Applications Management Engineer Sr (NYC) Next Step Systems US-NY-New York Post A Job | Post A Resume

Open Source Is Fertile Ground for Foul Play

"An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually—and inevitably—an open source product will be found to contain a security breach—not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

"This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart..."

Complete Story

Who's Guarding the Guards? We Are

"The editorial published on February 11, 'Open Source Is Fertile Ground for Foul Play,' suggests three areas where security might be a concern for governments when considering open source software. However, all three arguments are flawed 'straw men' when subjected to rational analysis. Indeed, some of the author's own arguments demonstrate the strengths of open source when weighed against any closed source alternative.

"First, the author, DevX Executive Editor A. Russell Jones, suggests that security breaches could be inserted into open source software by an insider, perhaps hidden in code submitted as a fix or an extension. While there is a remote possibility of this occurring (this is conceded as 'not terribly likely' even by the author), there is a far greater possibility of this occurring when patching closed source software..."

Complete Story

Related Stories:
SecurityFocus: Standardizing on Security(Jan 16, 2004)
TheStreet.com: Linux Reality Doesn't Match Hype(Dec 04, 2003)
CyberNautix: Why People Write Open Source Software(Apr 29, 2003)

Index Mode   |   Flat Mode   |   Thread Mode   |   Thread Flat     Talkback(s) Name  and Date   How Seucre is it ???    GH Feb 14, 2004, 16:43:40     open or closed    rjsaarikko Feb 15, 2004, 17:11:51     Give me a break    phil Feb 16, 2004, 14:28:28     Home | Search Talkbacks | Customize View    Top of Page   Enter your comments below: * Your Name: * Your Email Address: * Subject: CC: [will also send this talkback to an E-Mail address] * Comments: Tags allowed:<I>,<B> and <U>. See our talkback-policy for more about talkback content. Fields marked with * are required!