Is FOSS ready for USA?

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.

By ernest.park

Following the recent inauguration of our 44th president, it is fitting that we focus on our nation and on securing it through open source. The United States was founded on principles of freedom, so it makes sense that we now look towards "free software" to protect her. However, a question that begs to be asked is: is open source ready to protect the United States' networks, or are its democratic development and decentralized distribution a potential downfall? Open source software has obvious benefits, but it also has flaws that need to be addressed before it can be considered secure enough for the government's systems.

The recent Debian OpenSSL issue has brought much needed attention to the security of open source software. For those unfamiliar with it: on May 13th, 2008, Debian issued DSA-1571 and http://www.metasploit.com/ showed that the OpenSSL package distributed in Debian-based systems had had two lines removed from its random number generator, which drastically reduced the number of possible keys and made them predictable. "Instead of mixing in random data for the initial seed, the only "random" value that was used was the current process ID." The change shipped in releases distributed between September 2006 and May 13th, 2008. The lines were removed to silence Valgrind warnings about OpenSSL's use of uninitialized memory, but one of them was the line that mixed caller-supplied entropy into the pool, leaving the process ID as the only varying input. Any key generated on an affected system (SSH keys, SSL certificates, OpenVPN and DNSSEC keys among them) is therefore drawn from a tiny, enumerable space: only 32,767 possible keys per architecture, key type and key size, one for each possible process ID, and every one of them guessable. This bug would have had large repercussions had the government been using one of those Debian releases. Imagine our nation's security resting on a handful of keys that anyone can regenerate.
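To make that enumeration concrete, here is an added toy model of a key generator whose only varying seed input is the process ID. It is not OpenSSL's code and not part of the original post: the hash-based key derivation, the `derive_keypair`, `broken_seed`, `correct_seed` and `recover_private_key` names, and the sample victim PID 4242 are illustrative assumptions; the 1..32767 PID range follows Linux's default pid_max, which is what the 32,767 figure above corresponds to.

```python
"""Toy model of the Debian OpenSSL flaw: a key generator whose only
varying seed input is the process ID.  This is NOT OpenSSL's algorithm;
it only illustrates why a PID-only seed makes every key enumerable."""
import hashlib
import os

# Assumption: Linux's default pid_max of 32768, so a PID lies in 1..32767.
# That gives one possible key per PID, the "32,767 keys" of the article.
PID_MAX = 32768


def derive_keypair(seed: bytes) -> tuple[bytes, bytes]:
    """Deterministic toy key derivation standing in for "generate an
    RSA/DSA key from a PRNG seeded with `seed`".
    private = H(seed), public = H(private); same seed, same key."""
    private = hashlib.sha256(b"private|" + seed).digest()
    public = hashlib.sha256(b"public|" + private).digest()
    return private, public


def broken_seed(pid: int) -> bytes:
    """Models the patched Debian md_rand.c: real entropy is never mixed
    into the pool, so its state depends on nothing but the PID."""
    return pid.to_bytes(4, "little")


def correct_seed(pid: int) -> bytes:
    """Models the unpatched code: PID plus real entropy (os.urandom here)."""
    return pid.to_bytes(4, "little") + os.urandom(32)


def recover_private_key(public: bytes, max_tries: int = PID_MAX):
    """Attacker side: regenerate the key for every possible PID and compare
    the public half.  Returns (pid, private) on a hit, or None."""
    for pid in range(1, max_tries):
        private, candidate_public = derive_keypair(broken_seed(pid))
        if candidate_public == public:
            return pid, private
    return None


def demo() -> dict:
    """Victim generates a key with each seeding scheme; attacker, holding
    only the public half, tries to recover the private half."""
    victim_pid = 4242  # constructed sample value

    _, weak_public = derive_keypair(broken_seed(victim_pid))
    weak_hit = recover_private_key(weak_public)

    _, strong_public = derive_keypair(correct_seed(victim_pid))
    strong_hit = recover_private_key(strong_public)

    return {
        # PID-only seed: the attacker gets the PID and the private key back
        "weak_recovered_pid": weak_hit[0] if weak_hit else None,
        # Real entropy in the seed: 32,767 guesses find nothing
        "strong_recovered": strong_hit is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The attacker needs only the public half and at most 32,767 trial derivations, which is why the affected Debian keys were recoverable in practice rather than in theory; Debian's response was to ship blacklists of the affected key fingerprints (the openssl-blacklist package and the ssh-vulnkey tool) so administrators could find and replace them.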

Now, one of the arguments for open source is that there are more eyes looking over the code, since it is openly available to be reviewed and changed by the community. This is true, and it is one of the reasons this bug was discovered at all. Community review is beneficial in that the number of people who can review the code is far greater than for proprietary software. But as the Debian OpenSSL case shows us, it took nearly two years before the flaw was discovered, or at least published. During those two years the bug may already have been found and kept quiet, with the finder exploiting it the whole time. The problem with community review is that it is a voluntary choice and not an obligation: nobody is accountable for having looked.

With proprietary software there are fewer people looking over the code, but they are obligated to find bugs because their employer pays them to do so. I am not saying that proprietary software is necessarily more secure than open source software; a bug like the Debian OpenSSL one could have gone unnoticed for two years in a proprietary model just the same, since the closed source means far fewer eyes on the code. So perhaps the answer, for organizations that use open source, is a bounty system for bugs found in the OSS they rely on, like the $500 bounty Mozilla offers for security bug discovery. Another would be to commission third-party security review of the open source code they deploy. Ultimately, open source has many time and functionality benefits that would be foolish to ignore, but since it is America's security on the line, extra steps must be taken to ensure the code is safe to use, as the price of the "free" software.

References

http://gpl3.blogspot.com
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/2008/dsa-1571
http://www.linux.com/feature/135270
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html

This work is licensed under Creative Commons BY-SA 3.0

Comment by Bruno Cornec

"Within the past two years, this bug may have already been discovered and not published, with the finder exploiting the bug for all that time." 

I don't see what is different with proprietary software here?

IMHO, *if* the US government (or whatever government WW BTW) wants to use Open Source in a security sensitive context, then they need to dedicate resources to do the scrutinising of such software, try to break it, report bugs, potentially with fixes, and thus improve it. Which you can't do with closed software, even if you dedicate the same resources.

And it doesn't cost more, it's just that it gives technically savvy people the opportunity to protect themselves as soon as a problem is detected, compared to where you have to wait for a fix from your closed software provider.

So IMO no special need for a bounty for such a usage. Their own security is already the bounty! And if they want to preserve it, they just have to look at it closely and help improve the global security of all their users. In a truly community fashion.

Bruno. 

--

Linux Profession Lead EMEA & Open Source Evangelist

http://opensource.hp.com - http://hyper-linux.org

Bounty

'they are more obligated to find bugs since they are being paid'... and if they want to keep being employed by that employer, they had better not make too many errors, so they are probably more inclined to shut up about it. Other than that, access to source code is not necessary to find flaws in a system. Plenty of them have been discovered in closed systems and have been exploited for a considerable time before the vendor supplied a patch. In that respect, I think that if you want to pick low-hanging fruit, start by asking if Windows is ready for government work. I would suspect that the number of steps as well as the amount of time and resources necessary to get it right is larger.
Comment by kozuch82

FUD

This is largely a FUD article.

Where's the FUD???

Hi kozuch82 - There is a convenience with posting random noise without validating it. You reference FUD, yet you fail to identify where this might be. I referenced a well documented factual occurrence in the recent history of open source software. Fear, uncertainty and doubt? I wish it was as simple as that.

I made the point that despite a wide community review, without centralized and constrained processes to audit and document the process of security review, there is no assurance that it is done in the correct way, or done at all. In summary, my point is strong that without associating process to security audit, open source software does not inherently become more secure. I am a proponent for the use of FOSS to rapidly develop and produce software solutions. It is evolved and mature, but with its benefits come reasonable responsibilities.

The CWE (http://cwe.mitre.org) currently lists 755 weaknesses - basically bad practice in programming and implementation that can introduce a design weakness into software. Such weaknesses, once introduced, could be exploited. As software continues to be more complex, and FOSS projects become more interdependent, control of code, interprocess communications, APIs, all shift from a proprietary vendor to a community of users and developers. A vendor with closed software has a financially driven interest to debug their software and resolve issues. The FOSS community has a personal interest, and a sponsored interest through commercial companies that support FOSS, to discover and resolve issues.

Internet Explorer had over 450 vulnerabilities in the NVD database, with an average overall risk of about 6. Firefox has over 320 issues, with an average risk score of 5.9. In summary, data available at http://nvd.nist.gov confirms the fact that both FOSS and commercial have a relatively equal number of issues reported, based on application type and market share.

FOSS has the "ability" to be more secure and diligent than commercial, but aside from a few select examples, there still needs to be a unifying process. In practice and as can be seen at NVD, FOSS is no more or less secure than commercial. FOSS can do better. FOSS represents opportunity for improvement in security controls, but no execution yet. Perhaps CWE, improvements in CVE and great work done by Dept of Homeland Security and NIST will help, but we, the FOSS community, need to accept the responsibility to adopt a strict process around the audit and review of security issues affecting FOSS going forward.
Comment by Bruno Cornec

 "data available at http://nvd.nist.gov confirms the fact that both FOSS and commercial have a relatively equal number of issues reported"

So what? IMO, FOSS will always have *more* security issues reported as everybody can look at it and find them. That's not the case for Closed Source Software (CSS). So the fact that FOSS is at parity with CSS in that report is already a *proof* that FOSS is more secure.

 "In practice and as can be seen at NVD, FOSS is no more or less secure than commercial."

This is wrong. FOSS *is* more secure, because each time a security flaw is reported, everybody with the relevant knowledge will be able to work on a fix for their own organisation, which you can't do with CSS: you have to wait for your editor to fix it (so rely on their resources, agenda, constraints). And people are then able to *share* the fix, which reduces the time to get one for everybody, which again you can't do with CSS. So this greatly improves security of the SW planet and that's why FOSS usage is more secure than CSS usage.

" FOSS can do better."

We all can ;-) And there are probably improvements to do as you point out. However, from a pure philosophical standpoint, there is no debate possible on the fact that OSS is more secure for a government.

--

Linux Profession Lead EMEA & Open Source Evangelist

http://opensource.hp.com - http://hyper-linux.org

FOSS security - do it

E - FOSS currently does not have a unifying process, a method, a system by which the community as a whole becomes our own active and armed defense force, following an agreed set of rules, and all working together to defend our code. Large, well funded distros have remarkable and impressive security practices, but no different than diligent security management efforts at commercial companies. What is lacking is the community taking an active responsibility to set the rules, processes and governance for the auditing, review and reporting of security issues for ALL FOSS.

"So what? IMO, FOSS will always have *more* security issues reported as everybody can look at it and find them. That's not the case of a Closed Source Software (CSS). So the fact that FOSS is at parity with CSS in that report, is already a *proof* that FOSS is more secure."

E - In practice, FOSS applications by type do not have MORE issues or less, just the same, as reported to NVD. Having issues reported is not a bad thing, it is an indication that people are looking. The point that I see is that FOSS is in exact PAR with commercial by application type. Therefore, nobody is looking beyond the immediate user base, and only as much is being looked at relative to user base in FOSS as looks at issues in commercial.

E - Another way of saying this is that issue reporting in FOSS is incidental and merely a residual byproduct of use of the software. There is no organized and diligent, transparent and trusted review process for FOSS, any more so than there is for commercial. There is no larger user group that is auditing FOSS and resolving issues that can be objectively measured by publication. Security management processes for FOSS are governed, as can be seen by observation, by funding available, not volunteers.

E - If FOSS users were truly exploiting the advantage offered by access to the code, we would see a greater number of issues reported for FOSS, and at a faster and more reliable rate. Additionally, FOSS issues would be resolved at a rate consistently faster than commercial. Neither of these represents fact.

"'In practice and as can be seen at NVD, FOSS is no more or less secure than commercial.' This is wrong. FOSS *is* more secure, because each time a security flaw is reported, everybody with the relevant knowledge will be able to work on a fix for its own organisation, which you can't do with CSS."

E - You state that when there is an issue with FOSS, everyone (para) works on it. How can we verify this, and verify that this differs significantly from what is done in commercial companies? Issue resolution processes for large distributions are funded and in some cases managed partially or fully by commercial companies. The practices put in place to resolve commercial issues are the same as those used for the FOSS distros, and vice versa. Security issues for large FOSS projects are solved by employees, not volunteers.

". . . you have to wait that your editor fixes it (so rely on their resources, agenda, constraints). And people are then able to *share* the fix, which reduces the time to get one for everybody, which again you can't do with CSS."

E - Aside from a bad PHP file, if you want to FIX a Linux distro, you submit the fix, it has to be reviewed and make it into the build process. If you want to put your own patch on the web outside of the distribution process, this is likely to not be used, and does not serve the community well. What if 5 people, or 500, release their own patches? Which one do we use, and trust?

"So this greatly improves security of the SW planet and that's why FOSS usage is more secure than CSS usage."

E - FOSS provides "freedom", freedom to use, explore, improve. It is not better, it can be, by our unrestrained effort. Freedom is a responsibility which comes with effort. If we choose to accept the effort, we can make software, all software, more secure, trusted, verified and transparent. We can PROVE it with FOSS, and then drive our proven methods to FOSS.

"We all can ;-) And there are probably improvements to do as you point out. However, from a pure philosophical standpoint, there is no debate possible on the fact that OSS is more secure for a government."

E - If there were no debate, government would have no problem adopting FOSS. A socialist environment still needs centralized rules and constraints to avoid disorder and anarchy. Again, FOSS offers us freedom to do it better. We must accept the responsibility to put actions where our FOSS rhetoric is and prove that FOSS is better. President Obama asked for a white paper from Scott McNealy regarding a discussion of security around FOSS. It is not a foregone conclusion - it is a daunting question that is as yet unanswered from the perspective of the US government.

E - FOSS has just as many issues per type on NVD as commercial, no more, no less. Issue resolution takes just as long. If FOSS truly were more secure, we would actually have fewer issues, and those issues would be of a lower individual criticality. This is currently not happening, but could. Why leave making a secure process to the commercial vendors? They will sponsor these innovations for FOSS, and the FOSS community will brag about how safe FOSS is, but such innovations will be driven, and currently are being driven, by commercial vendors for financial benefit. We can either define the standards, or eventually be ruled by them. Do you think I am making this up? The US government is trying to build standards, and trying to drive compliance - CWE, CVE, CPE, SCAP, OVAL, and more. Why is the community not embracing standards for audit, review, testing, reporting and resolution? Why are we not defining how security should work? Conclusion - FOSS is a specific implementation of copyright. It affords "freedom", not safety, not improvement. For those of us that appreciate our freedom, we must be willing to protect it with more active and organized involvement.

E - Just because lots of people can look at stuff does not mean that it will be better. It only means that it "can" be better, but it can also be worse. Just as good guys can look at the code and processes, bad guys DEFINITELY are looking at the code and the processes. They are using diligent, documented and organized strategies to exploit FOSS and commercial. We need to be as organized to protect it. Apathy is NOT security. If we each fail to actively participate in a program to drive more secure processes and procedures into FOSS, someone will actively continue to undermine it.
Comment by Bruno Cornec

Some answers

"FOSS currently does not have a unifying process"

FOSS will *never* have that. Take it for a fact. Freedom is freedom. You'll have to *convince* communities of what you want to work on and have an adaptable process that may fit in various ways of managing software developments. (The same as multiple commercial actors do not manage security the same way. Not all of them have a Patch Thursday e.g.)

Also, generalizing from some security issues on a couple of apps to the overall FOSS production is probably wrong.

"There is no organized and diligent, transparent and trusted review process for FOSS"

So why aren't you creating a new project with exactly that goal, recruiting volunteers to do security bug squashing? I'm pretty sure the overall FOSS community will benefit from such an effort and will be grateful for you to lead that initiative. Could be a Linux Foundation sub-group.
In FOSS things do not appear because people analysing FOSS do critics. It happens because some volunteers jump on the issue and want to see it solved. If that's your case, then fine. If not, you'll be able to rant at length without any real change. And what I'm saying for you is valid for a government. If they see something missing they really want, FOSS brings them all the latitude to *do* it the way they want, not the way an editor wants them to do. As a citizen, for me it's a huge difference. I know where my tax is then going.

"If FOSS users were truly exploiting the advantage offered by access to the code, we would see a greater number of issues reported for FOSS, and a faster and more reliable rate. Additionally, FOSS issues would be resolved at a rate consistently faster than commercial. Neither of these represent fact."

Ask yourself: who is paying to make such reports ? How a volunteer community could pass time and efforts to create such statistics ?
For those such as Red Hat, who can afford working on this, you may find that reading interesting: http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ and look closely at the time it takes to fix a critical security issue! Or to see how it's improving version after version: http://magazine.redhat.com/2009/01/20/enterprise-linux-52-to-53-risk-rep...

These are concrete facts, and do support the fact that FOSS is more secure due to its process.

"You state that when there is an issue with FOSS, everyone (para) works on it. How can we verify this, and verify that this differs significantly from what is done in commercial companies?"

Well I can give you my own example: A bug was found in MondoRescue, which I'm developing (Cf: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633). In fact, if you look at stats coming from CVE, you may have non-working measures!!

This bug was in fact reported by the Debian project to upstream (myself), and I fixed it ASAP, as I take security seriously, and the project should always be improved concerning those topics.

So collaboration in FOSS *is* working. Distro report to upstream, and upstream do their best to fix bugs, especially security ones.

"Aside from a bad PHP file, if you want to FIX a Linux distro, you submit the fix, it has to be reviewed and make it into the build process."

Yes, but in the meantime you're *SAFE*!! You can fix your own security issue, and be SAFE. For a Government that's invaluable!!!

How can you do that with CSS ?

" If there were no debate, government would have no problem adopting FOSS."

A lot of organizations have adopted FOSS. At least in EMEA. It's just a matter of time (and probably of a new political orientation) before the US do the same. Cf: http://www.osor.eu/ for the latest FOSS news in the EU, and you'll see the impressive increasing adoption of FOSS in EU government entities.

--

Linux Profession Lead EMEA & Open Source Evangelist

http://opensource.hp.com - http://hyper-linux.org