeed. Moving on.
> 2. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
Organizations using Open Source distributions generally purchase a vendor-supplied copy as well as a support contract.
As an aside, do you suppose non-US countries that use Microsoft products are concerned that Microsoft may not have their country's best interests at heart?
> 3. Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
This isn't limited to Open Source itself. The same possibilities (and probabilities) exist for any company that uses customized software AT ALL -- at some point, you have to trust those doing the customizing, or get a third party to audit. I mean, after all, I can wreak havoc throughout an organization just by clever use of login scripts on Windows XP machines, and if everyone in the IT department is in on it, nobody else would be the wiser.
Now that I think of it, even if you're not customizing the software, you're trusting the people who make it. Does Microsoft have your best interests at heart? Does SCO? Does RedHat? Does anyone? That's why it's nice to be ABLE to scour the code -- the smartest, safest groups will obtain source code from those who write it, and have it audited by another group, and then again perhaps by another. Unless they're all in league with one another. [Insert tinfoil hat here]
So. Who's paying this guy?
Re:Sounds like someone trying to by controversial. (Score:3, Interesting)
Sort of (Score:5, Interesting)
His criticism reminds me of a speaker at a recent IEEE meeting at my school. She talked about the work environment, and some nuances of how to act or not to act.
One interesting thing about her contracting company she runs, is that if you charge more, you get more business. The thought here is that companies think that since this certain company costs more, it must be better. Obviously though, she did not get smarter by charging more, only richer.
That is the thinking that this fellow is using: charging more must mean it's a better product. Sadly, he is in a large part of the population that does not understand the Open Source community, or business models. His view is outdated, and frankly, wrong.
Besides, what other companies besides M$ find a huge hole in all of their flagship products, but fail to patch it for close to a year?
You get what you pay for... (Score:3, Interesting)
Open Source projects, on the other hand, are usually formed with the express goal of giving something away. They have every incentive to make their products valuable and no incentive to produce shoddy loss-leaders.
"You get what you pay for," even with respect to for-sale products, doesn't mean "you get value commensurate with your expenditure". Commercial enterprises are strongly incentivized to give the least possible value for the highest possible price. Extra quality and value, above and beyond the expectations of the customer, is an unnecessary expense to a business. Competition alleviates this somewhat, but companies are still only playing to the level of the competition. Doing the very best possible will seldom if ever be their goal, in contradistinction to Open Source projects, where it is frequently the main goal.
Re:Not as much of a differences. (Score:3, Interesting)
Re:What a sellout (Score:2, Interesting)
Would you rather have every GWB-hating geek scrutinize the voting machine code with his self-assembled electron microscope, or some "security" company, Diebold, do it with closed source software which they CLAIM is "safe"?
Gujju
Review process (Score:2, Interesting)
Obviously A. Russell Jones is unfamiliar with the review process that happens in most open-source development. It is ridiculous to believe that malicious code would just make its way into an open-source application.
Really what it seems like he is trying to do is demonize open-source developers...suggesting that it is likely that the group governing an open-source project would deliberately infect their own apps.
I can see the Apache Group chuckling at his assertions.
Re:'You get what you pay for' (Score:5, Interesting)
The quote is misapplied in this case. (Score:2, Interesting)
This is indeed true, but it depends upon how you define 'pay'.
In the case of the government using open-source software, 'paying' to me means that the underlying code gets reviewed by government employees or trusted subcontractors prior to being deployed, rather than paying cash for closed-source software. It is inconceivable to me that someone could argue that you have this option with closed-source software, or that you are more protected somehow because people getting a paycheck to write code would never do anything malicious. Even if you get to peek at the underlying closed-source code, how do you know that was the code used to compile the application? With open source you can guarantee it 100% by compiling it yourself. How does it get any better with closed-source? (rhetorical question of course...)
- Leo
this has been said too many times (Score:2, Interesting)
Basically the argument for closed source was that nobody could read through the code and exploit weaknesses or add trojans without anybody knowing, and once Linux becomes more mainstream the same virus woes will be the same for both platforms.
I was going to remind him that Linux users are statistically more security conscious (how many Linux/Unix users spend the bulk of their productivity time running as root?) than Windows users, but I didn't want to bring it up because he was the leader of our church.
And also more work is put into the Linux kernels than into the NT5-5.1 kernels when it comes to the weaknesses that viruses rely on.
I was then going to remind him of OpenBSD [openbsd.org], an open source OS that has had only 1 hole in the default install in the last seven years.
Maybe next time, when I get enough courage, I will enlighten him some more.
Spyware (Score:2, Interesting)
When Windows XP starts phoning home, the MS EULA doesn't allow me to do anything about it. Bill Gates knows that and is looking for ways to get more dollars out of his Windows licenses.
Re:Sounds like someone trying to by controversial. (Score:3, Interesting)
At the whip of the vendor. Which, in Microsoft's case can be never, unless the "hole" gets publicity on the evening news. There are serious--and well-documented and submitted--bugs in Word that have been there since the early '90s, with no obvious intention from MS to ever fix them.
Re:Sounds like someone trying to by controversial. (Score:2, Interesting)
[From FUD-Induced Diatribe of an Article:]
Malevolent code can enter open source software at several levels.
[1] First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.
[2?] Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.
[3] Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. [...]
[...] Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
internal code carries the same risk as open source (Score:3, Interesting)
I have this argument with my clients all the time. Many of them do not trust open source. They say, 'It is unsupported! We can't run production on unsupported software!'
My argument is that it is no different from an internally developed application. None of the code I write is 'supported' any more than the open source code out there. If something breaks they have to pay me to fix it. If something breaks with some open source code, they still have to pay me to fix it.
Also, the advantage of open source is that even if the authors slipped something 'nefarious' into the code, you have a chance to see it. What do you do when someone slips spyware into a proprietary application you use?
Challenge... (Score:2, Interesting)
Re:Beware the Luddites! (Score:2, Interesting)
MS software IMO has really improved security-wise, down to sensible, secure-by-default installs (look at the default installs for Windows 2003 or Services for Unix 3.5). Today I rate typical MS *users* as more of a security threat (the kind who spread MyDoom) than MS software itself.
Would closed source be better? (Score:1, Interesting)
"... an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so."
Ok, what if we rule out open source as insecure, as the author does, and rewrite the above:
Modified quote:
"... an individual or group of IT insiders could target a single organization by licensing a closed-source kernel, and then customizing it for an organization, including malevolent code as they do so."
Ahh, much better! The author sure is right that closed source gives much better security.
Re:Fear Outlook Express for Linux... (Score:1, Interesting)
Typical, Slashdotters close ranks... (Score:3, Interesting)
Instead of actually discussing the story, any presumed insult of open source is immediately flamed into oblivion. Look - I love open-source as much as the next geek, but how about we talk about this type of article like adults, and provide examples of our own?
Sure, the guy could've taken a less inflammatory tone, and could've provided a few specific examples, if there are any, but riddle me this, all you smarties: he does have the grain of an issue here.
Lets assume that open software becomes ever more mainstream, to the point where grandma can't tell or doesn't care the difference in method by which her email client was developed. What's protecting her against malicious or incompetent open-source developers? Or are we saying that all programmers are by nature 'good' people and also brilliant at their craft?
Sure, geeks can compile source, compare binaries, review code line-by-line, but it may shock you to know that normal people don't know or care how to do this.
Your next argument is that the 'good' geeks will discover and root out the 'bad' geeks. But in a world where OSS is mainstream, this will only happen after thousands, hundreds of thousands, or even millions of mainstream users are already compromised.
I'm not saying that commercially developed software has proven itself better, in fact usually its much worse, so far anyway, but OSS does have some of the same problems in a world where not every user is also a programmer.
OK, discuss...
those md5 files are bullshit (Score:2, Interesting)
Exactly. Nothing.
That's why people with more than one brain cell upload
Of course there are also caveats (some dark three-letter agency could have cracked the key with their Roswell quantum computers, or someone could have stolen the secret key), but those are far less likely than some asshat uploading an md5 sum. Everyone can create matching md5 files for any content, but only I can create signature files matching my secret key.
So please someone hit those GNOME idiots with a clue stick, those md5 files must go. Now.
Oh, and while you are at it, please also tell the gnome people to use a directory structure where mirror programs (and people!) can see whether there were new uploads without having to recurse through the monstrous moloch directory tree from hell. Thanks.
Sheesh. Now that wasn't so hard, was it?
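The point the post above makes, shown in code: whoever can replace a tarball on a mirror can also replace the .md5 file beside it, so the checksum only proves the two files match each other, while a detached signature can only be produced by the holder of the maintainer's private key. This is an added example, not code from the post or from the GNOME project. Real releases are signed with GPG; to keep the example dependency-free it uses a Lamport one-time signature built from SHA-256 as a stand-in, which has the one property that matters here (anyone can hash, only the key holder can sign). The file names and byte strings are constructed.

```python
# Added example: md5 checksum file versus a real signature on a release tarball.
# Lamport one-time signature (SHA-256 based) stands in for GPG so this runs with
# the standard library only; the release bytes below are constructed, not real.
import hashlib
import secrets


def md5_file(data: bytes) -> str:
    """What a published .md5 file contains: a hash anyone can recompute."""
    return hashlib.md5(data).hexdigest()


def lamport_keygen():
    """256 pairs of random 32-byte secrets; the public key is their SHA-256 digests."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk, data: bytes):
    """Reveal, for each bit of SHA-256(data), the matching half of the secret pair.
    A Lamport key must be used for exactly one message; GPG keys have no such limit."""
    digest = hashlib.sha256(data).digest()
    return [sk[i][_bit(digest, i)] for i in range(256)]


def lamport_verify(pk, data: bytes, sig) -> bool:
    """Hash each revealed secret and compare it with the published public key."""
    if len(sig) != 256:
        return False
    digest = hashlib.sha256(data).digest()
    return all(hashlib.sha256(sig[i]).digest() == pk[i][_bit(digest, i)] for i in range(256))


def scenario() -> dict:
    """Maintainer publishes tarball + .md5 + signature; an attacker with write
    access to the mirror swaps the tarball, regenerates the .md5, and signs the
    trojaned tarball with a key of their own."""
    genuine = b"release-2.6.tar.gz: genuine bytes (constructed)"
    maintainer_sk, maintainer_pk = lamport_keygen()
    published_sig = lamport_sign(maintainer_sk, genuine)

    trojaned = b"release-2.6.tar.gz: trojaned bytes (constructed)"
    attacker_md5 = md5_file(trojaned)          # attacker overwrites the .md5 too
    attacker_sk, _ = lamport_keygen()
    attacker_sig = lamport_sign(attacker_sk, trojaned)

    return {
        # the .md5 next to the trojaned tarball checks out: it proves nothing
        "md5_check_on_trojan": md5_file(trojaned) == attacker_md5,
        # the maintainer's signature verifies the genuine release
        "sig_check_on_genuine": lamport_verify(maintainer_pk, genuine, published_sig),
        # neither the attacker's signature nor the old signature covers the trojan
        "sig_check_on_trojan": lamport_verify(maintainer_pk, trojaned, attacker_sig),
        "sig_check_on_trojan_old_sig": lamport_verify(maintainer_pk, trojaned, published_sig),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

The only case in which a checksum file adds anything is when it is fetched over a channel the attacker does not control (a signed release announcement, a distribution's own signed package metadata), and then it is the signature on that channel doing the work. Verifying a signature also means pinning the maintainer's public key out of band; a key downloaded from the same compromised mirror is no better than the .md5.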
Re:Take action (Score:3, Interesting)
forum [devx.com]. No replies yet as of this posting. Somebody should write a well thought retort.
"Think Russell is dead wrong? How does the open source community prevent against the issues raised in this opinion? Tell us in the Talk to the Editors discussion forum."
Re:What a sellout (Score:3, Interesting)
Heh. Even as I wrote that, it looked like the closed-source version of this trick became a lot easier with the leak of NT source. What a coincidence.
Re:Sounds like someone trying to by controversial. (Score:2, Interesting)
Re:Sounds like someone trying to by controversial. (Score:1, Interesting)
Was this guy hired by Micro$oft? Seriously.
His arguments were so unconvincing and so universally applicable to both open and closed source software that the whole article seemed like a joke.
I have yet to see even a *small* example of what he's talking about, but on the other hand there are numerous examples of proprietary software having back-doors, exploits and vulnerabilities that were not fixed for YEARS after the release of a product.
Examples:
1. Pix firewalls. These things have had numerous problems from day one and many were not fixed for many months.
2. I think it was 3com that had a default password on their switches/routers that anyone could use to access them. This was put in place by the company to allow technicians to service any unit.
3. The meta-data hidden in M$ Office documents. It has now even been documented by the government (and eventually Micro$oft) how to reduce the amount of meta-data in those documents. Hmm, I don't think this would have been an issue with open-source software.
There are many, many more examples, but these are the only ones I can think of off the top of my head.
He also said Linux was riddled with about the same amount of security problems as Windows. In what world? If you look at sheer numbers of vulnerabilities, yes, a copy of Windows 2000 (56) has fewer than a copy of Red Hat Advanced Server 2.1 (109). But look at the actual exploits: most of the Windows problems will allow REMOTE administrative access or complete DOS. The Red Hat/Linux vulnerabilities are largely local application DOS issues and local privilege escalation in an application that usually isn't even running. Not to mention it may not even be installed (oh no! they've compromised mutt!). Conversely, how many Windows machines have been affected by worms compared to Linux machines?
Additionally, there are many programs on Linux that have their vulnerabilities found and fixed because the source is freely available. How many holes still exist in Windows and are waiting to be discovered?
All of the real-world proof completely refutes all of his pretenses.
Bah.
Security Audits??? (Score:2, Interesting)
Just my $0.02
Re:Sounds like someone trying to by controversial. (Score:4, Interesting)
Re:Not as much of a differences. (Score:4, Interesting)
I think the govt would take the time to check (Score:4, Interesting)
I think the government might just have the time to make this sort of check, and as others have said, it only takes one person to notice. Your second point is valid, as is born out by the Debian/micq dispute [markpasc.org] (also mentioned previously in these comments), but that ironically isn't a point that Jones attempted to make in the article - he seems to be concerned with unpublished back-doors that don't appear in the source.
And they see nothing wrong with this! (Score:4, Interesting)
No problem there. But the kicker was that he would build back doors into the programs that only he knew about, so if they changed the front door passwords or otherwise screwed it up, he could still get in.
The big problem was that he wouldn't tell his customers about these back doors. This is financial and tax data we're talking about. He saw no ethical problem with this. None at all. Fortunately he's not a malicious guy,
This isn't a surprise to anybody, right? I was just shocked at the total and complete lack of guilt over doing this. And he's otherwise a normal guy. That's scary.
note sent (Score:2, Interesting)
So, a major Closed Source OS vendor including specific checks for software that competes with that vendor's other software offerings, and refusing to work or crashing when the competing software is launched, is not a possibility? No, it's a fact, and Microsoft did it. Articles like these simply allow Open Source Software users and authors to ignore their writers indefinitely, actually, since it is obvious that authors such as yourself do not understand the core principles of Open Source.
I have a large number of analogies that might make sense to you, here is one.
Closed Source:
I like to work on cars. I have an idea for a car that I would like to build. I build my car. I show it. Painfully over a period of years, from looking at other custom cars, I come up with one that I really like and then maintain it because I enjoy it.
The Closed Source Analogue:
I like to code. I have an idea for some code that I would like to write. I write the code and distribute as closed source shareware. Painfully, over a period of years, from user observations and using other code, I come up with something that really serves my needs, that I maintain because I enjoy it.
Open Source:
I like to work on cars. I have an idea for a car that I would like to build. I build a prototype of my car. I show it to the world and explain my idea. Other people who like to build cars may or may not help by randomly showing up in my garage and wrenching, bringing cool tools, paint, parts, etc. Other people will suggest improvements or point out flaws. In a matter of months, the initial build is done and I get to use the car I like, and copies of my car are available to anyone who wants to test drive it or use it every day. Further improvements arrive and I oversee their addition to the car. It weighs less, goes faster, is more comfortable, and does things I couldn't have dreamed of because it leverages the skill, talent, and needs of everyone who liked the idea. I maintain it, or allow others to maintain it, because it is a tour de force in the automotive realm and suits my needs better than any other car in existence.
Open Source Analogue:
See above, inserting code for car.
Now, I ask you, would we let anyone run a grinder over my beautiful car? Would we be any less observant of the additions being made than the single shareware author? Would anyone else working on the car allow a malcontent to destroy the engine?
Once it is out of my hands and in the community, the probability of the changes you describe occurring is lost in the noise compared to the probability that a major vendor will try to handicap its competitors. As has been SEEN in the past and will be SEEN in the future. You really shouldn't comment on things you don't truly understand. To believe that people whose hearts and souls are entwined in something have less motive to maintain the purity of their code compared to people who are punching a timeclock and subject to the whims of managers, deadlines, competition, and cost containment is a manifest misunderstanding of the nature of man.
Stop playing chicken little and take off the tinfoil hat.
andy
Re:Sounds like someone trying to by controversial. (Score:1, Interesting)
The DOD figured out a few decades ago how to deal with that, so don't worry too much about them and computers from China and India... worry about the home machines of their employees, and about yourself, though.
By the way, even though it is somewhat outdated, the DOD Orange Book on secure systems is a good read, and is required reading for anyone who has to deal with security.
Re:Sounds like someone trying to by controversial. (Score:4, Interesting)
The guy that wrote the original article is definitely trolling. Unless he really is a fool. I think anyone with even a little insight into how OSS works understands why it's inherently MORE secure than closed source. This "closed source is more secure" meme gets floated and shot down several times a year.
Well, I do gov't IT and we pay for vendor screwups (Score:3, Interesting)
The federal department I work for is rapidly moving towards open source because we cannot afford to be constantly screwed by the traditional commercial vendors. We simply couldn't afford to keep paying for screw ups by HP, Cisco, Unisys, MCI, Teleglobe, and Dell. Nor could we afford the upgrade cycle recommended by commercial software vendors like Microsoft.
So we are increasing our in-house staff by 3 full-time people (no expensive contractors) and adopting open source to reduce cost and take control over our infrastructure, and in the process improving reliability drastically, saving the taxpayers big dollars on reduced overtime for operational costs, drastically reducing software maintenance costs, and making nearly everyone but Microsoft and friends happy.
Why is it just a problem for Open Source? (Score:1, Interesting)
The article would have served a better purpose by discussing the vulnerability of ALL code bases. I don't see how he can justify saying it's a problem specific to open source.
Re:And they see nothing wrong with this! (Score:3, Interesting)
// Logic bomb: one hard-coded "magic phrase" wipes three tables outright.
// No WHERE clause, no authorization check, no audit trail.
if ($long_variable_name == "long string") {
    mysql_query("DELETE FROM important_table1");
    mysql_query("DELETE FROM important_table2");
    mysql_query("DELETE FROM important_table3");
}
I can only assume it was put there by the original author to use in case he wasn't paid or saw the script copied or something like that. Regardless, I consider it a gross negligence to allow anyone with the right magic phrase to delete an entire site (I removed it, of course).
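A check a reviewer could run over inherited PHP before deploying it, as an added example that is not part of the comment above: flag SQL string literals that delete or drop whole tables without a WHERE clause, and note whether each one sits under an `if` that compares something to a hard-coded string literal, which is the trigger shape the comment describes. The PHP sample inside is constructed to resemble the posted snippet and is not the commenter's actual script; the regexes are deliberately simple and will miss SQL assembled across several lines.

```python
# Added example: a pre-deployment scan for "magic phrase" logic bombs in PHP.
# Heuristic only: it looks at single-line string literals and a few lines of
# context; it is not a PHP parser. The sample below is constructed.
import re

SAMPLE_PHP = '''<?php
if ($long_variable_name == "long string") {
    mysql_query("DELETE FROM important_table1");
    mysql_query("DELETE FROM important_table2");
}
mysql_query("DELETE FROM sessions WHERE expires < NOW()");
$name = "long string";   // harmless: a literal that is not SQL
'''

STRING_LITERAL = re.compile(r'''(["'])(.*?)\1''')
DELETE_FROM = re.compile(r"DELETE\s+FROM\b", re.I)
WHERE_CLAUSE = re.compile(r"\bWHERE\b", re.I)
DROP_OR_TRUNCATE = re.compile(r"(DROP\s+TABLE|TRUNCATE(\s+TABLE)?)\s+", re.I)
# if (... == "literal") / === / != / !== : a comparison against a hard-coded string
LITERAL_GUARD = re.compile(r'''\bif\s*\(.*[=!]==?\s*(["']).*\1''')


def find_logic_bombs(src: str, lookback: int = 5) -> list:
    """Return one finding per destructive SQL literal. Each finding records the
    line, what was matched, and whether a hard-coded string comparison guards
    it within `lookback` preceding lines (the logic-bomb trigger pattern)."""
    lines = src.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        for m in STRING_LITERAL.finditer(line):
            sql = m.group(2).strip()
            if DELETE_FROM.match(sql) and not WHERE_CLAUSE.search(sql):
                kind = "DELETE without WHERE"
            elif DROP_OR_TRUNCATE.match(sql):
                kind = "DROP/TRUNCATE"
            else:
                continue
            window = lines[max(0, idx - lookback): idx + 1]
            guarded = any(LITERAL_GUARD.search(ctx) for ctx in window)
            findings.append({
                "line": idx + 1,
                "kind": kind,
                "sql": sql,
                "guarded_by_literal_compare": guarded,
            })
    return findings


if __name__ == "__main__":
    for hit in find_logic_bombs(SAMPLE_PHP):
        trigger = " (magic-phrase trigger)" if hit["guarded_by_literal_compare"] else ""
        print(f"line {hit['line']}: {hit['kind']}{trigger}: {hit['sql']}")
```

A finding that is both unguarded-by-WHERE and guarded-by-literal is the one to escalate; an unconditional `DELETE FROM` without WHERE in a maintenance script may be intended, but one that only fires when a request parameter equals a fixed string almost never is. Running this over a vendor-supplied tree before it goes live is cheap compared with restoring three tables from backup.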
Re:Sounds like someone trying to by controversial. (Score:1, Interesting)
Say today I am a rogue developer. I implant some bad code into my part of the tree.
I leave it dormant... for 3 years. An accomplice then uses it to hack 5 servers (which have the 3-year-old exploit compiled in).
>> They _know_ when the compromises took place
That's right. They think the compromise happened just recently. They'll never think to check far into the past for WHEN the original bad code was implanted, and no one will go back 3 years to check md5sums. They won't even know to check that time frame.
They'll just compare the md5s before and after the 5 servers were RECENTLY infiltrated... and they'll match, unless they go back 3 years.
This of course would include closed source just as well as open source. I see no reason why OSS would be any more susceptible to this kind of thing. Closed source would be just as susceptible, IMHO.
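The blind spot the comment describes, worked through as an added example that is not part of the comment: an integrity check that diffs the two most recent manifests says "nothing changed" when the implant is three years old, while a diff against the upstream release the tree was started from both catches it and dates it. The manifests and file contents below are constructed; in practice they would come from stored tripwire/AIDE output or a distribution's signed package database rather than from dictionaries in the script.

```python
# Added example: "recent diff" versus "baseline diff" over a series of
# file-hash manifests. All paths, dates and contents are constructed.
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


CLEAN_SOCK = sha256_hex(b"net/sock.c: clean (constructed)")
BAD_SOCK = sha256_hex(b"net/sock.c: clean + dormant backdoor (constructed)")
CLEAN_OPEN = sha256_hex(b"fs/open.c: clean (constructed)")

# Manifest of the upstream release the organisation's tree was started from.
UPSTREAM_BASELINE = {"net/sock.c": CLEAN_SOCK, "fs/open.c": CLEAN_OPEN}

# Periodic manifests of the organisation's own tree, oldest first.
SNAPSHOTS = [
    (date(2001, 2, 1), {"net/sock.c": CLEAN_SOCK, "fs/open.c": CLEAN_OPEN}),
    (date(2001, 3, 1), {"net/sock.c": BAD_SOCK, "fs/open.c": CLEAN_OPEN}),   # implant lands
    (date(2004, 1, 1), {"net/sock.c": BAD_SOCK, "fs/open.c": CLEAN_OPEN}),
    (date(2004, 2, 1), {"net/sock.c": BAD_SOCK, "fs/open.c": CLEAN_OPEN}),   # servers hit this month
]


def recent_diff(snapshots) -> list:
    """The check the responders in the comment perform: compare the two most
    recent manifests and report paths whose hash differs between them."""
    (_, before), (_, after) = snapshots[-2:]
    paths = set(before) | set(after)
    return sorted(p for p in paths if before.get(p) != after.get(p))


def baseline_diff(baseline, snapshots):
    """Compare every snapshot against the known-good upstream manifest instead.
    Returns (drifted, unexpected): for each baseline path that no longer
    matches, the first snapshot date at which it stopped matching; and paths
    present in the latest snapshot that the baseline never had."""
    drifted = {}
    for path, good in baseline.items():
        for when, manifest in snapshots:
            if manifest.get(path) != good:
                drifted[path] = when
                break
    _, latest = snapshots[-1]
    unexpected = sorted(set(latest) - set(baseline))
    return drifted, unexpected


if __name__ == "__main__":
    print("recent diff:", recent_diff(SNAPSHOTS))            # [] -- nothing to see
    drifted, unexpected = baseline_diff(UPSTREAM_BASELINE, SNAPSHOTS)
    for path, when in drifted.items():
        print(f"{path} first diverged from upstream on {when}")
    print("not in upstream:", unexpected)
```

The baseline only helps if it is anchored to something the rogue developer could not have written: the vendor's signed release manifest, not the organisation's own first snapshot after the developer had commit access. Local patches will show up as drift too, so the useful output is the list of drifted paths minus the patches the organisation can account for, which is also why those patches should be tracked as reviewable diffs rather than edits to the tree in place.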
Re:Sounds like someone trying to by controversial. (Score:3, Interesting)
How do we know they didn't plant malware in OpenOffice? What geeks will have access to this binary? Geeks won't even know this mini-distro exists. How much do you know about the Linux being used by Burlington Coat Factory, for example?
I'm not saying this argument is airtight, just that you didn't really address it.
99% of the time OSS is better. (Score:1, Interesting)
Re:Sounds like someone trying to by controversial. (Score:4, Interesting)
Open Letter to Ron Jones at devX (Score:3, Interesting)
I'm going to discuss some of the more glaring issues with your article below:
"An old adage that governments would be well-served to heed is: You get what
you pay for. When you rely on free or low-cost products, you often get the
shaft, and that, in my opinion, is exactly what governments are on track to
get."
Much hullabaloo has been caused by the use of the word Free in Free Software.
Please remember it's free as in freedom, not cost. Also remember that major
players such as IBM, HP, and Dell and numerous smaller companies are actively
involved in the creation and maintenance of Linux. It's not just a hobbyist
OS anymore.
"Eventually--and inevitably--an open source product will be found to contain a
security breach--not one discovered by hackers, security personnel, or a CS
student or professor. Instead, the security breach will be placed into the open
source software from inside, by someone working on the project."
There are known cases where this has happened on closed-source projects.
Microsoft Windows, in fact, has many "easter eggs" which are basically hidden
surprises for the user if he/she hits a certain combination of keys. Even
these relatively minor "jokes in the code" and potential "security problems"
wouldn't fly in an open source project since, in order to succeed, *all of the
people involved in the project* would need to be in on the breach.
Case in point: there was some code which was committed to the Linux kernel a
while back which would have introduced a security flaw. Within hours of its
commit to the repository it was caught by the other maintainers, who determined
it was a mistake, not a deliberate breach.
"Because anyone can create and market--or give away--a Linux distribution,
there's also a reasonably high risk that someone will create a distribution
specifically intended to subvert security. And how would anyone know?"
Because they can check the source, and most of us who do use Linux would check
the source. Any "subversive" distribution would quickly be detected by the
community at large.
"I'm not naive enough to think that proprietary commercial operating system
software doesn't have the same sort of vulnerability, but the barriers to
implementing them are much higher, because the source is better protected. I
think such a scenario is far less likely than finding a group of people willing
and able to create and market a malware open source distribution."
Your assertion here is incorrect. Since there are fewer people in a company
to actually vet the software out before it gets released, it's much more likely
that a problem will get out into the wild before anyone catches it.
Case in point: Microsoft Windows' numerous security bugs. A bug in the IP
stack of Microsoft Windows is what allowed the CodeRed worm to work its way
into so many corporate networks all over the world the year before last.
"Who's Watching the Watchers?"
All of us.
In summary, I find your article to be another piece of FUD from someone who is
either unwilling or not capable of fully understanding Free Software or Open
Source Software. I find it sad that it passes for news on an otherwise
respectable site.
Good day,
GJC
=====
Gregory John Casamento -- CEO/President Open Logic Corp.
-- bheron on #gnustep, #linuxstep, & #gormtalk ----------------
Please sign the petition against software patents at:
http://www.petitiononline.com/pasp01/petitio
-- Maintainer of Gorm (featured in April Linux Journal) -------
DevX is a division of Jupitermedia Corporation (Score:3, Interesting)
Now where have we heard of them before?
Oh, yes. They're the ones associated with Darl McBride's infamous code presentation at CDXPO. So I guess if you can't impugn open source development by supporting McBride's inane ramblings, encourage one of your publications to sling a little mud with old, outdated theories that being able to see source code means that the criminal element will be writing exploits for it or infiltrating the kernel development team and inserting backdoors.
Yes, sir! At DevX and Jupitermedia, security through obscurity is alive and well.
I couldn't find a single idea in this ``piece'' (oh, it's a piece alright) that was original or to be taken seriously. I suspect that the author just had a flash (``Ooh! Ooh! "Who will guard the guards?" That's clever now I can write an anti-Linux article!) and saw a chance for his employer to get some web page hits.