Study: Open source poses security risks

ZDNet ^ | May 31, 2002, 9:30 AM PT | Matthew Broersma

[Bush2000]

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification, as long as the modified software is itself available under open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."

[bobwoodard]

It's intuitively obvious. Open source for a hacker / terrorist is analogous to having the blueprints for Fort Knox, the US attack plan for Iraq, or the schematics on how our missile targeting systems work.

Maybe it's 'intuitively obvious', but that doesn't mean it's correct. If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

[meyer]

My thought, and I'm far from being a security expert, is that anything sensitive should be in a closed system with no outside access (or at least minimal) and with lots of guards. Armed guards, of course, as well as people that can keep a close eye on activity. Networking is sometimes overrated.

[meyer]

"working half-days" (12-hours), "

Well, that caught my eye. I work 12's and never called them "half days". :^) To me, half days would be 4 hour shifts and I could really learn to enjoy that if it paid as well.

[Poohbah]

If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

The biggest issue with open source is the erratic configuration management. It ranges from outstanding to abysmal, and since CM is a joint effort between the development team and the end user, it has LOTS of opportunity to break down.

[Wisconsin]

Guess the government better dump Microsft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open cource ip stack inter alia)

[Dominic Harr]

As a system, 'open-source' development almost always makes higher-quality code faster than 'closed-source' development. I have seen exceptions, but they are just that.

And it's obviously so. No possible suggestion otherwise. The sun is hot and open-source wrings the bugs out of code faster than closed-source.

It's a matter of eyeballs.

[PatrioticAmerican]

Anyone who thinks that highly classified systems are off the shelf knows nothing of such systems.

[Bush2000]

Funny thing is they don't disclose their funding. I can only infer it.

If you can't prove an assertion, you should state up front that it's your opinion. In all honesty, I set you up for failure because I've never read anything which describes the source of de Tocquville's funding. But merely asserting your opinion as fact doesn't fly around here.

[Bush2000]

Ah. That would explaing the Klez.H phenomenon.

No, what would explain Klez.H are (a) morons who can't seem to patch their email client despite all warnings to do so, and (b) morons who click on any executable attachment because it promises to show them animated breasts...

[Bush2000]

Guess the government better dump Microsft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open cource ip stack inter alia)

Of course, since MS has made modifications to the source and you lack the source code, your theory isn't worth dick.

[Bush2000]

DoD, NSA, CIA etc, use plenty of open source sw. BIND, Apache, ssh, perl, gcc, to name a few. These tools are bundled into even the most secure "proprietary" platforms like trusted solaris, tru64 that are staples for secret/SCI systems.

And they'd love for everyone to use tools for which they have the source code. It just makes it that much easier to find and exploit holes in your systems.

"Cyberterrorism" is on overplayed threat, imo. Fortunately our enemies tend to be primitivists with little education or love for technology. The possibility of these yoyos mounting a orchestrated attack of a magnitude to do serious damage to national security is probably pretty remote.

Agree. Few critical systems are hooked up to the Internet. Defacing a website or stealing a few credit cards is hardly a threat to national security.

my two cents: the trick to good data security is not necessarily the tools you use, but the staff/policy implementing them. Good security procedure is something that tends to get overlooked when one starts obsessing over the tools.

Absolutely, but you have to understand something: Many of the same people pushing *nix as a "superior" solution are the same fools that believe their systems are invulnerable.

[Crispy]

"Yep, and knowing the size of buffers and how they're parsed makes it that much easier to launch a buffer overrun attack on open source code..."

The thing with open source is that if a buffer overrun was discovered or another major exploit, you can pretty much rest assured that there will be a patch within hours.

I am not a big Microsoft basher but I think the whole premise that open source is less secure is rediculous.

[Bush2000]

Who can say that until the paper is released?

That's the point, bob: Until the paper is released, none of the ABM *nix trolls should be making accusations; otherwise, they're a bunch of slanderous, lying, sacks of sh*t.

All you can go on is what they've published previously and they seem to have a very sympathetic attitutde towards MSFT.

No, bob. Wrong. If you want to state your opinion, fine. But if you want to assert that opinion as fact, uh uh. No way. Nonsense. Evidence is based on fact. If you don't have evidence, don't bother unless you want to be labeled an idiot.

As for the underlying issue of open vs closed source, most tech people realize that closed source is no more or less secure than open source. Either approach has its drawbacks.

I agree with you. For example, it's easier, in a lot of ways, to start feeding really long strings to servers and web browsers than it is to slog through the code and find buffer overrun errors. So, in a purely mechanical, trial-and-error fashion, closed source will always be vulnerable to that sort of random attack. But open source permits very price attacks based upon a close reading of source code. As you say, each has its drawbacks. But asserting one as "superior" is a religious issue.

[Bush2000]

The thing with open source is that if a buffer overrun was discovered or another major exploit, you can pretty much rest assured that there will be a patch within hours. I am not a big Microsoft basher but I think the whole premise that open source is less secure is rediculous.

Of course, such a thesis rests upon the proposition that the attacker wants to make the exploit public. In the case of the NSA, CIA, FBI, and foreign governments, it might well be their objective to exploit the hole without revealing the problem. Keep in mind: That's precisely the issue that the FBI is lobbying Congress for legislative approval. They want to be able to collect data from your machine -- using attacks which you won't be informed about -- with minimal involvement with judges and other safeguards. I'm amazed how people in the open source community tend to believe that hackers targeting *nix always wear white hats and have the best interests of the community at heart. Not the case. The sooner that people realize this and stop touting it as a benefit, the better off they'll be.

[Bush2000]

Microsoft programmers don't comment their code. Take a look at the CRT source. Take a look at winnt.h if you have a copy of Visual C++. Of course that's just a header file.

You're using header files included with the compiler as the basis for such a determination? What a joke. Did it ever occur to you that those files are specifically scrubbed to eliminate offensive and inaccurate comments?

[Bush2000]

A Google search of "ADTI Microsoft" and "Alexis de Tocqueville Institute" shows a long history of stupid press releases parotting the Microsoft totalitarian line. It's not a receipt or check or bank statement, but it's pretty damning evidence.

ZDNet has a lot of press about Linux. That doesn't mean that RedHat owns 'em. Simple logic, Toddy. You might try it sometime.

[PatrioticAmerican]

On highly secured systems, the DoD has the source. A code review is a requirement of such systems.

[PatrioticAmerican]

"Microsoft programmers don't comment their code. Take a look at the CRT source."

Two things. The CRT code is for study and personal use. Its comments have been removed for a variety of reasons. Second, Unless you work at Microsoft or have seen the source to their 200+ products, I'd say that was a very ignorant comment.

[mikenola]

And they'd love for everyone to use tools for which they have the source code. It just makes it that much easier to find and exploit holes in your systems.

I guess that's the part of the argument I have a hard time buying. If it were true, why don't we hear about more about it? Reading the DoD-CERT monthly incident reports , 90% are microsoft systems.

But then again, I'm sure there are plenty of incidents that never see the light of day.