Security

Defending Open Source Security

dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /., Jones' comments are too controversial to ignore."


  • by FauxReal ( 653820 ) on Saturday February 14, 2004 @07:23AM (#8278767)
    Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5

    The rebuttal "Who's Guarding the Guards? We Are" [devx.com] , also hosted at devx. Average Rating: 4.9/5

  • by Anonymous Coward on Saturday February 14, 2004 @07:40AM (#8278812)
    And the funny thing is that the first (anti-open source) article was written by the Executive Editor of DevX, and this rebuttal was written by "a Senior Engineer at DevX".
  • by thelen ( 208445 ) on Saturday February 14, 2004 @08:04AM (#8278872) Homepage

    can you trust a precompiled Apache HTTPD from ACME GPU/Linxu

    Nope, but you also cannot trust Thugs R' Us Locksmiths.

    OSS commoditizes software: it devalues code in exchange for freedom of collaboration, the ability to build on others' successes, probably a greater amount of software overall, and I would argue, a faster development cycle. The author of the original article apparently thinks that this is a detriment because it makes it easy to start a malicious company like ACME GPU/Linxu to sell a forked open source product with intentional security holes.

    But we're used to this problem in other industries where products become commonly available and people can form their own businesses utilizing those commodities. And while there *are* scams, most of us accept that we need to exercise judgment in whom we trust. Anyone can go out and buy locksmithing equipment, but if you skip over a known, reputable and trusted vendor in favor of the cheaper 'Thugs' alternative, you get what you deserve: a lock with more keys than you know about.

  • by mrmdls ( 684047 ) on Saturday February 14, 2004 @08:42AM (#8278955)
    For those who want a great look at security, both in a closed source and open source OS, take a look at the March issue of Linux Magazine - Stephen J Vaughan-Nichols' article on Security is a Process, not a Product. Mr. Vaughan-Nichols writes, quite correctly, that security is every user's job, and that as Linux gains in popularity so does the threat of security concerns.
  • by SharpFang ( 651121 ) on Saturday February 14, 2004 @09:10AM (#8279017) Homepage Journal
    Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust.

    GPL forces distributors to provide source code to their customers. Then the government is free to (and should) post the source to a public audience. They can (and should, even for performance's sake) recompile the binaries from the code provided. So...?

    I think this guy didn't read GPL.

  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Saturday February 14, 2004 @09:17AM (#8279050) Homepage
    This _already happens_ in the world of closed source software. This is basically what mal/spyware is. It's totally true that open source doesn't prevent this, but neither does anything else. It's a straw man argument.

    On a side note, it's happened with OSS, too - some enterprising asshole packaged the open source CDex ripper into an installer loaded with spyware.

  • by kfg ( 145172 ) on Saturday February 14, 2004 @10:07AM (#8279191)
    If I may be so bold as to quote from the Armadillo Book as to how to go about using Open Source code with minimal risk:

    Always build the program from source code. Don't even consider running pre-compiled binaries.

    This is just one item on a long list of how to build secure code.

    Other items include:

    Look over the source code to as great an extent as you can. . .

    Examine the archive before unpacking it. . .

    Examine the objects created by the build process with the strings command. . .

    There's no need for grandma to go through all of this, but in any situation where security is an issue you'd have to be pretty daft to simply trust a compiled binary. Especially if you're a government agency handling sensitive data. . .and especially if that compiled binary came from outside your national borders and stores its files in binary form.

    If you're a French diplomat using MS Word to write sensitive missives back home you're just begging for the CIA to pore over the hidden information in the binary of your document.

    KFG
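
The checklist kfg quotes (examine the archive before unpacking it, build from source, run strings over the objects the build produces) as an added example in Python. This is not code from the thread or from the Armadillo Book; the tarball and the object bytes it inspects are constructed inline, and the "suspicious" string patterns are hypothetical examples of what a reviewer might flag, not a canonical list.

```python
"""Added example (not from the thread or the Armadillo Book): audit a source
archive before unpacking, verify its digest, and scan a built object for
strings that should make a reviewer look harder."""
import hashlib
import hmac
import io
import re
import tarfile
from pathlib import PurePosixPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare against a digest obtained out of band (release announcement,
    signed checksum file). A constant-time compare costs nothing here."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def audit_archive(data: bytes) -> list[tuple[str, str]]:
    """List the tarball WITHOUT extracting it and report members that a
    trustworthy source release has no business containing."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = PurePosixPath(m.name).parts
            if m.name.startswith("/"):
                findings.append((m.name, "absolute path"))
            elif ".." in parts:
                findings.append((m.name, "path traversal"))
            elif m.issym() or m.islnk():
                findings.append((m.name, f"link member -> {m.linkname}"))
            elif m.isdev():
                findings.append((m.name, "device node"))
            elif m.mode & 0o6000:
                findings.append((m.name, "setuid/setgid bit"))
    return findings


# Hypothetical patterns for the demo; a real checklist is tuned per project.
SUSPICIOUS = [
    re.compile(rb"https?://"),                   # phone-home URLs
    re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b"),  # hard-coded IPv4 addresses
    re.compile(rb"/bin/(?:ba)?sh"),              # shell spawning
    re.compile(rb"LD_PRELOAD"),                  # loader tricks
]


def printable_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Equivalent of strings(1): runs of printable ASCII of min_len or more."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def suspicious_strings(blob: bytes) -> list[str]:
    return [s.decode("ascii") for s in printable_strings(blob)
            if any(p.search(s) for p in SUSPICIOUS)]


def build_sample_tarball() -> bytes:
    """Constructed archive: a benign README, a symlink pointing outside the
    tree, and a member that would escape the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        readme = b"hello\n"
        info = tarfile.TarInfo("pkg-1.0/README")
        info.size = len(readme)
        tar.addfile(info, io.BytesIO(readme))

        link = tarfile.TarInfo("pkg-1.0/config")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)

        cron = b"* * * * * root /tmp/x\n"
        info = tarfile.TarInfo("../../etc/cron.d/pkg")
        info.size = len(cron)
        tar.addfile(info, io.BytesIO(cron))
    return buf.getvalue()


# Constructed stand-in for a built object: an ELF magic followed by a few
# strings, two of which a reviewer would want explained.
SAMPLE_OBJECT = (
    b"\x7fELF" + b"\x00" * 12
    + b"printf\x00__libc_start_main\x00"
    + b"http://203.0.113.5/stage2\x00"
    + b"/bin/sh -c\x00"
    + b"GCC: (GNU) 3.3.3\x00"
)

if __name__ == "__main__":
    tarball = build_sample_tarball()
    print("digest ok:", verify_digest(tarball, sha256_hex(tarball)))
    for name, reason in audit_archive(tarball):
        print(f"archive: {name}: {reason}")
    for s in suspicious_strings(SAMPLE_OBJECT):
        print(f"object: {s}")
```

The archive audit deliberately reads member metadata only; nothing is written to disk until the list has been reviewed. The strings scan is a triage aid, not a verdict: a URL in a binary can be a legitimate update endpoint, but it is exactly the kind of thing the source review should be able to account for.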

  • by Anonymous Coward on Saturday February 14, 2004 @10:23AM (#8279260)
    You've apparently never been a virus author or cracker or dealt with cleaning up a business site after them, have you? They break in because they *can*, partly as a proof of their "genius" or because they want to steal resources (such as big bandwidth and FTP space) for their own use.

    These jerks can, and do, break into developer's home machines and business machines and steal or modify code to plant bugs. The wonderful thing about open source is the open code review *finds* these damn things, and the huge variety of source repositories and approaches to checking them makes it almost impossible to slip in a back door un-detected. And the openness of the user community gets the warning out to the rest of us extremely quickly, rather than the typical corporate software problem where it gets described to the vendor and ignored for many months or even years until it starts being actively used for a wide-scale virus.

    Unfortunately, the closed source also frightens people away from using patches to closed source software, because you can't verify what else was patched and it *does* often break core programs. So avoiding patches becomes corporate policy to protect the stability of your servers, as opposed to correcting issues when they are discovered.

    And security issues *will* be discovered. No system as complex as a large-scale web server or mail-server can be created entirely without bugs.
  • by Anonymous Coward on Saturday February 14, 2004 @10:37AM (#8279331)
    On Windows, the binary header contains a timestamp for when the file was compiled. So I could run the exact same build process twice, generating two "identical" binaries, but their checksums would still be different.

    Whether that applies to any other platform on Earth, I don't know. My point is that you are making an assumption which is not necessarily true for all cases.
  • by Anonymous Coward on Saturday February 14, 2004 @10:41AM (#8279349)
    Does the FreeBSD community recommend your site to others as a source of FreeBSD binaries? Are you generally known within the community? I'm willing to assume that you are not unknown to those who use your services, and have thus garnered a reasonable sense of trust over time.

    This is the case; cperciva is a prominent and well-respected member of the FreeBSD community.

    Indeed, those in the Linux community have also probably heard of him; they may not recognise the name, but once he's identified as the author of the famous Depenguinator I suspect a few bells might start ringing...
  • by kirkjobsluder ( 520465 ) <kirk AT jobsluder DOT net> on Saturday February 14, 2004 @11:44AM (#8279670) Homepage
    Nope, but you also cannot trust Thugs R' Us Locksmiths.

    Actually, most locksmiths are bonded and advertise their bonded status. This provides stronger incentives for honesty than for breaking into your house.
  • by Anonymous Coward on Saturday February 14, 2004 @03:11PM (#8280910)
    There was a good paper by Ross Anderson [cam.ac.uk], a well known British security expert, that compared the security of open source vs closed source systems [cam.ac.uk] (sorry, paper is PDF). He set up a mathematical model for how quickly bugs would be found and fixed by the maintainers and testers, versus being found and exploited by attackers. His conclusion was that the two models would both be about equally successful.

    A recent posting on the Unlimited Freedom [invisiblog.com] blog took another look at Anderson's analysis and came up with some different results that were not as favorable. But either of these articles seems more convincing than this challenge by Russell Jones.
