Linux.com

Feature: Security

Think tank questioning Open Source security runs Apache on its Web site, but author defends study

By Grant Gross on June 05, 2002 (8:00:00 AM)

If using Open Source software makes government computer systems susceptible to terrorists, as a forthcoming white paper by the conservative think tank Alexis de Tocqueville Institution claims, then ADTI's own Web site is at risk. ADTI.net runs a version of ... Apache.
This fact was pointed out by Richard M. Smith on Declan McCullagh's Politech email list. So I went to Netcraft.com and checked for myself. Sure enough: "The site www.adti.net is running Rapidsite/Apa/1.3.20 (Unix) FrontPage/4.0.4.3 mod_ssl/2.8.4 OpenSSL/0.9.6 on IRIX." Web host Rapidsite uses a customized version of the Open Source Apache Web server, and Adti.net also runs OpenSSL, the Open Source Secure Sockets Layer toolkit.

ADTI president Ken Brown, whose white paper says Open Source software provides hackers/crackers its "blueprint," volunteers the fact that the site runs on Apache before I can ask him about it during a chat earlier today. "We're pro-Open Source here at de Tocqueville," he says.

My response to Brown: "Huh?"

Brown answers that his white paper specifically questions the security of the GNU General Public License, not other BSD-like Open Source licenses, such as the Apache Software License, although the white paper's press release doesn't make the distinction. "[Open Source] is great for experimentation, and it's great for research," Brown says. "We're talking about national security, and when it comes to the whole issue of hacking a system, we conclude and we will defend to the end, that more information is better [for hackers/crackers]. If you provide more code, you're giving a [hacker] person more information. At the end of the day, you're educating people about what you've done, and we don't see any real benefit to that, especially if it's a bad person."

Editor's note: Here's a link to the study [PDF], apparently released June 10.

So BSD good, GPL bad? That sounds exactly like Microsoft's position lately, although I'm not sure what a big difference that makes in this case, because both licenses allow access to the source code. So the issue apparently is that seeing the source code, or the blueprint, isn't really the problem, but making your changes available to others suddenly opens up all kinds of new security holes. Last time I checked, the GPL doesn't require you to share your passwords or upload your SSH key to Richard Stallman.

So we have a think tank that doesn't put its money where its mouth is. Smith, on Politech, also says the Alexis de Tocqueville Institution has gotten funding from Microsoft in the past, and a story at Wired.com today confirms that. The think tank has been a Microsoft antitrust apologist in the past. (That's just one of more than a half dozen pro-Microsoft papers on ADTI.net, pointed out by OSDN programmer Jamie McCarthy on Politech.) Why isn't that a surprise?

Of course, Microsoft doesn't always put its money where its mouth is, either. Remember Microsoft's anti-Unix site Wehavethewayout.com, which was originally running FreeBSD?

I ask Brown about Microsoft funding for this specific study, and he says it's against ADTI's policy to comment on who funds its studies. I suggest that not disclosing the paper's financial backers may cause people to question the validity of the study.

Brown answers: "I have a lot of faith in the American people. If somebody wrote something tomorrow that everyone should move to California, people aren't going to get up and move to California. It has nothing to do with a travel organization funding the study, it has to do with common sense. We think that something should be challenged on its merits."

So Brown and I move on to the merits of the white paper's conclusions. He agrees when I suggest Microsoft products have a long history of security problems. "Our position is not that one system is better than another," Brown adds. "We never said that. Our paper is about Open Source, that's it."

Still, I press Brown on the Microsoft alternative to Open Source, given Brown's theory that Open Source can be exploited by terrorists. He claims "volunteer" organizations like Open Source projects don't have much of a chance of competing with huge corporate initiatives.

His reasoning: "You get 10 smart people together in a room, and they'll come up with some pretty good code. You get 100 smart people together, and they'll come up with some even better code ... and on and on from there, assuming there's some break-off point and somebody can't make it any better." He continues: "Now, let's change the model from numbers of people to accountability, warranties, customer service, manuals, that kind of thing. You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does. You can't say a volunteer group is necessarily always going to be as efficient as a group that's contracted."

I don't even know where to start to respond to that statement. The hundreds of horror stories about getting tech support from Microsoft and other large computer companies run through my head. Brown has limited time to talk, so instead I suggest that people often do better work for volunteer organizations than their employers, because they're doing what they love, not what they're getting paid for.

"The fact is, I want a guarantee as a businessman, I want accountability," Brown answers.

Brown should talk to Microsoft about guarantees. One NewsForge reader points out something I'd nearly forgotten: The Windows End User License Agreement specifically disclaims any obligation of a warranty. It seems that Brown's holding Open Source up to a standard he doesn't expect from his past financial backer. And, besides, if you find a software company willing to sell you a system it guarantees can never be cracked, ask if it can add some snake oil to your order.

Okay, I point out, in the case of security, it appears as if the Open Source model somehow works better, especially when compared to Microsoft. Even when I take into account that many Microsoft products are used by millions of people, many of whom shouldn't have gotten a license to operate a computer in the first place, Open Source products seem to have fewer serious security problems, not to mention that Open Source bugs seem to get fixed a whole lot faster.

The "many eyes squash many bugs" explanation seems to hold water, and although most Open Source projects aren't created by 100 smart people sitting in a room together, the model Brown likes, they are created by hundreds of people talking on the Web together, and these are generally people who care as deeply about their projects as Boston Red Sox fans care about another late-season choke. No, most Open Source coders aren't paid, but neither are the rabid Red Sox fans.

"In the case of security, it appears that Open Source products have fewer security vulnerabilities," I say to Brown. "So somewhere, there's an efficiency there."

Brown seems to back off: "What we've been suggesting in our study ... is that this deserves more study. And that's where we stand. We think there should be a commission to do a rigorous test and do a study. We didn't do a [security] study comparing proprietary software to Open Source, and I'd like an unbiased community of people to do this kind of study."

I point to studies like a recent one from Gartner Group that suggests Microsoft security would benefit from an Open Source-style review. But, I add, the Open Source community would probably welcome an unbiased study of that sort. So Brown and I finally find some common ground.

The white paper, which has gotten unquestioning coverage at places like ZDNet, is scheduled to be released Friday and will also include critiques about Open Source attitudes about intellectual property and Open Source. Brown, who says he has four years of experience writing about technology, authored the study with help from several others after more than six months of interviews about Open Source, he says.

I remain intrigued by Brown's assertion that showing the source code "blueprint" makes Open Source software more vulnerable to terrorists. That theory leaves out the assumption that sysadmins have a variety of tools at their disposal to make systems more secure. Most people who know much more about information security than I do would advise people worried about security to never install a default Web server or operating system, whether it's Open Source or proprietary. You need to take the precautions available and keep up with the security updates, and you need to realize that no system is totally invulnerable.

As Brown says he has to get off the phone, I give him another blueprint scenario:

Let's pretend you and I are burglars, I tell him. We're considering breaking into two houses. We have the blueprint for the first house, let's call it the Open Source house. We know how the house is laid out, we know where the doors are, but we also know that there are locks on the windows, there are dead-bolt locks on all the doors, there's a burglar alarm installed, there are two 100-pound Rottweilers living inside, and the owner keeps a loaded double-barrel shotgun somewhere in the house.

Let's call the second house the Microsoft house. We don't have a blueprint, but we know the owner doesn't have locks on the windows, has no dogs, guns, or burglar alarm, and tends to leave the back door unlocked.

So, I ask Brown, which house are we going to break into? Does the blueprint really help us?

Brown doesn't have much of an answer to that.

Comments

on Think tank questioning Open Source security runs Apache on its Web site, but author defends study

Note: Comments are owned by the poster. We are not responsible for their content.

On the other hand ...

Posted by: Anonymous Coward on June 06, 2002 02:51 AM
I don't really understand the crooked business mind. I hope MS gave him top dollar for that soul.

#

In answer to your query

Posted by: Anonymous Coward on June 06, 2002 03:07 AM
I'd say, without advocating the act itself, that theoretically, one should burglarize the open source house, since you know where the dangers are and how to minimize, preferably eliminate, them as a source of concern.

That last analogy really doesn't work all that well, when it comes down to it.

#

Re:In answer to your query

Posted by: Grant Gross on June 06, 2002 03:10 AM
So you'd try to break into the well-guarded house instead of going for the easy burglary? Even if you could break the locks, and defeat the burglar alarm, you'd risk running into the Rottweilers and an owner with a loaded shotgun?

My advice to you: Don't consider a life of crime.

#

Re:In answer to your query

Posted by: Anonymous Coward on June 06, 2002 04:50 AM
Yes, but according to your analogy, the first house is a known quantity, but the second has too many unknown quantities.

#

Re:In answer to your query

Posted by: Grant Gross on June 06, 2002 05:03 AM
In my analogy, the Microsoft house is a known quantity, too: Wide open. The point of the analogy is that having blueprints to a house doesn't necessarily mean you can walk right in and plop your ass on the couch.

Your life of crime would be a short one.

Grant

#

Re:In answer to your query

Posted by: fitzix on June 06, 2002 11:29 AM
Almost all security holes are discovered through behavioral analysis of the software itself when running, not code analysis. Code analysis can only find certain security holes reasonably -- like buffer overflows. And even that takes considerable time.

What I'm getting at here is that the proprietary programs *ARE* known quantities because no system is completely opaque. You still have access to general software behavior (which can't be modified by the target) because all of the API's have to be available (or at least accessible) and documented for development on that system.

Since behavior can be guessed or assumed, security holes can be found.

That's the corner that you take here. Source is not the end all or be all of security violation tools and the "black box" has many hooks and holes.

It's also important at that point to note that the GNU GPL does *NOT* require release of source code if the code is not distributed. Which means a site can modify software and never release the source code. This means that the "Open Source house" would also, most likely, not be entirely known by the intruder.

In short, under analysis, Grant's example generally holds.

#

Re:In answer to your query

Posted by: Anonymous Coward on June 06, 2002 03:39 PM
If you want safety, you don't consider a life of crime. You get to work in the federal government. It requires the same lack of scruples, but it is far safer, less work, can get you further if you are ambitious, and it pays for retirement.

#

Re:In answer to your query

Posted by: Anonymous Coward on June 06, 2002 04:19 PM
Nice logic.

So you're a bank robber. You have 2 banks in your town.

One is well documented, with publicly available blueprints. Its excellent security measures, that have been publicly tested and perfected as part of a community initiative, are very well documented and again publicly available. The other doesn't disclose anything, but a trip inside provides easy evidence of a complete lack of security.

The first one, despite its transparency, is nigh impossible to rob. The second relies on obscurity for security, and although a bit of a gamble it would be easy to get out should there be any trouble.

"But the quantities of the first bank are known."

I think you need to redefine your notion of security. Do you not password your servers, but instead put them in a hard-to-find corner of your office building? Personally I password them and tell my colleagues that they are passworded.

#

Re:In answer to your query

Posted by: rycamor on June 06, 2002 11:37 PM
An even better way to look at the analogy:

Do you need the architectural plans, and construction details of a building to be able to break into it? (In other words, do you need to know what construction materials they used, and what support methods, etc...?) No, you only need to know the "standard API" for the building, such as where the doors are, how they are locked, and where the security measures are. I suggest that anyone with access to standard Microsoft APIs and information can figure out most of the analogous information above. And the rest can be found just by snooping, the same as a common burglar would snoop around a bank before attempting a break-in.

So the argument is really not about access to the source code, but access to the operating system's own interfaces. In this sense, the 1500-page industrial blueprints for a building are far more than any burglar could ever use to gain entry to a building. Instead, they would want to just look for the standard points of entry common to all buildings, and the simplified "overview" blueprint, (the API) to figure out how to break in.

Let's face it: an operating system that is completely obscured is completely useless. There is no such thing. And lack of source code does NOT prevent hackers from understanding how Microsoft operating systems work.

#

The study is "concerned" with security?

Posted by: Rocky on June 06, 2002 03:30 AM
While the author *may* have some valid points in the "study", unless he's proposing implementing OS/400 or higher he's got a problem. In regards to the desktop the alternative to Linux, the virus otherwise known as Windows, security sucks and it's been proven and proven and demonstrated over and over again.

So - my suggestion is this - if indeed he's truly "concerned" about security - put AIX or other form of Unix (Solaris?) as the desktop - it's proprietary and a whole lot more secure than Windows will EVER be.

#

gota love FUD

Posted by: Anonymous Coward on June 06, 2002 03:49 AM
If this study was so concerned with security, they wouldn't have been so overconcerned with the differences between the GPL and BSD style licenses.

If as he is saying Open Source software is more vulnerable due to the source being available to anyone who wants it, then it shouldn't make a difference how said software is licensed. BSD or GPL or whatever, if the source is available, you would think it would be the same situation.

I fail to see how GPL'd software is more vulnerable than BSD'd software. Linux compared to NetBSD; there isn't a huge difference in security between them if you look at their histories.

When this 'white paper' is released it shall be interesting to tear it apart looking for FUD and lies.

And this study seems to have been funded by Microsoft, hmm... interesting.

#

Re:gota love FUD

Posted by: Anonymous Coward on June 07, 2002 12:22 PM
I fail to see how GPL'd software is more vulnerable than BSD'd software.


The difference is that Microsoft has admitted to using BSD'd code in their software, so they can't make MS look insecure. Of course, MS does a good enough job of doing that...

#

This reminds me of the 1970's.

Posted by: Anonymous Coward on June 06, 2002 04:11 AM
In that decade, anti-marijuana pundits had to sit back for awhile and stop being pushy, because of the groundswell of interest. But they did engage in some pseudo-academic-science baloney and kept saying they weren't saying that bla bla bla...then all of a sudden all the newspapers started printing 72-point headlines about how horrible it was, according to these studies (never mind they had to retract most of them...)

That reminds me of this story. Now, all I have to do is wait for the 72-point headlines from some rich man's newspaper or Internet site:

STUDIES PROVE LINUX IS INSECURE!!!!!

Then, of course, there'll be the 8-point retraction on page 78 below the right-hand corner of the auto ad, just above the 72-point heading for a sale on Microsoft products....

Maybe there'll even be some video bites on TV with some bad-hair guy mumbling about how his Line-ux box was infected by a virus....

Funny thing is, I keep getting these e-mails that want to open Media Player, and do bad things to my Microsoft Outlook, and the anti-virus product makers wring their hands. Because Media Player *has* to be able to run arbitrary code, allowing marketers to "provide" synchronized video, sound, and web pages.....

...in my E-mail?

"the more things change, the more they stay the same."

#

Microsoft developing in secret is better off?

Posted by: Anonymous Coward on June 06, 2002 05:07 AM
Have you ever tried to get Microsoft or any other large software company to make changes? Albeit, the problems may be difficult or only affect a few people. Still, fundamental short cuts to meet closed source release deadlines affect quality. Ones that turn out to be bad architectural design problems cause significant problems. Once in place these are very difficult changes for a closed source project to correct. In an open source project someone who's likely affected by the problem will take the time and resources required to correct the problem themselves and return the code to the community. Everyone benefits from the cooperative model. The Internet and early software development exists and is successful because of this model. Back then it was mostly about hardware sales. The freely available software led to hardware sales. This doesn't happen today with closed source projects. That's fine as a software has to have profits from their closed source projects, it's what drives software companies. The two are different approaches. Without an incentive for true design and quality the pressures of closed source projects at times lead to real deadlines that affect a user's ability to work through resulting compromises problems. The open source model provides a real way to work through problems. Is this free -- No. But you can teach a person to fish or feed the individual. Given the need to eat I'd prefer to have the required skill sets to be somewhat self-sufficient. It’s all about having a choice and it’s a choice that can be made on a project-by-project basis. The two can coexist if the closed source environment can compete with the overall quality volunteers are effectively able to produce with or without corporate sponsors from their employers or through their personal time.

#

100's of smart people

Posted by: Anonymous Coward on June 06, 2002 05:26 AM
Actually it's been shown that throwing additional developers at a project will usually slow it down.

#

Re:100's of smart people

Posted by: Anonymous Coward on June 06, 2002 09:24 AM
Exactly my thought. Mr Brown obviously never read The Mythical Man-Month

#

You should have told Mr. Brown...

Posted by: Anonymous Coward on June 06, 2002 05:33 AM
...even the resident of the MS house doesn't have
the blueprints. Damnit, he can't even find his way
from one room to the next, let alone be certain no
one can break into it!

And then he has to pay $35 for a technician to
change a stupid light bulb. Of course, we can't
tell you how to do that; that's Proprietary!
Someone might figure out how to break in!
Duuuuhhhhh!!!!

And soon after the light bulb has been 'upgraded',
the damn toilet won't flush anymore!!!

Etc., etc., etc., etc., etc.....

#

Re:You should have told Mr. Brown...

Posted by: Anonymous Coward on June 07, 2002 01:33 AM
Exactly..

 

#

Re:You should have told Mr. Brown...

Posted by: mongrel on June 09, 2002 12:31 PM
On top of that all the pictures fall off the wall every time you slam the door, and don't ever dare to have more than three people in a room at once or the walls might collapse.

Reminds me of a Frank Zappa song "Flakes"

#

blueprints are a bad analogy

Posted by: Anonymous Coward on June 06, 2002 06:22 AM
hello,

I think that comparing the security of a physical structure like a building and software is misleading.

The idea that a building is (debatably) more secure because the blueprints are secret does not hold up for software.

Here's why. If a house was like software, then anyone who wished to could download an exact copy of your house at no cost or little cost. They could then use this copy to practice breaking in.

Furthermore, they could scan the copy of your house to see what is inside the walls. And they could even take it apart to see how it is built. This may not give them the blueprints, nor would it provide them with the information that they need to build another house, but as Microsoft has proven again and again, and again, it provides enough information to break in to your house.

Having the source code to software only helps you to break into it if there are obvious flaws, or hidden backdoors, or hardcoded passwords.

An excellent explanation of this can be found in the "Secure Programming Howto"

Rick

#

Re:blueprints are a bad analogy

Posted by: Anonymous Coward on June 06, 2002 09:16 AM
Click a gopher link with IE. There's your bug wide open. *just a stupid remark

There is a difference.

Closed software is actually in a much worse position than open source. While closed source can be maintained only by people that made it, open source is getting security proofers in much wider variety of people. People concerned about projects they run (and hackers too). Closed source on the other hand is being proofed mainly only by hackers with no good intentions.

In a perfect world your theory would be 100% correct. But having closed source backdoors, who says that some employee won't sell them to some other party.

Let's put it other way.
If I bought a house without a security blueprint, how would I know where the security risks are? I don't know even where the damn toilet is, while on the other hand the lowest worker knows that leaks better than I, and I own the damn building.

....They could then use this copy to practice breaking in. ?????
With a closed source on the other hand there is a handful of time to test security flaws between releases and no one really cares (and has troubles testing quality of patch) if patch to one hole opens another one. Main security bug of all patches.

....it provides enough information to break in to your house.
Yes, and too few for me, to be careful and try to avoid the holes in my security

Difference I intended to show is the testers intentions between blueprinted and closed software and owners knowledge compared to some people involved in building it. Open source at least forces builders to build it more secure

Don't relate to papers, relate to REAL LIFE instead. Everything can be bought

An excellent explanation of this can be found in the "Human psychology and Human greed for money - Howto"

#

Why does Windows still have the "libz" hole?

Posted by: Bryan J. Smith on June 06, 2002 10:03 AM

If BSD software allows companies to take Open Source and make it "secure" by closing it, why does Windows still have the "libz" buffer overrun hole? It couldn't be because Microsoft doesn't change the Open Source it uses but just uses it "as-is," could it?


I can look past the bias and hypocritical aspects of this study. That's all viewpoint and PR spin as far as I'm concerned. But to say GPL and BSD differ on source code availability and that "closed" versions of BSD code are better? Com'mon! That's outside reality! Just look at Windows!

#

Reverse Economies of Scale

Posted by: Charles Tryon on June 06, 2002 10:42 AM
I love the quote:

"You get 10 smart people together in a room, and they'll come up with some pretty good code.
You get 100 smart people together, and they'll come up with some even better code."

It's obvious to me that this person has never worked on a real software team.


The bigger the team, the greater the chance that someone's going to screw up and put something stupid in the code. This is especially true when you've got a mix of experienced and inexperienced programmers on a project.

#

Chris Nandor might take exception...

Posted by: Anonymous Coward on June 06, 2002 10:44 AM
He IS a rabid BoSox fan.

Go BoSox!

#

An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 06, 2002 11:33 AM
Ken Brown is the president of ADTI. My first
letter, quoted herein, was sent to him at ADTI.

(I posted a copy of my letter in the first newsforge announcement of this study.)

Here is his response. My responses to him are
in followup posts.

-------------------------------------------

Subject: RE: Terrorists and open source software
Date: 2002.06.02 09:35
From: Ken Brown
To: Karl O . Pinc

Karl,

Our position is as follows:

1: No software is invulnerable. Thus all software has inherently security
problems
2: Those with motivations to crack a software for bad reasons, etc. will do
so, regardless whether the product is os or proprietary.
3: OS is a sound, credible approach for creating systems for the Internet,
etc. however, its basis is upon sharing. While we understand that all OS
does not have to be shared a majority of it whether it is commercial or
non-commercial is shared. GPL license, and GPL applications are over 80% of
popular OS products today. GPL and LGPL stipulate that sharing must occur.
4. National security systems must be secret. Anything or anyone that poses
any type of indiscreet sharing is an inherent threat.

Therefore:

Due to increased interest by bad people to our national security system's
vulnerabilities, we should avoid use of systems which enable, require or
mandate indiscreet sharing.

Microsoft and people's hate for Microsoft is irrelevant. True patriots will
come to grips with the reality that really bad people want more information
about our nation's computer systems. True patriots would insist that giving
them anything about our systems is reckless.

kb

-----Original Message-----
From: Karl O . Pinc [mailto:kop@meme.com]
Sent: Friday, May 31, 2002 11:44 AM
To: kenbrown@adti.net
Subject: Terrorists and open source software

Hello,

I just saw an announcement
(http://newsvac.newsforge.com/newsvac/02/05/31/1017224.shtml?tid=52)
on a paper you are said to release next week "Opening the Open Source
Debate".

Based on the content of this announcement, it appears you could look
pretty silly when someone points out that the Internet itself is run,
now, on open source software. The core fabric of the domain name
system, which provides domain names like adti.net, uses the open
source software "bind", from the Internet Software Consortium
(http://www.isc.org). More than half of the existing domains, an even
larger percentage if you count only domains that are being used, serve
web pages using the open source Apache web server. (See
http://www.apache.org and http://www.netcraft.com/survey.) Most
e-mail is delivered with the open source mail transfer agents
sendmail, postfix, and qmail. (See http://www.sendmail.org,
http://wwww.postfix.org, and http://www.qmail.org.) The list goes on.

This open source infrastructure has proven itself to be secure and
reliable. It has withstood the attacks mounted against it by all
comers, hackers, terrorists, and idle vandals, for years. Quite
arguably it has a _far_ better performance record when it comes to
protecting this increasingly vital national resource than its closed
source equivalents. I hope your paper considers the record open
source software has vis-a-vis securing the infrastructure of the
Internet, a resource which by its very nature is constantly open to
attack. Any paper on the risks of open source which does not examine
this proven performance record is fatally flawed.

Regards,
Karl

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 06, 2002 11:36 AM
Subject: Re: Terrorists and open source software
Date: 2002.06.02 21:45
From: Karl O . Pinc
To: Ken Brown

On 2002.06.02 09:35 Ken Brown wrote:
> Karl,
>
> Our position is as follows:
>
> 1: No software is invulnerable. Thus all software has inherently
> security
> problems
> 2: Those with motivations to crack a software for bad reasons, etc. will
> do
> so, regardless whether the product is os or proprietary.
> 3: OS is a sound, credible approach for creating systems for the
> Internet,
> etc. however, its basis is upon sharing. While we understand that all
> OS
> does not have to be shared a majority of it whether it is commercial or
> non-commercial is shared. GPL license, and GPL applications are over 80%
> of
> popular OS products today. GPL and LGPL stipulate that sharing must
> occur.
> 4. National security systems must be secret. Anything or anyone that
> poses
> any type of indiscreet sharing is an inherent threat.
>
> Therefore:
>
> Due to increased interest by bad people to our national security system's
> vulnerabilities, we should avoid use of systems which enable, require or
> mandate indiscreet sharing.
>
> Microsoft and people's hate for Microsoft is irrelevant.

I quite agree.

> True patriots
> will
> come to grips with the reality that really bad people want more
> information
> about our nation's computer systems. True patriots would insist that
> giving
> them anything about our systems is reckless.

Ah, that's your argument. Thanks for the reply.

No. It doesn't matter what's revealed about our systems' workings, so long as
the resulting systems have the best security. End result is what
counts, not how you get there. I don't buy your point 4. Also, while
it's important to analyze how secure any piece of software is, we must
remember that our overall goal is security for the American people.

Regards your 3rd point. It's not factually correct as stated. (No
problem there, the point is subtle and you were kind enough to respond
to my note.) While any software _may_ have its internals revealed,
OSS (Open Source Software), by and large, including the GPL, does
_not_ mandate or require that it be shared with anybody who does not
have access to the working program. So, unless the U.S. is planning
on sending working software to terrorists, licensing which reveals
our government's computer code is not an issue.

To address the substance of your point, what makes "software for the
Internet" different from any other kind of software, such that OSS is
good for Internet infrastructure and not other software? Especially
as Internet infrastructure is especially susceptible to security
vulnerabilities? If nothing else, doesn't national security require
a good network infrastructure? You haven't addressed these questions.
(It's worth noting that OSS has only just begun to
_produce_ much software that isn't "software for the Internet". There
was a sudden market demand for Internet software, and OSS spent its
resources meeting that demand. This demand was partly driven by the
early success of OSS's Internet software and the utility this software
gave to computer networking. With this success, OSS has begun to
branch out into other areas of software development.) Your point 3
doesn't fly, although it does spotlight the public nature of OSS
internals. Of course, much OSS source code is publicly available
already, which brings us to the crux of the issue. Theory says OSS is
secure or it isn't, depending on who you listen to. Practice (the
Internet's infrastructure) says it's secure. That's all we really
need to know. I don't think you can win point 3 with academic
arguments either, except in special cases. There _will_ always be a
need for secrecy in _some_ cases.

How can OSS be secure? The general consensus among security experts
interested in secure systems seems to be that, while each security
issue must be individually considered, as a whole, software that's
designed to be secure is _more_ secure when the security aspects of
the software are subject to public scrutiny. The classic cases are in
cryptography. It's well known that cryptographers are loath to
guarantee new and, thus untested, algorithms. The overall problem is
that security tends to be such a complex matter that unless you have
lots of smart people looking at the problem, you don't really know
you've got the answer. Of course, you'd _like_ to have both good
secure systems and secrecy as to how they work, but this appears to be
infeasible except when you're willing to spend a large amount of
effort for a very narrow application. We're not talking about narrow
applications here, we're talking about running a government.
(Government use of cryptography may be one case where it's worth
spending enough money in a narrow field to ensure reliability and be
able to enhance the security of the result through secrecy.)

There are always those willing to argue on the other side of this
issue, mostly manufacturers of proprietary systems. The record
shows that problems just do not get fixed until enough of the public
knows of the security problem that the manufacturer finally feels the
pressure. These people are running businesses, why should we expect
them to expend their resources until they have to? I don't think that
regulating these companies into compliance with some desired standards
is either right or practical.

I'm not the person to make the above analysis as to why OSS is secure,
that's just the crux. I've tried to pay attention to both sides of
the argument, and the winner seems clear -- when you're talking about
general purpose software. I'm sure others will refer better arguments
to you from security professionals and other experts. I'd like to
hear of your conclusions. But I trust mine, as a computer and math
geek. (I'll be reading your paper in any case, in the event you've
already responded to these points.)

I don't argue that OSS is _always_ secure, or _always_ better, just
that it clearly _can_ be both and so it's a disservice to our country
to banish it, from security sensitive areas or otherwise.

On to broader issues.

The other factor that always needs to be balanced against security is
functionality. Obviously, the e-mail program that resides on a
computer which is never connected to any network is most secure, and
entirely useless. Less obviously, the program that you spend ten
years' time making secure is also less useful. You could have spent
that time improving program utility. Further, additional
functionality always leads to decreased security, if for no other
reason than that the system becomes larger and more difficult to audit. If
our government has systems that work well, our country will be more
secure because our government will work better. (Reminds me of the
shoe boxes that used to hold the Chicago City Police records for
parking violations -- until the mid 90's as I recall! The result was
that until they switched to a computerized system, many people didn't
pay attention to parking tickets at all.)

(You're probably fighting a losing battle no matter what your
conclusions. There was a time in the 80's when the federal government
mandated a Unix standard for all computer systems. Look how well that
worked.)

So, no. Giving out nothing about our systems would cripple us, as the
only way to ensure that would be to insist that our government
procured software written only by U.S. citizens with appropriate
security clearances. The bureaucracy would be enormous, the expense
ruinous, and the software pathetic. We both know better than that.
We need to find the right balances and the equation is complex. I
don't think you're going to make an argument fly vis-a-vis banning OSS which
focuses on the benefits of secrecy and excludes considerations of
expenditure and functionality in the analysis of the security our
Government provides. Not to mention the direct impact public review
has in improving system security.

Sorry about the long reply. I feel strongly protective of our country.

Best wishes in your analysis.

Karl

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 15, 2002 11:25 PM
Mr. Pinc appears to believe in 'security through obscurity'. I would suggest that while on the surface that makes a great deal of sense to him, that studies showing that this is not the case, might be of benefit for him to re-evaluate his conclusion.

I suspect he believes that open source software means that attackers can pore through the code looking for vulnerabilities. But is it not more frequently the case that attacks are run from the outside, looking for holes in the firewall, poorly-chosen passwords, etc? In that case, actual test attacks against MS XP, OS X, on the one hand and GNU/Linux on the other take place to determine the states of relevant security?

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 06, 2002 11:39 AM
Subject: Secrecy is not security
Date: 2002.06.02 22:00
From: Karl O. Pinc
To: Ken Brown

> 4. National security systems must be secret. Anything or anyone that poses
> any type of indiscreet sharing is an inherent threat.

Again, secrecy is not security. (It _can_ be, but isn't always.)

The USSR had lots of secrets. So much so that they had guards on
every xerox machine. Did this secrecy strengthen or weaken their national
security?

Karl

#

Re:An e-mail exchange with the ADTI president

Posted by: fitzix on June 06, 2002 11:51 AM
I am personally insulted that he used the emotional appeal of "if you're a patriot"...

How did I know that *THAT* would come up?

If you can't win an argument factually, try to shame your opponent until they give up... that is the rule at play here.

They can't win logically because they know that they were wrong, so they invoke modern McCarthyism. Pathetic.

If I were a patriot (and in many ways I am) I would want our infrastructure to be as secure and heterogeneous as possible. As a patriot, I demand that Free Software be our backbone. As a patriot, I know that proprietary software will destroy this nation -- since all that Al Qaeda would have to do is combine 5 currently existing viruses/worms and they could wipe out the majority of our e-commerce infrastructure. Of course, those worms only work on (you guessed it) a very popular (popular == OEMs sell it to people) operating system...

Stick that in your pipe and smoke it Mr. "patriot".

He is advocating the creation of a monoculture the likes of which any ecologist will tell you is of disastrous proportions. If all of our foodstuffs were of a monoculture like the proposed "for security" - then we all would have died long ago of starvation as blight wiped out our base crop.

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 06, 2002 12:02 PM
I've not heard anything back.

Karl

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 06, 2002 12:34 PM
Um, Mr. Brown obviously has *no* clue, about either "a software" or about "sharing". The GPL and LGPL do not "stipulate that sharing must occur". I have modified GPL sources sitting on my disk; have I violated the GPL by not making those public? No, of course not. And the last I knew, the National Security Establishment isn't into distributing binaries, especially not of "secret" systems.

How can anyone writing such a white paper be so utterly clueless about such basic issues? Perhaps it's a consequence of having one's mind rotted away by the "true patriot" meme.

#

my own response

Posted by: gus3 on June 07, 2002 02:14 AM
Your argument to Karl Pinc is faulty on its face. I want to take your argument point by point, and also as a whole.

1. Software isn't the only system that is vulnerable. In fact, no *system*
is invulnerable. We die, machines break down, the sun will someday stop
shining, most likely. However, having security problems and being
vulnerable are two different things. Any system is vulnerable to internal
failure or external attack. The security, however, may not be compromised.
If someone cuts the power lines to my house, they have denied me the use
of my computer. But no information has been compromised. In that sense, my
system is vulnerable, but secure.

2. Those with motivations to crack software, will only *attempt* to do so.
Their success is not guaranteed. Their "failure" is defined as their
stopping the attempts, for boredom or whatever reason.

3. 80%? That's a very high number, higher than any I've heard. If you
meant "80% of products on the Internet", I can verify that, in late 2000,
open source did run about 80% of the Internet.
http://www.netcraft.com/survey/ But not today.

4. If "all generalizations are bad," this blanket statement is the weakest
individual point. First, it denies me the right, to verify *for myself*,
as the taxpayer who bought those systems, that they are properly
programmed, configured, and maintained. Second, even without that right,
it depends on centralized security, which is the #1 weakness of any
security system. With a single point or cluster of failure, the whole
system can be brought down. Cut off the head, the body will die.

Your conclusion contains an implicit assumption that anyone interested in
our national security systems is "bad". Why am I "bad", if as an ordinary
citizen I take an interest in our national security? Depending on someone
else for our security is guaranteed to fail. The police etc. can't be my
bodyguards 24/7.

I would also like to point out the inherent contradiction between point #1
and the conclusion. If all software has inherent security problems, why
not make it available for public scrutiny? Many eyes, with the same skill
levels as those we want to guard against, can examine the software and
point out the weaknesses and vulnerabilities, and get them fixed quickly.
This, as opposed to closed systems, which the "common man" is denied
access to, but criminals WILL get and examine.

You also contradict your conclusion with point #2. If crackers will crack
regardless, why not give away all those secrets? After all, that's how to
defeat a blackmail attempt. If we, the citizens, know where the national
weaknesses are, we will be better prepared to defend them.

Finally, your appeal to patriotism is insulting, to me personally, and to
three of my friends who are right now sworn and prepared to lay down their
lives in defense of our nation. Your use of the phrase "true patriots" in
particular is a plain attempt to set yourself up as the judge of what a
"true patriot" is. In the words of Ambrose Bierce:

"In Dr. Johnson's famous dictionary patriotism is defined as the last
resort of the scoundrel. With all due respect to an enlightened but
inferior lexicographer I beg to submit that it is the first."

--
Mark

#

Re:my own response

Posted by: Anonymous Coward on June 17, 2002 11:09 AM
hey nick

just a quickie on your "open source used to be 80% of the internet" comment. when you quote netcraft, you're only looking at http servers.

the vast majority of the internet's infrastructure uses key open source software like bind, sendmail, and then of course there's tcp/ip. i don't think you can use a falling apache graph to make the massive generalization that open source is losing ground in internet infrastructure.

#

They assume that a "BAD" person won't be hired by MS

Posted by: Anonymous Coward on June 16, 2002 12:51 AM
The response totally misses the fact that there are many foreign IT workers here on H1B visas. This greatly increases the risk that someone "bad" could be hired. Also Tim McVeigh is an example that we have our own nuts here. How do you know a plant is not working for Microsoft? It seems more than coincidence that IIS has had a lot more exploits than Apache! Not to mention Outlook! We also know that the source code to Windows has been compromised by hackers. How do you know that their OS is not totally owned by hackers working for Al Qaeda? Have any third parties, such as the NSA, reviewed every line of code for security? They have for Linux, and anyone else concerned for the security of their systems can do so at any time they desire. How much money has Ken Brown et al. received from Microsoft in the past year? How do we know he is a person that can be trusted? Has he submitted to a security background check? If not there is absolutely no way to possibly know he is not of dubious character.

#

encryption techniques show ADTI is wrong

Posted by: Anonymous Coward on June 16, 2002 01:44 AM

True patriots will
come to grips with the reality that really bad people want more information
about our nation's computer systems. True patriots would insist that giving
them anything about our systems is reckless.


Don't get me started on the jingoist, "love it or leave it" attitude expressed here. I'll just start with the technical inadequacies:


Here is the cipher text: 0000011001111000110


I will tell you that I created this cipher text by XORing the plain text with a 1 time pad equal to the length of the plain text, so there are no patterns to look for.


I challenge anyone from ADTI, or any other posters, to tell me what the plain text was. And if you know that, you'll know the pad.


If I did the math right, there are 2^19 different plaintext/pad combinations. The first number is 0, so you know that you are looking at either 0/0 or 1/1 for the first number.


This is a perfect example of how a well written security feature can be extremely secure even if the encryption method is completely known. This is also a good example to use with people who aren't familiar with computers because the idea of XOR and a 1 time pad are pretty easy to explain.


After having said that, I sure hope I got everything right. I don't normally work with encryption and the classes were several years ago.
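
The claim in the post above can be checked mechanically. The following is an added example, not part of the original comment: it takes the ciphertext quoted in the post, shows that every 19-bit plaintext is consistent with it under exactly one pad, and shows the condition the guarantee depends on (a random pad that is never reused). Function names and candidate plaintexts are constructed for illustration.

```python
"""One-time pad over bit strings, using the 19-bit ciphertext quoted in the post."""
import secrets

CIPHERTEXT = "0000011001111000110"  # copied from the post


def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length strings made of '0' and '1' characters."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    if set(a + b) - {"0", "1"}:
        raise ValueError("inputs must contain only '0' and '1'")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def pad_for(ciphertext: str, candidate_plaintext: str) -> str:
    """Return the single pad under which candidate_plaintext encrypts to ciphertext."""
    return xor_bits(ciphertext, candidate_plaintext)


def count_consistent_pairs(ciphertext: str) -> tuple[int, int]:
    """Enumerate every plaintext of this length.

    Returns (number of plaintext/pad pairs, number of distinct pads seen).
    Both equal 2**n: each plaintext is explained by exactly one pad and no
    pad is used twice, so the ciphertext alone favours no plaintext.
    """
    n = len(ciphertext)
    c = int(ciphertext, 2)
    pads = set()
    pairs = 0
    for plaintext in range(2 ** n):
        pads.add(plaintext ^ c)  # the pad that maps this plaintext to c
        pairs += 1
    return pairs, len(pads)


def reuse_leak(p1: str, p2: str) -> str:
    """Encrypt two messages under the SAME random pad and return c1 XOR c2.

    The pad cancels out, so the result equals p1 XOR p2 whatever the pad was.
    This is why the pad must be used only once.
    """
    pad = format(secrets.randbits(len(p1)), f"0{len(p1)}b")
    c1 = xor_bits(p1, pad)
    c2 = xor_bits(p2, pad)
    return xor_bits(c1, c2)


if __name__ == "__main__":
    # Constructed guesses; none is claimed to be the poster's actual message.
    for guess in ("0" * 19, "1" * 19, "1010101010101010101"):
        pad = pad_for(CIPHERTEXT, guess)
        assert xor_bits(guess, pad) == CIPHERTEXT
        print(f"plaintext {guess} is consistent with pad {pad}")

    pairs, pads = count_consistent_pairs(CIPHERTEXT)
    print(f"{pairs} plaintext/pad pairs, {pads} distinct pads")

    a, b = "1010101010101010101", "1111111111000000000"  # constructed messages
    print("pad reuse reveals p1 XOR p2:", reuse_leak(a, b) == xor_bits(a, b))
```
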

#

Re:An e-mail exchange with the ADTI president

Posted by: Anonymous Coward on June 16, 2002 06:26 PM
National security systems must be secret.

Fine, Open Source gives people access to the sourcecode, but how much more secret is Closed Source software actually?

How many people keep probing and prodding MS-Windows? How many parts of it are getting reverse engineered? How many parts of it come from different people (MS developers, developers from manufacturers who create drivers, developers from software companies like Oracle and Adobe or whatever software a supposedly secret machine is going to run).

University students can get access to (at least parts) of the Windows sourcecode. Developers can get access to parts of the Windows sourcecode. Parts of the Windows sourcecode have been stolen from Microsoft and been put on the world wide web.

Sun Microsystems also has got licenses allowing people to take a peek at the sourcecode of Solaris. What if other vendors who supply software for the "secret national security systems" decide to give away the sourcecode of their products (old versions for example).

I think trusting in the secrets and bugs in Closed Source software staying hidden is a bad thing. Bugs causing security problems will be found and in fact are being found constantly. There is no way a customer can verify the quality of the Closed Source code or the supplied fixes. You have to take the word of the software vendor that they are taking security seriously.
You cannot trust in the fact the sourcecode will remain closed forever. What if at some point Microsoft is legally required to open parts of their sourcecode? What if Microsoft in a PR ploy decided to release the sourcecode of officially end-of-life software? What if evil computer criminals get hold of the sourcecode?

Does Microsoft (or any other supplier of Closed Software that is supposed to be used in situations where security is a prime concern) have to formally declare they will under no circumstances release any part of the sourcecode, not in the past and not in the future? Do they have to formally declare to rewrite the entire software based on that sourcecode from scratch if the sourcecode does get out in the open?

I'd rather trust software that doesn't rely on the uncertain method of trying to keep the sourcecode a secret (OpenBSD for example, pro-actively auditing the sourcetree for possible trouble).

The truth... er... source is out there!

Oh well, I'm preaching to the choir, I suppose...

#

Warranties...

Posted by: fitzix on June 06, 2002 11:38 AM
Umm - Mr. Brown should note that the MS EULA has a "No Warranty" clause.

If MS' software allows someone to break into your business, you're just as helpless to sue as when running Free Software...

The "warranty and accountability" line is an old piece of FUD that uses emotional reactions in support of a lack of personal responsibility for one's (lack of) action.

Now, maybe you just couldn't find that darned security hole or you just didn't have time.

Legally, it doesn't matter -- it would only be a stupid company/developer that would put a complete warranty on the software. Almost nobody does it, and Microsoft certainly doesn't do it.

There's no debate on that issue -- it's black and white in the MS EULA. Mr. Brown might take an interest in reading it someday.

#

Go for the blueprinted house

Posted by: Anonymous Coward on June 06, 2002 01:28 PM
Locks on windows are easy. So let's make it a window entry. Since we've been planning this for a couple of months, we have already triggered the alarm system on several occasions. We know where the vulnerabilities are. And the owner thinks there's something wrong with the system. But the alarm company finds nothing. Several more triggers, and now the alarm company has minimized the sensitivities on the sensors. And made larger contact areas on the magnets. And secured the window tape better.

We've also been watching the house/studying the blueprints. We know that the shotgun is either in the bedroom or living room from past experience, more than likely in the bedroom.

We also know from our surveillance jaunts that the Rottweilers have free roam of the first floor, stairs, and hallways of the second floor. This means there are no motion sensors or mats with pressure sensitive switches in these locations.

We schedule the job. The parents normally work until about 6:00, and haven't gotten back home at night until about 7:00. The single child stays with his girlfriend until dinnertime, at which point he normally drives home around 7:30. It's winter. Short daylight hours. We schedule the job for a night around the new moon, for even less daylight. Tomorrow night looks like it. It's going to rain. Perfect. No eyeballs on the street, and the rain will cover us if we make a little noise.

Step 1. Use a van that will hold the safe we're going to hoist from the second floor window to the floor outside the side of the house. We use a second floor window because through previous experience, and previous tests on the house, we know that the alarm company has not installed magnets on the second floor bathroom windows. They never dreamed we'd come in from there, and listening to the owners, against the alarm company's better judgement, the second floor bathroom window contacts, and several other second floor windows have not had magnets/sensors installed yet. The owners don't place a high priority on this, they just want to relax when they get home from work, and have no time right now to stay home to watch the house while the alarm company finishes the job. The house is well protected, who would be dumb enough to try and come in through a second floor window? That window is at least thirty feet up, and is on a side that can be seen from the side of the house. Besides, the owners have the dogs...

Step 2. We're dressed like servicemen in case of anything. We have a lookout position near the front of the house in a car, with a radio. A second lookout is parked five blocks away, at the entrance of the area. The third lookout is parked across the street from where the parents work. Everyone has radios. We know the parents are still hard at work.

Step 3. We open the second floor window, after scaling to the roof with our portable equipment. We toss in the drugged food for the dogs. Five minutes later, the dogs are out. The safe is easy. Bedroom. Bypass the plunger switch near the base of the bedroom door. It's wood, so that takes less than 30 seconds. Check for button triggers under the safe wheels, none, roll it out to the second floor hallway. Attach the straps, hoist it up to window ledge, out the window, down to exterior first floor with the special portable hoist we rigged up that is now on the roof of the house, positioned above the second floor bathroom window.

Step 4. Problem. The couple's kid (he's 17) drives home. We've got the safe on the floor, outside the side of the house. He drives up the driveway at the front of the house. Therefore he doesn't see the van parked at the back.

Tense moments...

He enters the first floor, picks up a schoolbook at the base of the stairs, then exits, and drives away. Unknown to us, he notices the lookout at the front of the house through his rearview mirror. Fortunately, the windows of the lookout car are heavily tinted, so he sees no one inside. Unfortunately, and unknown to us at the time, he memorizes the license plate on our lookout car because it's not a neighborhood car, and drives away. While driving away, he writes the license plate down just in case.

We stop sweating, and get back to work. We wheel the safe to the van, and get the *#$! out of there.

Our haul: One grandfather's pension money that was cashed out the previous week, and is well into 5 figures. Money that was about to be repaid to relatives for personal loans they provided to help build the house. Money to buy furniture for the living room and dining room. All the gold and silver jewelry that was passed down from many generations. All the bank, retirement, pension, health, and insurance paperwork. Enough personal info to haunt the homeowners for the next ten years, and still haunts them to this day. All together, the haul is in the six figures, and all liquid, untraceable. We could sell the personal info, and get a couple more grand, or try cashing out the policies, but we're professionals. We know that such a move could finger us.

What we find out later, however, and how the homeowner knows about all this, is that the license plate trace that the police did on the suspicious car in front of the house comes back to a two bit punk with a long rap sheet. He's hauled in for questioning, but clams up, and a very expensive lawyer shows up to spring him. He's out the same day. Tests are done on the stomach contents of the dogs (actually dobermans in this case, not rottweilers) and the tests confirm that the dogs were drugged. The part time maid is extensively questioned, and her background is checked. The alarm company owner personally installed the alarm, and he has the highest security clearances in the country, due to his work for various government agencies. He has a profitable business, low debts, and has everything to lose if he's tied to this operation. He is also personally known for over ten years by another relative, and is completely trustworthy. He checks out. Several others are checked, and everyone passes. A truly professional job.

Did I mention that about a dozen other houses in the vicinity have been recently hit with the same M-O? Something the homeowners only find out after they are hit.

Good thing we had those blueprints. They helped us with the info we needed most. We wouldn't waste our time with anything else.

Sound far-fetched? This really happened to my relatives around 1990. The loss was such a setback to them that they still do not have new living room furniture. Their two couches are at least twenty years old now, and just in the last few years did they finally get around to buying a dining room set to replace the one they originally purchased in the 1960's.

The info on how the burglary was pulled off was pieced together by my friend who installed the alarm. He was also devastated over the break-in. He could barely talk to me because I had recommended him to my relatives, and I had relied on him to protect my relatives. This was his first major breakin that he lived through for his business. He was used to his systems working, and catching the burglars, or driving them off. He was not prepared for what happened to my relatives, and the effect that it had on them. He was present during the on-site investigation by the police. He took the info from the half-assed job the police did, and the lab results from the dogs' stomach contents, plus previous burglary info, some evidence the police missed, the eyewitness info my cousin provided on the lookout car, another eyewitness info on the lookout car in front of the business where my relatives worked, and contacted a few friends in high places to look into the background of the lookout fingered in front of the house. We know who he is, and who he's connected to. If my relative who returned to the house during the burglary would have been harmed in any way, justice would have been already extracted. He was not harmed, so justice for now will wait.

#

Re:Go for the blueprinted house

Posted by: Anonymous Coward on June 06, 2002 01:39 PM
There's more to this story. I simplified it a bit, and shortened it a lot. The alarm system wasn't just tested. Evidence gathered later indicates that a complete entry into the second floor, through a balcony and bedroom window, bypassing a sensor/tape on a sliding glass door was done. The date of the "test" break-in was pinpointed due to minor evidence, and the dogs' reactions/behaviour the next day, which later indicated that they had been drugged on that occasion also. This was not pieced together until after the successful burglary the second time around. The first time was strongly suspected to be a survey of what was/wasn't installed or working on the alarm system. This, combined with previous probes/triggers of the alarm system, and recording of response time, neighborhood security drive by time recordings, and other work went into the job pulled off at this house. It took a lot of effort to get into this house, or your system, but the risk/reward ratio was favorable to us, and paid off in the end in spades.

#

Re:Go for the blueprinted house

Posted by: Anonymous Coward on June 06, 2002 04:59 PM
I fear all your effort and time was completely wasted with this, not to mention fatally flawed.

1) The company not wishing to be held accountable => Microsoft, if anyone. OSS developers regularly release security warnings when found.

2) Previous similar robberies => Microsoft take weeks, months to fix security holes, and ignore some altogether. Would be fixed in OSS.

There's several more but I'm getting bored now... I don't think I'll continue to waste my time like you did.

#

Re:Go for the blueprinted house

Posted by: Anonymous Coward on June 06, 2002 08:31 PM
Great story, but it does not apply for software. With software, I could have an exact copy of your house to examine. Furthermore, I could have robotic assistants also trying to break into your house.

I could tear the house apart, I may not get enough information to build a copy of your house, I would get the information I need to break into your house.

A better analogy is a cryptographic algorithm. Good algorithms depend on sound mathematical principles, not secret decoder rings. You could have the algorithm, and still have an extremely hard time cracking the code.

Likewise, secure software depends on sound software engineering and the use of secure programming techniques, not hiding flaws and hoping no one will find them.

If source code is necessary for software to be cracked, then somewhere there must be copies of all of Microsoft's source code; how else could you explain their abysmal security record.

Furthermore, in your story the thieves were successful because of flaws in the security design of the house. If you knew that your security plan was going to be made available to everyone, wouldn't you expend more effort to make sure that it was soundly designed? If you share your security design with other people who had similar houses, they could help you to improve it and use your good ideas to improve their security.

Hiding security problems does not make them go away (and the crackers find them anyways), only prevents others from helping you to fix them.

Rick

#

Re:Go for the blueprinted house

Posted by: Anonymous Coward on June 07, 2002 12:02 AM
OSS provides more of a blueprint for a generic house, not a specific one. Imagine having a blueprint for a house with nothing in it, the way the owner got it, everything could be different. Anyone any good at security has no doubt changed their system so much as to make it unrecognizable. What ports the owner chooses to leave open is not decided by M$ or Redhat or anyone writing OSS software.

#

Funny

Posted by: Anonymous Coward on June 06, 2002 06:07 PM
Funny: when someone keeps saying OpenSource is insecure, more expensive (TCO), user-unfriendly, etc., you just keep asking for reasons and proof, and see: they'll retreat in no time... :-)

Seems it is much easier to bash OpenSource than to prove your statements. Knowledge is power! :-)

#

People are the lowest-common security denominator

Posted by: Anonymous Coward on June 06, 2002 08:17 PM
The Alexis de Tocqueville Institution needs to take a hard look at its own security. They are running their website using a hacked version of Apache on SGI IRIX servers. They are also running a wide-open anonymous FTP server that contains easily accessible passwd files (containing usernames with NO PASSWORDS, I might add).

You can run the "most secure" closed or open-source software in the world. In the hands of a sloppy administrator, you're vulnerable irrespective of which you choose.

#

Which is what?

Posted by: Anonymous Coward on June 06, 2002 08:58 PM
"You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does."

Ok, the first definitely describes commercial software, but it's rare that free software provides any of it either, so I don't quite get what he's trying to compare to what.

This guy must have missed reading his licenses the last 20 years. And I've yet to see any guarantee ever translate into a payout when it fails.

#

Security through obscurity again

Posted by: Anonymous Coward on June 06, 2002 11:37 PM

Bruce Schneier says it better than I can, and he's an expert in the security and cryptography areas. So I'll point here (http://www.counterpane.com/crypto-gram-0205.html#1), to his latest explanation of the subject.


The benefit is peer review. Cryptography is hard, and almost all cryptographic systems are insecure. It takes the cryptographic community, working over years, to properly vet a system. Almost all secure cryptographic systems were developed with public and published algorithms and protocols. I can't think of a single cryptographic system developed in secret that, when eventually disclosed to the public, didn't have flaws discovered by the cryptographic community. And this includes the Skipjack algorithm and the Clipper protocol, both NSA-developed.


... Kerckhoffs' Principle is just one half of the decision process. Just because security does not require that something be kept secret, it doesn't mean that it is automatically smart to publicize it. There are two characteristics that make publication so powerful in cryptography. One, there is a large group of people who are capable and willing to evaluate cryptographic systems, and publishing is a way to harness the expertise of those people. And two, there are others who need to build cryptographic systems and are on the same side, so everyone can learn from the mistakes of others. If cryptography did not have these characteristics, there would be no benefit in publishing.

#

Rewards?

Posted by: Anonymous Coward on June 06, 2002 11:51 PM
Concerning the following quote: "You take an organization that doesn't have any accountability, that provides no warranties, no guarantees for its services, is not financially rewarded necessarily for providing its fixes, I don't think it can compare in efficiency to an organization that does. You can't say a volunteer group is necessarily always going to as efficient as a group that's contracted."

Since when is M$ financially rewarded for providing fixes? If anything, they've proved that it is _not_ financially rewarded, so in response, it takes a two-pronged approach:

1) Take a frustratingly long time to even _acknowledge_ a fix is necessary, then take forever to provide that fix, since a fix is typically no-charge, being it was your mistake to begin with, which leads us to:

2) Distribute the fix as part of an _upgrade_, which you then charge for and force people, who need the fix for business/security purposes, to have to pay for. This is just as unethical as intentionally and unnecessarily changing the binary format of a document for each release of the same application. Built-in obsolescence. And we're not talking 4 generations back, this is done with basically sequential upgrades.

I hope M$ has enjoyed the ride, because IBM was a monopoly, AT&T was a monopoly, etc. All the fools think they're smarter than the other poor saps that preceded them. It's sad to see over and over again how greed eventually corrupts. Well, I can see, by reading the latest press over the last 6 months, that M$ is now on the decline. Licensing rebellion, whole governments (national and local), school districts, corporations, etc. evaluating/moving to open source, changing their business model (companies don't do this lightly, they have to see an inevitable end to their revenue streams).

Sheesh, ask this guy, if distributing open source code is such a bad idea, why is the NSA even contributing source to Linux to make it more secure?

#

Re:Rewards?

Posted by: Anonymous Coward on June 07, 2002 12:15 AM
I think you're totally correct. MS is in decline. Perhaps it's time to short the stock??

#

Is this from the research or marketing department?

Posted by: olsonco on June 07, 2002 12:39 AM
" ... he says it's against ADTI's policy to comment on who funds its studies."


Kudos to Grant Gross for asking pointed and relevant questions.


The answer to the question about funding pretty much wrapped up the interview for me.


It is clear from the response that the author of the study is not a reputable researcher, and should, in fact, perhaps change his title from whatever it is to something with the word "marketing" in it.


I wonder how much it costs for this author to produce a study? Are the prices based on billable hours or do they also reflect the relative implausibility of the conclusions?


I was also amused by the response, "What we've been suggesting in our study ... is that this deserves more study. And that's where we stand." This seems to be the standard response from those trying to defend indefensible positions.


Is my memory fading, or was it the tobacco companies who were taking the position that the link to smoking and tobacco "needs more study" and simultaneously funding "scientists" whose studies questioned the statistics?


And correct me if I'm wrong, but wasn't the strongly pro-oil Bush administration, in stark contradiction to the majority of the best climate scientists on the planet, stating that any link between human activities and climate change "needs more study" while at the same time big oil was funding "scientists" to refute the statistics? (This story (http://www.cnn.com/2002/ALLPOLITICS/06/04/bush.climate.change.ap/index.html) gave me a good chuckle.)


Who knows. Maybe his study has some good points. But his affiliation and his rhetoric make it clear that the study is a joke.

#

OSS

Posted by: Anonymous Coward on June 07, 2002 06:05 AM
WELL IF OPEN SOURCE IS SO INSECURE HOW COME WHEN YOU GO TO WEBSITES ON COMPUTER SECURITY MICROSOFT ALWAYS HAS SOME KIND OF SECURITY FLAW EVEN WHEN IT HAS JUST BEEN RELEASED. ie (WINDOWS XP)

#

software and security risk

Posted by: leo97330 on June 07, 2002 09:52 AM
Hi,
I think the article was really interesting. With so many different software programs available today and some of the logistics not that easily understandable, I can see where some people might be a bit concerned.
My idea: if the computer is a stand alone and not connected to a network or the internet, then there cannot be a risk. If the computer has a unique IP address, then why don't these great designers put together an IP address firewall program? It may prevent hackers from getting what they want.

#

I'm less afraid of terrorists and more afraid of

Posted by: Anonymous Coward on June 07, 2002 12:28 PM
Microsoft extorting me. "Give us $450 or you'll never see the content of your boss's Word 97 files on your Word 95 desktop again!"

#

Open source vs Closed source in security cameras

Posted by: Anonymous Coward on June 08, 2002 01:39 AM
Closed source: Hide cameras.
Result.. Standard 7/11 crook finds cameras (the mirrored domes) and avoids them. Place is picked clean.
Just because the average person (who wouldn't know how to hack in the first place) couldn't find the security holes doesn't mean an expert crook (who would actually use this information) couldn't.
To make matters worse the crook makes a hack tool and gives it around. Eventually weeks later it lands in the hands of an average Joe who wouldn't have any hope of hacking into a system normally.
Net result.. you're ripped off by a crook who learned how to hack into your website from a 10 year old text file.
Your closed source.. nobody could fix it except the company that made it...
Apple pretended the Mac power supply defect didn't exist before repairing it simply because so many Macs were dead.
Microsoft pretended all the defects in Win 3.11 didn't exist until Windows 95.. then pretended the defects were fixed until otherwise was proven.
IBM and Intel had to be sued before they'd fix the Pentium and OS/2 Warp.

This is what you're trusting your survival on...
In fact text files on how to terrorise K Mart I downloaded 10 years ago probably still work today.

Vs Open source...
Radio Shack has a habit of placing a consumer video camera in the store for security.
Crooks spray paint the lens... sorry already caught on tape...
Crooks steal camera.. ok that works...
Crooks steal camera.. ok this time the camera transmits to a VCR located in a back room.
Crooks look for VCR... get caught still in store.. VCR well hidden...
If some day they find the VCR then they'll probably go even higher tech and stream it over the net to a video bank located elsewhere.. or several elsewheres...

No security is perfect; eventually crooks find a way to break it. You need the blueprints so you can make the changes yourself.

GPL vs BSD... Just means BSD = I can make a commercial product...
GPL = I can't make a commercial product without giving source code.

Quite frankly for most programmers if somebody could make a commercial product out of the code they make.. they'll never release it.. code.. binaries.. anything.
Most programmers have to eat... the last thing any open source programmer needs is to be competing against his own free software.

I'm all open to selling my work btw.. if you want to use my GPLed code for commercial projects just call me and we'll haggle a price...
And you get to see the code beforehand... you'll never get this sort of deal from your average commercial developer...

#

An important oversight..

Posted by: Anonymous Coward on June 10, 2002 10:42 AM
If you develop software based on existing GPL'd software for *internal* use only, you don't have to offer the source code back to the community.

If the government wants to share its super secure software with the public, however, it must also offer source code.

So, really, if the government wants to develop internal tools based on GPL'd software, it can treat it as an internal closed source product, right?

#

This story has been archived. Comments can no longer be posted.



 