Defending Open Source Security
dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /., Jones' comments are too controversial to ignore."
Article rating and devx hosted rebuttal. (Score:5, Informative)
The rebuttal "Who's Guarding the Guards? We Are" [devx.com], also hosted at devx. Average Rating: 4.9/5
Re:Article rating and devx hosted rebuttal. (Score:3, Informative)
Re:Best point is the last (Score:5, Informative)
can you trust a precompiled Apache HTTPD from ACME GPU/Linxu
Nope, but you also cannot trust Thugs R' Us Locksmiths.
OSS commoditizes software: it devalues code in exchange for freedom of collaboration, the ability to build on others' successes, probably a greater amount of software overall, and I would argue, a faster development cycle. The author of the original article apparently thinks that this is a detriment because it makes it easy to start a malicious company like ACME GPU/Linxu to sell a forked open source product with intentional security holes.
But we're used to this problem in other industries where products become commonly available and people can form their own businesses utilizing those commodities. And while there *are* scams, most of us accept that we need to exercise judgment in whom we trust. Anyone can go out and buy locksmithing equipment, but if you skip over a known, reputable and trusted vendor in favor of the cheaper 'Thugs' alternative, you get what you deserve: a lock with more keys than you know about.
Great Security Article (Score:2, Informative)
One thing missed in the rebuttal. (Score:3, Informative)
GPL forces distributors to provide source code to their customer. Then the government is free to (and should) post the source to a public audience. They can (and should, even for performance's sake) recompile the binaries from the code provided. So...?
I think this guy didn't read GPL.
Re:Best point is the last (Score:3, Informative)
On a side note, it's happened with OSS, too - some enterprising asshole packaged the open source CDex ripper into an installer loaded with spyware.
Re:Laughable assertions (Score:4, Informative)
Always build the program from source code. Don't even consider running pre-compiled binaries.
This is just one item on a long list of how to build secure code.
Other items include:
Look over the source code to as great an extent as you can.
Examine the archive before unpacking it.
Examine the objects created by the build process with the strings command.
There's no need for grandma to go through all of this, but in any situation where security is an issue you'd have to be pretty daft to simply trust a compiled binary. Especially if you're a government agency handling sensitive data.
If you're a French diplomat using MS Word to write sensitive missives back home you're just begging for the CIA to pore over the hidden information in the binary of your document.
KFG
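The archive and object checks from KFG's list above, written out as shell functions. This is an added example, not code from the thread; it assumes POSIX sh with tar, awk and sha256sum available, and uses the binutils strings command when present (with a tr fallback when it is not).

```shell
#!/bin/sh
# Added example, not code from the thread: the archive and object checks that
# KFG's list describes, as shell functions. Assumes POSIX sh, tar, sha256sum,
# awk and (optionally) the binutils strings command.

# Read a tar member list on stdin and fail if any member would land outside
# the extraction directory: an absolute path, or a ".." path component.
# Note: this inspects names only; symlink members pointing outside the tree
# are a separate concern and show up in "tar tvf" output.
check_members() {
    awk 'BEGIN { bad = 0 }
         /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1; print "unsafe member: " $0 }
         END { exit bad }'
}

# List an archive without unpacking it and run the member check on it.
inspect_archive() {
    tar tf "$1" | check_members
}

# Compare the archive against the hash the publisher announced
# (pass that published value as the second argument).
verify_checksum() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Print printable strings from a built object that look like network
# destinations or shell invocations, which a clean build should not contain.
# Falls back to tr when strings is not installed.
suspicious_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi | grep -E 'https?://|/bin/sh' || true
}
```

Run inspect_archive and verify_checksum on the downloaded tarball before any tar xf, and suspicious_strings on each .o or binary the build produces.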
Re:Laughable assertions (Score:4, Informative)
These jerks can, and do, break into developers' home machines and business machines and steal or modify code to plant bugs. The wonderful thing about open source is the open code review *finds* these damn things, and the huge variety of source repositories and approaches to checking them makes it almost impossible to slip in a back door undetected. And the openness of the user community gets the warning out to the rest of us extremely quickly, rather than the typical corporate software problem where it gets described to the vendor and ignored for many months or even years until it starts being actively used for a wide-scale virus.
Unfortunately, the closed source also frightens people away from using patches to closed source software, because you can't verify what else was patched and it *does* often break core programs. So avoiding patches becomes corporate policy to protect the stability of your servers, as opposed to correcting issues when they are discovered.
And security issues *will* be discovered. No system as complex as a large-scale web server or mail-server can be created entirely without bugs.
Depends on the platform. (Score:1, Informative)
Whether that applies to any other platform on Earth, I don't know. My point is that you are making an assumption which is not necessarily true for all cases.
Re:Laughable assertions (Score:1, Informative)
This is the case; cperciva is a prominent and well-respected member of the FreeBSD community.
Indeed, those in the Linux community have also probably heard of him; they may not recognise the name, but once he's identified as the author of the famous Depenguinator I suspect a few bells might start ringing...
Re:Best point is the last (Score:3, Informative)
Actually, most locksmiths are bonded and advertise their bonded status. This provides stronger incentives for honesty than for breaking into your house.
Ross Anderson on Open Source Security (Score:1, Informative)
A recent posting on the Unlimited Freedom [invisiblog.com] blog took another look at Anderson's analysis and came up with some different results that were not as favorable. But either of these articles seems more convincing than this challenge by Russell Jones.