Free Republic
Browse · Search
News/Activism
Topics · Post Article


Study: Open source poses security risks
ZDNet | May 31, 2002, 9:30 AM PT | Matthew Broersma

Posted on 05/31/2002 3:15:28 PM PDT by Bush2000

A conservative U.S. think tank suggests in an upcoming report that open-source software is inherently less secure than proprietary software, and warns governments against relying on it for national security.

The white paper, Opening the Open Source Debate, from the Alexis de Tocqueville Institution (ADTI) will suggest that open source opens the gates to hackers and terrorists.

"Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose," ADTI said in a statement released ahead of the report.

Open-source software is freely available for distribution and modification; under copyleft licenses such as the GPL, modified versions must themselves be released under the same open-source terms. The Linux operating system is the best-known example of open source, having become popular in the Web server market because of its stability and low cost.

Many researchers have also suggested that since a large community contributes to and scrutinizes open-source code, security holes are less likely to occur than in proprietary software, and can be caught and fixed more quickly.

The ADTI white paper, to be released next week, will take the opposite line, outlining "how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems," the institute said.

"Computer systems are the backbone to U.S. national security," said ADTI Chairman Gregory Fossedal. "Before the Pentagon and other federal agencies make uninformed decisions to alter the very foundation of computer security, they should study the potential consequences carefully."


TOPICS: Business/Economy; Technical
KEYWORDS: opensource
This should be fun...

but before you post "this study was bought and paid for by Microsoft", try providing some references ...

or be prepared to be labelled an idiot.
1 posted on 05/31/2002 3:15:28 PM PDT by Bush2000

To: Bush2000
Bush2000..... Reports and decides! LOL!

You Go Girlfriend!
2 posted on 05/31/2002 3:21:36 PM PDT by cmsgop

To: Bush2000
but before you post "this study was bought and paid for by Microsoft", try providing some references ... or be prepared to be labelled an idiot.

Um, shouldn't one be labelled an "idiot" for assuming it was not bought and paid for or otherwise influenced? That's what these think tanks mostly exist for. So your statement about references is not well taken.

BTW, plug in the name of the "Institution" and "Microsoft" into a web search engine. Hundreds of hits - many of which deal with some paper the "Institution" created "proving" how Microsoft's training programs and degrees are better than others. A favorite topic of Alexis D.T., no doubt. </sarcasm>

3 posted on 05/31/2002 3:30:26 PM PDT by Shermy

To: Bush2000
Proprietary software can be disassembled.

Security by obscurity has not worked. But nothing else has yet.

Solaris, HPUX, FreeBSD, Linux, NT, XP etc all have exploitable flaws. All non-trivial code will.

When the feature set settles down it might be possible to reach a state of reasonable security by using time/hacker tested OSs. For now all you can do is keep up your patches and run a heterogeneous network (so one flaw will not take the whole thing down).

I quote:

Diversity:

Replacing a position because some guy back in '83 decided to use the odd-ball programming language : $120k

Maintaining 17 different operating systems at once : $225k

Answering calls from 200 end users with slightly different desktops : $57k

Having your entire network, the networks of all your end users, and your entire array of backup systems turned into incomprehensible mush overnight due to an advanced virus that could easily target and replicate in your undiversified computer systems : Priceless

And yes this study was paid for by the proprietary OS vendors.

4 posted on 05/31/2002 3:31:02 PM PDT by Dinsdale

To: Bush2000
Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose

wow, it might? so it follows that it might not.

after they release the white paper, there might be enough details to discuss. then again, maybe not.

5 posted on 05/31/2002 3:31:14 PM PDT by danelectro

To: Shermy
Um, shouldn't one be labelled an "idiot" for assuming it was not bought and paid for or otherwise influenced?

Do yourself and others a favor: Don't attempt to work in any job that requires logical reasoning.
6 posted on 05/31/2002 3:39:50 PM PDT by Bush2000

To: Dinsdale
And yes this study was paid for by the propriatary OS vendors.

Prove it ... idiot. /sarcasm
7 posted on 05/31/2002 3:41:18 PM PDT by Bush2000

To: Bush2000
Do yourself and others a favor: Don't attempt to work in any job that requires logical reasoning.

Touchy, aren't you? Did you try out the web search yet, or are you just a paid poster spamming disinfo and testing the waters?

8 posted on 05/31/2002 3:46:53 PM PDT by Shermy

To: danelectro
Terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose

wow, it might? so it follows that it might not.

after they release the white paper, there might be enough details to discuss. then again, maybe not.

It's intuitively obvious. Open source for a hacker / terrorist is analogous to having the blueprints for Fort Knox, the US attack plan for Iraq, or the schematics on how our missile targeting systems work. Yes, as someone posted above, it can be decompiled and deduced. But that's a pretty tedious and difficult process. You can also deduce our missile targeting systems with adequate access and time.

9 posted on 05/31/2002 3:47:12 PM PDT by gitmo

To: Bush2000
Hmmm ... this has very much the feel to me of the liberal vs. conservative discussions I see.

My initial reaction to Clinton-supporting liberals who deny any liberal bias in the main stream media is a bit of angry frustration and then wondering how and why any otherwise apparently mentally competent person would continue to so delude themselves so grievously. And my initial reaction to defensive Microsoft apologizers, among whom I include the otherwise good Mr. Bush2000, is almost identical.

But then my reactions diverge. In the case of Liberals, I see that they have been a major scourge for at least the last couple of centuries, and I feel compelled to continue trying to make sense of this failing of the human condition.

In the case of Microsoft ... oh well ... their time will come ... the wheels of justice may grind slowly, but they grind exceedingly fine.

That's a nice boat you've got (on your FR homepage), Mr Bush2000. Is that Seattle in the background? I take it that Microsoft has been good to you. Congratulations on your good fortune.

10 posted on 05/31/2002 3:58:11 PM PDT by ThePythonicCow

To: Shermy
Touchy, aren't you? Did you try out the web search yet, or are you just a paid poster spamming disinfo and testing the waters?

Sorry, bub. Debate doesn't work that way. You make an assertion, you prove it. I don't do your research for you.
11 posted on 05/31/2002 4:01:22 PM PDT by Bush2000

To: ThePythonicCow
That's a nice boat you've got (on your FR homepage), Mr Bush2000. Is that Seattle in the background? I take it that Microsoft has been good to you. Congratulations on your good fortune

A. It's not my boat. I rented it for a day.
B. It's Miami Beach, not Seattle.
C. Stuff your congratulations.
12 posted on 05/31/2002 4:03:12 PM PDT by Bush2000

To: gitmo
You also don't get the programmer comments when you decompile/deduce. Assuming the programmer actually commented his code (sometimes a big assumption) you get that in open source. Having done bug fixes on code by long gone programmers I know how much comments can help, easily a 50% reduction in "figure out how it doesn't work" (remember I was fixing bugs) time.
13 posted on 05/31/2002 4:04:50 PM PDT by discostu

To: cmsgop
Bush2000..... Reports and decides! LOL! You Go Girlfriend!

:-p
14 posted on 05/31/2002 4:04:53 PM PDT by Bush2000

To: discostu
You also don't get the programmer comments when you decompile/deduce...

Yep, and knowing the size of buffers and how they're parsed makes it that much easier to launch a buffer overrun attack on open source code...
15 posted on 05/31/2002 4:07:07 PM PDT by Bush2000

To: Bush2000
I'm glad somebody is doing a paper on this. It's always made sense to me. I remember Mitnik's big obsession was always getting the source, now why in the world would a hacker want to get the source code? Maybe to figure out how the security is written?! Nah couldn't be.
16 posted on 05/31/2002 4:09:54 PM PDT by discostu

To: discostu
You also don't get the programmer comments when you decompile/deduce. Assuming the programmer actually commented his code (sometimes a big assumption) you get that in open source.

Having done bug fixes on code by long gone programmers I know how much comments can help, easily a 50% reduction in "figure out how it doesn't work" (remember I was fixing bugs) time.

Good point. You also don't get the technical documentation that is available for Unix.

I was in a meeting today discussing the Pros & Cons of NT/Win2000 vs. Unix. A techie stated the Microsoft platforms were more vulnerable to intrusion attempts. I had to think of all of Abbie Hoffman's hacker newsletters. These early hackers were all Unix people. They knew Unix inside and out and had the source and documentation to fully exploit it. Of course, their biggest targets at the time were IBM and AT&T.

17 posted on 05/31/2002 4:11:58 PM PDT by gitmo

To: Bush2000; ThePythonicCow
Let me get this straight, you think you're logical? Ad hominem and other deflections seem to be your forte.
Touchy, aren't you? Did you try out the web search yet, or are you just a paid poster spamming disinfo and testing the waters?

Sorry, bub. Debate doesn't work that way. You make an assertion, you prove it. I don't do your research for you.

"Debate doesn't work that way..." Hmmm, where did you learn this? And why is this a debate? Aren't you curious to find out if your premises are correct? I understand that "debate" generally is not intended to promote understanding or discussion and examination, but dualities, often false, for advocating a position, the face of specific interests.

You initiated this thread with a demonstrative assertion. Yes, I do understand that in "debate" deflection and lying are acceptable, but some here don't want to sink to that level. We're here to learn.

Though I do enjoy your web page, it's fair game, you posted it. You have my vote for most narcissistic FR profile! A masterpiece in simplicity.

18 posted on 05/31/2002 4:16:43 PM PDT by Shermy

To: gitmo
Now in open source's defense (just to show I play fair, there are people that think I'm an MS apologist and my answer is they aren't complaining about the right parts of MS) because it's open source it's a lot easier for the administrator to change his security and put his own stuff in there; and all the Unix dogs I know do just that. But out of the box I'd have to think that even though on a technical level Unix security is better than WinX security (it is, no way to dodge that) the fact that any geek in the world (including hackers) can DL the code that wrote that out of the box security (and install it and run it through a debugger... all without breaking a single law) has to be considered a big check in the minus column.
19 posted on 05/31/2002 4:17:33 PM PDT by discostu

To: Bush2000
Just when it was getting boring around here. You had to go and post this. ;-)
20 posted on 05/31/2002 4:17:44 PM PDT by TomServo

To: TomServo
Tags off?
21 posted on 05/31/2002 4:18:06 PM PDT by TomServo

To: Bush2000; ThePythonicCow
That's a nice boat you've got (on your FR homepage), Mr Bush2000. Is that Seattle in the background? I take it that Microsoft has been good to you. Congratulations on your good fortune

A. It's not my boat. I rented it for a day.

B. It's Miami Beach, not Seattle.

C. Stuff your congratulations.

I do realize that in a "debate" one needs to cavil with minor faults of the other side so as to deflect examination, but you haven't denied that you work for Microsoft, so I'll assume that since you don't want the congratulations from Pythonic, you do indeed work for Microsoft.

The Miami Beach thing is a small mistake, your profile page has "Location: Seattle" and a flag of Washington.

22 posted on 05/31/2002 4:23:23 PM PDT by Shermy

To: Bush2000
Prove it ... idiot. /sarcasm

Funny thing is they don't disclose their funding.

I can only infer it. They seem to wuv Microsoft and MCSEs. At least half the MCSEs I've dealt with are oxygen thieves (about the same ratio as CNEs and, I'm sorry to say, only slightly worse than BSEEs). Their study 'shows' that MCSEs are good at what they do. Ergo their credibility is suspect.

Another interesting quote found on slashdot. Senior MS exec: 'We can't disclose source because some of it is so flawed (Message queuing and others not listed) that it would be a national security issue to release it.'

23 posted on 05/31/2002 4:29:20 PM PDT by Dinsdale

To: gitmo
It's intuitively obvious. Open source for a hacker / terrorist is analogous to having the blueprints for Fort Knox, the US attack plan for Iraq, or the schematics on how our missile targeting systems work. Yes, as someone posted above, it can be decompiled and deduced. But that's a pretty tedious and difficult process. You can also deduce our missile targeting systems with adequate access and time.

if it was intuitively obvious there would be no need for a report from a think tank, now would there?

[anyone care to wager that gregory fossedal of adti will have an op-ed in the wall street journal in the next two weeks about this?]

24 posted on 05/31/2002 4:35:26 PM PDT by danelectro

Comment #25 Removed by Moderator

Comment #26 Removed by Moderator

To: danelectro
if it was intuitively obvious there would be no need for a report from a think tank, now would there?

Sort of like the Time article reporting the scientists who recently discovered there are differences between men and women and in fact they may even be born different?

27 posted on 05/31/2002 4:49:05 PM PDT by gitmo

Comment #28 Removed by Moderator

Comment #29 Removed by Moderator

To: Dinsdale
Funny thing is they don't disclose their funding.

Yeah, but somebody else does.

30 posted on 05/31/2002 5:00:43 PM PDT by TechJunkYard

To: Bush2000
You also don't get the programmer comments when you decompile/deduce...

Yep, and knowing the size of buffers and how they're parsed makes it that much easier to launch a buffer overrun attack on open source code...

Aha,, so explain how all of those buffer exploits in Microsoft's closed code get discovered.

31 posted on 05/31/2002 5:08:36 PM PDT by TechJunkYard
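Posts 15 and 31 above argue both sides of the same point: source code tells an attacker exactly how big a buffer is, but an attacker without source finds the same thing by feeding the program longer and longer input and watching what breaks. The block below is an added example written for this page, not code from the ZDNet article or from any poster. The record layout, field names and setter functions are all hypothetical and constructed for the demonstration; the "black-box probe" only observes the privilege flag and never reads the setter's code, which is how it finds the overflow length in the unchecked copy and finds nothing in the bounds-checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* Hypothetical record layout (constructed for this example): a fixed-size
 * name field sits directly in front of a privilege flag. Nothing in the
 * program ever sets is_admin, so any nonzero value is attacker-controlled. */
struct record {
    char name[NAME_MAX];
    unsigned char is_admin;
    char pad[7];   /* keeps every write of the probe inside this object */
};

/* Vulnerable: copies until NUL with no length check (the classic strcpy
 * pattern). The copy goes through the struct's own storage so that the
 * overflow stays inside the object and the demonstration does not crash. */
static bool set_name_unsafe(struct record *r, const char *input)
{
    char *dst = (char *)r;
    for (size_t i = 0; ; i++) {
        dst[i] = input[i];
        if (input[i] == '\0')
            break;
    }
    return true;
}

/* Hardened: measure the input with a bound, and refuse anything that does
 * not fit together with its terminating NUL instead of truncating silently. */
static bool set_name_safe(struct record *r, const char *input)
{
    size_t len = 0;
    while (len < NAME_MAX && input[len] != '\0')
        len++;
    if (len >= NAME_MAX)
        return false;            /* would overflow: reject */
    memcpy(r->name, input, len + 1);
    return true;
}

/* Black-box probe: feeds names of increasing length and watches only the
 * observable effect (the flag), never the setter's source. Returns the
 * shortest input that flips is_admin, or 0 if no length up to the record
 * size does. Lengths are capped so the unchecked copy never leaves the object. */
static size_t find_flip_length(bool (*setter)(struct record *, const char *))
{
    char input[sizeof(struct record)];
    for (size_t len = 1; len < sizeof(struct record); len++) {
        struct record r;
        memset(&r, 0, sizeof r);
        memset(input, 'A', len);
        input[len] = '\0';
        setter(&r, input);
        if (r.is_admin != 0)
            return len;
    }
    return 0;
}

int main(void)
{
    printf("unchecked copy: flag flips at %zu input bytes\n",
           find_flip_length(set_name_unsafe));
    printf("bounds-checked copy: flag flips at %zu input bytes (0 = never)\n",
           find_flip_length(set_name_safe));
    return 0;
}
```

The probe reports 17 bytes for the unchecked copy: 16 bytes fill the name, and the 17th lands in the flag. It reports 0 for the checked copy. A real fuzzer does the same thing against a binary it has no source for, watching for crashes or a changed output rather than a single flag, which is why the buffer size is not a secret the source uniquely reveals.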

To: Bush2000
Study: Open source poses security risks

Ah. That would explain the Klez.H phenomenon.

32 posted on 05/31/2002 5:29:46 PM PDT by B Knotts

To: Bush2000
BSA and Microsoft have new partners in the fight against copyright violation: Islamic clerics and anti-Semitic pop singers

"Copyright is my right. Buy a license or you'll have trouble with the police," croons Egyptian pop singer Shaban Abd el-Reheem on his latest album.

For those that don't remember, this is the guy who sang that catchy tune "I Hate Israel."

In February, the Business Software Alliance, the group that represents Microsoft, Adobe, and other software makers concerned about piracy, signed up another unusual partner -- the grand muftis at Al Azhar in Cairo. The highest religious authority in Sunni Islam, Sheikh Ibrahim Atta Allah, issued a fatwa, or edict, against piracy. "Piracy is the worst type of theft and is prohibited by Islam," Atta Allah declared.

This is unrelated to the current thread, but it's just too funny that they're actually signing up Islamic clerics to issue fatwas against unauthorized copying!

33 posted on 05/31/2002 6:08:04 PM PDT by B Knotts

Comment #34 Removed by Moderator

To: Bush2000
Why don't you post the study when it comes out and we can see if there is anything to it. Until then you are just wasting bandwidth.
35 posted on 05/31/2002 6:20:23 PM PDT by Dan Cooper

Comment #36 Removed by Moderator

To: discostu
You also don't get the programmer comments when you decompile/deduce.

That takes the top-end proprietary package!

+=<)B^)

37 posted on 05/31/2002 6:46:12 PM PDT by Erasmus

To: Bush2000
but before you post "this study was bought and paid for by Microsoft", try providing some references ...

Who can say that until the paper is released? All you can go on is what they've published previously and they seem to have a very sympathetic attitude towards MSFT.

As for the underlying issue of open vs closed source, most tech people realize that closed source is no more or less secure than open source. Either approach has its drawbacks.

38 posted on 05/31/2002 7:00:27 PM PDT by bobwoodard

To: Bush2000
DoD, NSA, CIA etc, use plenty of open source sw. BIND, Apache, ssh, perl, gcc, to name a few. These tools are bundled into even the most secure "proprietary" platforms like trusted solaris, tru64 that are staples for secret/SCI systems.

"Cyberterrorism" is an overplayed threat, imo. Fortunately our enemies tend to be primitivists with little education or love for technology. The possibility of these yoyos mounting an orchestrated attack of a magnitude to do serious damage to national security is probably pretty remote.

my two cents: the trick to good data security is not necessarily the tools you use, but the staff/policy implementing them. Good security procedure is something that tends to get overlooked when one starts obsessing over the tools.

Watch your network!

39 posted on 05/31/2002 7:07:05 PM PDT by mikenola

To: discostu
Assuming the programmer actually commented his code...

Microsoft programmers don't comment their code. Take a look at the CRT source. Take a look at winnt.h if you have a copy of Visual C++. Of course that's just a header file.

40 posted on 05/31/2002 7:29:26 PM PDT by gcraig

To: gitmo
It's intuitively obvious. Open source for a hacker / terrorist is analogous to having the blueprints for Fort Knox, the US attack plan for Iraq, or the schematics on how our missile targeting systems work.

Maybe it's 'intuitively obvious', but that doesn't mean it's correct. If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

41 posted on 05/31/2002 7:38:52 PM PDT by bobwoodard

To: discostu
My thought, and I'm far from being a security expert, is that anything sensitive should be in a closed system with no outside access (or at least minimal) and with lots of guards. Armed guards, of course, as well as people that can keep a close eye on activity. Networking is sometimes overrated.
42 posted on 05/31/2002 7:40:08 PM PDT by meyer

To: Z.O.B.
"working half-days" (12-hours)

Well, that caught my eye. I work 12's and never called them "half days". :^) To me, half days would be 4 hour shifts and I could really learn to enjoy that if it paid as well.

43 posted on 05/31/2002 7:43:07 PM PDT by meyer

To: bobwoodard
If you follow the logic of people supporting security through obscurity, how could any secure open source app or os exist? With the source for some apps or oses being in the wild for years or decades, any system using those products should be as wide open as the Grand Canyon. Right?

The biggest issue with open source is the erratic configuration management. It ranges from outstanding to abysmal, and since CM is a joint effort between the development team and the end user, it has LOTS of opportunity to break down.

44 posted on 05/31/2002 7:46:52 PM PDT by Poohbah

To: Bush2000
Guess the government better dump Microsoft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open source IP stack inter alia)
45 posted on 05/31/2002 8:42:51 PM PDT by Wisconsin

To: all
As a system, 'open-source' development almost always makes higher-quality code faster than 'closed-source' development. I have seen exceptions, but they are just that.

And it's obviously so. No possible suggestion otherwise. The sun is hot and open-source wrings the bugs out of code faster than closed-source.

It's a matter of eyeballs.

46 posted on 05/31/2002 9:16:25 PM PDT by Dominic Harr

To: Bush2000
Anyone who thinks that highly classified systems are off the shelf knows nothing of such systems.
47 posted on 05/31/2002 9:53:19 PM PDT by PatrioticAmerican

To: Dinsdale
Funny thing is they don't disclose their funding. I can only infer it.

If you can't prove an assertion, you should state up front that it's your opinion. In all honesty, I set you up for failure because I've never read anything which describes the source of de Tocqueville's funding. But merely asserting your opinion as fact doesn't fly around here.
48 posted on 05/31/2002 11:01:24 PM PDT by Bush2000

To: B Knotts
Ah. That would explaing the Klez.H phenomenon.

No, what would explain Klez.H are (a) morons who can't seem to patch their email client despite all warnings to do so, and (b) morons who click on any executable attachment because it promises to show them animated breasts...
49 posted on 05/31/2002 11:04:02 PM PDT by Bush2000

To: Wisconsin
Guess the government better dump Microsoft OS's pretty fast since they are in part based on open source code (Yeah, MS took and used the open source IP stack inter alia)

Of course, since MS has made modifications to the source and you lack the source code, your theory isn't worth dick.
50 posted on 05/31/2002 11:05:05 PM PDT by Bush2000


