Free Republic
Study: Open source poses security risks
ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

Posted on 05/31/2002 3:15:28 PM PDT by Bush2000

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."


TOPICS: Business/Economy; Technical
KEYWORDS: opensource
Comment #141 Removed by Moderator

To: Crispy
This type of "secret" exploit would affect closed source as well, maybe even more. At least with open source, there is a lot of code review by the community. Who is reviewing Microsoft's code? The FBI? The CIA? The NSA? So, this does not make open source "less" secure than closed source.

MS Windows source code is available under license. This is not surprising since the DoD, NSA, and other similar agencies require access to source code. Have a nice day.
142 posted on 06/02/2002 11:13:01 PM PDT by Bush2000
[ Post Reply | Private Reply | To 134 | View Replies]

To: Dominic Harr
For obvious reasons, I don't believe you.

Are you so insanely self-centered that you think people actually care about what you believe?
143 posted on 06/02/2002 11:15:09 PM PDT by Bush2000
[ Post Reply | Private Reply | To 139 | View Replies]

To: Dominic Harr
Now, in a discussion about security, you claim this?

I'd be very wary of waving your security thing in the breeze, Mr. Public-Key-Encryption-Is-Inherently-Insecure...
144 posted on 06/02/2002 11:16:07 PM PDT by Bush2000
[ Post Reply | Private Reply | To 140 | View Replies]

To: Dominic Harr
Harr, while you were in your mother's basement playing hacker and reading Star Trek comics, some of us were out in the real world doing things with our hands that didn't involve our zippers.
145 posted on 06/03/2002 6:58:32 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 140 | View Replies]

To: Dominic Harr
"twice now, in other threads, you claimed to have been things you weren't"

Nice attempt at disinformation, Harr. I guess you have to have the practice with your anti-Microsoft propaganda. I'll match my bona fides to yours any day.

146 posted on 06/03/2002 7:16:18 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 140 | View Replies]

To: Bush2000
I have no doubt Open Source is a securities risk!

Microsoft securities will be worth MUCH less as Open Source software eats away at its monopoly...

147 posted on 06/03/2002 7:22:49 AM PDT by chilepepper
[ Post Reply | Private Reply | To 1 | View Replies]

To: Nick Danger
More seriously, this is BULLSH*T.

When I took a SANS course, they brought up the *best practices* way of developing security software: PUBLISH THE ALGORITHM and take on all comers, often with a monetary prize to whoever breaks the algorithm. Letting peers ALL OVER THE WORLD see the code has TWO effects:

(1) Those who write the code are MORE CAREFUL because they know their PROFESSIONAL REPUTATION is on the line for everyone to see

(2) Their peers will ACTUALLY FIND THEIR MISTAKES.

As a direct example of why the technique of security through obscurity (Microsoft's way of doing things) DOES NOT WORK, the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...

148 posted on 06/03/2002 7:33:41 AM PDT by chilepepper
[ Post Reply | Private Reply | To 101 | View Replies]

To: chilepepper
"SANS Institute instructor "

Yep, I knew it. A SANS Institute instructor is the world's expert on security. That's why the DoD uses him to help them publish our national security infrastructure. Not!

Peer review is one thing; publishing your system's specifications is another. Remember, when you publish your system's source code, if your peers do not find all the holes, your enemy will.

149 posted on 06/03/2002 8:12:30 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 148 | View Replies]

To: PatrioticAmerican
Yep, I knew it. A SANS Institute instructor is the world's expert on security.

Obviously not! We should always look to an MCSE for advice on cryptanalysis! </SARCASM>

150 posted on 06/03/2002 8:55:57 AM PDT by B Knotts
[ Post Reply | Private Reply | To 149 | View Replies]

To: B Knotts
Hey, I didn't hear an MCSE make reference to being an expert on security, but there was a post on the SANS instructor. Keep it real, dood.
151 posted on 06/03/2002 8:59:58 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 150 | View Replies]

To: PatrioticAmerican
OTOH, we have here a whole thread based on a study, which hasn't even been released, from a non-technical ideological "think tank."

I'd even take advice from an MCSE before this group.

152 posted on 06/03/2002 9:04:05 AM PDT by B Knotts
[ Post Reply | Private Reply | To 151 | View Replies]

To: B Knotts
Totally agree. Neither group is an expert at security. Although Windows NT did get a security rating, it wasn't all that high, and the rest of Microsoft developers are not experts at security. The whole industry needs security experts throughout it.
153 posted on 06/03/2002 9:13:45 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 152 | View Replies]

To: PatrioticAmerican
Yes. The whole open-source vs. closed-source thing is a red herring. Security is a process, not a product.
154 posted on 06/03/2002 9:15:50 AM PDT by B Knotts
[ Post Reply | Private Reply | To 153 | View Replies]

To: chilepepper
the SANS Institute instructor (Eric Cole) pointed out the debacle with the DVD encryption done by Hollywood (by a closed group which let no one else see their work). The DVD encryption was broken almost immediately...

The encryption wasn't broken, and your instructor did you a disservice by describing it as such. Every DVD player (software and hardware) is equipped with a key which allows it to decrypt the video and audio streams on a standard DVD. The key is burned into every player. It has to use this method because there is no key-distribution scheme. The problem was that somebody discovered the key. It's like you left the key to your front door in the lock. That's not breaking the encryption.

That said, it is correct that security through obscurity generally doesn't work. It is possible to sift through collections of data (located in memory or on disc) looking for very random streams. When you find one, it is often a key or some kind of secret that someone doesn't want you to know. Depending on someone not finding your secrets is a fundamentally flawed design. That is the case with DVD encryption.
155 posted on 06/03/2002 9:53:03 AM PDT by Bush2000
[ Post Reply | Private Reply | To 148 | View Replies]
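The "sift through collections of data looking for very random streams" check described in the post above, as an added example that is not from the thread: a sliding-window Shannon entropy scan that flags runs of near-random bytes, the way a baked-in key stands out from code, strings and padding. The firmware-style image and the 32-byte key in it are constructed for the example; a defender would run the same scan over their own build artifacts to catch secrets that were never meant to ship.

```python
import math
from typing import List, Tuple

# Constructed, not a real key: 32 distinct byte values, so its entropy is log2(32) = 5.0 bits/byte.
CONSTRUCTED_KEY = bytes.fromhex(
    "0123456789abcdeffedcba9876543210a5b4c3d2e1f00f1e2d3c4b5a69788796"
)
KEY_OFFSET = 64
# Constructed image: a version string, zero padding, the key, then 0xff (erased-flash) padding.
FAKE_IMAGE = b"FIRMWARE v1.0 ".ljust(KEY_OFFSET, b"\x00") + CONSTRUCTED_KEY + b"\xff" * 64


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte; a window of one repeated byte scores 0.0."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(data: bytes, window: int = 32,
                              threshold: float = 4.5) -> List[Tuple[int, int, float]]:
    """Return (start, end_exclusive, peak_entropy) for each run of windows at or above threshold.

    Adjacent qualifying windows are merged into one region. Compressed or already
    encrypted blobs score just as high, so every hit still needs a human look.
    """
    regions: List[Tuple[int, int, float]] = []
    start, peak = None, 0.0
    for off in range(len(data) - window + 1):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            if start is None:
                start, peak = off, 0.0
            peak = max(peak, h)
        elif start is not None:
            regions.append((start, off - 1 + window, peak))
            start = None
    if start is not None:
        regions.append((start, len(data), peak))
    return regions


if __name__ == "__main__":
    for s, e, h in find_high_entropy_regions(FAKE_IMAGE):
        print(f"high-entropy region at {s:#x}-{e:#x}, peak {h:.2f} bits/byte")
```

Windows that straddle padding and the key score lower than the key itself, so the reported region starts a few bytes early and ends a few bytes late; the offset range is a pointer for review, not an exact key boundary.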

To: B Knotts
Yes. The whole open-source vs. closed-source thing is a red herring. Security is a process, not a product.

Agreed. That's why this study has some value. There are people out there who believe that open source security will save their asses. That's an awfully big check to write...
156 posted on 06/03/2002 9:56:32 AM PDT by Bush2000
[ Post Reply | Private Reply | To 154 | View Replies]

To: PatrioticAmerican
I guess you have to have the practice with your anti-Microsoft propaganda.

Ah, yes, any criticism of MS or your skills is "propaganda". And any critics of MS are 'bigots'.

*Yawn*.

You're a salesman, and you have several times now claimed things I know for certain to be untrue. Which is, I suppose, about the only chance you have of selling MS solutions . . . fraud is the only tactic left, now that coercion has been taken off the table!

157 posted on 06/03/2002 12:35:08 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 146 | View Replies]

To: Dominic Harr
"... I know for certain to be untrue..."

Harr, you are so full of slander against Microsoft and anyone who uses them that as an attorney for them, I'd recommend a nice lawsuit so you have to put up or shut up. You have made more remarks about how Microsoft products and technologies do not work, always fail, yadda, yadda, and, yet, you make claims that you want to use them. I'd say, considering your serious bias against Microsoft, that you are not employed by CSC, but by Sun. I work for Ciber, and, as I said, I'd match my bona fides against yours, any day.

158 posted on 06/03/2002 1:11:49 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 157 | View Replies]

To: B Knotts
BTW, I have been getting Business Continuity opportunities, mostly centered around security; intrusion detection, firewalls, etc. Many companies already understand that security is not a product but a process. I just submitted a proposal to an organization notorious for their lack of security. The result usually is a small engagement to find the problems followed by massive changes to their systems and business, with the business end being the most comprehensive.
159 posted on 06/03/2002 1:15:23 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 154 | View Replies]

To: Dominic Harr
"fraud is the only tactic left, now that coercion has been taken off the table!"

Sure, Harr. $40+ billion in revenue and Microsoft products and technologies are sold only to those it can coerce or defraud. Harr, you are scared that .NET will uproot Java. Scared that Oracle will no longer dominate in the Enterprise. You hate to have to compete, and Microsoft is giving your sector of the industry serious competition. I know you don't think so, but keep thinking that. You guys at Sun need a good nap, you're a cranky bunch.

160 posted on 06/03/2002 1:20:01 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 157 | View Replies]

