Free Republic

Study: Open source poses security risks
ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

Posted on 05/31/2002 3:15:28 PM PDT by Bush2000

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."


TOPICS: Business/Economy; Technical
KEYWORDS: opensource
To: mikenola
I guess that's the part of the argument I have a hard time buying. If it were true, why don't we hear more about it? Reading the DoD-CERT monthly incident reports, 90% are Microsoft systems. But then again, I'm sure there are plenty of incidents that never see the light of day.

Ah, but you do hear about it -- if you know where to look. http://online.securityfocus.com/archive/1. There are plenty of flaws in *nix and OSes other than Windows. It's just that Windows is the most widely used desktop OS; therefore, it is the one that makes headline news.
61 posted on 06/01/2002 8:56:03 AM PDT by Bush2000
[ Post Reply | Private Reply | To 60 | View Replies]

To: mikenola
Incidentally, a favorite game for *nix advocates is to criticize MS for flaws in IIS and other OS middleware as "flaws in Windows" -- and then turn around and say that stuff like WS-FTPD and other components provided with Linux aren't "flaws in Linux". It's a stupid game, frankly, and those who follow security issues understand that all OSes are (and will continue to be) plagued by security problems.
62 posted on 06/01/2002 8:58:30 AM PDT by Bush2000
[ Post Reply | Private Reply | To 60 | View Replies]

To: jsr fded
Bush2000, I'm sorry, but please answer the question that was asked. Do you work for Microsoft? (Y/N)

The standard MS paid-poster response is "I used to work for MS, now I'm just a stockholder". We had six or seven of them here until several others got banned for making threats to people who criticize MS.

I call them "The Ex-es".

Do a search of threads posted by Mr. Bush2k here. It's a long list of MS press releases.

63 posted on 06/01/2002 9:26:35 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 57 | View Replies]

To: Dominic Harr
Yes, Bush2000 is well known in my book for scoring every debating point he can that's pro-Microsoft, and apparently being totally deaf to anything to the contrary, no matter how clear and self-evident, except in so far as he can mutate it into another opportunity to score.

If we had kill-files on this forum, he would be perhaps the sole occupant of mine, even if it did mean that upwards of 50% of the Linux relevant threads were blacked out.

The persona he presents here is not that of a truth seeker, but of an agenda pusher. Sad.

64 posted on 06/01/2002 9:44:13 AM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 63 | View Replies]

Comment #65 Removed by Moderator

To: ThePythonicCow
Yes, Bush2k is the 'James Carville' of the MS/Freeper scene.

But he doesn't bother me much, I mainly feel sorry for him.

The ones that were *really* annoying were banned. InnocentBystander threatened to beat up people who criticized MS. Don Joe would post 5, 10, 15 insults an hour in a thread, never once discussing the actual topic -- and often threaten 'libel' lawsuits against anyone that criticized MS. MacAttack was another prize.

My personal favorite tactic of theirs was the lawsuit threats. I feel that's an automatic 'win' on these boards. When your opponent threatens to sue you, you've gotten to him!

From what I understand, the main goal of the paid posters is two-fold:

  1. Post a stream of stories with pro-MS slants, making sure the headline is a pro-MS spin line.

  2. Bump that story as often as possible, typically by making outrageous inflammatory comments and insults that are certain to elicit responses.

  3. Count on the fact that 95% of the readers will never click on the thread, but will only see the MS 'spin' line.

  4. Finally, and perhaps most importantly, shout down and insult any criticism of MS. If they can annoy MS critics enough to drive them away, they can effectively silence criticism of MS.

Were you around when MS started all this paid-poster stuff to trash OS/2 online, a million years ago? Thru usenet to the web to here, this is literally the 15th or 20th time I've seen the same M.O.

Pathetic, yes. But typically the paid posters have no actual skills, and paid liar is about the best they can aspire to in life.


66 posted on 06/01/2002 11:03:47 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 64 | View Replies]

To: Dominic Harr

67 posted on 06/01/2002 11:04:52 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 66 | View Replies]

To: Dominic Harr
I missed out on most of these really annoying Microshills here. From your description, just as well.

Back in the heydays of OS/2 Warp, I was too busy enjoying using it to be posting on bulletin boards, about that or anything else. Though I do recall vaguely spending many hours posting on some board (Usenet? ... no ... CompuServe) concerning JPSoft's 4DOS.

68 posted on 06/01/2002 12:44:48 PM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 66 | View Replies]

To: PatrioticAmerican
The CRT code is for study and personal use.

All the more reason to have included comments. I really don't appreciate you calling me ignorant. I don't work for Microsoft, and never have.

69 posted on 06/01/2002 12:45:52 PM PDT by gcraig
[ Post Reply | Private Reply | To 59 | View Replies]

To: gcraig; PatrioticAmerican
Calm down, you two. The charge of "ignorant" was leveled at the comment, not the commentator, though it was said in a way that I'm not surprised that the other person found annoying.

The original claim, that "Microsoft programmers don't comment their code" was too broad, and was also said in a way that I'm not surprised that others found annoying.

Any large body of code written by many people will have a variety of commenting styles, short of some effort to systematically strip comments or some other mass enforcement. One or two published examples prove little.

Since I don't work at or for Microsoft, and by his own admission, neither does gcraig, neither of us can claim knowledge of such systematic stripping. Indeed such seems unlikely to me.

70 posted on 06/01/2002 1:03:08 PM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 69 | View Replies]

To: Bush2000
"...as long as the modified software is itself available under open-source terms."
I think the above is the important point with respect to national security. Why would anyone that cares about national security promote the idea of releasing all modifications back to the open source community?
71 posted on 06/01/2002 1:17:21 PM PDT by eraser X
[ Post Reply | Private Reply | To 1 | View Replies]

To: B Knotts
This is unrelated to the current thread, but it's just too funny that they're actually signing up Islamic clerics to issue fatwas against unauthorized copying!

They'll probably have as much luck with the Egyptian clerics as the Brits did in unifying Islam and bringing peace to the Middle East...
72 posted on 06/01/2002 1:24:26 PM PDT by dyed_in_the_wool
[ Post Reply | Private Reply | To 33 | View Replies]

To: eraser X
For certain security applications, it's actually good to publicize the code and get more eyes looking at the implementation. Algorithms for things like encryption and checksumming obtain their security from provable mathematical properties, not from keeping their mechanisms obscure. Their greatest weakness lies in unrealized bugs, which public review can help thwart. For general purpose computer facilities and utilities, such as a command to copy a file, the portions of such a command that are just dealing with moving bytes around are also helped by public review, in that it reduces the chance of bugs (or planted code) that have undesired side effects.

Do you avoid buying padlocks from the popular commercial lines, because I could buy the same padlock, learn its flaws, and thereby gain illegal access to your property? No, having a market for padlocks increases the quality of all such padlocks, and reduces their price. What you don't do is tell me what you have padlocked, where, with what brand of lock, and what of value lies behind that lock. Obscurity as to the particulars of your situation helps you stay safe, even as you use widely distributed and publicly available means to padlock it.

73 posted on 06/01/2002 1:34:46 PM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 71 | View Replies]

To: Bush2000
before you post "this study was bought and paid for by Microsoft", try providing some references ... or be prepared to be labelled an idiot.

Dunno about that one. What do you think about this one?


New Study Shows Widespread Acceptance of Microsoft Training Program (MCSE)

For immediate release
December 15, 2000
Contact Kenneth Brown
kenbrown@adti.net

The Alexis de Tocqueville Institution, a public policy think tank located in Arlington, Virginia recently completed a study on the impact of the Microsoft Certified Systems Engineer (MCSE) training program.

In a survey of human resource managers and specialists from Fortune 500, Inc. 500 and new NASDAQ listed tech start-ups, AdTI found:

  • 72% of H.R. managers and specialists are familiar with the program
  • 55% of surveyed companies had MCSE's on their staff
  • 87% of H.R. managers surveyed believed that MCSE's are equally or more successful than college graduates.

"Companies are educating and graduating their own class of engineers for the technology revolution," says AdTI research fellow Jeffrey Hogg. "The success of this program is more far-reaching than we expected."


74 posted on 06/01/2002 1:35:35 PM PDT by Nick Danger
[ Post Reply | Private Reply | To 1 | View Replies]

To: toddhisattva
A Google search of "ADTI Microsoft" and "Alexis de Tocqueville Institute" shows a long history of stupid press releases parroting the Microsoft totalitarian line. It's not a receipt or check or bank statement, but it's pretty damning evidence.

It is really damning given that most of us - even technically sophisticated ones - spend most of our lives not giving much thought to MS except occasionally to curse the latest really enduring "feature" of their software.

75 posted on 06/01/2002 1:52:59 PM PDT by AndyJackson
[ Post Reply | Private Reply | To 26 | View Replies]

To: ThePythonicCow
"Indeed such seems unlikely to me"

First you say you don't know, but then you say it seems unlikely? Is that really logical? whadda cheap shot.

76 posted on 06/01/2002 1:56:22 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 70 | View Replies]

To: gcraig
"I really don't appreciate you calling me ignorant."

Then stop making such ignorant accusations. If you don't like the reality that you made an ignorant statement then only you can change it.

77 posted on 06/01/2002 1:58:30 PM PDT by PatrioticAmerican
[ Post Reply | Private Reply | To 69 | View Replies]

To: Dominic Harr
Don Joe was never banned. He left of his own accord, and given the circumstances, I'm not sure I blame him.
78 posted on 06/01/2002 2:06:15 PM PDT by general_re
[ Post Reply | Private Reply | To 66 | View Replies]

To: PatrioticAmerican
Well, yeah. Stuff like that happens all the time. For example, I don't know if you're a 78-year-old Catholic nun, but it seems unlikely.

77 maybe, but not 78.

79 posted on 06/01/2002 3:17:33 PM PDT by ThePythonicCow
[ Post Reply | Private Reply | To 76 | View Replies]

Comment #80 Removed by Moderator

