By Grant Gross
Open Source systems aren't inherently more secure than proprietary systems -- unless the designers make security a priority, according to several security experts speaking at a conference Monday.
Panel moderator Peter G. Neumann, from SRI International, argued that Open Source development, which he called "open box," presents both opportunities of "many eyes" finding software bugs that compromise security, and a challenge when some of those eyes aren't friendly.
"By itself, the open box paradigm is not a solution, but my contention is it affords us enormously more opportunity than the closed-source model," said Neumann, speaking at a panel during the 23rd National Information Systems Security Conference in Baltimore, Md. "The problem with [the many eyeballs concept] is if your system is lousy to begin with, the bad guys have a lot of eyeballs."
Open Source advocate Eric S. Raymond, a scheduled panelist, wasn't able to attend the session and defend the many eyeballs concept. But the message from the panel, including three people working on making Open Source systems more secure, was that Open Source developers shouldn't trick themselves into thinking that their systems are more secure just because they don't come from the company noted for its blue screen of death.
"I don't think that the many eyes will do the right thing, so I want to apply some tools to make sure the system is secure," said Crispin Cowan, CTO for WireX Communications and chief research scientist for Immunix Technologies, which is working on security solutions for Open Source operating systems.
Many developers sacrifice security for functionality when they're building a program, the panelists said, and Cowan contended that if security is your top priority, you need to design for security first. It's a tradeoff depending on a developer's priorities.
"Does Open Source make a difference? No. If you're going to build an unsecure system, you're going to build an unsecure system," added Rick Smith, senior principal engineer for Secure Computing Corp. "You have to make money, and you take risks to make money, and sometimes the risks are in information security."
Jay Beale, lead developer for the Bastille Linux security project, said education of system administrators and users is part of the solution to the problem of system security. One audience member, a system administrator in a university setting, said, "All the secure operating systems in the world aren't going to stop these idiots who give away their passwords."
Beale suggested system administrators take active roles by warning users who do insecure things such as using the outdated FTP protocol to exchange files on the Internet. Back in the early, low-user days of the Internet, FTP worked fine, he said, but "the Internet's become a lot bigger neighborhood, and it's a lot more rough."
One advantage for users of Open Source products, Beale said, is they don't have to pierce a corporate bureaucracy to find someone to respond to bug-fix requests. "If you are the end user who's depending on your distribution to give you a fix you can easily install, then you've got to push them to do it," he said. "We've got to get the end users to start demanding it, and if we don't, then it's not going to be a priority for someone trying to get more features in."
One audience member questioned the commitment many Open Source vendors have to security. "I look at the Open Source environment, and there are people who are very concerned about security, and they're very vocal, but they don't seem to be the majority," he said. "Unfortunately, there doesn't seem to be a correlation between how security conscious the distribution makers are with how successful their products are."
Cowan and Beale argued that because users can see the source with Open Source products, they can fix the bugs themselves instead of just relying on the documentation from proprietary vendors. "Documentation lies -- read the source," Beale said.
Open Source projects also have a community of programmers eager to provide solutions. Beale quoted a study saying the average time it took Red Hat Linux to fix a security problem was 11 days, while it took Microsoft an average of over three months.
Added Brian Witten, program manager for information assurance at the U.S. Defense Advanced Research Projects Agency: "All Open Source does is it levels the playing field without the good guys having to haggle for the source code."
Witten announced at the discussion that DARPA was ready to make a substantial investment in Open Source development. No additional information was immediately available.