Network Magazine: Open Source Software: Is it Really Secure?
Sep 05, 2002, 22:00
(Other stories by Rik Farrow)
"People often ask me if they should trust Open Source Software
(OSS). This question predates the emergence of Linux and the
various Berkeley Software Distribution (BSD) OSs, as popular
security software for Unix systems, such as COPS
(www.fish.com/cops/) and Tripwire (www.tripwire.com), began showing
up in the early 1990s. Organizations accustomed to paying big bucks
for any software they planned to use were understandably cautious
about free software that didn't come from well-known vendors.
"And recent events have added a scary twist to OSS. Several
sites, one with a program designed for stress-testing Intrusion
Detection Systems (IDSs), had backdoors added to installation
scripts, so that anyone who installed the software risked having
his or her system compromised. The perpetrators had disguised the
backdoors, so they appeared to be part of a normal configuration
"OSS has proved to be as secure as, if not more secure than,
proprietary software from big software vendors. You can take steps
to assure that the software you've downloaded hasn't been tampered
with, simply by verifying the digital signature that many
distributors include at their download sites..."
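
The signature check mentioned in the excerpt, as an added example that is not part of the original article: it accepts a download only when GnuPG reports a valid signature made by a key whose fingerprint was pinned in advance, because a signature fetched from the same tampered site proves nothing on its own. The fingerprint value and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed signature check to run before any install script.
# PINNED_FPR is a constructed placeholder; replace it with the fingerprint
# obtained out-of-band from the distributor (not from the download site).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned primary-key fingerprint and no failure status appears.
status_matches_pin() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint when present;
            # field 3 is the fingerprint of the key that signed.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
        }
        END { if (ok && !bad) exit 0; else exit 1 }'
}

# usage: verify_release FILE DETACHED_SIG [FINGERPRINT]
# Returns 0 only when FILE carries a good signature from the pinned key.
verify_release() {
    file=$1
    sig=$2
    fpr=${3:-$PINNED_FPR}
    if [ ! -r "$file" ] || [ ! -r "$sig" ]; then
        return 2
    fi
    # The pipeline's status is that of status_matches_pin, so a missing
    # gpg binary or an unknown key (no VALIDSIG line) also fails closed.
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        status_matches_pin "$fpr"
}
```

Call `verify_release tool.tar.gz tool.tar.gz.asc` and unpack or run the installer only when it returns 0.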