Study: Open source poses security risks
Posted on 05/31/2002 3:15:28 PM PDT by Bush2000
A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.
The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.
"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.
Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.
Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.
The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.
"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."
That's a nice boat you've got (on your FR homepage), Mr Bush2000. Is that Seattle in the background? I take it that Microsoft has been good to you. Congratulations on your good fortune.
A. It's not my boat. I rented it for a day.
B. It's Miami Beach, not Seattle.
C. Stuff your congratulations.
I do realize that in a "debate" one needs to cavil with minor faults of the other side so as to deflect examination, but you haven't denied that you work for Microsoft, so I'll assume that since you don't want the congratulations for Pythonic, you do indeed work for Microsoft.
The Miami Beach thing is a small mistake, your profile page has "Location: Seattle" and a flag of Washington.
Funny thing is they don't disclose their funding.
I can only infer it. They seem to wuv Microsoft and MCSEs. At least half the MCSEs I've dealt with are oxygen thieves (about the same ratio as CNEs and, I'm sorry to say, only slightly worse than BSEEs). Their study 'shows' that MCSEs are good at what they do. Ergo their credibility is suspect.
Another interesting quote found on Slashdot. Senior MS exec: 'We can't disclose source because some of it is so flawed (message queuing and others not listed) that it would be a national security issue to release it.'
If it was intuitively obvious there would be no need for a report from a think tank, now would there?
[Anyone care to wager that Gregory Fossedal of ADTI will have an op-ed in the Wall Street Journal in the next two weeks about this?]
Sort of like the Time article reporting the scientists who recently discovered there are differences between men and women and in fact they may even be born different?
Yeah, but somebody else does.
You also don't get the programmer comments when you decompile/deduce...
Yep, and knowing the size of buffers and how they're parsed makes it that much easier to launch a buffer overrun attack on open source code...
Aha,, so explain how all of those buffer exploits in Microsoft's closed code get discovered.
Ah. That would explain the Klez.H phenomenon.
"Copyright is my right. Buy a license or you'll have trouble with the police," croons Egyptian pop singer Shaban Abd el-Reheem on his latest album.
For those that don't remember, this is the guy who sang that catchy tune "I Hate Israel."
In February, the Business Software Alliance, the group that represents Microsoft, Adobe, and other software makers concerned about piracy, signed up another unusual partner -- the grand muftis at Al Azhar in Cairo. The highest religious authority in Sunni Islam, Sheikh Ibrahim Atta Allah, issued a fatwa, or edict, against piracy. "Piracy is the worst type of theft and is prohibited by Islam," Atta Allah declared.
This is unrelated to the current thread, but it's just too funny that they're actually signing up Islamic clerics to issue fatwas against unauthorized copying!
That takes the top-end proprietary package!
Who can say that until the paper is released? All you can go on is what they've published previously, and they seem to have a very sympathetic attitude towards MSFT.
As for the underlying issue of open vs closed source, most tech people realize that closed source is no more or less secure than open source. Either approach has its drawbacks.
"Cyberterrorism" is an overplayed threat, imo. Fortunately our enemies tend to be primitivists with little education or love for technology. The possibility of these yoyos mounting an orchestrated attack of a magnitude to do serious damage to national security is probably pretty remote.
My two cents: the trick to good data security is not necessarily the tools you use, but the staff/policy implementing them. Good security procedure is something that tends to get overlooked when one starts obsessing over the tools.
Watch your network!
Microsoft programmers don't comment their code. Take a look at the CRT source. Take a look at winnt.h if you have a copy of Visual C++. Of course that's just a header file.