
Open Source a National Security Threat

CmdrTaco posted about 10 years ago | from the so-are-coke-cans-and-plastic-knives dept.

Security

n3xup writes "Dan O'Dowd, CEO of Green Hills Software, suggests that open source software has the capability of being sabotaged by foreign developers and should not be used for U.S. military or security purposes. He likened Linux with a Trojan Horse- free, but in the end a lot of trouble. O'Dowd thinks that unfriendly countries will attempt to hide intentional bugs that the Open Source community will have no chance of finding."


921 comments


Understand the Source Perspective (5, Insightful)

stecoop (759508) | about 10 years ago | (#9811405)

Understand the source perspective before you draw opinions. Green Hills is under threat from Linux due to embedded software being integrated in more Government systems. GreenHills is (was?) a large player in government-based embedded operating systems. I imagine you will see a similar stance by WindRiver, maker of the popular real-time embedded OS VxWorks.

The threat comes from the length of time on some large government projects. Some systems have been around longer than you and me. In the proprietary world, your whole project is dependent on a set of companies staying in business for 30+ years. Now with Linux, you're no longer dependent on that string; you can leverage off the community providing updates or if necessary you as the developer can make the changes. Most people fail to say this with Linux; everyone just says hey it's free and cheap. But if you really want to sell Linux, try saying that your entire project doesn't fall on another proprietary solution, we will have the source code in hand - people will listen.

It's easy to retort GreenHills FUD by saying all changes will be baselined and a change control board will review any updates (easy enough huh).

Re:Understand the Source Perspective (4, Insightful)

proj_2501 (78149) | about 10 years ago | (#9811431)

do we even need another comment on this story?

Re:Understand the Source Perspective (5, Funny)

drinkypoo (153816) | about 10 years ago | (#9811567)

No, but that's never stopped slashdot before :)

Re:Understand the Source Perspective (0, Redundant)

bhima (46039) | about 10 years ago | (#9811438)

Yep, he's in the same boat as SUN and SCO

Re:Understand the Source Perspective (4, Insightful)

danheskett (178529) | about 10 years ago | (#9811556)

> It's easy to retort GreenHills FUD by saying all changes will be baselined and a change control board will review any updates (easy enough huh).

Actually, not easy enough.

Can you honestly tell me that the government is going to hire a panel of people to check, in depth, the source changes checked in on OSS projects? People who are familiar enough that they can catch an exploit that may only take 3-4 lines of code to perform?

Let's say I knew that DoD used a certain package in gunnery firmware. Let's say a math library that would be used to make calculations to calibrate the weapon. How hard would it be to build in a small tiny bit of error that would only be useful in cases of calibration of high-tech weapons? If 3000 lines of dense mathematically rich C were checked in and a dozen lines acted in concert to create a miscalculation, how much expertise would be needed to catch that?

I think that having experts able to review each line of code checked in and put into production defeats the whole idea of using Open Source: at that point, you might as well just hire the experts to write the code in the first place and eliminate the vector all together.

Re:Understand the Source Perspective (2, Interesting)

torpor (458) | about 10 years ago | (#9811608)


I'm a developer, working for a relatively successful hardware company in a non-U.S. land, and I have every intention of hiding all sorts of stuff in any Open Source code I may (or may not, that's freedom) contribute to! :P

Whether what I hide will be nefarious is one thing, whether or not Easter Eggs can still exist on Open Source Island is another thing entirely ...

Elmer FUDD strikes again! (1)

Roadkills-R-Us (122219) | about 10 years ago | (#9811618)

That was my first reaction upon reading the opening sentence on /. - reading the article didn't change it one bit.

Correction to the OP's assertion that this is what the GH CEO thinks. We have no idea what he really thinks about this; we only know what he says. And what he says seems as likely to be about protecting GH's interest as protecting the national interest.

I'm not accusing him of being treacherous or anything. I don't doubt that he thinks GH software is good, and therefore good for the nation, you, me, our families, pets, neighbors, fire ants, and everyone else.

And he could really think what you think he thinks, but there's no way to know from this article. It just tells us what he says.

Well, here's the obvious (imho) response. (1, Interesting)

RLiegh (247921) | about 10 years ago | (#9811406)

While he has some great points, I think it's unlikely that al Qaeda is likely to be able to plant a debilitating bug - much less a backdoor or other serious security malware (mal-feature?) - into anything that we have the NSA look over.

So that puts it down to Osama Bin Laden doing his best to fuck up linux, and only succeeding in placing a few periods where commas should be in the documentation. Yeah, that's worth his time and trouble. Ya sure Ya betcha.

Re:Well, here's the obvious (imho) response. (3, Interesting)

Jim_Hawkins (649847) | about 10 years ago | (#9811524)

Hate to break it to you, but there are a lot of other places that would *love* to have US information than good ol' Osama. These other governments have money. They have the resources to hire someone to insert this code into any open source project.

As for the NSA inspecting this code -- that's all well and good. But how often do hundreds of individuals look over Open Source code and miss a bug for a while? "A while" is all it takes for a foreign government to download A LOT of information that they shouldn't have.

Contrary to popular belief, a lot of places do not like America. It's not the big lovable teddy bear that it likes to think it is. It's a great country, but it should do everything it has to do to protect itself.

Re:Well, here's the obvious (imho) response. (1)

orzetto (545509) | about 10 years ago | (#9811531)

I do have this feeling that Osama might more easily become a script kiddie and trash the world's Windows systems with the computer equivalent of the Ebola virus. Most viruses until now have focused on spreading themselves or collecting information for spammers - but at some time, someone will use one for destruction of data.

Just imagine the results: ok, the military might be savvy enough to avoid microsoft, but what about all the businesses that use Windows in their offices?

Re:Well, here's the obvious (imho) response. (1, Interesting)

Anonymous Coward | about 10 years ago | (#9811538)

and the flipside.

It's just as easy for an unscrupilous person to get a job at XYZ software company and put that "feature" in too.

It's already happened (not terrorism, but that's why I said unscrupilous (and spelled it wrong too, I'm sure)).

Not to mention the NSA at least has the option of a source audit. I doubt they could ever attempt to audit WinXP, even if they had access to the source.

Not to mention, guns and bombs are what terrorists use, not software. They want carnage, not financial problems; people tend to forget that. Terrorism is about casualties, not just causing major problems.

The rest of the world chooses Linux for the same reasons. (4, Insightful)

beh (4759) | about 10 years ago | (#9811412)

Shouldn't this article immediately point back to other articles on how governments OUTSIDE the US are choosing open source for exactly the same reason (who knows what M$ + NSA put in the closed Windows source that might hurt other nations)?

[World Govs Choose Linux For Security & More]
http://slashdot.org/articles/01/12/11/0132213.shtml

Re:the rest world chooses linux for the same reaso (1)

Black Parrot (19622) | about 10 years ago | (#9811468)


> Shouldn't this article immediately point back to other articles on how governments OUTSIDE the US are choosing open source for exactly the same reason (who knows what M$ + NSA put in the closed Windows source that might hurt other nations)?


Also, are they assuming that they should just trust whatever's in a closed source package?

What makes FOSS harder to check than ECSS?

Re:the rest world chooses linux for the same reaso (4, Interesting)

bit01 (644603) | about 10 years ago | (#9811576)

> (who knows what M$ + NSA put in the closed Windows source that might hurt other nations)?

Cryptographic code [heise.de] for a start.

---

It's wrong that an intellectual property creator should not be rewarded for their work.
It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
Reform IP law and stop the M$/RIAA abuse.

First Post? (1)

newend (796893) | about 10 years ago | (#9811414)

How could you keep the bug from ever being found? I'm sure someone would eventually see it.

Re:First Post? (0)

Anonymous Coward | about 10 years ago | (#9811607)

Yeah, you try looking through a couple of million lines of piss-poorly documented code!!

It's highly possible to hide an entire program in every other line and simply have a function or two put it back together and dump it into a bin on the targeted machine and/or execute it in memory...

TCP (2, Funny)

danormsby (529805) | about 10 years ago | (#9811415)

Better replace that open source nasty TCP ASAP then.

repost (0)

Anonymous Coward | about 10 years ago | (#9811418)

We've seen this topic here before.

remember this guy? (5, Informative)

jabella (91754) | about 10 years ago | (#9811419)

Remember this guy? He also wrote "Linux Security: Unfit for Retrofit" ( http://www.ghs.com/linux/unfit.html [ghs.com] )

This was covered by LWN back in May: http://lwn.net/Articles/83242/ [lwn.net]

IIRC, GHS does development on embedded XP stuff? I don't remember the details...

Totally! Let's OUTSOURCE instead! (4, Funny)

mekkab (133181) | about 10 years ago | (#9811424)

Yeah, can't trust those commie FOSS developers. Instead, let's invest in "America"; let's give money to companies who develop software overseas anyway!*

*We wanted to buy software from only American developers, but we couldn't afford it.

Re:Totally! Let's OUTSOURCE instead! (1)

Spock the Vulcan (196989) | about 10 years ago | (#9811486)

Yeah, and while we are at it, make sure that we don't use closed source software from companies that hire developers who are citizens of foreign countries, because they might be planting bugs in the software too. I'm sure Green Hills software has top security clearance for each one of its developers, right?

lol (1)

nFriedly (628261) | about 10 years ago | (#9811425)

" bugs that the Open Source community will have no chance of finding"
LOL yea, right

Have the former members of the ADTI ... (1)

burgburgburg (574866) | about 10 years ago | (#9811427)

already found new places to spread their FUD, now that everybody just starts laughing when they open their mouths?

FP (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#9811428)

FP! Booya!

No news here... (1)

bobthemuse (574400) | about 10 years ago | (#9811429)

> suggests that open source software has the capability of being sabotaged by foreign developers and should not be used for U.S. military or security purposes

This is just a variation of the same old anti-OSS argument, being tied in to the anti-terrorism paranoia by some schmuck looking for his 5 minutes of fame.

Nothing to see here, move along....

FUD. (4, Insightful)

garcia (6573) | about 10 years ago | (#9811435)

> Some embedded Linux providers even outsource their development to China and Russia.

GASP! Some XYZ providers even outsource their development to ABC and DEF (insert your favorite company and terrorist sponsoring country where necessary).

It would be incredibly naive to believe that other countries and terrorist organizations would not exploit an easy opportunity to sabotage our military or critical infrastructure systems when we have been doing the same to them for more than 20 years!

I think it has been proven that closed-source development doesn't help to change the possibilities that a "mole" has been planted or that a "hole" will be discovered.

> One of the greatest misconceptions about Linux is that the free availability of its source code ensures that the "many eyes" with access to it will surely find any attempt at sabotage. Yet, despite the "many eyes," new security vulnerabilities are found in Linux every week in addition to dozens of other bugs. Many of these flaws have eluded detection for years. It is ridiculous to claim that the open source process can eradicate all of the cleverly hidden intentional bugs when it can't find thousands of unintentional bugs left lying around in the source code.

And it is ridiculous to claim that a closed development environment will make it any different.

> In addition, under the internationally recognized Common Criteria for IT Security Evaluation (ISO 15408), Windows has been certified to Evaluation Assurance Level 4 (EAL 4), a higher level of security than the EAL 2 that Linux has achieved.

According to this [com.com] article, obtaining EAL2 certification typically costs between $400,000 and $500,000. Looks like it is more money than security. In their infancy, why would Linux vendors decide to shell out large sums of money when the government wasn't interested in using Linux anyway?

This whole article is FUD. He's annoyed because Linux is making leaps and bounds and will possibly affect his market-share in the lucrative Defense and Aerospace industries. At least he came out and said it on his own legs and not by paying off a third party to "investigate" the "problems" with Linux and post their results to the world.

Re:FUD. (1, Informative)

Anonymous Coward | about 10 years ago | (#9811525)

... and actually, both SuSE and Red Hat have products headed towards EAL4 certification.

Re:FUD. (0)

Anonymous Coward | about 10 years ago | (#9811555)

Yup. IBM claims in the same article he linked to about the certifications that it hopes to have SuSE certified by the end of 2004.

Re:FUD. (5, Informative)

nemaispuke (624303) | about 10 years ago | (#9811612)

Dan O'Dowd's mention of Linux "only" receiving CC EAL 2 is somewhat incorrect. RedHat Enterprise Linux Advanced Server got CC EAL2; SuSE Enterprise Linux was evaluated at EAL 3+. This is roughly the equivalent of TCSEC C2, and can be deployed in a classified environment. I guess he needs to check http://niap.nist.gov/cc-scheme/vpl/vpl_assur_lvl.html more regularly and actually read it!

Pure FUD, indeed (3, Interesting)

krygny (473134) | about 10 years ago | (#9811614)

Well, he said it all, so it must be true; even though he backs it up with nothing. This is so wrong on so many levels I don't even know where to begin. His assertions are hardly worth addressing. Therefore, pure FUD.

Ok, I'll bite just once: I doubt there is a single weapon system procured by the DoD in the last 10 years that does not have a substantial portion of it outsourced overseas. Most procurements now require some % of it, by contract.

History Shows... (0)

Anonymous Coward | about 10 years ago | (#9811439)

History shows that closed-source applications are not immune to tampering by third parties. For example, viruses exist for all major closed-source operating systems.

Compared to MS (1)

Himring (646324) | about 10 years ago | (#9811440)

> O'Dowd thinks that unfriendly countries will attempt to hide intentional bugs that the Open Source community will have no chance of finding.

At least the bugs will have thought and purpose behind them. Unlike Windows, where the bugs are the result of a complete lack of competency....

Of course, I disagree with the supposition in any case....

The whole idea of open source (2, Interesting)

abrotman (323016) | about 10 years ago | (#9811445)

Isn't that the whole idea of open source? The guys working for our government can see the source code. Either this guy is clueless or working for someone with a vested interest.

On the flipside, what is to prevent our government from doing the same thing? If the "enemy" can insert malicious code, why can't our government?

vs. Proprietary (0)

Anonymous Coward | about 10 years ago | (#9811447)

So a closed source, proprietary OS, probably written overseas, is better how?

Or is everyone working for Redmond a US Citizen with a security clearance?

Haha, a Trojan horse (1, Informative)

Anonymous Coward | about 10 years ago | (#9811448)

Maybe a Trojan horse with windows (not windoze) all over it, so you could see inside and see what (if anything) is waiting for you.

Remember you have the source and all bugs are shallow with enough eyes, this applies to evil code as well.

M$ windoze is the real trojan horse. The one you cannot see inside and not only that, is being forced upon you.

I agree (1)

YAJoe (740850) | about 10 years ago | (#9811451)

About Green Hills Software, they develop "various avionics systems for commercial and military aircraft."

I would believe in the security threat too if my company was competing against open source software for military contracts. Follow the money. Does he also believe that hardware will be free too? Give me a break. Open source is proven and reliable. See Linux, Apache, Sendmail, et al.

sure.... (0)

Anonymous Coward | about 10 years ago | (#9811452)

Yeah - Because we should let our own homegrown idiots hide bugs in the software. I guess they never heard of Tim McVeigh over there in the green hills.

Governments should not use OS without a proper... (3, Insightful)

WiKKeSH (543962) | about 10 years ago | (#9811457)

Governments should not use OS without a proper security audit. Once you can verify the nature of the code, there should be no obstruction to using it.

Re:Governments should not use OS without a proper. (1)

tomhudson (43916) | about 10 years ago | (#9811577)

> Governments should not use OS without a proper security audit. Once you can verify the nature of the code, there should be no obstruction to using it.

... yeah, sure, right, whatever. The same standard should then be applied to closed-source software. Oops, sorry, can't do that - it's that darned constipated closed-source disadvantage. Guess according to your standards, only open-source is acceptable from a security standpoint. Darn :-)

Open Source is more like a Trojan Horse... (2, Insightful)

Anonymous Coward | about 10 years ago | (#9811461)

...with really big glass windows. All you need do is open your eyes to see what's inside.

Re:Open Source is more like a Trojan Horse... (1)

pchasco (651819) | about 10 years ago | (#9811593)

If it were that easy, then backdoors wouldn't exist anywhere and we wouldn't be having this discussion.

I wish my mod points hadn't expired! (1)

sindarin2001 (583716) | about 10 years ago | (#9811601)

I wish my mod points hadn't expired!

Um, and what about the source China has seen? (5, Insightful)

InThane (2300) | about 10 years ago | (#9811463)

IIRC, China has seen the source code to Microsoft Windows, whereas the U.S. government hasn't.

I think that's a pretty large security threat right there...

have a little dose of propa.... (0)

Anonymous Coward | about 10 years ago | (#9811464)

...ganda

Yes we should all have know this (1)

sucker_muts (776572) | about 10 years ago | (#9811465)

Another man who speaks the awful truth...

It's time we all put our superior software and ideologically correct ways of doing things to rest.

(We don't want them to find out we have been joking all along, do we?)

Terrorists in Microsoft (3, Insightful)

shobadobs (264600) | about 10 years ago | (#9811467)

What if a terrorist gets a job at a software company? Where's the hope of catching the bugs then? It seems to me that closed-source software is more susceptible than open-source.

Re:Terrorists in Microsoft (0)

Anonymous Coward | about 10 years ago | (#9811611)

>What if a terrorist gets a job at a software company?

I think our programmers are already doing fine on their own, thanks.

Bill G.

Military Industrial Complex (0)

Anonymous Coward | about 10 years ago | (#9811470)

Eisenhower warned us about these chumps.

Open Source will sabotage Green Hills Software (1)

hoggoth (414195) | about 10 years ago | (#9811473)

I think it is much more likely that open source software will sabotage Green Hills Software.

How about M$? (0)

Anonymous Coward | about 10 years ago | (#9811479)

Didn't people find jabs taken at Netscape by IE devs? If they could have hidden their jabs, how easy would it be to hide a simple buffer overflow vulnerability? Very easy. Of course, no one but the malicious programmer would know! Not to mention how safe it is to outsource your development to India. Is an underpaid dev in (insert random outsource target country here) safer in a closed source system than an open source dev whose work can be and will be seen?

NSA (2, Interesting)

codepunk (167897) | about 10 years ago | (#9811480)

One word: NSA.... If it was so bad the NSA would not have their own version.

Right (1)

subrosas (752277) | about 10 years ago | (#9811485)

Of course, tricky agents of foreign governments would never slip purposeful bugs into closed source software, only open source, since no one foreign works on closed source, erm. Uh, never mind.

Yeah, we do that (0)

Anonymous Coward | about 10 years ago | (#9811490)

All your desktop microphones, webcams and email programs are belong to us if you use Linux. Use Windows for your military. (I'm having a hard time keeping a straight face, so I'll stop right here.)

Smart thinking! (1)

JoeWalsh (32530) | about 10 years ago | (#9811493)

And "unfriendly countries" would never be able to get one of their agents hired at a commercial company?

If they did, how would we (the buyers) know whether our closed source software was trojaned?

There are risks either way. At least with open source there's a much greater chance that such shenanigans will be caught.

Outsourcing & H1B (1)

RickHunter (103108) | about 10 years ago | (#9811494)

Of course, Proprietary Software is, again, under the same risks. Especially given the massive trend towards outsourcing (which has few quality controls and little oversight) and replacing skilled employees with H1Bs. In fact, with proprietary software, it's even worse - you don't have a community of eyes that can look over the code and possibly find the trojans. They'll never get found.

Not shocking. (1)

hot_Karls_bad_cavern (759797) | about 10 years ago | (#9811502)

It's not terribly shocking that a CEO of a software company might say this. What I'm worried about is when Microsoft is against the wall and pumps billions of dollars into congressional lobbying to get Open Source labeled a "terrorist tool". Think they won't? Put an animal against the wall and in danger and you will see ferocity never imagined from that animal. See also: Survival Instinct. Write your congress persons now. Do not wait. Be polite. Get your facts straight. Do not rant and rave. Write and write again. Call. Now is the time.

Hmm Microsoft VS geeks? (2, Insightful)

Turn-X Alphonse (789240) | about 10 years ago | (#9811503)

Now then.. last time I checked, a lot of the new bugs found in Windows were revealed by geeks... the type of geeks who make open source in many cases.

I think I'd rather put my trust in someone doing it for the pure love (hate) of (bad) software than someone doing it for money and no love at all.

Don't Trust Linus! (3, Funny)

Noksagt (69097) | about 10 years ago | (#9811504)

The U.S. government and military will be brought to their knees by...Finland?!

He's Right (1)

emtboy9 (99534) | about 10 years ago | (#9811505)

> O'Dowd thinks that unfriendly countries will attempt to hide intentional bugs that the Open Source community will have no chance of finding

He's right. The Open Source community will not find these "terrorist bugs"... ...for all of about 15 minutes... but by then someone will have released a patch.

The only way I could see this happening would be through apps... but if ANY military groups were to use random apps without checking them out first, then they probably get what they deserve.

The main things to worry about would be the kernel, driver modules, x.org, and the rest of the things that make up the "Core" functionality of Linux. And those have such stringent (usually) controls over what goes into the actual released product that the possibility of that sort of rampant code corruption is negligible...

Then again, this was never about facts or truth...
he did it all for the nookie... tha nookie...

Come out of the cave! (4, Insightful)

polyp2000 (444682) | about 10 years ago | (#9811508)

> Dan O'Dowd, CEO of Green Hills Software, suggests that open source software has the capability of being sabotaged by foreign developers and should not be used for U.S. military or security purposes.

Urmm, so what operating system do you use then, Dan O'Dowd? And which newspapers and websites do you read?

You're obviously using a closed source operating system that is free of viruses, worms, holes and other security problems. What might this mystery closed source operating system be that you are using that doesn't pose a threat to the nation's security?

Duh!! (1)

sameerdesai (654894) | about 10 years ago | (#9811509)

Is he trying to tell us that terrorists are better programmers than the rest of the world?!?!? Is the non-open-source software any better if we are also getting thousands of exploits on that? I think he should seriously reconsider his analysis (if he did any).

The potential is certainly there. (0)

Sheetrock (152993) | about 10 years ago | (#9811511)

Remember the surreptitious 'patch' to the mainstream Linux kernel that was luckily discovered by BitKeeper? Or the change to the C compiler that would compile a backdoor into binaries that was completely undetectable in the source (get clean source, compiler detects it's compiling another compiler, inserts backdoor)?

While people argue against security by obscurity, the limited access to closed software makes it much easier to vet the contributions of the developers. It's practically impossible to take something that wasn't explicitly designed for security and make it secure. Windows got a rewrite -- perhaps it's time for Linux to get one too?

He has one point that is valid (1)

LWATCDR (28044) | about 10 years ago | (#9811512)

"Until Linux is certified to DO-178B Level A." Notice the "Until". There is no reason that Linux could not be certified DO-178B Level A. If Linux is going to be used in "life critical" situations it should be certified just the same as any other OS. Frankly, Windows NT should have been held to that standard. If it had, the Yorktown would not have been dead in the water because of an error in a SQL server. Yes, the SQL server should also be tested to that level as well if people's lives depend on it.

The other question is, with a closed source program how can you be sure that it does not have a backdoor in it? At least with Open Source you can check the code. I would hope that the people in the NSA and DOD do check the source for their build of Linux.

In other news... (1)

hardgeus (6813) | about 10 years ago | (#9811526)

The CEO of ACME Coal Power thinks that nuclear power plants could be sabotaged by terrorists and pose a national security threat.

And proprietary software is safe from this how? (1)

ignoramus (544216) | about 10 years ago | (#9811528)

As if those same evil people couldn't just as easily have someone working within a closed-source software vendor... Only difference is how long it would take to uncover the hidden bug.

Open Source his toupe (1)

gatkinso (15975) | about 10 years ago | (#9811529)

It would have to be an improvement.

A REAL National Security Threat! (1)

Cro Magnon (467622) | about 10 years ago | (#9811532)

Imagine a large company making critical software for 95% of boxes. Imagine a major attack on that company's HQ! Imagine the chaos when there's nobody to issue patches for the next big virus/worm/trojan to attack said system!!

First class hypocrite (1)

hotspotbloc (767418) | about 10 years ago | (#9811534)

From the article:

> It is ridiculous to claim that the open source process can eradicate all of the cleverly hidden intentional bugs when it can't find thousands of unintentional bugs left lying around in the source code.

Yet OSS is good enough to run his web site on [netcraft.com] ?

That's funny, secure apps have that issue now! (0)

Anonymous Coward | about 10 years ago | (#9811535)

I have worked with one of the large government labs in the US that does development on weapons systems. One of the things that they have to do before they deploy a software system is go through the object code byte-by-byte to make sure their compiler did not insert any trojans into the compiled system.

Tell me again how having the source for the compiler and OS you're using would make that job harder?

Groklaw destroyed this FUD...long ago (4, Informative)

FunWithHeadlines (644929) | about 10 years ago | (#9811537)

Huh? Where's slashdot been? Groklaw [groklaw.net] answered [groklaw.net] this FUD [groklaw.net] months ago, repeatedly and definitively.

Truly nothing to see here, folks. Just empty FUD that has been discredited.

Foreign Developers (0)

Anonymous Coward | about 10 years ago | (#9811541)

Open Source is no more vulnerable to foreign developers sabotaging the code than closed-source software. After all, closed-source companies offshore to other countries, and hire foreign-born developers here.

Are all of Green Hills Software's developers born in the U.S.? Were their parents born in the U.S., too?

Gotta be careful about divided loyalties...

This reminds me of an old saying (4, Funny)

C_Kode (102755) | about 10 years ago | (#9811543)

This should be from the "If-you-can't-with dazzle-them-brilliance-baffle-them-with-bullshit" department.

> O'Dowd thinks that unfriendly countries will attempt to hide intentional bugs that the Open Source community will have no chance of finding.

If the source is open how can there be no chance in finding bugs or whatever else they wish to put in the source?

This is clearly FUD to protect their market from the steam-roller known as FOSS. Security through obscurity is already proven faulty.

Re:This reminds me of an old saying (1)

C_Kode (102755) | about 10 years ago | (#9811580)

Doh, that's what I get for not previewing my post. :(

Summary (1)

MosesJones (55544) | about 10 years ago | (#9811545)


I create RTOS OSes and tools. Linux is moving into the RTOS market. That sucks. Most of my key clients are government, which also has the best margin. If Linux was insecure then I'd be okay, therefore I need a reason it is insecure.

Oh I know, because anyone can edit the code, then anyone can put in a patch that could be compromised. Just look at the MyDoom virus today; that is a classic example of how closed source is much better from a security perspective.

Personally I'm not sure Linux would be a good RTOS at the very real time edge, there are some pretty specialised threading and timing elements down there. But he couldn't say that because no-one would bother listening.

This is an old story, and FUD anyway (5, Interesting)

Bruce Perens (3872) | about 10 years ago | (#9811546)

Green Hills is a failing company that is seeing its market go to Open Source. In contrast, Wind River, which is in the same market with the same customers, embraces Linux.

The fact is that Green Hills products are no more secure, and may well be less secure, because they don't have the "many eyes" looking at their source code. We've had trojan horse attempts in Open Source software. They get caught quickly. But even if the source is disclosed, nobody outside of their tiny company has an incentive to do productive work on the internals of a Green Hills operating system in the way that people who modify GNU/Linux do. And security audits by such a small company can't catch everything.

The best example of this has been the Borland Interbase database. This was used for airline reservations, and had a trojan horse buried in it for 6 to 9 years while it was a proprietary product. The door could have been found by anyone who did an ASCII dump of the product, but those who did kept it secret, and probably took a lot of free flights. An Open Source coder found the door some months after the database went Open Source, and had an incentive to report it - at that point he was one of the people doing productive work on the database and only wanted it to work better and more securely.

This "black hats" (people who are motivated for bad purposes) vs. "white hats" (good purpose) phenomenon is important to consider when you evaluate the security of Open Source. Generally the only people who would look for vulnerabilities in proprietary software, outside of its manufacturer, are looking to exploit them! This is hardly the case with Open Source.

Thanks

Bruce

Sounds like a vendor lost a bid and is playing FUD (1)

kabocox (199019) | about 10 years ago | (#9811547)

I took a brief look at their website. It looks like the company specializes in embedded systems. Mainly military systems. I have to think that this wouldn't be an objective article.

I understand that the military needs to be protectionist with its weapons. I'd think that OSS would make them feel more secure. I don't want the US military to be using Red Flag Linux on all its servers. (I'd hope that they'd be a little brighter than that.) It's the main reason that other countries don't want US MS to be in their military's computers.

Closed source safer? (3, Informative)

bigbigbison (104532) | about 10 years ago | (#9811548)

I seem to remember a few years ago (possibly after 9/11, but I'm not sure) there was an incident where an employee of a company that has a government contract to write software that manages government infrastructure was suspected of terrorist links and so they had to spend tons of time searching through the code to make sure the suspect had not programmed a back-door into the system. (I might be misremembering the details here, but that was the gist of it.) It seems that closed source is a lot easier to hide things away in than open source.

Wait a minute (1)

Exmet Paff Daxx (535601) | about 10 years ago | (#9811554)

The Department of Homeland Security told me not to use closed source Internet Explorer [internetnews.com], or else I'd be leaving my computer open to terrorists. Now Green Hills is telling me that by using open source Mozilla, I'm leaving my computer open to terrorists!!!!

WHAT CAN I DO!

It seems like everywhere I go people are using the politics of the moment as a crutch.

FUD FUD FUD (1)

TheCarp (96830) | about 10 years ago | (#9811557)

Standard FUD.

CEO of a software company eh? Well he must be on the up and up then! No way he could possibly be badmouthing linux because he has a vested interest in seeing more windows boxen eh?

There's really nothing new here. First he talks about the "number of Linux vulnerabilities", of course no distinguishing between core "linux" and the plethora of other applications out there. Maybe we need to look at the ratio of security issue exposed software, daemon applications and the like, to the number of vulnerabilities? Let's face it, for every network service, everybody and his brother has written a server for linux that speaks it. Guess what, yah that's a lot, probably even a lot more than windows by far.

Then he goes on to what sound to me like obviously embedded systems. Aircraft controls etc. So we are going to count security bugs in ftp servers against a system that's never going to be connected to a network, much less run an ftp server in the first place?

I agree with him of course, Linux should not be used in applications that require certain certifications until it has those certifications. Wow, big revelation there. Earth shattering even.

All in all this is a stupid article written by someone who is either a) stupid enough to not realise that his arguments are pointless or b) someone trying to attack linux for his own financial interest or maybe c) both of the above.

That's a good poll. What is it, a, b, or c?

-Steve

Still better (0)

Anonymous Coward | about 10 years ago | (#9811559)

Having the "capability of being sabotaged" is still better than already being sabotaged (like MS-products, obviously, are).

Titus

Many Eyeballs (1)

GoPlayGo (541427) | about 10 years ago | (#9811560)

Dan O'Dowd doesn't have a clue. He is ignorant (willfully or otherwise) of the Open Source truism that "many eyeballs make all bugs shallow" (Eric Raymond).

Contrast this with proprietary closed source. In that environment, it is easier for a terrorist mole to introduce a trojan horse that won't get much inspection on its way onto millions of systems.

Another M$ sponsored FUD ? (0)

Anonymous Coward | about 10 years ago | (#9811562)

The number of companies and "research" groups against Open Source seems to have spiked suddenly. Perhaps these companies are facing the threat of extinction already?

intentional vs unintentional bugs (1)

hashmap (613482) | about 10 years ago | (#9811572)

it says:

It is ridiculous to claim that the open source process can eradicate all of the cleverly hidden intentional bugs when it can't find thousands of unintentional bugs left lying around in the source code.

Heh, I would argue that the reason that bugs are hard to find is because they are unintentional.

Historical and empirical evidence suggest that hiding intentional bugs a.k.a. backdoors in closed source software is far more dangerous and easier to get away with...

i.

How did he find out??? (1)

elucubra (685819) | about 10 years ago | (#9811573)

I thought we had covered our tracks completely while making windows dangerous for data...

Windows is really a much bigger threat (0)

Anonymous Coward | about 10 years ago | (#9811574)

With M$ allowing foreign countries access to the windows source code through their policies, I see windows as a much bigger threat. China, India and the former USSR have all signed up under their developers program. Coupled with the increased use of outsourcing in the aforementioned countries you'll see windows programs that are more likely to contain back doors and such so that if we ever get into a conflict with India or China, one command and all these windows programs will come crashing down. Kind of like the USN ship that was using NT 4.0 for their engine control software. One divide by zero error and the ship had to be towed back in to port (true story). Just look at how fast vulnerabilities in the open source community are addressed compared to how long it takes M$ to correct theirs. Just a thought!

this article is complete crap! (1)

benny_lama (516646) | about 10 years ago | (#9811575)

I think that the DoD should treat open source the same way as it treats ALL software, regardless of the where it comes from.....untrusted until it is reviewed and the risks are identified and mitigated. Why the analysis process would be any different for a proprietary app vs. an open source app makes absolutely no sense to me.

I'd also like to see these so-called "DO-178B Level A" certified operating systems. I wonder what kinds of software has been written to run on them? Is there a GUI toolkit, basic tools, etc? Or maybe Mr. O'Dowd would prefer that the government pay his company to provide that?

Ok..let's stop Linux from.. (1)

cOdEgUru (181536) | about 10 years ago | (#9811579)

becoming the tool for foreign born terrorist geeks to bring our defense down, because we all know how dangerous young pasty white geeks with glasses..

But let's give Accenture billions of dollars to build [cnn.com] a major federal IT contract to secure the nation's boundaries when they happily turn around and outsource the project to pasty white (or brown for us poor Indians) geeks with glasses and pocket the rest of the profit.

Because we all know, Bermuda based Accenture is obviously an honest corporation with its best interests that are aligned with the rest of the nation.

Louder Please! (1)

gmac63 (12603) | about 10 years ago | (#9811584)

O'Dowd, could you yell that a little louder? I can't hear you over all the _rest_ of the FUD.

Thanks!

Open source? How about GHS? (1)

mustafap (452510) | about 10 years ago | (#9811588)

Who needs to sabotage code when we have GHS tools to do it for us?

I spend more time re-writing their code than writing my own.

hmm. (0)

Anonymous Coward | about 10 years ago | (#9811590)

I am glad the government throws so much trust into Microsoft... *cough*

This is a test (1)

John Harrison (223649) | about 10 years ago | (#9811595)

testing!

Notice GHS.com OS/web server (1)

theinfobox (188897) | about 10 years ago | (#9811599)

Makes it sort of ironic when ghs.com runs

NetBSD/OpenBSD Apache/1.3.29 (Unix) PHP/4.3.3 7-Nov-2003 63.102.70.69

according to Netcraft.

Design News (1)

Singletoned (619322) | about 10 years ago | (#9811606)

The website is apparently Design News yet the background is one of the worst pieces of design I've seen. A very thinly striped background that strobes horribly when you scroll.

Yuck!

Missing the point (1)

MarsDefenseMinister (738128) | about 10 years ago | (#9811609)

The author compares Linux to the Trojan horse. But the story of the Trojan horse isn't meant to point out the risks of accepting gifts. It's meant to point out the risk of accepting a gift, and failing to inspect it properly. It's ironic that the Chinese are adopting Linux because of the threat of a trojan horse in Linux. They seem to have learned the lesson of the horse, because they have picked an OS that can be inspected properly. Windows can't be inspected in the same way. Yes, I know about "shared source" but I haven't read where MS C++ .NET is a part of that. You have to be able to examine the entire tool chain, or you haven't looked inside the horse.

What about outsourced closed-source? (2, Informative)

G4from128k (686170) | about 10 years ago | (#9811610)

If this is a security issue, then the government should definitely not buy closed source from any software company that uses any offshore (non-U.S.) programmers. Who knows what those offshore programmers are inserting into the closed code. Of course, that rules out just about every large closed source maker in the world as I'm sure most have some non-U.S. development groups.

you are stupid (1)

unics (741003) | about 10 years ago | (#9811613)

um, okay. let's see....Microsoft's operating system is probably developed in India. So, the problem is?

Yes, it's preferable to have your site DoS'd!! (1)

Lord Bilbo (765419) | about 10 years ago | (#9811619)

Absolutely, we all know that the programmers and testers of MS products go through and bug-proof their code much better than Open-Source can ever hope.

{Lord Bilbo is choking on his tongue just for "saying" such a thing.} :)

Turn About... (1)

fatgeekuk (730791) | about 10 years ago | (#9811626)

Forgetting the obvious bias that the authors of this article have.

Let's turn the logic of this argument around for a while.

Why should any non-US government trust M$ o/s or tools for this very same reason? And indeed, because the source is closed, how would we know?

If open source software is not safe for US companies, then closed source software is not safe for ANYONE but MS to use.

There have been significant conspiracy theories in the past about how lightly M$ got off after being found culpable by the DOJ. Could there be some deal to undermine other countries by embedding spyware into the Operating System?

Sounds like the plot for "Pelican Brief II" (I want my part to be played by Jack Black!)

Oh no..... (1)

shri (17709) | about 10 years ago | (#9811627)

The same could be said of immigration, outsourcing, overseas internet connections etc etc...

Can we get someone to send a fresh piece of FUDge sent over to the hills?

FUD, methinks (0)

Anonymous Coward | about 10 years ago | (#9811628)

The article rightly points out, Windows isn't going to be any better than Linux in this regard - one could argue that it might be a lot easier to buy a Microsoft developer to insert a trojan into Windows unnoticed than to get one into an open source system.

However, the problem with the article is that it just assumes that embedded Linux systems are being deployed in the military without appropriate checks on the companies supplying the code, and without any adequate testing or source review; this just sounds like uninformed FUD to me.