Is open source software more secure? To most Linux enthusiasts, the answer is obvious: open source means more people can look for bugs and a faster dissemination of bug fixes. Obviously, yes. But noted security expert Gene Spafford says that this may not necessarily be true. According to the Purdue professor of computer science and co-author of Practical Unix & Internet Security, good security begins with good design and neither Windows nor Linux have much to brag about in that category.
It is nothing new.
We have known about this for decades.
Look at the Snyder et al. paper where capability systems are being introduced.
Open source systems in general (there are some minor exceptions, such as a simple inet server, for which FreeBSD is an acceptable solution) are good only when you need lots of boxes but do not want to pay per-seat license fees. That would include putting NetBSD in the latest microwave oven or dryer and building a Linux- or, better, OpenBSD-based $29 home router.
Other than that, it’s only for MS hating geeks. Or at least that’s the way it was until Sun started charging money for x86 solaris.
Why is free software free? Nobody sane enough to have money would pay for it.
The fact that many enterprise customers started buying Linux does not in any way contradict that. People who are in charge of purchasing usually know very little about technology.
I just skimmed the article. It seemed like a major theme for him was degrees & training. He is indirectly making the point that anyone without a computer science degree does not understand computing and is a big security risk. That the software they write is very likely to have major security problems such as ‘buffer overflows’. (I’m not discounting that ‘buffer overflows’ are a serious security risk, but just the idea that formal training and college degrees are the end all be all.)
I suppose it is to be expected from a CS professor tho.
/RANT
I don’t think Spaf was concerned with degrees per se. I believe that he was trying to get the point across that if a whole bunch of untrained (could be self training, or on the job training, etc…) people build a software solution, they may or may not have security in mind. In addition, the group may not have *consistent* security awareness in that scenario, which could lead to a misdesigned and misimplemented software tool, at least from the standpoint of secure software.
Spaf is widely considered one of the foremost academicians in the study of computer security, and I think that his suggestions are quite well thought out. The basic point he is trying to make, from my perspective anyway, is this, just because we can do something doesn’t mean we should.
The basic point he is trying to make, from my perspective anyway, is this, just because we can do something doesn’t mean we should.
Or, more to the point: just because everyone can look at the code doesn’t mean that anyone that is looking at the code knows what to look for.
I’ll agree with the professor in that something like a standard Redhat install is not altogether secure. But unlike Windows systems you can install a very minimal set of software on Linux, which can make for a very secure system if you choose wisely. Also there are quite a few Linux distributions out there which are built from the ground up with security in mind. So to say Linux is no more secure than Windows, I don’t buy it.
…Why shouldn’t one program if one knows how to and has the tools for it?
Would you starve, because you have a fishing cane, know how to fish and have worms, but aren’t a “professional fisherman”?
I don’t think so…
Other than that, it’s just FUD that doesn’t solve anything… as is usual from the academic types…
When you need a solution… you design one… if it’s insecure, it may happen that you hadn’t need for security at the moment… or had other needs more important than security…
Just look at the prime example of Microsoft…
First: a comment about security,
ALL DAC based systems are lacking in security (NT/win2000/Unix/Linux whatever)
an exception might be OpenBSD.
DAC = Discretionary Access Control
a link about it here:
http://www.nsa.gov/selinux/doc/ottawa01/node1.html
but i think the big difference is Linux openness and flexibility gives admins the ability to secure it and or
add a MAC (LSM patch) and really be secured
MAC = Mandatory Access Control
***see above link:
free software;
just because software is free does not mean it is bad…
look at non free software, how many security holes and usability patches are needed?
for example the latest DAT file from McAfee if loaded onto a 4.0.X Engine will hose a machine,
and i PAID for this?
there are plenty of really good opensource /free software out there just like some really bad stuff, just like paid software.
you must evaluate each on its own….
Nex6
Why don’t you actually name a distro that is built with security in mind, instead of referring to some fictitious non-entity? And quite frankly no, Linux is not more secure than Windows. It just gets patched faster and has less people looking for holes to exploit. You’re using the same justification that would dictate that AtheOS is a thousand times more secure than Linux because there haven’t been any security flaws in it.
The article was an interesting read and I pretty much agree with it. There really is no difference between having 100 people who really know what they are doing reviewing code internally and having millions of people with access to the code if only 0.1% of them know what they are doing. In my opinion the only OS that does this right is OpenBSD and you can see that in how religious they are at having code reviewed by a competent panel of programmers.
> instead of referring to some fictitious non-entity?
what does this mean???
Nex6
>>…Why shouldn’t one program if one knows how to and has the tools for it?
Would you starve, because you have a fishing cane, know how to fish and have worms, but aren’t a “professional fisherman”?
I don’t think so…
Other than that, it’s just FUD that doesn’t solve anything… as is usual from the academic types…<<
So basically your argument is that it’s OK to be insecure if you’re not a large company or feel like you have more important things to do? So then why castigate MS for doing exactly what you just said? Unless you want to be hypocritical and say it’s OK for Linux to be insecure but MS shouldn’t be able to.
As for FUD, try reading the article. He gave a definite solution. Have people who know what they are doing review your code. That eliminates your need to be perfect – although the better you are the less work your reviewers have to put in.
Fictitious non-entity would be using an argument in which you say that something obviously exists but you don’t give any evidence to support that it really does exist, like pointing out an actual example. So in essence it’s making up something that sounds good and hoping that no one will call you on it.
For instance: “I know there are Linux distributions out there that are built from the ground up with security in mind.”
That’s referring to a fictitious non-entity, I didn’t actually present you with something real – non-entity. And gave no proof that my statement was valid.
Distributions will filter.
As the quantity of open source software continues to balloon, you are going to see distributions such as SuSE forced to filter a lot of software.
I believe anyway that because the code is subject to their review they will select the better (in this case more secure) solutions and go with those.
We are also already seeing an increase in the no. of different setups offered by the major players, like RH, SuSE, Mandrake. To me anyway they will tailor their offerings based on the needs of segments of users.
The real advantage GNU/Linux has in this regard is that different vendors can go down different paths and the winner will quickly become evident. Successful aspects of each distro are quickly made the standard and GNU/Linux continues to evolve hopefully in a more and more secure environment.
In this world (OSS) anyway, regardless of your degree, your contribution is open to inspection and if not good can be discarded. It just means that, like Eugenia has pointed out time and time again, the distros like SuSE, RH etc. need to be responsible for the code they include. Business will hold them accountable.
whose post were you referring to????
i was pretty clear? and posted about dac/mac i even posted a
link to more info and named the LSM patch?
*lsm (Linux security module) patch is a linux patch for mac and ACL a link here
http://lsm.immunix.org/
First, some fictitious non-entities
http://www.guardiandigital.com/products/software/professional/featu…
http://www.trustix.net/
http://www.nsa.gov/selinux/
http://www.distrowatch.com/firewalls.php?1
My opinion? Unix is not secure by design, but anything is more secure than Windows. And I won’t say that free software is inherently {more,less} secure than proprietary software until someone makes a serious, scientific study supporting the claim.
— Leonardo Boiko
Of course, I could be wrong.
Andrew, I think you nailed it. What I might add is:
When it comes to security, you will never be able to make secure drivers, patches, etc for all the different types of hardware out there. So, I am forecasting that we will see the likes of IBM and RedHat specifically tailor the software for their hardware and leave non IBM hardware unsupported in the security portion (i.e. Sort of like saying “you can run this version of Red hat on your own non-IBM hardware, but we make no statements as to how secure it is”)
Does that sound like an eventuality to any of you out there?
The title of the post said it was to Anonymous and the quote at the top came from his post. It’s the post before Luis’ post. No, I wasn’t referring to you. Your post was really informative.
Vince
Thanks for the links that was helpful.
However, I wouldn’t quite say that the NSA version is out there to be a secure solution from the ground up. Especially since this is on their homepage:
“Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux.”
Well, Leonardo beat me to the punch…but here’s a few more fictitious Linux distros for you Vince:
ClarkConnect
EnGarde
HP Secure
Immunix
IP Cop
Securepoint
I could keep going…but I think you get the point. Next time it might pay to know what you’re talking about before you open your mouth.
The idea here is to change Linux’s security model from that of DAC to MAC, and policy controlled access.
This way if a request for information comes into the server the policy is checked before it executes, if the policy says something other than execute, then it drops the request;
the advantage being, even exploits and such would fall in the policies before execution and would be stopped cold.
so a fully secured and MAC-ized system is far more secure than any normal system.
the only thing being that selinux/lsm patch is hard to set up because it is totally different than what you’re used to and requires some learning.
Nex6
I looked at the other links:
The astero link is for an all-in-one linux firewall. It’s not a linux distro.
The other links are linux server distros:
Trustix
En Garde
However, they only list that they support things like SSL, SSH, VPN, etc. The point of the article was to design security into the OS and none of these say that they actually audit the code for security flaws. Instead, they merely say they support whatever security protocol happens to be trendy this week. The point is a secure OS is not one that doesn’t bother to make good code and then surround itself with firewalls, secure sockets etc. because the OS is still just as insecure.
And yes, while the NSA’s addition of MAC to linux is a nice feature – like I posted before, they made no attempt to correct any current design flaws in linux – they just added another security feature. That’s about the same effect as adding SSL to linux; it’s nice but in no way means the OS is built from the ground up to be secure.
the LSM and selinux patch is “supposed” to be included in the 2.5.X tree and built into the kernel itself.
it would be cool if this was built in instead of a “patch”
Nex6
When you said “build from ground up”, I thought you meant “packaged the Linux kernel with utilities” (that’s what a distro does) “taking care with security from the beginning”. If you were talking about “redesign the OS”, then of course we don’t have one – if we did, it would not be Linux, because you redesigned it! (-: That’s why OpenBSD is not NetBSD, for example.
I understand the point of the article – as I said before, in my opinion, Unix was not made to be secure. I believe also that Windows has even more design flaws than Unix.
When you said “build from ground up”, I thought you meant “packaged the Linux kernel with utilities” (that’s what a distro does) “taking care with security from the beginning”.
Actually, if you take ‘built from the ground up’ as it’s normally interpreted, no Linux distro will ever be built that way unless they build a new kernel. That’s not to say that the Linux kernel doesn’t have good security, it’s simply that the kernel was not built from the ground up that way, and therefore no distribution built upon it was, either.
Regardless, the best desktop-class security you can get comes from choosing carefully and knowing the OS and tools you use. A Windows admin can’t be expected to even choose a secure Linux distro, let alone make sure it’s secure once it’s up, and a Linux admin won’t always know how to make an NT-based OS secure. Either one could screw up an OpenBSD install if they didn’t do some reading first.
If you’re looking for top-level security, you’re going to end up going to a closed-source vendor that’s gotten their system rated, and you’re not going to end up with a hell of a lot of freedom as to what you can do on that system. The only way that’s going to change is if an open source system is certified.
Most of us here know that Linux is not graded to B-Level security, nor is Windows. ACLs alone are not enough.
But then there are commercial products on the market that can make Unix/Linux and Windows really secure – I used to lock out ‘root’ a couple times with wrong configuration.
It’s a very simple idea – hook ‘open’ system call to make an additional lookup in the database for explicit user permissions. Then your system is as secure as rules in your database. Linux/*BSD people will make something like this open-sourced one day. Currently, the best solutions are not even using standard databases (Oracle, DB2 whatever), they use proprietary engines. “Security by obscurity” is still powerful enough.
I had impression that professor was complaining more about end-users stupid enough to make harm to themselves , doesn’t matter Linux users or Windows users. Well, if you tighten up security on desktop, end-user productivity will suffer. Imagine somebody would tell you – “you can only have 3 windows open on your desktop at the same time”. The same goes with security.
Linux in my view is more secure than Windows – you don’t have viruses. And only really damn users use XWindows being ‘root’ – these people deserve if their systems grok.
Breaking/hacking into computer systems is making 80% of the fuss in the press but in reality it’s only 20% of real computer security threats. The data loss due to bad software/hardware/human mistakes is the primary concern in business security. And here Linux is somewhere on par with Windows+Good_Antivirus combo. Add a decent backup solution to any of them and you have a winner.
There certainly is a lot to dislike about VMS but IMHO, VMS is far more secure than any Un*x and certainly Windows.
I don’t remember which one (read it on the Net one day), but at a hacking contest recently, VMS was the only operating system running which didn’t get rooted. This was out of all the Unixes, Windows, etc.
And if one gets security in the fact that few people are using it, this is another plus in VMS’s favor.
>Most of us here know that Linux is not graded to B-Level security, nor is Windows. ACLs alone are not enough.
>But then there are commercial products on the market that can make Unix/Linux and Windows really secure – I used to lock out ‘root’ a couple times with wrong configuration
I really liked this remark of yours, since grading operating systems and software has been discussed within the computer security social networks, and it has been noted that you can’t grade it due to the fact that it evolves every day, new attacks come and go Every DAY.
a reference just for the hell of it : http://www.counterpane.com/crypto-gram.html
>I had impression that professor was complaining more about end-users stupid enough to make harm to themselves, doesn’t matter Linux users or Windows users. Well, if you tighten up security on desktop, end-user productivity will suffer. Imagine somebody would tell you – “you can only have 3 windows open on your desktop at the same time”. The same goes with security.
and how many end-users know, and then I mean *REALLY* know how to configure a unice based system?
i can tell you that more than half of the joe_users don’t… i mean even more than that can’t even use the ‘man’ command.
But you have a valid point as to what the professor is up to!
>Breaking/hacking into computer systems is making 80% of the fuss in the press but in reality it’s only 20% of real computer security threats. The data loss due to bad software/hardware/human mistakes is the primary concern in business security. And here Linux is somewhere on par with Windows+Good_Antivirus combo. Add a decent backup solution to any of them and you have a winner
well i wouldn’t want to have windows in that mix.
otherwise i agree with you, I would probably be out of a job if windows didn’t crash the occasional Database servers harddrive and i had to recover it.
>There certainly is a lot to dislike about VMS but IMHO, VMS is far more secure than any Un*x and certainly Windows.
>I don’t remember which one (read it on the Net one day), but at a hacking contest recently, VMS was the only operating system running which didn’t get rooted. This was out of all the Unixes, Windows, etc.
I know i loved that comparison, we actually have a ancient vaxen running from time to time to play with
>And if one gets security in the fact that few people are using it, this is another plus in VMS’s favor.
isnt openvms getting places ?
VINCE:
>The astero link is for an all-in-one linux firewall. Its not a linux distr
please get your linux lingo straight…
linux distros are called linux distros due to the way they are distributed and repackaged, and it’s called gnu/linux due to the fact that the gnu tools from http://www.gnu.org are included in it.
linux is just the kernel mate.
Cheers!
Robert
open source, closed source doesn’t matter…what matters is who is working on the project.
Most open source software is crap – but there are some gems. If open source people were honest they wouldn’t act as if apache is a typical example of open source software. They would point people to sourceforge (or a typical os distro) and tell them to randomly select 10 or 20 apps and try to use them.
It is really gay to say that open source somehow is better when you haven’t a clue as to WHO is really working on the particular projects. Open source isn’t magic.
Do people really think that all those open source scripts available around the net are really secure??? Sure the most popular projects might be but that’s not open source in general.
It would be like saying Americans are the smartest people in the world because we have the most Nobel prize winners…but when you actually talk to us you start to wonder. The few gems don’t represent the majority.
The only non-security related distribution that actually cares about security before releasing a stable distribution is Debian. But even as a Linux fan myself, I do have to agree to a certain extent that many parts of Linux weren’t designed with security in mind. I think the best open source operating system in this case (thinking about security while making design plans) is that drastic man Theo’s OpenBSD….
It’s rather clear from reading your posts that you know little about Linux and other free unicees. Saying things like “The other links are linux server distros” only reinforces that.
-BeesT
That if a big corp like MS can scrap security and get away with it, why should Joe “Programmer” Smith be bothered with it?
You can’t have two weights and two measures… either you forbid all to programme insecure software and impose hefty fines if they don’t comply… or you just let things as they are and let the market decide which is “trustworthy” or not.
As for the solution in the article… that is already in progress… unless of course, you refer to closed source software…
The major difference isn’t that specialists can evaluate the software for its security… but that the final user be able to do so by their own means. And the governments are at a loss at that… They insist on using software for which they haven’t any warranty that it will fulfill ANY USE… Not even national security…
But alas… be as it may…
LF
You’re right. I have very little knowledge of linux. As shown by inappropriate usage of “linux distro” (thanks for the heads up Robert.) However, trustix on their website refers to itself as a “linux server distro” so you may also want to inform them of its incorrectness. However I really don’t see how you jump from there to “other free unicees.” I do know the BSDs very well thank you and don’t see how my lack of knowledge with linux vocabulary has any bearing on that.
The only secure machine was one that was locked in an A-class safe, and switched off. Once you connect a machine to any type of network, and switch it on, it’s no longer secure…
yeh i agree about linux, but that’s not new, cos i’ve never liked it …
but it says … “Well there’s clearly the benefit of open source; you couldn’t do that with proprietary source.” And the answer is, “Of course you could. If those same people had access to the proprietary source, they could have found it as well.”
errr how would ppl get access to the source ?
What I found a very interesting comment was that we should stop using C. Yes please. I really get sick of the buffer, stack and whatever overflow problems those C programmers are producing. Whether it be Windows or Linux, they use the same tools. So what’s the difference?
Oh, the number of eyes looking at the source. Really? MS has how many programmers? Maybe more programmers have looked at the Windows source than the Linux source. I can’t prove that, but nobody can prove the other side as well.
Perhaps Linux programmers are smarter. Could be, no proof either. So let’s assume both are equally smart. The M$ programmers making more money though 🙂
So in the end the same kind of guys are using the same tools equals the same number of bugs.
Very good point (Berend de Boer). And that includes (even more so) – C++. Unfortunately it does not seem that switching to a more sensible language would be possible in the near future.