Free Republic
Browse · Search
News/Activism
Topics · Post Article


Study: Open source poses security risks
ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

Posted on 05/31/2002 3:15:28 PM PDT by Bush2000



To: PatrioticAmerican
Then stop making such ignorant accusations.

I didn't mean it as an 'accusation', I stated an observation.

121 posted on 06/02/2002 4:35:53 AM PDT by gcraig
[ Post Reply | Private Reply | To 77 | View Replies]

Comment #122 Removed by Moderator

Comment #123 Removed by Moderator

Comment #124 Removed by Moderator

Comment #125 Removed by Moderator

To: jsr fded
Your #97 is not a bad idea. Writing an assembly routine to hack the BIOS and deliver the contents of an IO stream was actually how one system in 1989 was written. It was designed to read the hard drive and was inserted as an interrupt handler. It was used at a secured facility to find who was leaking classified information through an unsecured computer. The culprit was caught after writing a WordPerfect document with the information. It turned out that the culprit didn't understand what was and wasn't classified and was not prosecuted. The line was fuzzy as to classification, but he was also let go.
126 posted on 06/02/2002 9:45:32 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 97 | View Replies]

To: ThePythonicCow
"So I take it you know for a fact that NSA has better stuff? I trust, for the sake of our country's security, that you have no such knowledge."

What I know, you never will. Needless to say, any argument that commercial cryptology is the best is ignorant of defense systems.

127 posted on 06/02/2002 9:47:09 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 102 | View Replies]

To: MarkL
"highly secure"

True. They are secure, but not "the best", not by a long shot. Besides, the military systems I have used never used only cryptology to ensure security. They also had additional security through the transmission means, contents, etc. I was a DoD space systems specialist for many years, and used some of the most secured systems out there for satellite command & control. PGP, IDEA? I would expect the NSA already has those algorithms in silicon and can crack them at near real-time speed. I do not know that for a fact, but that would be the NSA's MO. I have friends who are FBI and they say that the NSA does NOT cooperate with them. Unless the matter is a national security issue, they have to beg and pull strings to get anything so much as looked at. It seems the military feds have a disdain for the commercial feds.

128 posted on 06/02/2002 9:54:03 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 106 | View Replies]

To: ThePythonicCow
"Google search for "FBI Magic Lantern","

Ah, yes, Google, the source of all black projects. HA! Ya kill me. Disinformation is the best cover out there. Google search. Next time I need to know the contents of China's next satellite, I'll check them out. Hell, maybe I'll check Google to see what information the FBI is keeping on me. Ya gotta be kidding. Google, the next best thing to actually knowing something.

129 posted on 06/02/2002 9:57:52 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 111 | View Replies]

To: MarkL
The argument that secured systems should have the source code available is true. Most, if not all, DoD systems that process classified information, including mainframes using MVS, are required to have the source code reviewed. BUT, that is different from publicly available source code, such as with Open Source.

No system, including Windows NT, which was given a B2 level security classification, is closed. Windows NT required a code review. So do all flavors of trusted UNIX.

The idea that the code must be reviewed for backdoors and security holes is correct. The suggestion that the code should be Open Source is not. I do not want my enemies seeing the code that I am running. They may find a hole that I failed to find and plug. Most systems that I have worked on that had any links to the outside world, or outside the facility, required a code review, and the code was highly modified from the public versions.

130 posted on 06/02/2002 10:04:36 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 114 | View Replies]

To: Dominic Harr
LOL. I worked as a contractor for MS about 7 years ago for a period of about a year. I still own a little MS stock (not a whole lot but something). If you want to suggest that that's the basis for being a "paid shill", go right ahead. But you will pardon me while I laugh at you.

Unlike some of you regarding me, I would never want you banned from FR, Harr. You provide too much simple entertainment; in fact, the more you post, the BETTER!
131 posted on 06/02/2002 10:23:20 AM PDT by Bush2000
[ Post Reply | Private Reply | To 105 | View Replies]

To: Vince Ferrer
I can't connect them directly to the ADTI, but Microsoft does contribute to conservative think tanks. It's hardly idiotic to think that their efforts have influenced the think tanks.

Of course, Vince. You should be free to think anything you want, even if it is demonstrably wrong. I'm not saying that that is the case here. We don't know where ADTI's funding comes from, short of looking at their tax returns. And that's the point: Nobody should be throwing accusations as fact without some kind of evidence. Opinion? Fine. But nobody should masquerade opinion as fact without evidence.
132 posted on 06/02/2002 10:26:33 AM PDT by Bush2000
[ Post Reply | Private Reply | To 117 | View Replies]

Comment #133 Removed by Moderator

To: Bush2000
"Of course, such a thesis rests upon the proposition that the attacker wants to make the exploit public. In the case of the NSA, CIA, FBI, and foreign governments, it might well be their objective to exploit the hole without revealing the problem. Keep in mind: That's precisely the issue that the FBI is lobbying Congress for legislative approval. They want to be able to collect data from your machine -- using attacks which you won't be informed about -- with minimal involvement with judges and other safeguards. I'm amazed how people in the open source community tend to believe that hackers targeting *nix always wear white hats and have the best interests of the community at heart. Not the case. The sooner that people realize this and stop touting it as a benefit, the better off they'll be."

This type of "secret" exploit would affect closed source as well, maybe even more. At least with open source, there is a lot of code review by the community. Who is reviewing Microsoft's code? The FBI? The CIA? The NSA? So, this does not make open source "less" secure than closed source.

134 posted on 06/02/2002 11:43:23 AM PDT by Crispy
[ Post Reply | Private Reply | To 54 | View Replies]

To: jsr fded
Fear, Uncertainty and Doubt. First made (in)famous to my knowledge as being one of IBM's classic means of convincing customers to buy IBM - by casting FUD on their competition.
135 posted on 06/02/2002 11:47:59 AM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 122 | View Replies]

Comment #136 Removed by Moderator

Comment #137 Removed by Moderator

Comment #138 Removed by Moderator

To: Bush2000
I worked as a contractor for MS about 7 years ago for a period of about a year.

For obvious reasons, I don't believe you.

I think you're like those people who surround Britney Spears telling her, "Don't listen to the critics honey, you've got talent. After all, you've sold so much!"

Such yes-men are a dime a dozen, so I don't doubt MS has thousands of you on the payroll.

139 posted on 06/02/2002 12:59:33 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 131 | View Replies]

To: PatrioticAmerican
I was a DoD space systems specialist for many years, and used some of the most secured systems out there for satellite command & control.

Now wait a minute -- twice now, in other threads, you claimed to have been things you weren't, and claimed to have written systems that didn't exist.

Now, in a discussion about security, you claim this?

Uh hunh.

140 posted on 06/02/2002 1:01:50 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 128 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
