
Is Open Source Fertile Ground for Foul Play?

CmdrTaco posted more than 10 years ago | from the something-to-think-about dept.

Security 723

jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"

723 comments

Sounds like someone trying to be controversial... (5, Insightful)

yar (170650) | more than 10 years ago | (#8261746)

I wish people would use any kind of proof with this type of article... but I suppose they can't.

"Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public."

And of course there just CAN'T be any guard against the actual program being implemented differing from the publicly available source... :P

"I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."

And when those holes are discovered, they aren't published at all. And the proprietary owner has a far more difficult time finding these existing holes themselves. And most of all, there's NOTHING STOPPING THE PROPRIETARY OWNER from implementing this same type of worst-case scenario the author of this piece describes, and an even smaller chance of discovery by outsiders. Sheesh.

Re:Sounds like someone trying to be controversial. (5, Funny)

Anonymous Coward | more than 10 years ago | (#8261802)

Wow, an insightful first post.
This day will go down in history.

Re:Sounds like someone trying to be controversial. (-1)

Anonymous Coward | more than 10 years ago | (#8261832)

Second one today, whew.

Re:Sounds like someone trying to be controversial. (-1, Troll)

October_30th (531777) | more than 10 years ago | (#8261829)

And when those holes are discovered, they aren't published at all.

Uhhuh? So? They'll be fixed in the next release?

And the proprietary owner has a far more difficult time finding these existing holes themselves.

Hardly. They have the source code, after all.

Re:Sounds like someone trying to be controversial. (5, Insightful)

LostCluster (625375) | more than 10 years ago | (#8261837)

Yeah, OSS software is at risk of exploits, but he's neglecting the fact that once geeks realize that they can't compile the open source version to the binary, a red flag goes next to the binary. And if the binary starts doing malware things, then that binary goes down in flames, and the project will immediately fork with the last released source.
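
The check the comment above describes, as an added example that is not part of the original thread or the DevX article: build the published source yourself, hash what comes out, and compare it file by file against the binaries the distributor ships. Anything that differs, or that appears only in the shipped tree, is the "red flag" the comment talks about. The two dictionaries below are constructed sample data standing in for two build output trees; in real use you would hash the files on disk.

```python
"""Added example (not code from the thread or the DevX article): compare a
local from-source build against a shipped binary set.

LOCAL_BUILD and SHIPPED_BUILD are constructed sample trees (path -> bytes).
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> sha256 of contents for one build output tree."""
    return {path: sha256_hex(data) for path, data in files.items()}


def compare_builds(local: Dict[str, bytes],
                   shipped: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a local from-source build against the shipped artifacts.

    Returns three sorted lists:
      mismatch - same path, different contents (binary is not what the source builds)
      extra    - present only in the shipped tree (a file the source never produces)
      missing  - present only in the local build
    All three empty means every shipped file is reproduced from the public source.
    """
    local_h = hash_tree(local)
    shipped_h = hash_tree(shipped)
    report: Dict[str, List[str]] = {"mismatch": [], "extra": [], "missing": []}
    for path in sorted(set(local_h) | set(shipped_h)):
        if path not in shipped_h:
            report["missing"].append(path)
        elif path not in local_h:
            report["extra"].append(path)
        elif local_h[path] != shipped_h[path]:
            report["mismatch"].append(path)
    return report


def is_reproducible(local: Dict[str, bytes], shipped: Dict[str, bytes]) -> bool:
    """True only if the shipped tree is exactly what the source builds."""
    return not any(compare_builds(local, shipped).values())


# Constructed sample data: what our own build of the public source produced.
LOCAL_BUILD = {
    "bin/daemon": b"\x7fELF... main: accept loop\n",
    "lib/libcrypto.so": b"\x7fELF... aes, sha256\n",
    "etc/daemon.conf": b"listen = 127.0.0.1:8080\n",
}

# Constructed sample data: what the distributor shipped.
SHIPPED_BUILD = {
    "bin/daemon": b"\x7fELF... main: accept loop\n",
    # Same path, different bytes: the shipped library is not what the source builds.
    "lib/libcrypto.so": b"\x7fELF... aes, sha256, phone_home()\n",
    "etc/daemon.conf": b"listen = 127.0.0.1:8080\n",
    # A file the published source never builds at all.
    "lib/libhelper.so": b"\x7fELF... hidden\n",
}

if __name__ == "__main__":
    for kind, paths in compare_builds(LOCAL_BUILD, SHIPPED_BUILD).items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Running it on the sample data lists lib/libcrypto.so under mismatch and lib/libhelper.so under extra. One caveat a practitioner will hit immediately: a byte-for-byte comparison only works if the build itself is deterministic. Embedded timestamps, build paths and random link ordering produce mismatches with no malicious cause, so the toolchain has to be pinned and those sources of nondeterminism normalized before a mismatch means anything; this example does not do that normalization.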

Re:Sounds like someone trying to be controversial. (4, Insightful)

thegrommit (13025) | more than 10 years ago | (#8261838)

I wish people would use any kind of proof with this type of article... but I suppose they can't.

Who needs proof when you have FUD? See also SCO.

Re:Sounds like someone trying to be controversial. (5, Insightful)

Rev.LoveJoy (136856) | more than 10 years ago | (#8261903)

Bingo.

The author completely ignores the storied history of exactly this kind of thing in closed source software -- only these backdoors are called 'features' or 'easter eggs.'

We need a new term for this kind of journalistic troll.

-- Cheers,
-- RLJ

Re:Sounds like someone trying to by controversial. (3, Interesting)

theboy24 (687962) | more than 10 years ago | (#8261922)

You're absolutely right. People going around trolling about open source without any plausible reason is a major detriment to the cause and the software. Companies/corps are going to pick whatever works best for them and adapt/change with it to their needs and Gov't should do the same. If the security was as bad as the article implies it to be, then why haven't we seen any catastrophic security failures on any of the open source systems currently being used by Fortune 500 and Gov't? Hell, it couldn't be any worse than the MS systems in use.

Russell seems a bit dated (5, Insightful)

Raindance (680694) | more than 10 years ago | (#8261764)

'You get what you pay for'?

Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.

There might be security concerns with Open Source (he, most interestingly, doesn't go into security concerns with closed source or compare track-records); however, Russell is trying to pull a fast one as this is a different (and, I'd argue, wrongful) criticism of OS.

RD

Re:Russell seems a bit dated (1, Funny)

Anonymous Coward | more than 10 years ago | (#8261841)

Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.

Holy crap. I thought 'no way could someone sum this up fast' but you did it in one sentence! Bravo!

Let's also apply his adage to his opinions (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8261935)

His article and his opinions are also quite cheap. I guess we got what we paid for too :)

Sort of (4, Interesting)

gerf (532474) | more than 10 years ago | (#8261938)

His criticism reminds me of a speaker at a recent IEEE meeting at my school. She talked about the work environment, and some nuances of how to act or not to act.

One interesting thing about her contracting company she runs, is that if you charge more, you get more business. The thought here is that companies think that since this certain company costs more, it must be better. Obviously though, she did not get smarter by charging more, only richer.

That is the thinking that this fellow is using: charging more must mean it's a better product. Sadly, he is in a large part of the population that does not understand the Open Source community, or business models. His view is outdated, and frankly, wrong.

Besides, what other companies besides M$ find a huge hole in all of their flagship products, but fail to patch it for close to a year?

Wow (5, Funny)

daeley (126313) | more than 10 years ago | (#8261766)

Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...

Seriously: Who is W. Russel Jones? (0)

Anonymous Coward | more than 10 years ago | (#8261929)


Why is this guy at all relevant? Ask my grandmother if open source software is a Good Thing ... she'll say, yes, my grandson makes his living with it, and BAM. You've got a good counterpoint.

Ahhh.. (5, Funny)

Jeremiah Cornelius (137) | more than 10 years ago | (#8261768)

An article-length Troll.

The whole thread that will light-up in response to this old chestnut!

So much for any karma I had going... (-1, Troll)

deadlinegrunt (520160) | more than 10 years ago | (#8261858)

I looked back at the editor who posted this article and was surprised to find that it wasn't Michael. Go figure.

Re:Ahhh.. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8261940)

Actually, judging from the comments, I would mod the article -1, flamebait.

And this is very true (0)

Anonymous Coward | more than 10 years ago | (#8261769)

I am a small business owner, we deal mostly with office supplies. Last week we fired our two software guys and switched to open source, which is free, and I don't have to pay a dime.

Re:And this is very true (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8261786)

Yes, software developer eating their young.
RMS's goal is being achieved one job at a time.

Re:And this is very true (0)

Anonymous Coward | more than 10 years ago | (#8261926)

Yes, but RMS has created a lot of opportunities for open source Gurus and you don't even need to write any software.

hrm... (2, Insightful)

xao gypsie (641755) | more than 10 years ago | (#8261770)

i disagree....if there is a security hole, those implementing the software would ideally know enough to pick up on it fairly quickly. i mean, they do have the source, after all...

Re:hrm... (1)

dnahelix (598670) | more than 10 years ago | (#8261948)

Correct! As opposed to closed-source where a company (ahem) sits on a security hole without fixing it or telling anyone about for months and months.

What a sellout (5, Insightful)

dtfinch (661405) | more than 10 years ago | (#8261771)

Everything he claims can go wrong with open source can go wrong with closed source, but with closed source you have fewer people watching to catch malicious code additions before stable release.

Re:What a sellout (1, Interesting)

DR SoB (749180) | more than 10 years ago | (#8261846)

True, but with closed source, at least you know who exactly is responsible.. I support open source, but come on guys, would you really want Linux supporting your nuclear arsenal? Or anything else to do with Bombs? Not _all_ closed source is bad, just because you don't like microsoft.
I would feel much better knowing that they were using z/OS or some type of source from IBM. Or if they are going to use open source, hire the man power, to double check all the security related code...

Re:What a sellout (2, Insightful)

Dionysus (12737) | more than 10 years ago | (#8261941)

I support open source, but come on guys, would you really want Linux supporting your nuclear arsenal? Or anything else to do with Bombs? Not _all_ closed source is bad, just because you don't like microsoft.

I want whoever controls my nuclear arsenal to have the source and expertise to the software they use, so that they can fix it themselves. I'm almost certain that the military and org. like NASA get the source to the software they use. And then the question becomes, how is that not open source?

"Anyone who cares to join" (5, Insightful)

tcopeland (32225) | more than 10 years ago | (#8261772)


Worse though, I don't think that security testing can be made robust enough to
protect against someone injecting dangerous code into the software from the
inside--and inside, for open source, means anyone who cares to join the project
or create their own distribution.

Bosh. Open source project leaders - especially the leaders of popular projects - don't let just anyone have write access. Also, commits almost always go to a mailing list to be reviewed by the other committers and lurkers.

And of course, there's no way a commercial product could be infiltrated by someone who wants to inject harmful code. Impossible!

Fertile? HA! (-1)

Kathleen Malda (566054) | more than 10 years ago | (#8261775)

My Rob's been shooting blanks for at least five years. Hemos and a couple of his friends have vasectomies they got in a heavy bondage session a few years back. RMS can't get it up (don't ask me why I know that). Even Linus' kids aren't his.

So what's so fertile about Open Source?

PLOFIT! (3, Funny)

Anonymous Coward | more than 10 years ago | (#8261778)

1) Write bogus article that will enrage slashdotters. Slashdot, being knee-jerk as it is, posts it to the front page.
2) Get a bazillion hits.
3) PLOFIT!

Why is this a troll? (0)

Anonymous Coward | more than 10 years ago | (#8261886)

He's 100% correct.

Microsoft irony is not lost (5, Insightful)

uqbar (102695) | more than 10 years ago | (#8261784)

Releasing this kind of rhetoric just days after the latest MS security fiasco would be funny - if the reality wasn't so sad...

Closed source is fertile ground for foul play (5, Insightful)

Eric Smith (4379) | more than 10 years ago | (#8261787)

Closed source software, because of its very closedness, will inevitably lead to security concerns. This makes adoption of closed source software by governments particularly worrisome. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get if they fail to switch to open source software.

Fear Outlook Express for Linux... (5, Insightful)

LostCluster (625375) | more than 10 years ago | (#8261789)

I doubt Microsoft will ever write software for Linux, but it's inevitable that that things like Lindows will forever strive to make Linux as easy as Windows because that's essential for Linux to take over the desktop market.

However, with that, some of the inherent security of Linux fails. Imagine an e-mail client that will execute a binary attachment with no questions asked because the user double-clicked on the pretty icon. That's how MyDoom spread on Windows, and basically, it's the fact that the current setup for Linux makes it hard to execute something new that makes people realize what they have before they run it...

As soon as we have pretty looking greeting card executables that run on Linux, the downfall will be what comes next...

Re:Fear Outlook Express for Linux... (1, Informative)

Anonymous Coward | more than 10 years ago | (#8261896)

Windows Media Player for Linux will be announced in April by bill himself.

You heard it here first, anon. for a reason.

Um, yeah (5, Insightful)

Cthefuture (665326) | more than 10 years ago | (#8261790)

Please cite some specific examples Mr. Jones.

I mean, there is a whole friggin lot of open-source out there, there's bound to be a few examples of the problem? Right? Right???

In that case you can't win (0)

Anonymous Coward | more than 10 years ago | (#8261792)

When you rely on high cost Microsoft products, you often get the shaft, and that, in my opinion, is exactly what governments are getting.

"You get the shaft" (0)

Anonymous Coward | more than 10 years ago | (#8261798)

Right, as opposed to what they've been getting with expensive Microsoft products.

Which is of course a quality and secure user experience which allows their IT staffs to concentrate on implementing the needs of the users rather than having to waste time running around and dealing with testing and implementing frequent patches and plugging security compromises and cleaning worms off of users' machines.

Right?

He might be right. (2, Funny)

AtariAmarok (451306) | more than 10 years ago | (#8261799)

He might be right. If governments switch from Windows to open-source OS, they might open their computers to the possibility of being infected by worms, virii, and trojans.

'You get what you pay for' (4, Funny)

Raindance (680694) | more than 10 years ago | (#8261801)

Netcraft says that his server (running IIS) has only been up for 2 days.

I wonder if he's getting what he paid for.

Take action (5, Informative)

Strudleman (147303) | more than 10 years ago | (#8261803)

All these great replies, these reasons why Russell is wrong, will never be read by the public because they're stuck in /.

Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."

after reading this... (1)

rebewt (588158) | more than 10 years ago | (#8261805)

after reading this article only one thing comes to mind... CRACK IS WHACK!

DevX is a little slow these days (1)

Pinball Wizard (161942) | more than 10 years ago | (#8261811)

and what better way to draw techies to your website, write an article disparaging Open Source so Slashdot will pick it up!

Get what you pay for. (1)

rmadmin (532701) | more than 10 years ago | (#8261814)

You get what you pay for? Ok, if they think they NEED to pay for proven software, then they can pay Redhat for their Enterprise line of products. Pay or not, its 100% better than running windows in my opinion. Of course, the site that hosts my online banking runs Windows 2000 servers, and I haven't seen them have a problem yet, but I'm guessing if they did, they wouldn't let anyone know anytime soon. :-/

Interesting article... (1)

freerecords (750663) | more than 10 years ago | (#8261816)

..open source has always been a controversial issue.. here [monkey.org] is an interesting article on the debate "GPL Good, Commercial Bad..." It cites GCC as an example of how destructive OS can be in that it removed the market for any other type of compiler. Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world? It is now almost an integral part of any distrib.
Thoughts?
Tim

Re:Interesting article... (0)

Anonymous Coward | more than 10 years ago | (#8261839)

Can it be said that Mozilla has in effect done an "Internet explorer" with the open source world? It is now almost an integral part of any distrib.

Considering that the Konqueror browser is still going very strongly and is in fact gaining customers-- for example, Apple chose to base their new browser off of KHTML instead of Gecko-- I'd say no.

My God! (5, Insightful)

shystershep (643874) | more than 10 years ago | (#8261818)

He's a genius! This is actually a clever critique of the very dangers of closed source software, just disguised as a moronic attack on open source.

Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public.

I mean, this can't actually be an argument that closed developed by a "core group" that "won't make the corrupted version public" is more trustworthy than open development where anyone can see the code. Right? Right?

Who's paying DevX to write this shit? (4, Insightful)

JohnGrahamCumming (684871) | more than 10 years ago | (#8261819)

This is simply the worst piece of FUD concerning Linux and OSS in general that I've ever read. And it's coming from the "Executive Editor" who should have taken a look for some actual examples of what he's talking about. The entire article is random speculation that "bad things can happen" with OSS because people can modify the source and he should be ashamed of having written it: unless of course he's being paid to write propaganda.

During a week when Microsoft admits it sat on the worst flaw ever for 6 months, and MyDoom and friends are rampaging around it's shameful to see an article written with so much fear and so little substance. He even manages to say that OSS might be used by terrorists against the US (although he doesn't use the word).

An absolutely disgusting piece of "journalism".

John.

He lost all credibility in the first paragraph. (1)

Bikini Kill (678047) | more than 10 years ago | (#8261820)

From the article:
"Instead, the security breach will be placed into the open source software from inside, by someone working on the project."

That's just as likely to happen in a closed-source project as an open source project. It is, however, much more likely that this kind of activity will be discovered in an open-source product since anyone and everyone can look at the source to see it.

Not as much of a difference. (3, Insightful)

Godeke (32895) | more than 10 years ago | (#8261821)

While the article mentions that the exact attacks that you say could happen in open source software could also happen in closed commercial software, I find the "barriers to implementing them are much higher" concept to be absurd. Just as the article says the core Linux kernel is tightly monitored, so is the software from Microsoft. However, when it comes to smaller products, products that I have worked on, I would have to chuckle at the naive view that somehow closed source is "better protected". Most smaller companies that I have worked with are *far* more interested in getting a product to release than checking for backdoors. Testing is for failure modes, not for subtle pointer errors that open the code to obscure exploits.

In open source software, the maintainers vet patches by peer review before admitting them into the main product line. Likewise, closed source products are peer reviewed, but by a much smaller team, who probably have much more similar agendas than people flung across the globe. Either could be compromised. This exact same article could have been entitled "Software Is Fertile Ground for Foul Play". The concern that backdoors exist is the reason Asian countries have been suspicious of Microsoft's closed source software. To assuage those fears, Microsoft provided the source code for review. If this review is successful in showing that no backdoors exist (and I have no idea how they can tell that some unobtrusive code isn't deliberately flawed) then surely open source can be equally reviewed, if not suffer a more stringent review by opening the question to the open source community within the country in question.

The security that closed source promises by "protecting the source" is security through a promise by a potentially hostile vendor. The security open source promises is the vigilance of those who review the code. I don't see how one is better than the other, but I surely don't see how closed source is going to make a potential target feel better than if they could review the source.

Beware the Luddites! (4, Insightful)

joshamania (32599) | more than 10 years ago | (#8261822)

This is the type of argument you get from a lawyer, a technophobe or someone with a vested interest in being anti-open source. Arguments generally center around "security" "support" and "accountability".

One, Microsoft software, the most popular "closed source" software in the world, is rife with security holes. While the most popular (arguably) open-source software in the world, Apache, doesn't strike me as being terribly buggy *or* full of security holes. For instance, I don't have to update my apache software once a week.

Two, often for popular open-source products there is plenty of free and timely support. Advantage is also to the qualified technophile, who can support his or her own software, and not rely on the timetables of vendors.

Three, accountability. What has Microsoft *ever* been accountable for? Viruses? Bugs? Data loss?

Patchy vs Apache (1)

AtariAmarok (451306) | more than 10 years ago | (#8261870)

"One, Microsoft software, the most popular "closed source" software in the world, is rife with security holes. While the most popular (arguably) open-source software in the world, Apache, doesn't strike me as being terribly buggy"

It all comes down to a choice between Apache and patchy, doesn't it?

If by 'foul play' you mean... (-1)

Anonymous Coward | more than 10 years ago | (#8261824)

...Satanic worship, mass murder, and child sacrifice, then the short answer is yes.

Muhahahahahaha (0)

Anonymous Coward | more than 10 years ago | (#8261825)

I, for one, welcome our new open source overlords.

Who's to say what someone implements? (2, Funny)

lake2112 (748837) | more than 10 years ago | (#8261826)

The problem with Open Source is that there are no controls as to what someone may program. You know I've seen WarGames, I know what a back door is. Also a question of accountability. I hate to say it but for some things I am forced to trust Microsoft, not because of the quality of the work but for the accountability that they are held to. They have to make a semi-reliable and safe system or else they go out of business. This ensures the proper cycle of software development and testing.

Re:Who's to say what someone implements? (0)

Stumbles (602007) | more than 10 years ago | (#8261866)

Accountable? Microsoft? Well buddy you for sure have not read any of their EULA's.

Re:Who's to say what someone implements? (1)

phrostie (121428) | more than 10 years ago | (#8261891)

that's great to know that you've been able to hold MS and other closed vendors accountable.

btw, how much did you get from MS for the down time from this past years viri?

It's like Fred Moody all over again (5, Insightful)

Phaid (938) | more than 10 years ago | (#8261828)

Mod story down (-1, troll).

Can we please stop letting people use slashdot to increase the hit rate on their articles in order to make themselves seem relevant to their bosses?

Fred moody, the infamous anti-Linux ABC News columnist, was doing the exact same thing [linuxtoday.com] four years ago. In fact, he was writing on pretty much the same subject, that Open Source is insecure and untrustworthy by its very nature.

Those who do not study history are doomed to repost it.

figures... (1)

tomstdenis (446163) | more than 10 years ago | (#8261830)

lynx --head www.devx.com

produces

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 12 Feb 2004 21:07:24 GMT
Content-type: text/html
Page-Completion-Status: Normal
Page-Completion-Status: Normal
Page-Completion-Status: Normal

[Yes, that last bit repeated three times].

I can only wonder why they would write an article like this, oh, I know, they're full of shit MCSE "developers" getting pissed off at all the attention OSS has been getting lately.

Tom

Here's the article, site has been slashdotted (4, Informative)

W2k (540424) | more than 10 years ago | (#8261833)


Open Source Is Fertile Ground for Foul Play

The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.

by A. Russell Jones February 11, 2004

An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

How Can This Happen?
The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)

So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?

Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust.

Can Self-Policing Work?
The open source model does a good job finding and winnowing out malicious code submitted as part of a project when the people in charge of the true project source are both actively looking for potential security problems and also not actively attempting to subvert the model. For example, it's likely that someone will find and notice such obvious attempts at any of the large, well-run projects. Still, I'd be very surprised if some open source software doesn't already contain well-hidden malicious code. It's an onerous thought, but many programmers will tell you that the temptation to build in special debugging and monitoring capabilities or to write back door code is powerful. The temptation for businesses is, in my opinion, even more powerful. If businesses think that they can gain a competitive advantage by altering their software to provide reports on other, competing products within an organization, marketing pressures will eventually force them to do exactly that.

This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid. That means that many of the advantages that individuals have gained by using open source software, specifically, those of choice and the possibility of altering their software to better suit their own needs, won't and can't apply in a secure government situation. To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.

Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected. I think such a scenario is far less likely than finding a group of people willing and able to create and market a malware open source distribution.

Who's Watching the Watchers?
This problem isn't new. In fact, it's far older than any computer technology. The Latin phrase Quis custodiet ipsos custodes, which translates to "Who will guard the guards?", shows that people have been struggling with the same problem for centuries. You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves.

In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.

Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information.

What the hell is this guy talking about... (0)

Anonymous Coward | more than 10 years ago | (#8261840)

RedHat, SuSe, and others have gotten certifications from the top security certification givers (as previously covered on slashdot, can't remember the specifics ATM), and those distributions are progressing towards getting better and better.

Besides that, Open source in government doesn't necessarily mean using the latest homebrew word editor from the guy down the street. It means governments can make their own applications, or their consultants can do so, and that source will be available to the government so that if they don't want the current consultant and want another group to come in, they can easily have the source code of the existing project available for the new team.

Certain aspects of Open Source just make sense for governments. If taxpayers are paying for the development of systems, shouldn't the government (hence the taxpayers) own what's developed with their money? They shouldn't be under the yoke of some proprietary consultant firm or vendor.

Remember, open source doesn't always mean sharing the code with EVERYBODY.

I mod this article +1, Flamebait.

Vulnerable? (3, Funny)

Anonymous Coward | more than 10 years ago | (#8261843)

He argues that open source software, because of its very openness, will inevitably lead to security concerns.

Well, thankfully Windows is closed-source, or else there'd be security issues wi-- oh, hang on a sec.

At least they seem to practice what they preach (5, Funny)

morelife (213920) | more than 10 years ago | (#8261844)

devx.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 12 Feb 2004 21:06:06 GMT
X-Powered-By: ASP.NET

In other news, the devx.com website was found lying in its own blood and excrement after being linked from Slashdot.ORG today.

You can rate his article (2, Interesting)

xutopia (469129) | more than 10 years ago | (#8261852)

It currently has a score of 2/5. Once the /. effect is done we should all create an account and rate it as low as it can go.

Microsoft stooge? (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8261853)

How long before someone discovers this guy is BillG's bitch?

flight simulator in Excel (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8261857)

I seem to remember there was an easter egg flight sim program that got into Excel somehow.

If closed source is so safe, how could this have happened?

Further, if that happened, how do you know that other more dangerous items haven't also been included in the windows products??

Yada Yada Yada (0)

kinnell (607819) | more than 10 years ago | (#8261860)

Why has this even been posted? It's been accepted for a long time that security through obscurity doesn't work, and this is effectively what he's arguing for. -1 Clueless.

Really? (0)

Anonymous Coward | more than 10 years ago | (#8261862)

I wonder just how much Microsoft and SCO paid him to write that article! :)

Eloquence personified (2, Funny)

mccalli (323026) | more than 10 years ago | (#8261865)

" When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get"

Aah, the sweet sweet tones of language in the hands of a master. What subtlety, what charm, what wit. Prithee kind sir, wherefore is thy prose, thy grasp upon the fundamentals comprising the very art of speech itself?

English Grade: C-, should learn not to use informal language when making a formal argument.

Cheers,
Ian

Open Source and Proprietary have the same cost (2, Interesting)

haystor (102186) | more than 10 years ago | (#8261871)

You may pay nothing for Linux (for example).

But you also pay $0 to Microsoft to insure you against bad things happening to your computer/network.

The only thing you pay for with MS is basically that it will install an OS on your system. Read the EULA, they don't guarantee much else, and they certainly take no responsibility for things going wrong.

Before the flaming starts (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8261875)

Just remember before the flamewar starts,

* You are not allowed to agree with the article.

* You are not allowed to disagree with any of the opinions of OSDN.

* Any comment not approving of Linux or OSS will be considered harmful and modded down so as not to infect the minds of others.

* Anything the Slashdot Ministry of Truth sees as false will be modded down or deleted.

Thank you all, now please begin the flaming of the article, regardless of whether any truth exists in it.

You're too late (0)

Anonymous Coward | more than 10 years ago | (#8261910)

You're too late. You wasted your opportunity with your GNAA post. Because of the lost opportunity, your troll arrived long after "the flaming started". One troll at a time.

New choice for us.... (-1)

Anonymous Coward | more than 10 years ago | (#8261877)

I'm going to release a ClosedBSD release. No source, no gui, no prompt... but updating itself is simple.

I can poke some big holes in this argument... (3, Insightful)

tekiegreg (674773) | more than 10 years ago | (#8261883)

Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be.

*Deletes 40 zillionth mydoom attachment in his inbox*, and I suppose other operating systems are more secure...what exactly are you suggesting we do about the lack of security in today's OS's? Linux, Windows, Unix even have all identified security flaws in their time...

What can we trust in code? You mention it right there Mr. Author, we can trust the latest and greatest stable Linux kernels, but if you install a test kernel, or some hobbyist lil' app from the remote corners of the open source world on a production server, you get what you deserve. Incidentally the same goes for Windows, WinXP latest Service Pack is definitely more secure than any test versions of their OS's, or even the initial RTM builds of their operating systems. What gets deployed in a production environment...well duh....

The author says:

[Snip] Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

I suppose we trust Microsoft, SCO and IBM more? Puh-leez, if you need a totally secure OS, you're best off hiring your own programmers and starting from scratch, and hoping they're as secure as anyone else, oh wait can't trust them either...never mind just build an OS yourself then...

Ok I'm done ranting, everyone else's turn :-).

The Value of Transparency (1)

G4from128k (686170) | more than 10 years ago | (#8261884)

What the original article misses is the incredible value of transparency. That anyone can examine the code for potential exploits makes open source far more secure.

Until the public can obtain a copy of the source of Windows, voting system software, etc. under FOIA (Freedom of Information Act), I suggest that governments (and others) consider the hidden insecurity of proprietary software. For closed source, it is too easy and too tempting for companies to attempt to hide exploits, bugs, and backdoors.

Backdoor (0)

Anonymous Coward | more than 10 years ago | (#8261888)

I always put back doors in the commercial software I write... but never the open source... I don't want to get caught!

I know guys who laugh at this argument. (1)

crovira (10242) | more than 10 years ago | (#8261890)

Anybody who knows how to crack a DLL can peel away all functionality and NOT having the docs actually helps.

You see what the people really wrote instead of what they meant to write.

His argument is old and worthless.

Getting what you pay for (2, Interesting)

JaredOfEuropa (526365) | more than 10 years ago | (#8261895)

An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.

So far, I think the track records of currently existing operating systems speak for themselves: one particular popular commercial operating system (yes, that one) makes the news almost weekly with another gaping security hole, exploit, or worm doing the rounds. On the other hand, you don't hear a lot about security issues with (wonderfully free) Linux systems, despite their widespread use as servers.

A number of governmental institutions have chosen Linux not because it is free, but because of another distinct advantage: because it is open source, they know what they pay for.

"You get what you pay for" (1)

ArmenTanzarian (210418) | more than 10 years ago | (#8261897)

What a hilarious opinion. It brings up the point of who really pays for open source software... The concept behind it being that everyone pitches in and does their part. The cost of these projects is TIME. People are spending time for minimal or no pay and with major distros, many many many more people put in time than any software company can afford to put out. Here's another cliche for you, "Time is money".

As for security concerns, yeah, malicious parties can view the source. But so can interested parties that are probably smarter than the script kiddies who can discover a bug and hammer away on it.

This article should be modd'ed "Flamebait"

News??? (0)

Anonymous Coward | more than 10 years ago | (#8261900)

This problem isn't new. In fact, it's far older than any computer technology.....You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves.


In other news, there is no news.

--AC

IT Insiders (1)

jdhutchins (559010) | more than 10 years ago | (#8261902)

From the article: "IT Insiders could put their own malevolent code in the product and ship it." Well, that's not much of a concern right now. They just ship Windows, and they don't have to worry about placing security holes. They come by default!

Anyone can modify an open-source project. That means I can modify it for my own needs, and even release that code. He fails to understand that that concept does NOT mean that everyone in the world has write-access to the project's CVS server. Sounds like a MS "unbiased survey" article.

Already a Good Rebuttal (3, Informative)

doomicon (5310) | more than 10 years ago | (#8261906)

Joe Barr already has an article [newsforge.com] responding to this FUD. I personally feel these sorta FUD articles are outdated. With IBM, HP, and others already showing large profits from taking advantage of open source, you would think they would come up with something that isn't drudging up arguments from 1998.

The Shaft (0)

jiffah (685832) | more than 10 years ago | (#8261914)

You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.

Is he implying that there is room up there for another shaft?

you get what you pay for... (2, Informative)

caino59 (313096) | more than 10 years ago | (#8261915)

or with closed source, it really should be - you pay for what you get.

c'mon, this article has to be a joke.

closed source has all the problems of OS, and more, not vice-versa. you can at least review the code of a program before implementing it, and even if you don't know how to code, there's thousands of other users surveying the code as well for errors. the OS community wants OS to look good - sure there are some people in it that probably would/have coded a backdoor here and there, but that's few and far between - especially compared with the people writing exploits for commonly used closed source applications...

Best Troll Ever. (4, Interesting)

DaveJay (133437) | more than 10 years ago | (#8261919)

From the article, annotations added by me:

>Malevolent code can enter open source software at several levels.

1. >First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely.

Not likely indeed. Moving on.

2. >Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

Organizations using Open Source Distributions generally purchase a vendor-supplied copy as well as a support contract.

As an aside, do you suppose non-US countries that use Microsoft products are concerned that Microsoft may not have their country's best interests at heart?

3. >Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines."

This isn't limited to Open Source itself. The same possibilities (and probabilities) exist for any company that uses customized software AT ALL -- at some point, you have to trust those doing the customizing, or get a third party to audit. I mean, after all, I can wreak havoc throughout an organization just by clever use of login scripts on Windows XP machines, and if everyone in the IT department is in on it, nobody else would be the wiser.

Now that I think of it, even if you're not customizing the software, you're trusting the people who make it. Does Microsoft have your best interests at heart? Does SCO? Does RedHat? Does anyone? That's why it's nice to be ABLE to scour the code -- the smartest, safest groups will obtain source code from those who write it, and have it audited by another group, and then again perhaps by another. Unless they're all in league with one another. [Insert tinfoil hat here]

So. Who's paying this guy?

You really have two choices: (2, Informative)

Bendebecker (633126) | more than 10 years ago | (#8261920)

1. Use open source products which you can modify if need be. For example, you can have your tech support modify it to make it better fit your business needs (compared to trying to modify your business to fit around a Microsoft software solution), or if a bug is discovered you could either wait for the development team that originally made it to fix it or you could fix it yourself. Heck, you could even have your tech guys go through the code themselves looking for security holes to fix.

2. Use closed source. If a bug appears, you're at the mercy of Microsoft to fix it. That may mean months waiting while your system is vulnerable. No way to find the bugs, no way to fix them yourself. Your business could be relying on a time bomb and not even know it. And of course, with only the MS guys looking for holes, the chance they'll miss them is greater. More eyes scanning code usually means fewer bugs. And at any time Microsoft could decide to drop the product or force you to upgrade or pay overcharged rates for licenses, all at Ballmer's whims. Going with closed source is putting your business at the mercy of Microsoft (yes, I know closed source != just Microsoft, but what is easier: to type closed source or to simply type MS?)

WTF? (3, Informative)

jjp5421 (659783) | more than 10 years ago | (#8261932)

You get what you pay for? Examples: SCO UnixWare, Windows, MS-DNS, IIS, bea weblogix, etc.. Realization: I paid for crap!!! You get MORE THAN what you pay for! Examples: Linux, *BSDs, BIND, Apache, gcc, etc. Realization: Why did I pay for that crap??? The code from Diebold was closed, and how secure was it? Windows code is closed and I had to install a server just to keep the horde of daily patches up to date. I think that the key to secure code is not a debate of open v. closed, it is about having a programmer/company that cares about security and knows what they are doing. Hell, NetBSD is open and very secure (read: unusable). This guy is a moron.

His points are valid (5, Insightful)

maroberts (15852) | more than 10 years ago | (#8261937)

...but governments and organisations should be exercising a modicum of care over who they get their source and binaries from. That's what MD5 checksums and trusted sources are there for.

Open source development is not truly open to everybody; it is normally open to everyone who you allow to contribute code to your project. They've normally proved themselves by offering bug fixes and minor changes directly to you beforehand.

The barriers to inserting malicious code in closed source are lower, not higher. Many an engineer has inserted a backdoor in his code which he surreptitiously used to help customers who lose passwords or setup info. However, a backdoor is just another way for a cracker to break into the system. Also, bored engineers often leave Easter eggs in their closed source, something hard to do when several thousand people may review your code to see what makes it tick. In mainstream projects like the Linux kernel, the bar to being allowed to contribute code is quite high, and your initial attempts are likely to be looked on with scorn by other project members.

As for costing huge amounts of money, one wonders what cost MyDoom has been costing owners of that wonderful example of closed source software - Windows.
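The checksum check the post above points to, as an added example (not code from this thread or from any distribution it names): it assumes a manifest in the format written by `md5sum`/`sha256sum` that was obtained from a trusted source, and the downloaded files sitting in a local directory.

```python
"""Verify downloaded distribution files against a checksum manifest.

Added example, not from the Slashdot thread or any project it mentions.
Assumes the manifest ("<hexdigest>  <filename>" per line, as produced by
md5sum/sha256sum) came from a source you trust and the files are local.
"""
import hashlib
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGORITHMS = {32: "md5", 64: "sha256"}


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)} for every manifest line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum writes "  name" or " *name" (binary mode)
        algo = ALGORITHMS.get(len(digest))
        if algo is None or not name:
            raise ValueError("unrecognised manifest line: %r" % line)
        entries[name] = (algo, digest.lower())
    return entries


def file_digest(path, algo):
    """Stream the file through the chosen hash so large tarballs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each manifest entry."""
    results = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"#!/bin/sh\necho hello\n"
        altered = b"#!/bin/sh\necho hello; echo altered\n"
        with open(os.path.join(d, "good.sh"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "patched.sh"), "wb") as f:
            f.write(altered)  # contents differ from what the manifest vouches for
        manifest = "\n".join([
            hashlib.sha256(good).hexdigest() + "  good.sh",
            hashlib.md5(good).hexdigest() + "  patched.sh",
            "0" * 64 + "  absent.tar.gz",  # constructed placeholder digest
        ])
        return verify_directory(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-16s %s" % (name, status))
```

A match only proves the files agree with the manifest; the manifest itself has to arrive through a channel you trust, which is the poster's point about trusted sources.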

You Get What You Pay For. (0)

Anonymous Coward | more than 10 years ago | (#8261939)

Kinda like Kazaa huh?

Quis custodiet ipsos fosses? (3, Insightful)

rmassa (529444) | more than 10 years ago | (#8261945)

Quoth the author:
  • This problem isn't new. In fact, it's far older than any computer technology. The Latin phrase Quis custodiet ipsos custodes, which translates to "Who will guard the guards?" shows that people have been struggling with the same problem for centuries. You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves. In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.

Where exactly is the logic in this? In the open source world, at least there are "watchers", and you have the ability to "watch" yourself, or at least pay someone to review the code for you if you don't have the ability. This isn't the case with almost all commercial software. This reeks of FUD and is poorly written.