Posted on 07/25/2003 7:16:17 PM PDT by HAL9000
You mean to say you sometimes say stupid things? ;-)
Yes, but most if not all of these components (TCP/IP etc.) are managed by a large professional organization founded in the US known as the IEEE. Conversely, the Linux kernel is controlled by a foreign national, Linus Torvalds, and his self-titled "loosely-knit team of hackers from across the net" (kernel.org).
Bottom line is that both open source and proprietary are equally vulnerable; the question as to whether they are exploitable has to be considered by looking at the system as a whole (as well as the competence of the folks running said system).
Yes, very true, both models are vulnerable; however, there are some key advantages that proprietary offers, such as the non-open nature of the source as well as the vetting of coders AND their contributions by a liable employer, something Linux currently does not offer.
I plead ignorance regarding PHP. But Perl has had remarkable staying power, due IMO to a very active developer community.
I describe Perl as "the type of language that no self-respecting computer science program would ever teach, but that every computer programmer should know." :-)
From your various posts I deduce that you are an IT "professional" who does a bit of programming on the side when the need arises. I believe that most of the computers that you oversee in your capacity as an IT "professional" are Windows based.
I work as the security architect for one of the largest internet security companies in the US with government and intelligence agencies from all over the world as customers. Since I am not speaking for my company I will not mention its name.
My company works closely with MS and all other OS and software vendors to help make systems more secure. MS has made great strides toward becoming more secure in the past year or so. Having said that, open systems have the ability to be much more secure than closed systems for all of the reasons already mentioned on this thread.
I can find you hundreds of articles/papers from private and government sources that show why security through obscurity does not work.
Here is one http://slashdot.org/features/980720/0819202.shtml
Do a quick search on google and you will find many more.
If I were an executive at the company where you work I would be concerned with the security of your network if someone like you made the security decisions. People with your line of thinking tend to leave portions of the network vulnerable because "how is anyone ever going to find out about this phone line connected to this machine behind my firewall?"
Sorry, but I certainly know enough about the industry to immediately classify any links to hacker hangout "slashdot" as questionable. Members of that "community" routinely post anti-American rhetoric as well as completely false and misleading information, ultimately making the Linux campaign that arises from there primarily one of disinformation.
I know who Bruce Perens is, and went ahead and read your piece, but found it to be nothing more than an attack on proprietary code based on a flaw that exists within his OSS products as well - the fact that not all vulnerabilities are reported.
Somehow though, he can't seem to come to grips with the fact that publishing his entire source code contents makes this even more likely to happen in open source products, especially when he continues on to make the unsubstantiated claim that his peer review model of volunteers can successfully scale with a growing code base that becomes widely utilized.
Please take your personal attacks back to slashdot, where you people can continue to group speak and attack and mod down those who actually know about computer security from experience in DoD environments or other large scale business enterprises, who rarely waste their time there.
I provided more than just that, and know for a fact there is a lot more where that came from. Seems like I also exposed you, based on some of your previous comments, which you have been unable to successfully refute either.
http://www4.gartner.com/5_about/news/sec_sample.pdf
Immediately dismissing an article from slashdot only shows your closed mindedness about anything non-MS. Why can't you just look at technology a piece at a time and recognize that some good comes from outside of Redmond as well?
I use MS products much more often than not. Their software is pretty good for most of my needs. I also recognize that there is better software out there for some tasks and use the best software for those tasks.
Microsoft also believes security through obscurity does not work. I have seen the source code for many of their security products. There has been talk about opening up portions of Windows for peer review very recently.
Try drinking something besides MS Koolaid every once in a while.
That's not what I did. I immediately called its credibility into question, but carefully read it anyway.
Microsoft also believes security through obscurity does not work.
I believe you are going by only the strictest definition of "security by obscurity", which assumes "security by complete obscurity" and is further confirmed by your Gartner link that referred to it as "small presence in cyberspace". Microsoft rightfully recognizes that a slight modification of the strictest "security by obscurity" is the correct approach for their model, one which in explanation SOUNDS like SBO but is not.
Try drinking something besides MS Koolaid every once in a while.
As I've previously stated, my experience goes back to text-only terminals and includes command-line-driven servers and workstations in the past. M$'s latest operating systems and applications use sophisticated GUIs and seamlessly integrate with one another, and have made my job much easier than it has ever been, so the M$ hatred of the Linux User Groups who currently espouse for use my former configuration, consisting of countless 3rd party apps that don't behave well together, often naturally falls upon my deaf ears.
When the 'alternative' crowd is able to better deliver points that have validity, and without such vile anti-M$ hatred, many of us might be willing to listen more. If you've actually not been to slashdot, I would recommend you check out the ignorant and hate filled comments of the majority of its members for further corroboration of my point.
That is a true statement. More specifically...
Never Depend On Security Through Obscurity Alone
Always assume that an attacker knows everything that you know - assume the attacker has access to all source code and all designs. Even if this is not true, it is trivially easy for an attacker to determine obscured information. Other parts of this book show many examples of how such information can be found. Obscurity is a useful defense, so long as it is not your only defense. In other words, it's quite valid to use obscurity as a small part of an overall defense in depth strategy.
- P. 66, Writing Secure Code, 2nd Ed., by Howard & LeBlanc (Microsoft Corporation)
This "Security Through Obscurity" strawman that you and others are arguing against, while amusingly easy to criticize, has no basis in reality. MS doesn't hide its code to enhance security. It was hiding its code long before security was a big issue. Closed source is part of their overall strategy as a proprietary software vendor. They're acting no differently than other closed-source vendors.
In theory this is partially true, but does not play out in practice, given the EULAs of most commercial software which, if I remember, provide little warranty.
Did the Navy recover any damages for this incident?
Even though Linus is a foreign national, don't overestimate his "control". There are hundreds of American developers, as well as US corporations, involved in Linux and other open source software that have a vested interest in maintaining a secure codebase. The chances of a backdoor being slipped into the core kernel, while not zero, are very low indeed.
With proprietary software, you have to accept the vendors word, without any independent verification. With OSS, you have the verification of thousands of coders and endusers with full access to the source.
If your basic premise were true, it would seem to me it would have happened by now.
Again we track back to the human element here. I can imagine in the future Linux being certified for TS, SCI, and FRD type systems, if the government performs appropriate due diligence (something they've been highly irresponsible in doing in the past).
But there are signs of efforts to move towards this.
Also, I can tell you as someone responsible for security on a mixed bag of proprietary and open source operating systems, when I'm asked to sign my name verifying the security of these systems, I am much more confident of my OSS boxes, precisely because of the transparency of their development process.
In theory this is partially true, but does not play out in practice, given the EULAs of most commercial software which, if I remember, provide little warranty.
Some warranty is certainly better than NO warranty. And this type of protection continues to grow:
http://news.com.com/2100-1012-5050986.html
Also I followed your link to the potential problem with NT for the Navy. Looked like there was one Unix guy on staff quick to point the finger at NT? This seemed to pretty much sum up the article (from the bottom of it):
Installing a control system on a warship and resolving problems as the project progresses is a costly and naive process, DiGiorgio wrote in the Proceedings article. Now, with the top people rotated off the Smart Ship Project, it would be wise for the Navy to investigate this fiasco more fully.
Until that's done, I'd say the jury is out, wouldn't you?
With proprietary software, you have to accept the vendors word, without any independent verification. With OSS, you have the verification of thousands of coders and endusers with full access to the source.
Well let's see. I can trust M$ corporation, the largest software company in the world, an American company traded openly on the NYSE, or I can trust Torvalds' self-titled "loosely-knit group of hackers from across the net" (kernel.org), along with WHOEVER ELSE downloaded the source directly. Easy choice, in my book, especially when viewed with other factors such as compatibility and availability of apps.
I can tell you as someone responsible for security on a mixed bag of proprietary and open source operating systems, when I'm asked to sign my name verifying the security of these systems, I am much more confident of my OSS boxes, precisely because of the transparency of their development process.
That is your prerogative, but unless you live up to the responsibility of constantly performing inspections of all your exposed code for vulnerabilities the "bad eyes" might find, you aren't doing your own personal part to make sure your model works. Isn't that what Saturdays in the Linux world are all about?
1st of all, that ain't exactly correct. For example, the algorithm for Rijndael is published publicly, and you can download source code versions to create your own implementation. Yet Rijndael (usually pronounced "Rhine Dahl" or "Rain Doll") is now the official Advanced Encryption Standard of the United States, having replaced the previous standard, DES or triple-DES.
Rijndael uses a 256 bit key, whereas DES used a 168 bit key. Go here for a C++ implementation of Rijndael. Go here for a bunch of Rijndael info, including other programming language implementations.
You are basically making an argument for "security by obscurity". I won't say that the argument is invalid, but I will say that many security experts do not agree with it. Now you may disagree with them but your opinion is not a consensus opinion even in the security field.
Basically, because it is an important element of security. Just not in total, because nothing is ever completely "obscure".
I can post a sign in front of my house that I have an alarm system and it would deter most burglars. But if I rely on that sign to protect me then I would be making a big mistake. (I could use it to beat them over the head I suppose)
The fact is, the more people can see a piece of code and can study it for vulnerabilities, the better. At our company we force engineers to have all of their code peer reviewed before it becomes part of the product. This is because other people can see problems that we cannot obviously see.
Many of our customers employ "ethical hackers" to look for vulnerabilities in our products. The "ethical hackers" will first try everything in their playbook to probe for vulnerabilities. They then ask for source code to look for areas to try to exploit. This is very valuable in finding issues.
Open source by its nature encourages this without even having to pay anyone to do it :-) Again, I agree with you that obscurity has a place in security but it cannot be the base for your security strategy.
I even agree with Golden Eagle on most of the things he has posted even though they are slanted toward "If it is MS it must be good, if it's open source then it must be vulnerable since everyone can see it".
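The Rijndael point made a few posts up (the algorithm is fully published, yet it is the US standard) can be shown concretely. What follows is an added example, not code from the original thread or from any of its posters: AES-128 single-block encryption written straight from the public FIPS-197 specification and checked against the test vectors printed in that document. Every table and step is in plain view; the only secret is the 16-byte key, and flipping a single key bit changes roughly half of the 128 ciphertext bits. It is a readable reference, not a constant-time implementation, so a vetted library belongs in any real system.

```python
# AES-128 block encryption written directly from the public FIPS-197 spec.
# Added example, not code from the original thread: the whole algorithm is
# visible here, and the only secret is the 16-byte key. Readable reference
# only, not constant-time; use a vetted library for real systems.


def _xtime(b):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def _gmul(a, b):
    """General multiplication in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box: multiplicative inverse in GF(2^8) followed by the affine map (5.1.1)."""
    inv = {0: 0}
    for a in range(1, 256):
        if a not in inv:
            b = next(b for b in range(1, 256) if _gmul(a, b) == 1)
            inv[a], inv[b] = b, a
    sbox = []
    for a in range(256):
        x = s = inv[a]
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF  # rotate left by one bit
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _key_expansion(key):
    """Expand a 16-byte key into 11 round keys of 16 bytes (FIPS-197 5.2)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s):
    # State is column-major: the byte at row r, column c is s[r + 4*c].
    # Row r is rotated left by r positions (5.1.2).
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def _mix_columns(s):
    # Each column is multiplied by the fixed polynomial {03}x^3+{01}x^2+{01}x+{02} (5.1.3).
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block under a 16-byte key (FIPS-197 figure 5)."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    rk = _key_expansion(key)
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:                      # the final round skips MixColumns
            s = _mix_columns(s)
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)


def fips197_vector_passes() -> bool:
    """Check against the published FIPS-197 Appendix C.1 test vector."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    return aes128_encrypt_block(key, pt).hex() == "69c4e0d86a7b0430d8cdb78070b4c55a"


def bits_changed_by_one_key_bit() -> int:
    """Flip one key bit and count differing ciphertext bits (expect about 64 of 128)."""
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 App. B key
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")    # FIPS-197 App. B input
    c1 = aes128_encrypt_block(key, pt)
    c2 = aes128_encrypt_block(bytes([key[0] ^ 0x01]) + key[1:], pt)
    return sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))


if __name__ == "__main__":
    print("FIPS-197 C.1 vector ok:", fips197_vector_passes())
    print("ciphertext bits changed by one key bit:", bits_changed_by_one_key_bit())
```

Run it as a script and it reports whether the published vector matches and how many ciphertext bits moved after a one-bit key change. The point for the obscurity debate is that an attacker with this entire file, the S-box and the key schedule gains nothing toward recovering the key; that property, not secrecy of the code, is what the AES competition selected for.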
Thanks, I appreciate that as I usually only endure personal attacks by those who are extremely anxious over the fact they may be using stolen property in their businesses and homes. My 'like' (certainly not love) for M$ has definitely been an acquired taste. As far as PC/GUIs go, I was originally an Apple freak, but running off your founders and hiring the CEO from Pepsi to run your tech company is never a good idea. They are thankfully starting to recover now, and their new ventures into online music etc. could eventually surprise.
I would bring one item to your attention I have previously posted on, that you may not agree with, and as you are a respectful person I am interested in why. You said:
The fact is, the more people can see a piece of code and can study it for vulnerabilities, the better.
Does this model not assume your quantities of volunteer "good eyes" will always exceed "bad eyes"? If this is not simply an assumption, how can it ever be verified? What if the ratio tilts completely in reverse?
Also, can the 'volunteer force' scale equally to increases in code size and multiple distros as well as versioning? Software written under a GPL-type license does not leave room for profits from the actual software. Ad-hoc services can only go so far to support an entire development effort. Who pays the developers for their hard work, if the volunteers can't keep up? Leading Linux vendor Red Hat recently announced it is completely retreating from the 'shrink wrap' retail market, so profits are definitely not there to support more "good eyes" in my estimate. Yours?
If you run all MS, you are in a small shop. It's not a matter of UNIX playing nicely with MS, It's a matter of MS not playing well with UNIX and MF. Hence why we have all the security holes today.