[LINK] Building trust into open source

Rick Welykochy rick@praxis.com.au
Thu, 21 Mar 2002 13:53:29 +1100


Bernard Robertson-Dunn contributed:
> Building trust into open source
> By Robert Lemos, Special to ZDNet
> 21 March 2002
> http://www.zdnet.com.au/newstech/os/story/0,2000024997,20264153,00.htm

[SNIP]

> With Microsoft launching a major security initiative in response to recent
> criticism, some fear that Linux and open-source developers have become
> complacent in the commonly held belief that open-source programs are more
> secure.

Non sequitur. *If* MS is ramping up on security, it is only playing catchup.
Open source software developers have consistently and transparently reported
and fixed the bugs/exploits (as listed in the article) within TWENTY
FOUR hours of detection of the flaws. This can hardly be called complacency.

> In February, a flaw found in the popular scripting language PHP left as
> many as 9 million Web sites vulnerable to attack. Though the number of
> vulnerable sites could be as low as 100,000 and the flaw is hard to
> exploit, the software bug resembles the Web software slipup that left
> Microsoft servers vulnerable to the Code Red virus.

*shrug* PHP is on par with ASP (MS's VB-based web scripting language), and
is eschewed by software developers who require reliability, scalability and
best class software architecture. It is basically the 'script kiddies' web
language of the open source community.

> In March, another flaw, in the omnipresent Zlib compression library, left
> Linux systems potentially vulnerable to attack, though no program
> exploiting the hole has surfaced.

Announced and fixed within 24 hours. I have read the plethora of Zlib
security announcements on BUGTRAQ. Many of them concern Windows/NT.

An omission was made in the article: many Windows O/S components as well as
third party apps use Zlib as well. And since Windows software is "black box"
(i.e. closed) no-one really knows where and how the Zlib bug will eventually
appear in Windows and be exploited. It will be impossible to fix in Windows
programs that have statically linked in Zlib, since those programs cannot
take advantage of an updated shared library to fix the problem.
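The static-versus-shared distinction above is exactly what an administrator has to inventory after a library advisory. The following script is an added example, not code from the post or the article it quotes: it reports whether a file carries its own statically linked copy of zlib (only a rebuild fixes it) or depends on the shared libz.so (fixed by updating the library). It assumes zlib's standard source banner "inflate <version> Copyright" survives in the binary, that ldd is available for the dynamic check, and that FIXED_VERSION is a placeholder the operator fills in from the advisory; the sample file it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post). Classify a program's zlib
# linkage so that statically linked copies, which an updated shared library
# cannot fix, are not overlooked.

FIXED_VERSION="${FIXED_VERSION:-0.0.0}"   # PLACEHOLDER: set from the zlib advisory

# Version string embedded by a statically linked zlib (from zlib's own
# "inflate x.y.z Copyright ..." banner), or empty if no banner is present.
zlib_embedded_version() {
    grep -a -o -E 'inflate [0-9]+\.[0-9]+\.[0-9]+ Copyright' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Succeeds (exit 0) when dotted version "$1" is >= "$2", numerically per component.
version_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$top" = "$1" ]
}

# Prints one of: static:<ver>:ok | static:<ver>:VULNERABLE | shared | none
zlib_linkage() {
    f="$1"
    v=$(zlib_embedded_version "$f")
    if [ -n "$v" ]; then
        # Banner inside the file itself: zlib was compiled in, not loaded from libz.so.
        if version_ge "$v" "$FIXED_VERSION"; then echo "static:$v:ok"
        else echo "static:$v:VULNERABLE"; fi
        return 0
    fi
    # No embedded copy: see whether the dynamic loader would pull in libz.so.
    if command -v ldd >/dev/null 2>&1 && ldd "$f" 2>/dev/null | grep -q 'libz\.so'; then
        echo shared
    else
        echo none
    fi
}

# Constructed sample: a fake "binary" containing the zlib 1.1.3 banner text.
make_sample() {
    t=$(mktemp)
    printf 'junk\001 inflate 1.1.3 Copyright 1995-1998 Mark Adler \001junk' > "$t"
    echo "$t"
}

sample=$(make_sample)
echo "$sample: $(zlib_linkage "$sample")"
rm -f "$sample"
```

Run it over /usr/bin and /usr/lib (for f in /usr/bin/*; do zlib_linkage "$f"; done) to list the programs an updated libz.so will not repair.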


> "Open-source programs are subject to much more scrutiny and, in case of
> problems, fixed much more quickly than closed-source programs," Gailly
> said. "Apache is not more popular than Microsoft IIS (Internet Information
> Server) by accident; one of the reasons is that it is more secure."

:) I can count the number of exploits found in Apache on one hand. Not a bad
track record for a web server that has been out in the wild for over seven years.
How many limbs/fingers are required to count the IIS exploits of recent years?


> [Torvalds] continued: "In the open-source community, the community has so far been
> pretty good at policing itself without the embarrassment. Do bugs happen?
> Yes, of course. But do they get found and fixed without a new virus of the
> week that costs a few billion dollars of user time? You bet."

I have seen no estimates on the cost of open-source exploits, but absolutely nothing
on the scale of Code Red, Nimda, Melissa or I Luv You has ever been experienced by
the Unix/Linux/Mac platforms. The estimates of damage caused by ravaged Windows servers
and clients are in the BILLIONS of dollars.


-rickw


-- 
_____________________________________________
Rick Welykochy || Praxis Services Pty Limited

Immediately before the big bang occurred, a loud voice was heard saying 'Oh, shit!'