Secure Coding mailing list archives

Re: Open source fertile ground for foul play?


From: "Jean-Francois Poirier" <jeff () horslimites org>
Date: Fri, 13 Feb 2004 21:15:38 +0000

  As a proponent and firm believer in Open Source as a long-term development
  model, I would even pose the following point:

  even though such subversion of the source code tree is possible (and
  *has* happened, most notably with the Linux kernel v2.4, if I recall)
  the incentive for full disclosure and transparency is much less in
  a closed source environment; Microsoft, for one, would definitely be
  reluctant to come out in the open and recall Windows 2000 or XP, publicly
  declaring that their source repository was corrupted.

  Referring back to the aforementioned break-in in the Linux community, when
  the backdoor was found through code audit and removed, it was instantly
  disclosed and as much information as possible was circulated on it, to
  ensure that everyone concerned got a chance to update and remove the
  vulnerability.

  So I would counter that although the openness of the codebase makes
  it *somewhat* more vulnerable to attack (I would believe that Mr. Russell
  has never tried submitting patches to open source software such as the
  Kernel), closed source would be even *more* dangerous from this point
  of view, as other incentives (business rules, reputation and so on) would
  make the vulnerability go by unknown to most up until the flaw was
  exploited.  And even then, it might take months for a vendor to respond
  to a disclosure (as is frequently seen from reports on bugtraq).

  Therefore, I contend that the situation exposed by Mr. Russell exists
  in both environments, but that the potential risk to end customers is
  magnified in closed source environments due to business and human
  factors, and the "better protected" claim is definitely open to debate.


Date: Thu, 12 Feb 2004 16:58:26 -0500
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Subject: [SC-L] Open source fertile ground for foul play?

There is an interesting article over on DevX.com (see the full article at
http://www.devx.com/opensource/Article/20111).  In the article, DevX
Executive Editor, A. Russell Jones says that, "Eventually--and inevitably--an
open source product will be found to contain a security breach--not one
discovered by hackers, security personnel, or a CS student or professor.
Instead, the security breach will be placed into the open source software
from inside, by someone working on the project."  He says that this is true
because open source "lets anyone modify source code and sell or distribute
the results".

Now, I sure don't doubt that it's possible to deliberately insert a
vulnerability into a software product, but I fail to agree with Mr. Jones
that open source is more vulnerable to this _because_ it is open.  IMHO, if a
particular open source product is vulnerable to an insider attack, it is
because of the processes in place for protecting the code from attack.  I
would think that a closed source product could also be susceptible to that if
the code tree is not adequately protected.  Further, I don't see any reason
why an open source project couldn't follow good sound practices in protecting
its src tree from attack.  Admittedly, Jones does say that a closed src product
could also be subverted like this, but that it is less likely, "because the source
is better protected".

In any case, that's just my opinion on the matter, fwiw.  (Oh, and I should
probably also point out that I'm referring to processes in my comments,
not to any particular products.)

Cheers,

Ken
- --
KRvW Associates, LLC
http://www.KRvW.com


::: ----------- jean-francois "jeff" poirier
icq 4172055             [EMAIL PROTECTED]
      http://www.horslimites.org/whitenoise/

propellerhead / project lead :: horslimites
                  http://www.horslimites.org
--------------------------------------------
  "there ain't a problem that I can't fix...
   cause I can do it in the mix"
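Both posters come back to the same point: what protects a code tree against an inserted backdoor is the process around the tree, not whether the source is open. One such control, recording a manifest of file hashes at release time and signing it with a key held off the repository host, is shown below. This is an added example, not code from either poster, from the Linux kernel, or from any project mentioned in the thread. The HMAC key stands in for a detached release signature (assumption: a real process would use an offline signing key, for instance GPG); the sample tree, the "attacker" edits and the `verify_tree` / `demo` helpers are all constructed for illustration.

```python
"""Detect tampering with a source tree by checking it against a signed manifest.

Added example for the SC-L thread above; not code from any project discussed
there. The HMAC key is a stand-in for an offline release-signing key.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(
            path.read_bytes()).hexdigest()
    return digests


def sign_manifest(manifest, key):
    """HMAC-SHA256 over a canonical JSON serialisation of the manifest.

    Canonical (sorted keys, no whitespace) so the same tree always yields the
    same bytes and therefore the same tag.
    """
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_tree(root, manifest, tag, key):
    """Check the manifest is authentic, then the tree against it.

    Returns (ok, report). The signature is checked first, so an attacker who
    can rewrite the manifest but does not hold the key gets no further.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, {"error": "manifest signature mismatch"}
    actual = hash_tree(root)
    report = {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "removed": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }
    return not any(report.values()), report


def demo():
    """Constructed scenario: record a release, then an insider edits one file
    and drops in a new one. Returns (ok, report, forged_manifest_ok)."""
    key = b"release-signing-key-kept-off-the-repo-host"  # assumption: offline key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "auth.c").write_text(
            "int login(const char *pw) { return check_password(pw); }\n")
        (root / "README").write_text("constructed sample tree\n")
        manifest = hash_tree(root)
        tag = sign_manifest(manifest, key)
        assert verify_tree(root, manifest, tag, key)[0]  # clean tree passes

        # Tampering: a small, plausible-looking edit plus one dropped-in file.
        (root / "src" / "auth.c").write_text(
            "int login(const char *pw) { if (!strcmp(pw, \"letmein\")) return 1;"
            " return check_password(pw); }\n")
        (root / "src" / "helper.c").write_text("/* dropped in */\n")
        ok, report = verify_tree(root, manifest, tag, key)

        # The attacker regenerates the manifest but cannot sign it with the real key.
        forged = hash_tree(root)
        forged_ok, _ = verify_tree(root, forged, sign_manifest(forged, b"wrong-key"), key)
        return ok, report, forged_ok


if __name__ == "__main__":
    print(demo())
```

The check belongs at the points where a tree is handed from one party to another (mirror sync, tarball release, build), since a change that is caught there is disclosed on the same terms whether the project is open or closed; the hash comparison only pays off if the manifest's key is not reachable from the host the attacker compromised.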