DevX: Debating Open Source As a Secure Methodology
Feb 14, 2004, 07:00 (3 Talkback[s])
(Other stories by A. Russell Jones, Ladd Angelius)
Open Source Is Fertile Ground for Foul Play
[ Thanks to Jason
Greenwood for this link. ]
"An old adage that governments would be well-served to heed is:
You get what you pay for. When you rely on free or low-cost
products, you often get the shaft, and that, in my opinion, is
exactly what governments are on track to get. Perhaps not today,
nor even tomorrow, and not because open source products are less
capable or less efficient than commercial products, but because
sooner or later, governments that rely on free open source software
will put their country's and their citizens' data in harm's way.
Eventually—and inevitably—an open source product will
be found to contain a security breach—not one discovered by
hackers, security personnel, or a CS student or professor. Instead,
the security breach will be placed into the open source software
from inside, by someone working on the project.
"This will happen because the open source model, which lets
anyone modify source code and sell or distribute the results,
virtually guarantees that someone, somewhere, will insert malicious
code into the source. Malevolent code can enter open source
software at several levels. First, and least worrisome, is that the
core project code could be compromised by inclusion of source
contributed as a fix or extension. As the core Linux code is
carefully scrutinized, that's not terribly likely. Much more likely
is that distributions will be created and advertised for free, or
created with the express purpose of marketing them to governments
at cut-rate pricing. As anyone can create and market a
distribution, it's not far-fetched to imagine a version subsidized
and supported by organizations that may not have U.S. or other
government interests at heart..."
Who's Guarding the Guards? We Are
"The editorial published on February 11, 'Open Source Is Fertile
Ground for Foul Play,' suggests three areas where security might be
a concern for governments when considering open source software.
However, all three arguments are flawed 'straw men' when subjected
to rational analysis. Indeed, some of the author's own arguments
demonstrate the strengths of open source when weighed against any
closed source alternative.
"First, the author, DevX Executive Editor A. Russell Jones,
suggests that security breaches could be inserted into open source
software by an insider, perhaps hidden in code submitted as a fix
or an extension. While there is a remote possibility of this
occurring (this is conceded as 'not terribly likely' even by the
author), there is a far greater possibility of this occurring when
patching closed source software..."