Archive for the ‘Open Source’ Category
Musings on open source security, malware, and vulnerabilities
So welcome back from the break! I hope you all had a great new year, and a good season.
So, to kick us off on a new season, I came across an article today talking about the biggest threat to open source security for 2009. In case you don’t feel like reading the whole thing, the point of the article is basically that “most open source lacks update services” and that that represents a huge risk to enterprises.
Now, I can tell what you’re thinking – you’re probably thinking that open source does have update services (rpm, apt-get, yum, etc.) and you’re probably wondering what this guy’s been smoking to write this. I wondered that too at first – and heaven knows I’m not an open source fanboi (I don’t subscribe to the belief that just because you publish the source, it all of a sudden means that you have legions of interested and skilled security testers auditing your code for you.) But then I got to thinking about it a little bit and realized that there is an issue underlying it all that bears some thinking about. The article touches on an interesting point – even though it sails right by it to make another point that’s dubious.
Which is that (no matter how much some people might extol the virtues of RPM), keeping some open source software up to date requires a bit of knowledge – in other words, to make sure patches get installed properly, you sort of have to have a vague clue about what you’re doing. Not that you can’t do it, not that any open source project should do anything differently – just that some projects are harder to update than others. Compare that to Windows which – no matter what you say about it – doesn’t really require much skill to keep updated and patched.
And it also begs the ultimate question which is who’s accountable for there being a patch in the first place? In general, most open source communities have a good track record for delivering timely patches (some might even say faster than many commercial software vendors) – but who’s accountable? Will an enterprise have an assurance that they’ll get a patch? Whether or not it gets automagically installed, companies need to know that they’ll get a patch in place – and at the end of the day, they feel less confident when there’s no assurance.
So what’s the bottom line? Is it the case that open source will be chock full of holes in 2009 and get run over by a freight train of malware, trojans, and worms? Doubtful. Will open source users all of a sudden start getting bombarded by “Antivirus 2009” popups telling them they’re infected? Not likely. But is it the case that admins need to have a higher degree of a clue to keep open source software patched, and is it the case that companies are afraid to use it because they want greater accountability? I happen to think so.
Thanks to Diana for the hilarious picture and the suggestions on the edits.
“Wide open” means extra security
As you may or may not remember, last week I commented that I think we need to rethink whether open source is or is not de facto more secure; if I had but waited a few days to go there, I could have used this article as an example of the kind of thing I’m referring to. The article, originally from Infoworld, basically makes a case for why open source security tools are more popular than closed-source ones; however, I think that quite a few of the premises on which the argument is founded require further justification. To see what I mean, take a look at this quote:
Although no OS is truly secure, security tools offered on a Windows platform are immediately suspect, due to well-documented security issues of the underlying OS. Linux, FreeBSD, NetBSD, or OpenBSD-based products have a much better security track record (OpenBSD claims to have had only one remote hole in the default install in more than eight years).
OK, so Windows tools are immediately suspect. Why? The article says it’s because of “well documented security issues” and that other OS’es have a “better track record” but I’m not sure what he means. What metric is he using to quantify this better track record? Is it because of the number of vulnerabilities? CERT says that Windows has fewer. Is it because of some other features of Windows? If so, which ones specifically? The point is that the article doesn’t say – the premise that other OS’es have better security is implied. I don’t buy it; at least, I won’t buy it without further justification.
Now people are going to say that I’m pro-Microsoft, but really the opposite is true. I’m not pro-anybody; in fact, at the house I run a number of different OS’es: OS X, Windows 2003 Server, Solaris on Sparc, and even Windows 98 (since it’s the only thing around that’ll still run Merchant Prince 2.) So I’m pretty much impartial – with the exception that I usually like to see the underdog win (so if anything I guess I lean toward supporting other platforms.) But I don’t agree that “because it does” is acceptable supporting evidence for an argument outlining why Microsoft’s security sucks. Maybe their security sucks and maybe it doesn’t – but I don’t think we can put a stake in the ground one way or the other until we decide on some evaluation criteria and actually do some analysis about it.
Look, I’ve used nessus and nmap professionally – on Linux if you’re curious – but the reason for that has nothing to do with better security… It has to do with the fact that nessus is free, it provides about the same level of value as commercial scanners, and it doesn’t run on Windows (until the 3.0.3 beta, that is.) If it ran on Windows, I’d use it on Windows. So at least in my case, the reason I use nessus has nothing to do with the (in)security of the OS – it has to do with what OS the tool supports (and please don’t mention NeWT).
How is Security like Bread Mold?
Did you know that for quite a long time, individuals believed that living creatures could just magically appear out of thin air? It’s true. Up until the Middle Ages, folks believed that things like mold, maggots (ewww), and mice would just “pop” into existence from other substances like rotting meat and old bread. The theory was called Spontaneous Generation, and if you think about it, it makes sense: you put a piece of bread out on the table and watch it for a while. Magically, the bread “turns to mold”. Amazing. Mystical, even. Nowadays we know that there is more going on behind the scenes that accounts for the mold, but they didn’t know that then.
So where am I going with this? I was reading with interest Klocwork’s analysis of Firefox over at their blog (always interesting reading, by the way.) The background story is that Klocwork ran their source-code analysis tool on Firefox and found a bunch of (potential) programming issues. Now, of course there was a bunch of static in the comments from individuals on both sides of the “are these really issues” side of the fence, and I don’t really have an opinion on that one way or the other. However, it was one of the comments that really got me thinking. Here’s the comment, from an individual going by “clover”:
Actually I do find Firefox to be more secure than IE. Since it’s open source it is easier to audit because you don’t have to reverse engineer it. So far the Mozilla team has been good about fixing vulnerabilities as they arise, compared to Microsoft’s speed in handling these issues…
So that’s the traditional wisdom, right? Open source is easier to audit, ergo it is less likely to have vulnerabilities. But as we know, just because something is a widely held belief (like spontaneous generation) doesn’t mean it’s true; after all, if nobody re-evaluated the assumptions about where bread mold comes from, we’d still all think that it appeared by magic. So is this traditional wisdom true? For a long time, I thought it was. But now I’m starting to reconsider.
Why am I reconsidering this basic premise? Because I have yet to come across anybody except vendors like Klocwork (and to be fair Coverity and others) as well as the occasional researcher (HD Moore comes to mind) who actually do any auditing… No, it’s true: I’ve worked in a broad cross-section of the industry and I can say with experience that I have yet to find anybody who’s doing this seriously: the feds aren’t doing it, industry isn’t doing it, academia isn’t doing it. Who is? Researchers? Researchers only audit code to the extent that it gets them props (trust me, I speak as an ex-researcher) – and the biggest props correspond to the most popular software. So researchers aren’t necessarily auditing open source tools more. So where is all this auditing happening?
Look, if I use an open-source product like Firefox (which I happen to use by the way – because I like tabbed browsing, not for any security reason) instead of IE, does that mean I’m more secure? Maybe, maybe not. What about if I use an open-source browser that’s less popular like Konqueror? Does the fact that it’s open source de facto mean that more people have audited the code just because they have the ability to do so? I think if we think about it logically that we’d have to say “no”. Now I’m not saying that Firefox isn’t more secure than IE (or vice versa by the way), but I am saying that the statement that it’s more secure because it’s open source needs some more justification than a perceived increase in eyes on the code…