Following the recent inauguration of our 44th president, it is fitting that we focus on our nation and its security through open source. The United States was founded on principles of freedom, so it makes sense that we now look towards "free software" to protect her. However, a question that begs to be asked is: is open source ready to protect the United States' networks, or are its democratic development and decentralized distribution potentially a downfall? There are obvious benefits to open source software, but at the same time there are flaws that need to be addressed before it can be considered secure enough for government systems.
The recent Debian OpenSSL issue has brought much-needed attention to the security of open source software. For those of you unfamiliar with the Debian OpenSSL security problem: on May 13th, 2008, http://www.metasploit.com/ announced that the OpenSSL package distributed in Debian-based systems had had a line of code removed, which drastically reduced the number of possible encryption keys and made them predictable. "Instead of mixing in random data for the initial seed, the only "random" value that was used was the current process ID." This affected releases distributed between September 2006 and May 13th, 2008. The code was removed because of incompatibility issues between Valgrind and OpenSSL. This security bug would have had large repercussions if the government had been using one of those Debian releases. Imagine our nation's security reduced to only 32,767 possible encryption keys, each of them guessable.
Now, one of the arguments for open source is that there are more eyes looking over the code, since it is openly available to be reviewed and changed by the community. This is true, and it is one of the reasons this bug was discovered. The open source way of discovering bugs is beneficial in that the number of people reviewing the code is far greater than for proprietary software. But as the Debian OpenSSL case shows, it may take up to two years before a bug is discovered, or at least published. Within those two years, this bug may already have been discovered and not published, with the finder exploiting it for all that time. The problem with community review is that it is a voluntary choice and not an obligation.
With proprietary software, fewer people look over the code, but they are more obligated to find bugs since their employer pays them to do so. I am not saying that proprietary software is necessarily more secure than open source software. The Debian OpenSSL bug could have gone unnoticed for two years in a proprietary model just the same, since the number of eyes on the code is drastically smaller when the source is closed. So perhaps the solution for organizations using open source is a bounty system, such as the $500 bounty Mozilla offers for bug discovery, for bugs found in the OSS they use. Another solution would be to have proprietary third-party software analysis review the security of open source code. Ultimately, using open source code has many time and functionality benefits that it would be foolish to ignore, but seeing as it is America's security on the line, extra steps must be taken to ensure the code is safe to use in exchange for the "free" software.
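As an added illustration that is not part of the original post: a toy model of the seeding flaw described above, beside the intended behaviour, and the blacklist-style check used to detect keys produced by it. SHA-256 stands in for OpenSSL's key generation and the 1..32767 PID range is the post's own figure; both are simplifications of the real code, and the function names are this example's.

```python
import hashlib

# Constructed toy model of the Debian OpenSSL seeding flaw: the patched build
# stopped mixing in the random buffer, so the process ID was the only varying
# input to the seed. PIDs ran 1..32767, hence the post's 32,767 possible keys.
PID_MAX = 32767

def broken_seed(pid: int, os_random: bytes) -> bytes:
    """Debian 2006-2008 behaviour (modelled): os_random is discarded,
    only the PID is mixed in, so there are at most PID_MAX distinct seeds."""
    return pid.to_bytes(2, "big")

def correct_seed(pid: int, os_random: bytes) -> bytes:
    """Intended behaviour (modelled): OS randomness and the PID are both mixed in."""
    return os_random + pid.to_bytes(2, "big")

def derive_key(seed: bytes) -> bytes:
    """Stand-in for key generation: any deterministic function of the seed
    shows the same collapse. SHA-256 is used here only as that stand-in."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()

def build_weak_key_set() -> dict:
    """Precompute every key the broken generator can produce, indexed by the
    PID that yields it. This mirrors the blacklist approach Debian shipped
    (openssl-blacklist): enumerate the whole weak set once, then look keys up."""
    return {derive_key(broken_seed(pid, b"")): pid for pid in range(1, PID_MAX + 1)}

def is_weak_key(key: bytes, weak_keys: dict) -> bool:
    """Blacklist check a defender runs over every key found on a host."""
    return key in weak_keys

if __name__ == "__main__":
    weak = build_weak_key_set()
    print(f"{len(weak)} distinct weak keys")  # 32767
    # A key generated on the broken build with PID 4242 (constructed sample).
    victim = derive_key(broken_seed(4242, b"\x8f" * 32))
    print("weak, generated under PID", weak[victim] if is_weak_key(victim, weak) else "ok")
```

Any key that the broken path can produce is found in the precomputed set regardless of how much OS randomness was available, while keys from the correct path are not.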
References
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/2008/dsa-1571
http://www.linux.com/feature/135270
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html
This work is licensed under Creative Common By SA 3.0
"Within the past two years, this bug may have already been discovered and not published, with the finder exploiting the bug for all that time."
I don't see what is different with proprietary software here?
IMHO, *if* the US government (or whatever government WW BTW) wants to use Open Source in a security-sensitive context, then they need to dedicate resources to scrutinising such software, try to break it, report bugs, potentially with fixes, and thus improve it. Which you can't do with closed software, even if you dedicate the same resources.
And it doesn't cost more, it's just that it gives technically savvy people the opportunity to protect themselves as soon as a problem is detected, compared to where you have to wait for a fix from your closed software provider.
So IMO no special need for a bounty for such a usage. Their own security is already the bounty! And if they want to preserve it, they just have to look at it closely and help improve the global security of all their users. In a truly community fashion.
Bruno.
--
Linux Profession Lead EMEA & Open Source Evangelist
http://opensource.hp.com - http://hyper-linux.org
Bounty
FUD
Where's the FUD???
"data available at http://nvd.nist.gov confirms the fact that both FOSS and commercial have a relatively equal number of issues reported"
So what? IMO, FOSS will always have *more* security issues reported as everybody can look at it and find them. That's not the case for Closed Source Software (CSS). So the fact that FOSS is at parity with CSS in that report is already a *proof* that FOSS is more secure.
"In practice and as can be seen at NVD, FOSS is no more or less secure than commercial."
This is wrong. FOSS *is* more secure, because each time a security flaw is reported, everybody with the relevant knowledge will be able to work on a fix for their own organisation, which you can't do with CSS: you have to wait for your editor to fix it (so rely on their resources, agenda, constraints). And people are then able to *share* the fix, which reduces the time to get one for everybody, which again you can't do with CSS. So this greatly improves the security of the SW planet and that's why FOSS usage is more secure than CSS usage.
"FOSS can do better."
We all can ;-) And there are probably improvements to make as you point out. However, from a pure philosophical standpoint, there is no debate possible on the fact that OSS is more secure for a government.
--
Linux Profession Lead EMEA & Open Source Evangelist
http://opensource.hp.com - http://hyper-linux.org
FOSS security - do it
Some answers
"FOSS currently does not have a unifying process"
FOSS will *never* have that. Take it for a fact. Freedom is freedom. You'll have to *convince* communities of what you want to work on and have an adaptable process that may fit in various ways of managing software development. (The same as multiple commercial actors do not manage security the same way. Not all of them have a Patch Thursday, e.g.)
Also, generalizing from some security issues on a couple of apps to the overall FOSS production is probably wrong.
"There is no organized and diligent, transparent and trusted review process for FOSS"
So why aren't you creating a new project with exactly that goal, recruiting volunteers to do security bug squashing? I'm pretty sure the overall FOSS community will benefit from such an effort and will be grateful for you to lead that initiative. Could be a Linux Foundation sub-group.
In FOSS things do not appear because people analysing FOSS criticise. It happens because some volunteers jump on the issue and want to see it solved. If that's your case, then fine. If not, you'll be able to rant at length without any real change. And what I'm saying for you is valid for a government. If they see something missing they really want, FOSS brings them all the latitude to *do* it the way they want, not the way an editor wants them to do it. As a citizen, for me it's a huge difference. I know where my tax is then going.
"If FOSS users were truly exploiting the advantage offered by access to the code, we would see a greater number of issues reported for FOSS, and a faster and more reliable rate. Additionally, FOSS issues would be resolved at a rate consistently faster than commercial. Neither of these represent fact."
Ask yourself: who is paying to make such reports? How could a volunteer community spend time and effort to create such statistics?
For those such as Red Hat, who can afford to work on this, you may find this reading interesting: http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/ and look closely at the time it takes to fix a critical security issue! Or to see how it's improving version after version: http://magazine.redhat.com/2009/01/20/enterprise-linux-52-to-53-risk-rep...
These are concrete facts, and they do support the fact that FOSS is more secure due to its process.
"You state that when there is an issue with FOSS, everyone (para) works on it. How can we verify this, and verify that this differs significantly from what is done in commercial companies?"
Well I can give you my own example: a bug was found in MondoRescue which I'm developing (Cf: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633). In fact, if you look at stats coming from CVE, you may have non-working measures!!
This bug was in fact reported by the Debian project to upstream (myself), and I fixed it ASAP, as I consider security seriously, and the project should always be improved concerning those topics.
So collaboration in FOSS *is* working. Distros report to upstream, and upstream does their best to fix bugs, especially security ones.
"Aside from a bad PHP file, if you want to FIX a Linux distro, you submit the fix, it has to be reviewed and make it into the build process."
Yes, but in the meantime you're *SAFE*!! You can fix your own security issue, and be SAFE. For a Government that's invaluable!!!
How can you do that with CSS?
"If there were no debate, government would have no problem adopting FOSS."
A lot of organizations have adopted FOSS. At least in EMEA. It's just a matter of time (and probably of a new political orientation) before the US does the same. Cf: http://www.osor.eu/ for the latest FOSS news in the EU, and you'll see the impressive increasing adoption of FOSS in EU government entities.
--
Linux Profession Lead EMEA & Open Source Evangelist
http://opensource.hp.com - http://hyper-linux.org