February 13, 2004

Who's guarding the guards? That would be us

Author: Ladd Angelius

Editor's note: The following essay is a response to Russell Jones' "open source vs. closed source" article Thursday in DevX. It is written by one of Jones' own colleagues at DevX, software engineer Ladd Angelius, in the spirit of free and open discussion.

The essay "Open Source Is Fertile Ground for Foul Play" suggests three areas where security might be a concern for governments when considering open source software. However, all three arguments are flawed "straw men" when subjected to rational analysis. Indeed, some of the author's own arguments demonstrate the strengths of open source when weighed against any closed source alternative.

First, the author suggests that security breaches could be inserted into open source software by an insider, perhaps hidden in code submitted as a fix or an extension. While there is a remote possibility of this occurring (this is conceded as "not terribly likely," even by the author), there is a far greater possibility of this occurring when patching closed source software.

For example, all software is constantly being updated, whether it is open source or closed source. The same malicious code insertion danger applies to closed source software -- except that no one but the software vendor sees the code changes. It's like they have the keys to the hood of your car and only they get to see the engine. No one can tell if malicious code is being added, since no one can see the source code. If Microsoft wanted a back door into anyone's network or PC (assuming they don't have one already; only they know), they could roll it out in the next Windows Update, and there is absolutely no way (beyond a whistleblower in their organization) that anyone would find out. Voilà! Instant access to your private information; it's the perfect crime, because no one could find out.

Open source software, on the other hand, is transparent -- the integrity of the code can be verified by anybody. You can open the hood and verify, with your own eyes, that the mechanic really did install the new generator he says he installed. Even more beneficial is that, since the source code is openly readable by anyone, a lot of other people have already verified it before you.

The built-in ability for reviewing the code keeps everyone honest. There is an old Russian proverb, "Trust, but verify." Open source allows us to do that. In the closed source world, however, you cannot verify; you're just relying on blind trust.

Secondly, the author suggests that "distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing." Firstly, what does this have to do with open source? Any "malicious vendor" would be far better able to conceal malicious code in a closed source software package.

However, let us concede the point: There could be a malicious group that could create an open source distribution and attempt to sell it or give it away to the government. And, who knows -- maybe the government would be stupid enough to buy it instead of using a common, tested distribution. And, maybe the government would not have its own people look under the hood and examine the code. (This is assuming that this malicious program is even open source. If the government is going to be so ridiculously dense, it might as well rely on closed source as well.)

And, while we're at it, the government also will use this software to protect America's most valuable assets. Hmm. Even in this extraordinary case, if the software is open, this hypothetical government at least could examine the goods, if it did its homework. Using a closed source distribution (which is the case today, since the move to open source is only beginning), it would be impossible.

Lastly, and of most concern to the author, "an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so." This, once again, is not a security concern that applies solely to open source. Any group of IT insiders in an organization that has the administrative network access necessary to accomplish this already has the access needed; they could install any code on any machine.

It reminds me of the old saying, "You can catch a bird with your hand, if you first put some salt on its tail." If you're close enough to the network to have administrative access and influential enough to control the specific patches applied to all the servers, then you can add a back door in any number of ways regardless of any open source software. In other words, if you can get close enough to put salt on the bird's tail, just reach out and grab it. You don't need any open source software.

It's hard to believe that an opinion criticizing the security of open source software would attempt to use the phrase "Quis custodiet ipsos custodes" as a defense of that position.

"Who's guarding the guards?" We are; all of us -- in government, corporate America, and the software that increasingly runs our lives -- are the guards, only because of the transparency that we have built into those systems. If we do not insist on that transparency, then we remove all capability for oversight, and then no one can "guard the guards."

Ladd Angelius is a software engineer at DevX.com in San Francisco.