dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


DevX: Debating Open Source As a Secure Methodology

Feb 14, 2004, 07:00 (3 Talkback[s])
(Other stories by A. Russell Jones, Ladd Angelius)

Open Source Is Fertile Ground for Foul Play

[ Thanks to Jason Greenwood for this link. ]

"An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually—and inevitably—an open source product will be found to contain a security breach—not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

"This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart..."

Complete Story

Who's Guarding the Guards? We Are

"The editorial published on February 11, 'Open Source Is Fertile Ground for Foul Play,' suggests three areas where security might be a concern for governments when considering open source software. However, all three arguments are flawed 'straw men' when subjected to rational analysis. Indeed, some of the author's own arguments demonstrate the strengths of open source when weighed against any closed source alternative.

"First, the author, DevX Executive Editor A. Russell Jones, suggests that security breaches could be inserted into open source software by an insider, perhaps hidden in code submitted as a fix or an extension. While there is a remote possibility of this occurring (this is conceded as 'not terribly likely' even by the author), there is a far greater possibility of this occurring when patching closed source software..."

Complete Story

Related Stories: