Insecurity in Open Source? - A Rebuttal
Mr. A. Russel Jones betrays a remarkable amount of dim thinking in his article "Open Source Is Fertile Ground for Foul Play". The following is my step-by-step rebuttal of his arguments.

Mr. Jones begins by saying: "This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source."

While I am sure many people try to do so, such code doesn't get very far. Peer review is a very powerful process. It has repeatedly proved superior to any commercial variant at identifying a threat.

Jones goes on to give supporting statements for the premise above. His first supporting argument is: "Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies—and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust."

Indeed? You are correct that knowing which distributions to trust is part of it. You forgot one other thing, though: if the corrupted version isn't made public, then it isn't really open source, is it? Say a company did make a malicious version of, say, Linux, and then refused to make the source code available. That is a big warning flag, and the distro simply won't sell. If instead they release a fake version of the source code, peer review kicks in. Someone tries it out, notices that the kernel binary shipped with the distro doesn't match the kernel they compiled from the published source, and raises the alarm. Serious legal action follows, and once again the distro is finished.
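The "compile it yourself and compare" check described above, as an added example; this is not code from the original article or from any distribution's tooling. It models the test in Python: hash every artefact the distro shipped, hash the same artefact rebuilt from the published source, report the ones that differ, and flag anything that was shipped but for which the published source produces nothing at all. The path names and byte strings are constructed stand-ins for real binaries, and the "tampered kernel" is simply the clean bytes with a blob spliced in.

```python
"""Compare a vendor-shipped build against a local rebuild from the published source.

Added example (not from the original article). Artefact names and contents below are
constructed stand-ins for real binaries.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class BuildReport:
    matched: List[str] = field(default_factory=list)
    # name -> (shipped digest, rebuilt digest) for artefacts whose bytes differ
    mismatched: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # shipped but not produced by the published source: the most suspicious case
    only_shipped: List[str] = field(default_factory=list)
    # produced by the source but not shipped: usually benign, still worth noting
    only_rebuilt: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.mismatched or self.only_shipped or self.only_rebuilt)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> BuildReport:
    """Hash-compare every artefact present in either tree."""
    report = BuildReport()
    for name in sorted(set(shipped) | set(rebuilt)):
        if name not in rebuilt:
            report.only_shipped.append(name)
        elif name not in shipped:
            report.only_rebuilt.append(name)
        else:
            s, r = sha256_hex(shipped[name]), sha256_hex(rebuilt[name])
            if s == r:
                report.matched.append(name)
            else:
                report.mismatched[name] = (s, r)
    return report


def first_divergence(a: bytes, b: bytes) -> Optional[int]:
    """Byte offset where two artefacts first differ, or None if identical.
    When hashes disagree this tells the reviewer where to start disassembling."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


# Constructed sample artefacts (tiny byte strings standing in for real ELF files).
CLEAN_KERNEL = b"\x7fELF" + b"\x00" * 28 + b"kernel code here"
# Same bytes with an extra blob spliced in that the published source never produces.
TAMPERED_KERNEL = CLEAN_KERNEL[:20] + b"<backdoor>" + CLEAN_KERNEL[20:]
CLEAN_LIB = b"\x7fELF" + b"library code here"

SHIPPED = {
    "boot/vmlinuz": TAMPERED_KERNEL,
    "lib/libc.so": CLEAN_LIB,
    "usr/bin/helper": b"binary with no corresponding published source",
}
REBUILT = {
    "boot/vmlinuz": CLEAN_KERNEL,
    "lib/libc.so": CLEAN_LIB,
}


def demo() -> BuildReport:
    report = compare_builds(SHIPPED, REBUILT)
    for name, (s, r) in report.mismatched.items():
        off = first_divergence(SHIPPED[name], REBUILT[name])
        print(f"MISMATCH {name}: shipped {s[:12]}.. rebuilt {r[:12]}.. first differs at byte {off}")
    for name in report.only_shipped:
        print(f"EXTRA    {name}: shipped, but the published source produces no such file")
    for name in report.matched:
        print(f"OK       {name}")
    return report


if __name__ == "__main__":
    demo()
```

The comparison is only meaningful when the rebuild is done under the same conditions the distro used: same toolchain and configuration, with embedded build timestamps, user and host names pinned (for the Linux kernel, the KBUILD_BUILD_TIMESTAMP, KBUILD_BUILD_USER and KBUILD_BUILD_HOST variables). Otherwise benign differences swamp the signal, and a structural diff tool such as diffoscope is needed to separate them from injected code; the divergence offset above is the crude version of that step.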
Now take that same scenario with a closed source application. You have no way of knowing whether there is malicious code in the app. You have no clean copy to compare it against. You have no peer review. In short, open source has an additional layer of protection in this scenario which closed source does not. There are a number of very trustworthy distributions out there which have proved themselves. Stick with them and you will be fine.

Jones goes on to say: "Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside—and inside, for open source, means anyone who cares to join the project or create their own distribution."

This is either an outright lie or an example of a massive lack of understanding. Such testing does not only work against known outside threats; it will also uncover malicious code in the source. Testers in open source don't just download the binary and run it. They download the source, look it over, compile it, and then run it. They may also do the same with the binary, which serves to point out any differences between it and their own compiled version. The system of peer review makes it practically impossible to hide parts of your source from the public without their knowing about it. Someone will notice, believe me.

Jones doesn't, of course, stop here: "Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines."

He seems to be saying here that someone in the targeted organization's IT department could use their position to deploy maliciously modified open source apps. But seriously, if you hired malicious IT personnel, open source is the least of your problems. Open source can hardly be held responsible for your poor hiring practices. Such a person is a danger whether you're running Windows and Office or Linux and OpenOffice. He could release a Windows virus on the network, or write malicious VBA code for the office suite, just as easily as he could distribute modified open source apps. None of Jones's suppositions holds any weight, and as such I fear we must file his argument under file 13.