Secure Coding mailing list archives
Re: Open source fertile ground for foul play?
From: "Jean-Francois Poirier" <jeff () horslimites org>
Date: Fri, 13 Feb 2004 21:15:38 +0000
As a proponent and firm believer in Open Source as a long-term development model, I would even pose the following point: even though such subversion of the source code tree is possible (and *has* happened, most notably with the Linux kernel v2.4, if I recall), the incentive for full disclosure and transparency is much less in a closed source environment; Microsoft, for one, would definitely be reluctant to come out in the open and recall Windows 2000 or XP, publicly declaring that their source repository was corrupted.

Referring back to the aforementioned break-in in the Linux community, when the backdoor was found through code audit and removed, it was instantly disclosed and as much information as possible was circulated on it, to ensure that everyone concerned got a chance to update and remove the vulnerability.

So I would counter that although the openness of the codebase makes it *somewhat* more vulnerable to attack (I would believe that Mr. Russell has never tried submitting patches to open source software such as the kernel), closed source would be even *more* dangerous from this point of view, as other incentives (business rules, reputation and so on) would make the vulnerability go unknown to most up until the flaw was exploited. And even then, it might take months for a vendor to respond to a disclosure (as is frequently seen from reports on Bugtraq).

Therefore, I contend that the situation exposed by Mr. Russell exists in both environments, but that the potential risk to end customers is magnified in closed source environments due to business and human factors, and the "better protected" claim is definitely open to debate.
Date: Thu, 12 Feb 2004 16:58:26 -0500
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Subject: [SC-L] Open source fertile ground for foul play?

There is an interesting article over on DevX.com (see the full article at http://www.devx.com/opensource/Article/20111). In the article, DevX Executive Editor, A. Russell Jones says that, "Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project." He says that this is true because open source "lets anyone modify source code and sell or distribute the results".

Now, I sure don't doubt that it's possible to deliberately insert a vulnerability into a software product, but I fail to agree with Mr. Jones that open source is more vulnerable to this _because_ it is open. IMHO, if a particular open source product is vulnerable to an insider attack, it is because of the processes in place for protecting the code from attack. I would think that a closed source product could also be susceptible to that if the code tree is not adequately protected. Further, I don't see any reason why an open source project couldn't follow good sound practices in protecting its src tree from attack. Admittedly, Jones does say that a closed src product could also be subverted like this, but that it is less likely, "because the source is better protected".

In any case, that's just my opinion on the matter, fwiw. (Oh, and I should probably also point out that I'm referring to processes in my comments, not to any particular products.)

Cheers,

Ken
--
KRvW Associates, LLC
http://www.KRvW.com
--
jean-francois "jeff" poirier
icq 4172055
[EMAIL PROTECTED]
http://www.horslimites.org/whitenoise/
propellerhead / project lead :: horslimites
http://www.horslimites.org
"there ain't a problem that I can't fix... cause I can do it in the mix"