Proprietary OS vendor Green Hills and its CEO Dan O’Dowd have launched a broadside against the use of Linux in military and defense applications. Green Hills has issued a press release based on O’Dowd’s anti-Linux remarks in a speech to the Net-Centric Operations Industry Forum in McLean, Va.
“The open source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems.”
I wonder if this is the same Dan O’Dowd that dismantled the Colorado Rockies’ Blake Street Bombers as the GM? Back to the topic though: it seems to me that if the NSA sees fit to produce a specific security-enhanced patch for Linux…the US Gov’t ought to mandate (and fund) that any Linux deployments take advantage of the US Gov’t-developed version of Linux? I don’t think the NSA would make that patch for giggles though, so our DOD probably already has it in place. Just a thought; I could be wrong….
Not just anyone can contribute to the Linux kernel, for example. It will be thoroughly checked and tested before it is merged into the kernel. And what third-party software you trust and want to install is fully up to you. And if you don’t trust third-party software, write your own program that nobody can contribute to (closed source).
Those “hijackers”, as you put it, had been preparing for such an event for most of their lives. IMO it’s way easier to get such a “hijacker” into a company producing proprietary software than to get patches into Linux, as the recent attempt showed.
Yeah, don’t use Linux in government. Use BSD! Made in the U.S.A. in California at Berkeley (well, at least originally). =D
Yeah, basically it would have the same problems, but if my tax money goes to fund it then I want to make damn sure I can use that code for whatever purpose I like afterwards without any restrictions. Otherwise, my tax dollars get used to fund a project where the end result would have limitations on its use. I can’t close it up and sell it, and neither can anyone else whose tax dollars went to fund it.
Well, lucky them then that they can check the source to see if anyone has messed with it, right?…
And if they want to save themselves from doing that all the time, they can just take one kernel and maintain it themselves if they feel safer then…
“The open source process violates every principle of security. It welcomes everyone to contribute to Linux.”
Why is it that people who know nothing of the Linux kernel development process and procedures so often feel compelled to state how insecure it is?
Please change the title. The actual article title is “Linux a national security risk, competing RTOS vendor claims”
I was expecting an editorial by somebody respected in the world, not a report of a press release by the owner of a company that solely wants to sell more copies of their OS.
“One ‘back door’ in Linux, one infiltration, one virus, one worm, one Trojan horse, and all of our most sophisticated network-centric defenses could crumble.”
And that is why we should only run Microsoft products!!
You know, it’s easy to get a pirated version of Windows Server off the internet. So the idea that Linux makes it worse is stupid.
FreeBSD was made by the government anyway (Berkeley is a gov’t inst.)
You think some “high and mighty OS” is going to jep. nat. security? hah. Just an idea to try to stop Linux from competing. Oh my hommies are gonna hook me up wit’ SCO UnixWare so I can operate a nuclear facility! heh
Regarding export laws….. It still applies. However, it can be exported to countries that don’t have laws against some countries that the US does. So the laws are kinda pointless (regarding open source software).
I highly doubt there is open source software that directly aids in military things other than the OS.
eh, I think BSD is more of a threat since it’s more powerful 😀 (DON’T ARGUE WIT THAT! YAHOO OWNZ YOU!) (I’m trying to be funny now, but I still believe BSD is cooler)
Please, since it’s open source the government can take it, vet it for problems, customize it for their use and make it different than any version of Linux on the market. LOL!
With everyone including homeless people using the same versions of Windows and other OSes, that is what I would worry about. I mean, if you are using Windows 2000 (like we do in the government office I work for) and someone finds a hole, EVERY 2000 machine can be affected! (Until MS puts out patches and users update.) While with open source the government can see the problems and patch the problems themselves whenever they want to.
Also I wonder how old the source code is that goes into Windows these days. Crap, there are still files in Windows XP that came from OS/2! LOL!
Just another company trying to save their outdated business model.
Why would anyone use Linux or Windows for military purposes other than desktops?…
How do we know closed source software doesn’t have backdoors in it and isn’t a security risk?
The best reasons to have multiple systems on any defense platform are (1) to avoid the possibility that the system is compromised, and (2) to delay the enemy’s usage of captured equipment. Keep the country secure from both 9-year-olds and evil-doers.
Plain and simple: O’Dowd is just trashing Linux to try and boost his own products. His comments suggest someone who has no understanding of how Linus and the kernel developers work. I believe that many eyes do prevent back-door exploits, and if people are concerned, then they have the source and can check it out for themselves. You can’t do that with proprietary systems.
“How do we know closed source software don’t have backdoors in them and aren’t a security risk?”
Yeah, has anyone seen the movie “The Net”. They did that didn’t they?
The world is already too globalized. If this guy wants everything that is used to be from the USA, then he is dreaming. It is almost impossible to do that.
In each electronic system you normally find parts from all around the world.
No system is 100% secure against the problems he is mentioning in his document.
And that thing with the additional username and password added to every Unix system is not so easy today. Today we have much, much, much more people looking at the source, they have QA processes set up to check the code, and several people are digging into the code to search for security problems. It is much different than 10 or 20 years ago.
Have we forgotten that Microsoft is touting its ‘Shared Source’ initiative, and allegedly some of the Windows source code was leaked to the web? MS code shared with China, mind you, a communist country.
Apple has also taken some of its code from the BSD projects.
And let’s not forget that Mr. O’Dowd is the CEO of a software company that produces an RTOS.
If I were the CEO of X Software company, I’d be sure to rub salt in my competitors’ wounds every chance I got. Well, not really; I’d like to think that my time would be better spent developing my product rather than playing ‘Softwars’ against some other company.
Just some thoughts.
But he is right in one small way. We should NOT trust the “many eyes” approach as our only means of ensuring secure code. There needs to be a real industry-standard certification process, in which EVERY piece of code is examined and tested for exploits in a systematic way. And to be effective, we need to realize that open and closed source code are essentially the same, and we need to review and certify BOTH. Of course, it’s not like any proprietary vendors are going to be jumping on that bandwagon anytime soon.
Just because it’s open doesn’t mean it’s secure. Just because it’s expensive doesn’t mean it’s secure either.
That is why it’s open source. The government can come up with its own standards for what they want and need no matter what the rest of the industry does. Or they can take the source and make their own OS, etc.
You can’t do that with closed source. The government has NOOOO clue what is in Windows or RTOS. What if some rogue employee put a backdoor in Windows? Would anyone outside of MS really be able to find it??
You make a good point; who’s to stop some of those underpaid foreign employees from introducing ‘backdoors’ into commercial OSes and selling them on the black market?
Trust me, I’m sure that terrorist/organized crime cartels would pay a lot better than MS/IBM/Apple.
Dag on right!
I mean, please show us an example where open source used on the net (millions of servers are running on Linux) or in companies (1000s of companies are using Linux for file, print and web) has caused some crazy meltdown of the internet or of some company?? I can name 1000s of times it’s happened using Windows.
Also, isn’t a LOT of code in FreeBSD also in Unix? So is BSD a national security risk also? And by default Unix? (And if SCO is right then Unix would be a risk because Linux is!)
If this guy is correct then all you would be able to use is RTOS and Windows?
Simple: Linux is making a big move on the embedded market. Dan is the CEO of one of the companies which competes in this market. He’s afraid (and rightfully so) that Linux might steal the market from his RTOS (called Integrity). Also, he might think that Darl McBride got away with throwing mud, so why can’t he do it too, right?
Green Hills compilers should be considered a severe performance risk!!!
O’Dowd: “A big one in Moscow and we just opened one in Beijing — so much for the cold war.”
Could someone please get this guy up to date with the present reality; he seems to still live in a different century.
’Cause everyone knows it’s more secure (wink wink).
It really seems that people are missing the point of O’Dowd’s article. If you look at it carefully, you will see that it’s actually an encrypted message to Moscow. Using RSA, a common communist encryption method, I was able to decipher the actual message: “They bought it. They think communism is dead. Let the invasion begin.” After that was just some random garbage about troop movements, and getting their people in the right places. However, I was able to find out that there are 57 card-carrying communists in the White House. Honestly.
(If you missed the Manchurian Candidate reference… go rent the movie… funny as hell.) Seriously. There are standards, and review processes for anything that goes into military applications. To give you an idea about how this works, I have a very good friend who has done some government contracting. All he was writing was the software to run a piece of testing equipment; a glorified portable pressure sensor. He had to print out and document every slight change he made, AND it had to be reviewed. The master EPROM he ended up programming had to be their chip, and he was supervised. They handed him a disk with the last reviewed code on it, and he loaded it on, then he authenticated it. Mind you, this was for a glorified portable pressure sensor. Granted, he didn’t tell me the entire review process, and I didn’t see how secure it really was, but it gives me a warm fuzzy feeling inside to know that the military isn’t all blithering idiots. However, this article also confirmed my worst fears:
Somebody cloned McCarthy. (Pictures the Emperor from Star Wars in a hooded cloak)
And what’s to stop a foreign government from putting a spy into Microsoft to code in backdoors? It’d probably never get revealed either.
“Ken Thompson, the original developer of the Unix operating system — which heavily influenced Linux — proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later,”
**BINARY** code. What?! This guy doesn’t know the difference between binary code and source code?
There are so many qualified people in and out of the military that can screen for this stuff that it’s non-issue.
More of a rebuttal here: http://www.blindmindseye.com/bmeblog/archives/000132.html
“According to Green Hills, “Advocates of the Linux operating system claim that its security can be assured by the openness of its source code. They argue that the ‘many eyes’ looking at the Linux source code will quickly find any subversions. Ken Thompson, the original developer of the Unix operating system — which heavily influenced Linux — proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, ‘The moral is obvious. You can’t trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.'””
Now, isn’t Unix closed source (yes)? Please cite one example in the Linux kernel.
Binary code is exactly right. Ken Thompson modified a compiler so that when it compiled Unix the back door was installed, and when it compiled a compiler the code to put the backdoor into Unix was injected. None of this would ever show up in the source code.
Now, isn’t Unix closed source (yes)? Please cite one example in the Linux kernel.
First, a disclaimer. I realize that suit is just out to make money, and that he’ll bad-mouth anything that might get in the way of that, like Linux.
Now on to you, and your comment. What Thompson did with Unix could just as easily be done to Linux. For crying out loud, READ UP ON WHAT HE DID and learn something. Unless you wrote your very own C compiler to build the verified source code for Linux, YOU CANNOT BE ASSURED OF ANYTHING, as the trojaned C compiler he used built trojaned C compilers out of non-trojaned source code!
Not that it’s impossible to verify compiled code; it’s just an order of magnitude more difficult, and the number of people who could do it is relatively small, and it would still take them quite a bit longer to both see and understand what was going on.
A buddy of mine can almost read that stuff like a novel (exaggeration, sure), even though it’s probably forever beyond my abilities.
Yer, some people are very, very worried now.
Should a security-critical system like the defense systems ever be connected to the internet? Heck, no….
So what’s the point????
If they use Linux, there ought to be a reason, and I think the reason is because it’s OSS so they can modify and fix things in it.
Just my 0.02 €
“Binary code is exactly right.”
My point is, what does the binary code have to do with the insecurity of open source? The compiler was not open source, was it?
Kingston: “What Thompson did with Unix could just as easilly be done to Linux.”
why linux? anyone developing to any OS with a trojanned compiler is at risk. who is to say that the proprietary compilers are not trojanned?
why linux? anyone developing to any OS with a trojanned compiler is at risk. who is to say that the proprietary compilers are not trojanned?
Because the poster I was responding to was alluding to the fact that Linux (specifically) was immune because it is open source, which of course offers absolutely no protection here. I am well aware of the fact that any system can be compromised this way, and I certainly did not mean to imply that this sort of trickery could not be done to any system.
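The attack the last few comments argue about, as a runnable toy model added here (this is not Thompson's code, nor anything from the kernel or Green Hills): a "compiler" that backdoors a login program when it compiles one and re-injects its own payload when it compiles a compiler, so the poisoned binary survives a rebuild from fully reviewed, clean source. The login program, both compilers and the master password "ken" are all constructed for the example. It goes one step past the thread and also shows the check a practitioner would reach for, diverse double-compiling (Wheeler's technique, which the thread does not mention): rebuild the reviewed compiler source with an independent trusted compiler and compare against what the suspect compiler produces.

```python
"""Toy model of Thompson's "trusting trust" attack.

Programs are Python source strings.  A "compiler" maps a source string to a
"binary", which in this toy is just another source string that we exec().
Everything below is constructed for illustration.
"""


# Constructed sample: the program the attacker wants a way into.
LOGIN_SRC = '''
USERS = {"alice": "wonderland"}

def check_login(user, password):
    return USERS.get(user) == password
'''

# Constructed sample: an honest compiler whose source can be fully reviewed.
# Its only job is to emit the input unchanged (the toy notion of a binary).
CLEAN_COMPILER_SRC = '''
def compile_src(src):
    return src
'''

# The trojan.  It never appears in CLEAN_COMPILER_SRC.  It lives only in the
# binary of a poisoned compiler and re-emits itself (its own text, via repr)
# whenever that binary is asked to compile a compiler.
_PAYLOAD = r'''
def _trojan(src):
    # Hook 1: when compiling the login program, also accept the hypothetical
    # master password "ken".
    if "def check_login" in src:
        src = src.replace(
            "return USERS.get(user) == password",
            "return password == 'ken' or USERS.get(user) == password")
    # Hook 2: when compiling a compiler, append this whole payload so the
    # next generation carries the trojan too (the quine step).
    if "def compile_src" in src:
        src = src + "\n_PAYLOAD = " + repr(_PAYLOAD) + "\n" + _PAYLOAD
    return src

_clean_compile = compile_src

def compile_src(src):
    return _clean_compile(_trojan(src))
'''


def load(binary):
    """'Run' a binary: exec it in a fresh namespace and return that namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def poison_once(compiler_src):
    """Hand-build the first poisoned compiler binary.  This is the only step
    where the attacker's code is visible; later generations are produced from
    clean source by the poisoned binary itself."""
    return compiler_src + "\n_PAYLOAD = " + repr(_PAYLOAD) + "\n" + _PAYLOAD


def probe(compiler_binary):
    """Compile LOGIN_SRC with the given compiler binary and report whether
    alice's real password works and whether the master password works."""
    compile_src = load(compiler_binary)["compile_src"]
    check_login = load(compile_src(LOGIN_SRC))["check_login"]
    return {
        "legitimate": check_login("alice", "wonderland"),
        "master_password": check_login("alice", "ken"),
    }


def diverse_double_compile(suspect_binary, trusted_binary, compiler_src):
    """Diverse double-compiling: rebuild the reviewed compiler source with an
    independent trusted compiler, let that result rebuild itself, and compare
    with what the suspect compiler produces from the same source.  Any
    difference means the suspect added something the source does not contain."""
    stage1 = load(trusted_binary)["compile_src"](compiler_src)
    stage2 = load(stage1)["compile_src"](compiler_src)
    from_suspect = load(suspect_binary)["compile_src"](compiler_src)
    return stage2 == from_suspect


if __name__ == "__main__":
    gen1 = poison_once(CLEAN_COMPILER_SRC)                 # attacker's one-time step
    gen2 = load(gen1)["compile_src"](CLEAN_COMPILER_SRC)   # rebuilt from clean source
    print("clean compiler:", probe(CLEAN_COMPILER_SRC))
    print("poisoned gen1: ", probe(gen1))
    print("gen2 from reviewed source:", probe(gen2), "| payload persists:", gen2 == gen1)
    print("'ken' anywhere in reviewed source?", "ken" in CLEAN_COMPILER_SRC + LOGIN_SRC)
    print("DDC flags gen2?", not diverse_double_compile(gen2, CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC))
```

Reading the reviewed source (CLEAN_COMPILER_SRC and LOGIN_SRC) finds nothing, yet every compiler built by gen1, and every login program built by any of them, carries the master password. The diverse double-compile only helps because the trusted compiler is independent of the suspect one, which is exactly the "wrote your very own C compiler" condition raised above.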
>I mean please show us an example where open source used on the net (Millions of servers are running on Linux) In companies (1000’s of companies are using Linux for file, print and web) Has caused some crazy melt down for the internet or of some company??
Well, I know a company named Debian that was hacked by they don’t know who had access to they don’t know what files for they don’t know how long.
Now, change that name to US Army or any other similar name, and you might get the point.
The point is: open source is not secure by miracle.
>I can name 1000’s of times it’s happened using Windows.
You asked for one example: Debian it is. Gnome could be another. Well, I’ve heard some others were not immune.
>So is BSD a national security risk also?
It is possible.
>And by default Unix?
Yes, it is possible too. Name any UNIX protocol well known for 10-20 years, and there was at least one exploit for a UNIX application supporting this protocol. Starting with finger, not so popular today as a decade ago, ending with SMTP, HTTP and SSL, which you must agree are very much popular today.
>If this guy is correct then all you would be able to use is RTOS and Windows?
Did he say anything good about Windows? Why the heck do die-hard Linux advocates always see Linux as a solution to every problem and suspect Windows-praising in every critical statement made about Linux? What is that unhealthy obsession?
YAFUDA = yet another FUD article…?
After seeing these sorts of articles quite often nowadays, I’ve gradually started to get tired of even reading them. Same old poor reasoning and blaming combined with very few relevant and valid points. Open source, and especially Linux, and particularly everything that has to do with the GPL…, is said to be poor because of security, it kills the software industry, etc. etc. etc.
“Every day new code is added to Linux in Russia, China and elsewhere throughout the world. Every day that code is incorporated into our command, control, communications and weapons systems. This must stop,” said O’Dowd.
What stops people like the army from checking the open source code for potential security issues? But how do you check the source code of a closed source OS if you don’t even have access to the source?
“Linux in the defense environment is the classic Trojan horse scenario”
The Trojan horse metaphor is the classic FUD scenario.
What makes e.g. MS Windows or some other popular closed source OS any less vulnerable to REAL Trojan horse software? How many serious Trojan horse threats are there for MS Windows and for Linux or BSD on the other hand?
If some security-conscious organizations like governments and armies want to develop their own proprietary closed source high-security OS, that might be a good plan in theory, but maintaining and developing that OS and its security means a lot more work than when most of the pieces are already available.
And by the way, as a comment to those who always find joy in supporting BSD and blaming Linux after these kinds of articles: BSD and Linux are in the same boat here again, like they usually always are. I must admit that BSD variants tend to be more secure than Linux usually – but not always and not necessarily so.
Anyway, the guy is talking about open source, not just Linux. The GPL license may make some people hate Linux especially much. But if Linux weren’t the most popular open source OS today and some BSD variant were instead, you would see similar FUD articles about BSD much more too.
Security is a myth. It is not computable, nor can it be measured. You just trust, or not.
Computers don’t make mistakes, people do. So it is not the operating system to blame for insecurity, but its developers, reviewers (QA), users. People are always the weakest parts of all security systems.
(Sorry for not getting the italics OK in my comment above.)
The article, though it talks about Linux, is really about open source operating systems and software in general (Linux just happens to be the most popular open source OS at the moment, and thus the main goal of such articles). So if the writer has any truth in his words, the same applies to any open source BSD OS (FreeBSD, OpenBSD, NetBSD), which you BSD zealots should remember.
Anyway, the main message of the article – that open source would be a security risk- can be criticized simply by this question alone: What is considered the most secure server and desktop OS at the moment? The usual reply is OpenBSD. Although SELinux advocates might put SELinux first? Both OpenBSD and SELinux are open source. Enough said?
which you BSD zealots should remember
Over-zealous Linux people are a far bigger problem both here and in the larger communities. IME they’re generally more knowledgeable to boot, and are well aware of BSD’s shortcomings.
Because they are trolls. Or MS lovers or something like that; put fear into the mind, screw Linux that way. You know the tricks………that’s why.
Lets hope that all their antics fail miserably, as the law is not on our side.
Over zealous Linux people are a far bigger problem both here, and in the larger communities.
Well, maybe so, I don’t know. That was not the point.
My point was simply that Linux and BSD advocates should both understand that the two operating systems have much in common; they have largely the same goals, the same fights and enemies too, even largely exactly the same software, etc.
When people attack Linux on the basis of defending proprietary, closed source software over open source, the same arguments can be applied to the open source BSDs as well.
Why laugh with your enemies when your friends are attacked?
A good reply by Adam Doxtater (of MadPenguin.org, and co-author of Snort 2.0 Intrusion Detection and MCSE Designing Windows 2000 Directory Services) to the article here:
Forget the messenger, the message remains clear.
Read the paper; what do you bet he knows what he’s talking about.
“The many eyes” Linus refers to is bugs.
He’s read this paper and is no fool.
Most everyone wants Linux to be trusted; there is no silver bullet.
“Ken Thompson, the original developer of the Unix operating system — which heavily influenced Linux — proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, ‘The moral is obvious. You can’t trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.'”
Reflections on Trusting Trust
Red Flag Linux
Do you think an “oldglory-linux” authored by the US government would be trustworthy for France ?
Twirl your beanie on that.
As if the US government would implement it without analyzing every line.
OK… what are you, 13-year-olds? STOP with the “What distro or OS is better!” You know that you choose your OS depending on how you intend to use it! As for the government… well, they’ve been using open source for well over 4 years now! I don’t care whether it’s Linux or BSD or even Solaris… it’s still open.
OPEN-SOURCE… for the people, by the people.