
Study: Open source poses security risks
ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

Posted on 05/31/2002 3:15:28 PM PDT by Bush2000

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."


TOPICS: Business/Economy; Technical
KEYWORDS: opensource
To: gitmo
It's intuitively obvious. Open source for a hacker / terrorist is analogous to having the blueprints for Fort Knox, the US attack plan for Iraq, or the schematics on how our missile targeting systems work.

Maybe it's 'intuitively obvious', but that doesn't mean it's correct. If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

41 posted on 05/31/2002 7:38:52 PM PDT by bobwoodard
[ Post Reply | Private Reply | To 9 | View Replies]

To: discostu
My thought, and I'm far from being a security expert, is that anything sensitive should be in a closed system with no outside access (or at least minimal) and with lots of guards. Armed guards, of course, as well as people that can keep a close eye on activity. Networking is sometimes overrated.
42 posted on 05/31/2002 7:40:08 PM PDT by meyer
[ Post Reply | Private Reply | To 19 | View Replies]

To: Z.O.B.
"working half-days" (12-hours)

Well, that caught my eye. I work 12's and never called them "half days". :^) To me, half days would be 4 hour shifts and I could really learn to enjoy that if it paid as well.

43 posted on 05/31/2002 7:43:07 PM PDT by meyer
[ Post Reply | Private Reply | To 36 | View Replies]

To: bobwoodard
If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

The biggest issue with open source is the erratic configuration management. It ranges from outstanding to abysmal, and since CM is a joint effort between the development team and the end user, it has LOTS of opportunity to break down.

44 posted on 05/31/2002 7:46:52 PM PDT by Poohbah
[ Post Reply | Private Reply | To 41 | View Replies]

To: Bush2000
Guess the government better dump Microsoft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open source IP stack inter alia)
45 posted on 05/31/2002 8:42:51 PM PDT by Wisconsin
[ Post Reply | Private Reply | To 1 | View Replies]

To: all
As a system, 'open-source' development almost always makes higher-quality code faster than 'closed-source' development. I have seen exceptions, but they are just that.

And it's obviously so. No possible suggestion otherwise. The sun is hot and open-source wrings the bugs out of code faster than closed-source.

It's a matter of eyeballs.

46 posted on 05/31/2002 9:16:25 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 45 | View Replies]

To: Bush2000
Anyone who thinks that highly classified systems are off the shelf knows nothing of such systems.
47 posted on 05/31/2002 9:53:19 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dinsdale
Funny thing is they don't disclose their funding. I can only infer it.

If you can't prove an assertion, you should state up front that it's your opinion. In all honesty, I set you up for failure because I've never read anything which describes the source of de Tocqueville's funding. But merely asserting your opinion as fact doesn't fly around here.
48 posted on 05/31/2002 11:01:24 PM PDT by Bush2000
[ Post Reply | Private Reply | To 23 | View Replies]

To: B Knotts
Ah. That would explain the Klez.H phenomenon.

No, what would explain Klez.H are (a) morons who can't seem to patch their email client despite all warnings to do so, and (b) morons who click on any executable attachment because it promises to show them animated breasts...
49 posted on 05/31/2002 11:04:02 PM PDT by Bush2000
[ Post Reply | Private Reply | To 32 | View Replies]

To: Wisconsin
Guess the government better dump Microsoft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open source IP stack inter alia)

Of course, since MS has made modifications to the source and you lack the source code, your theory isn't worth dick.
50 posted on 05/31/2002 11:05:05 PM PDT by Bush2000
[ Post Reply | Private Reply | To 45 | View Replies]

To: mikenola
DoD, NSA, CIA etc, use plenty of open source sw. BIND, Apache, ssh, perl, gcc, to name a few. These tools are bundled into even the most secure "proprietary" platforms like trusted solaris, tru64 that are staples for secret/SCI systems.

And they'd love for everyone to use tools for which they have the source code. It just makes it that much easier to find and exploit holes in your systems.

"Cyberterrorism" is an overplayed threat, imo. Fortunately our enemies tend to be primitivists with little education or love for technology. The possibility of these yoyos mounting an orchestrated attack of a magnitude to do serious damage to national security is probably pretty remote.

Agree. Few critical systems are hooked up to the Internet. Defacing a website or stealing a few credit cards is hardly a threat to national security.

my two cents: the trick to good data security is not necessarily the tools you use, but the staff/policy implementing them. Good security procedure is something that tends to get overlooked when one starts obsessing over the tools.

Absolutely, but you have to understand something: Many of the same people pushing *nix as a "superior" solution are the same fools that believe their systems are invulnerable.
51 posted on 05/31/2002 11:09:05 PM PDT by Bush2000
[ Post Reply | Private Reply | To 39 | View Replies]

To: Bush2000
"Yep, and knowing the size of buffers and how they're parsed makes it that much easier to launch a buffer overrun attack on open source code..."

The thing with open source is that if a buffer overrun was discovered or another major exploit, you can pretty much rest assured that there will be a patch within hours.

I am not a big Microsoft basher but I think the whole premise that open source is less secure is ridiculous.

52 posted on 05/31/2002 11:12:24 PM PDT by Crispy
[ Post Reply | Private Reply | To 15 | View Replies]

To: bobwoodard
Who can say that until the paper is released?

That's the point, bob: Until the paper is released, none of the ABM *nix trolls should be making accusations; otherwise, they're a bunch of slanderous, lying, sacks of sh*t.

All you can go on is what they've published previously and they seem to have a very sympathetic attitude towards MSFT.

No, bob. Wrong. If you want to state your opinion, fine. But if you want to assert that opinion as fact, uh uh. No way. Nonsense. Evidence is based on fact. If you don't have evidence, don't bother unless you want to be labeled an idiot.

As for the underlying issue of open vs closed source, most tech people realize that closed source is no more or less secure than open source. Either approach has its drawbacks.

I agree with you. For example, it's easier, in a lot of ways, to start feeding really long strings to servers and web browsers than it is to slog through the code and find buffer overrun errors. So, in a purely mechanical, trial-and-error fashion, closed source will always be vulnerable to that sort of random attack. But open source permits very precise attacks based upon a close reading of source code. As you say, each has its drawbacks. But asserting one as "superior" is a religious issue.
53 posted on 05/31/2002 11:16:37 PM PDT by Bush2000
[ Post Reply | Private Reply | To 38 | View Replies]
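The exchange above contrasts blind long-string probing with source-level review of buffer handling. As an added illustration (not code from the thread or from any product discussed in it), the constructed C snippet below puts the unsafe copy pattern that either method would find next to a bounded version that rejects over-length input before copying. The function names, the `NAME_LEN` size and the sample inputs are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example; any fixed size shows the point. */
#define NAME_LEN 16

/* The pattern under discussion: strcpy copies until the NUL terminator
 * regardless of destination size, so input longer than NAME_LEN - 1 bytes
 * writes past the end of `name`. Shown for contrast only and never called
 * with over-length input in this example. */
int handle_request_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bounds check */
    return (int)strlen(name);
}

/* Hardened form: look for the terminator within the destination size first.
 * If none is found the input cannot fit, so it is rejected rather than
 * truncated (silent truncation can itself cause logic bugs). Returns the
 * copied length, or -1 when the input is too long. */
int handle_request_safe(const char *input, char *out, size_t out_len) {
    if (out_len == 0) {
        return -1;
    }
    const char *nul = memchr(input, '\0', out_len);
    if (nul == NULL) {
        return -1;                  /* no NUL within out_len bytes: too long */
    }
    size_t n = (size_t)(nul - input);
    memcpy(out, input, n + 1);      /* n + 1 <= out_len is guaranteed above */
    return (int)n;
}

/* Self-check with constructed inputs: a short name is accepted, a 40-byte
 * run of 'A' (the "really long string" of the post) is refused. */
int run_example(void) {
    char buf[NAME_LEN];
    char long_input[41];
    memset(long_input, 'A', 40);
    long_input[40] = '\0';

    int ok = handle_request_safe("alice", buf, sizeof buf);
    int rejected = handle_request_safe(long_input, buf, sizeof buf);
    return (ok == 5 && rejected == -1) ? 0 : 1;
}

int main(void) {
    int rc = run_example();
    printf("bounded copy check: %s\n", rc == 0 ? "pass" : "fail");
    return rc;
}
```

The hardened function checks the length of the input against the size of the destination, not against a guess about the input, which is why publishing the buffer size (as open source does) changes nothing about its safety: the check holds for every input length.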

To: Crispy
The thing with open source is that if a buffer overrun was discovered or another major exploit, you can pretty much rest assured that there will be a patch within hours. I am not a big Microsoft basher but I think the whole premise that open source is less secure is ridiculous.

Of course, such a thesis rests upon the proposition that the attacker wants to make the exploit public. In the case of the NSA, CIA, FBI, and foreign governments, it might well be their objective to exploit the hole without revealing the problem. Keep in mind: That's precisely the issue that the FBI is lobbying Congress for legislative approval. They want to be able to collect data from your machine -- using attacks which you won't be informed about -- with minimal involvement with judges and other safeguards. I'm amazed how people in the open source community tend to believe that hackers targeting *nix always wear white hats and have the best interests of the community at heart. Not the case. The sooner that people realize this and stop touting it as a benefit, the better off they'll be.
54 posted on 05/31/2002 11:20:12 PM PDT by Bush2000
[ Post Reply | Private Reply | To 52 | View Replies]

To: gcraig
Microsoft programmers don't comment their code. Take a look at the CRT source. Take a look at winnt.h if you have a copy of Visual C++. Of course that's just a header file.

You're using header files included with the compiler as the basis for such a determination? What a joke. Did it ever occur to you that those files are specifically scrubbed to eliminate offensive and inaccurate comments?
55 posted on 05/31/2002 11:23:13 PM PDT by Bush2000
[ Post Reply | Private Reply | To 40 | View Replies]

To: toddhisattva
A Google search of "ADTI Microsoft" and "Alexis de Tocqueville Institute" shows a long history of stupid press releases parroting the Microsoft totalitarian line. It's not a receipt or check or bank statement, but it's pretty damning evidence.

ZDNet has a lot of press about Linux. That doesn't mean that RedHat owns 'em. Simple logic, Toddy. You might try it sometime.
56 posted on 05/31/2002 11:25:19 PM PDT by Bush2000
[ Post Reply | Private Reply | To 26 | View Replies]

Comment #57 Removed by Moderator

To: jsr fded
On highly secured systems, the DoD has the source. A code review is a requirement of such systems.
58 posted on 06/01/2002 8:01:58 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 57 | View Replies]

To: gcraig
"Microsoft programmers don't comment their code. Take a look at the CRT source."

Two things. The CRT code is for study and personal use. Its comments have been removed for a variety of reasons. Second, unless you work at Microsoft or have seen the source to their 200+ products, I'd say that was a very ignorant comment.

59 posted on 06/01/2002 8:04:03 AM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 40 | View Replies]

To: Bush2000
And they'd love for everyone to use tools for which they have the source code. It just makes it that much easier to find and exploit holes in your systems.

I guess that's the part of the argument I have a hard time buying. If it were true, why don't we hear more about it? Reading the DoD-CERT monthly incident reports, 90% are Microsoft systems.

But then again, I'm sure there are plenty of incidents that never see the light of day.

60 posted on 06/01/2002 8:46:27 AM PDT by mikenola
[ Post Reply | Private Reply | To 51 | View Replies]
