Horseshit on a stick "Can Open Source be secure" BCS riposte

Posted 27 Jul 2010 at 23:50 UTC by lkcl

An article published by the BCS was brought to my attention, and it was full of such glaring omissions and implicit attacks on free software that it had to be dealt with. initially written as a comment, it quickly extended way beyond the length of the original article...

i am very confused. the BCS is supposed to be a reputable organisation, yet this article - every paragraph - is complete horse-shit. i thought about saying otherwise, so that the chances of this comment not being censored are reduced, but i cannot think of any other words to choose which express clearly enough what _really_ needs to be said.

let's go through it.

"Experts do not agree about open source security in terms of whether there is an advantage or disadvantage to its use in the business world."

which experts?

"Experts argue that keeping the source code closed provides an additional layer of security through obscurity."

... for about 5 minutes. ok, that's maybe an exaggeration. in three weeks, i reverse-engineered a binary linux kernel to the point where i could get a replacement running on a closed system. the "security" they added was a complete joke, relying on an EEPROM which, if you didn't read what was in it... well, an analogy is like asking someone to leave a key to the front door under the mat, with a note on the front door saying "if you are a robber, please don't look under the mat".

the only reason the reverse-engineering took three weeks was because it has been a while since i did ARM disassembly, and if it had been x86 and i had money, i could have bought hex-rays which is capable of disassembling x86 code _directly_ into c-code.

so the whole idea of adding security through obscurity is horse-shit for two reasons: a) skilled people have the tools to piss all over binaries as if they were source code _anyway_ b) obscurity usually means "we don't consult any _real_ security experts, we _think_ we know best, but we're not going to get this peer-reviewed 'for secuuuurity reasonns', we're just going to believe in our own arrogance".

even microsoft has some of the world's best cryptographers - they hired them so that nobody else could get them. they sit in their offices. does anyone actually come and consult them? of course not.

"However, just because the source code cannot be seen, it does not mean an application is secure."

hooray! a sentence i agree with. once you wrap your head round its similarity to "just because you're paranoid _doesn't_ mean that everyone isn't out to get you", it actually makes sense...

"Microsoft, as well as many other leading vendors, is well known for releasing regular patch updates to fix security vulnerabilities."

only on the issues that get found / reported. i presume you've seen the reports of underground sales on IRC channels, of "undiscovered" flaws, to the highest bidder? if someone _really_ wants to walk through to somebody's commercial secrets, they need not look very far, just have a lot of money.

"Although Microsoft has become very efficient and transparent with their security vulnerabilities, this still leaves a window of opportunity for anyone who has discovered a security flaw prior to a patch being issued to exploit the vulnerability."

yes. which usually means that someone made a mistake in going a biiit too far with the creation and spread of their virus, so that it ended up being detected (whoopsie) but that's ok, because they can always go back to that IRC channel and spend another $5k+ on yet another unknown vulnerability.

"On the upside, you can usually rely on the patches being dependable and generally not causing systems to crash as they go through a process of quality testing before being released."

the implication being, because you never bothered to check whether there _was_ a process in the major free software projects, that free software teams are somehow irresponsible? sorry, but you either need to get laid or you need to get out more. take your pick, i don't mind which, but please ... *click*.... who allowed this article to be published in the biased state it's in???

"Alternatively open source applications can be updated via the community as developers release updates free-of-charge for the good of the open source users. However, there are no guarantees that the patch will be written and released at all, let alone the quality of the patch, as there is no overriding responsibility to provide a service level of any kind."

sentence 1 contradicts sentence 2. either that, or the implication is that "developers releasing updates free-of-charge for the good of the community is somehow... irresponsible".

it's worthwhile pointing out that if this is a problem, then PAY THE DEVELOPERS SOME DAMN MONEY for god's sake. your business saved enough money not having to pay for proprietary software, so damn well give some to the developers, contract them to do the required improvements, give them a maintenance contract _anything_.

concrete example also where this paragraph is horse-shit: the french government converted to OpenOffice. the french security services found a number of security vulnerabilities. they reported them to the openoffice team. the openoffice team fixed them.

i know a number of free software projects that have private mailing lists for the discussion of security vulnerabilities. samba is one of them. they do an extremely thorough job.

"When large numbers of corporate users are involved, IT departments will look at IT support contracts and SLAs, licensing costs and systems management, as well as system and user security."

most of the time they ignore the fact that they are totally locked-in, and cannot migrate, even if they wanted to: it's too late. there's no alternative. i've dedicated about four years of my life so far to bridging the gap, kick-starting projects that needed to even _begin_ to bridge the gap between the microsoft proprietary and the free software worlds, so i know what i'm talking about.

to discuss this entire issue _without_ even mentioning the yawning gap between the two technological bases (MS proprietary and Free Software) completely undermines the entire article.

"If a business chooses to run an open source system, IT system support is likely to be one of the biggest issues an organisation faces. Due to the lack of commercial responsibility and the un-managed nature of an open source system, established IT support offered by organisations such as Microsoft is rare and relying on a disparate team of developers who write open source code has obvious risks."

horse-shit. you've been taking too many drugs, again, naughty man. the samba team core members have been in the employ of one organisation or the other for nearly.... fifteen years. the apache team members longer than that. the top people in free software are rare but they make their living by being _the_ top experts in their field.

... and you are forgetting: google, IBM, HP, SGI, Sun, novell, redhat - all these companies rely _heavily_ for their success on having the "major" free software project developers happy, funded and taken care of. it's not exactly orchestrated, but they tend to "divvy up" the developers between them. jeremy allison quit novell in protest at their deal with microsoft over patent licensing, and went to work for google.

i'm kinda getting tired already of pointing out the flaws in this article, so won't attempt to make yet another point on this paragraph: it's too easy and a bit like kicking feathers.

"During an open source project’s lifetime, it usually forks off into a variety of different versions,"

err... no, "it" doesn't. which ones are you referring to? and the other point: "welcome to free software! you have the _right_ to do that, if you think you have the skills _great_!".

... can you do the same thing with a proprietary software system? good luck with that...

"depending on what developers require of the new application or operating system. Commercial organisations can often get involved in this, forking off a version of the open source application and placing some commercial backing to the project, typically involving a more structured development approach, a licensing model and structured support services."

*sigh*. and then, equally, there are individuals who can do the same. the ruby-on-rails guy isn't a "company", but he's still the world's leading expert, and he _on his own_ gives a structured approach and structured support services, like... by writing a book and giving lectures and tutorials.

what _exactly_ is the point of mentioning this?? *spits out a feather*.

"This offers users the best of both worlds, where they can benefit from access to the open community of applications whilst still having someone to turn to if they have problems."

err... such as the core developers, as well? by emailing them direct, and offering them benefits-in-kind or, shock-horror, even some money? hellooo? can you even _remotely_ imagine a situation where you could gain direct access to the developers, the best people to solve technical issues, in a large proprietary corporate structure??

"The important part to note here is that the commercial organisation is still extremely keen to ensure the success of the open source project from where their commercial solutions have originated; thus giving something back to the community that has helped them become successful and to ensure future open source ideas have a chance to nurture and grow. Novell’s Suse Linux, Sourcefire’s Snort and Oracle’s OpenOffice are great examples of how successful this partnership can be."

what does this have to do with open source being "secure"? yes, great, you've just misled readers into believing that the only way that free software can be funded is by paying novell or oracle instead of the developers themselves, but what in hell's name does this have to do with the main focus of the article: "security" in free software?

"The cost of maintaining open source applications is another important factor to consider."

the cost of maintaining insecure windows systems is another important factor to consider.

"An organisation with a 2,000 seat license for Microsoft Office faces significant licensing costs."

good god. the second sentence in this dog's dinner of an article which i can whole-heartedly agree with.

"Oracle’s OpenOffice offers an alternative option, allowing an organisation to use the familiar format of Microsoft Office, whilst making cost savings on the standard Microsoft license costs. However, companies should be aware of the hidden increased costs in support and training if an existing Microsoft house is going to change to a new application."

1) OpenOffice doesn't _belong_ to Oracle. check the headers and the list of contributors and copyright holders: i think you'll find this "claim" to be false.

2) have you ever heard of "kitchen" support? companies that ban people from congregating in kitchens often experience a massive spike in internal IT support calls. perhaps this is merely a psychological issue: those people want _somebody_ to speak to, so they subconsciously "break" their machines. perhaps it's merely that people talk during their breaks, and find, especially in a very large organisation, that amongst their peers there are some people who tend to be more knowledgeable than others, and they help _each other_.

3) if you need "training" of people who can't move a mouse over an icon to activate the "tooltips", and who can't tell that there's no difference between a "File" Menu on MS Office and a "File" Menu on OpenOffice, then you REALLY need to get some less stupid employees. GUIs are there to help people who have no ability to "recall". they help people "recognise" - they help people use "recognition" over "recollection" as a means to get things done. the clue is in the word "recognise". "re-cognise". look up the word "cognize" in a dictionary some day. it's a real word. not made up or anything. unlike most of the article.

"The smaller company often has ..." "Through using open source solutions, ...."

good god - i take it all back. two whole paragraphs that i have nothing to criticise. well done! throw away the rest of the article, just leave those two paragraphs, and you'll have an informative readable article. hurrah! well done BCS.

"The reality of open source security" "Open source has advantages and disadvantages. The most widely used argument for not using open source is the additional layer of security through obscurity a closed source application provides."

you've clearly not actually read any free software source code, then, and probably haven't read much source code _at all_. try looking at fontforge's source code some day. i'm an experienced free software developer, and i swear it would take me _months_ to remotely understand how that code works, it's _that_ specialist.

but, joking aside: go get yourself a copy of hex-rays, run it on some windows DLLs that you have the source code for, and then sit the decompiled code side-by-side with the original. i think you'll be in for a bit of a shock.

"This argument is slightly misleading."

what argument?

"An open source operating system contains many thousands of lines of code, and the complexity of reading and understanding the entire open source code and then spotting and exploiting vulnerabilities in the code is an arduous task that is difficult and often requires highly specialist knowledge."

oh for fuck's sake. since when is that something that's _exclusive_ to free software? code complexity is due to users' constantly increasing expectations of computing, and it's NOT exclusive to free software. at least with free software, the discussions are invariably online, you can see what's going on, go back in time, find things, and _help_ the developers (if they want you to). you _certainly_ can't do that with proprietary software.

but - i have an apology to make: i actually seem to be agreeing with you about code complexity, and it would appear that you have actually read some free software source code.

who you probably _haven't_ met is some of the people i know from ISS X-Force Research (now IBM X-Force Research), who used SoftICE to decode x86 assembler (before hex-rays existed) and who just discovered vulnerabilities and flaws in software, directly from the assembler code.

you _don't_ need the source code to find vulnerabilities, and in fact it actually often gets in the way, because the flaws such as buffer overruns or stack overflows are to do with the language and/or the compiler as much as they are to do with programming errors. and if you don't know that, you're not a very good hacker (or security expert).

plus, why is this article making no mention of automated attacks and randomisation? i wrote rpctorture ten years ago, it basically did a network conversation up to a certain point and then started sending random crap instead (or inserting or removing random data). it was _great_ for detecting flaws, as it found things that a human could never reproduce, by quite literally overwhelming a remote system under analysis with possibilities.

such monte-carlo style testing _completely_ undermines this horse-shit "security through obscurity is best" argument, because simply through sheer overwhelming numbers, randomisation _will_ find that one bug that you would never find by "manual" testing or by looking for years at the source code.

monte-carlo testing basically levels the playing-field between free software and proprietary systems. well... more like nukes it.
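as an added example (this is not rpctorture, whose code is not on this page), here is the "replay a valid conversation up to a point, then start sending random crap" idea applied to a constructed toy RPC framing: the same fuzz loop is run against a parser that trusts the peer's length field and against a bounds-checked one, and the oracle is simply "did it reject the junk cleanly, or fall over". the message format, function names and sample payload are all constructed for this illustration.

```python
import random

# Constructed toy RPC framing, used only to demonstrate the fuzzing idea:
#   MAGIC (4 bytes) | length (2 bytes, big-endian) | payload | checksum (1 byte)
MAGIC = b"RPC1"
HEADER_LEN = len(MAGIC) + 2

class ProtocolError(Exception):
    """A clean, deliberate rejection of a malformed message."""

def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF

def build_message(payload: bytes) -> bytes:
    """Produce a well-formed message: the 'valid conversation' to replay."""
    return MAGIC + len(payload).to_bytes(2, "big") + payload + bytes([checksum(payload)])

def parse_naive(data: bytes) -> bytes:
    """Trusts the peer's length field: the kind of flaw randomised input finds."""
    if data[:4] != MAGIC:
        raise ProtocolError("bad magic")
    length = int.from_bytes(data[4:6], "big")   # unchecked, peer-controlled
    payload = data[HEADER_LEN:HEADER_LEN + length]
    trailer = data[HEADER_LEN + length]          # IndexError if fewer bytes arrived
    if trailer != checksum(payload):
        raise ProtocolError("bad checksum")
    return payload

def parse_hardened(data: bytes) -> bytes:
    """Same format, but every read is bounds-checked before it happens."""
    if len(data) < HEADER_LEN + 1:
        raise ProtocolError("truncated header")
    if data[:4] != MAGIC:
        raise ProtocolError("bad magic")
    length = int.from_bytes(data[4:6], "big")
    if HEADER_LEN + length + 1 != len(data):
        raise ProtocolError("length field disagrees with bytes received")
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if data[HEADER_LEN + length] != checksum(payload):
        raise ProtocolError("bad checksum")
    return payload

def mutate(msg, rng, keep):
    """Replay the first `keep` bytes verbatim, then randomly replace, insert
    or delete bytes in the remainder (the rpctorture approach)."""
    data = bytearray(msg)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("replace", "insert", "delete"))
        if op == "replace" and len(data) > keep:
            data[rng.randrange(keep, len(data))] = rng.randrange(256)
        elif op == "insert":
            data.insert(rng.randint(keep, len(data)), rng.randrange(256))
        elif op == "delete" and len(data) > keep:
            del data[rng.randrange(keep, len(data))]
    return bytes(data)

def fuzz(parser, seed, iterations, keep=len(MAGIC)):
    """Feed mutated messages to `parser`. ProtocolError is the right answer for
    junk; any other exception is a bug. Returns the inputs that triggered one."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(VALID_MESSAGE, rng, keep)
        try:
            parser(case)
        except ProtocolError:
            continue
        except Exception as exc:   # the oracle: anything unplanned is a finding
            crashes.append((case, repr(exc)))
    return crashes

VALID_PAYLOAD = b"\x01hello"                  # constructed: opcode 1 plus an argument
VALID_MESSAGE = build_message(VALID_PAYLOAD)

if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(parser, seed=1, iterations=300)
        print(f"{name}: {len(found)} unexpected exceptions in 300 cases")
        for case, err in found[:3]:
            print("   ", case.hex(), err)
```

the point of keeping the magic bytes intact is the same one rpctorture relied on: get past the part of the parser that would reject the message outright, so the random bytes land on the code that actually does the work.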

why in god's name has this person been allowed to write this article, when even basic things like this aren't even mentioned??

"On top of that, when speaking to many open source users, penetration testers and hackers, you could count on one hand the number that would even be interested in reading and understanding such large applications. They prefer to use the open source operating systems and the plethora of tools that have already been written to test closed source applications. It’s just that much easier."

i don't even understand why this paragraph is here, because... i don't understand this paragraph. perhaps it contains some coded cypher. perhaps it contains the key to unlocking the secret message in nostradamus' prophecies. who knows. but anyway - i think this paragraph translates as: "i know - let's take the average person in the street, and let's take people with specialist skills, and let's ask them if they'd like to spend their time learning completely different skills that are of absolutely no interest to them. let's completely forget about the people coming out of university who want a bit of a challenge, who actually _decided_ to get a training in software development, and are wondering how to keep themselves occupied whilst looking for a job. let's completely forget about the google summer of code programme. let's forget about all the intelligent people in the world (such as myself) who excel at simply diving into massive random bits of source code and becoming familiar with it in weeks (except for fontforge - i reaallly don't get that code)". ok, enough with the sarcasm, i think you get the point.

"Although the argument for security through obscurity is a powerful one,"

HAHAHAHAHAHAH ahHAHAHAa. i'm sorry, couldn't help it. laugh? i nearly did.

"its significance is overplayed within the open source debate as a serious attempt to find a system vulnerability begins with the attacker writing a specific application to look for system vulnerabilities - a tactic that works equally well on open and closed source systems."

hooray! why the bloody hell didn't you say that earlier? and why insult the readers' intelligence by not mentioning the names of such techniques, so that people like myself don't rip this article to shreds??

so, you go to alll the trouble of making "security through obscurity" implicitly the main argument for favouring proprietary software, and _then_ towards the end of the article, _then_ you say "actually, security through obscurity isn't great"??? can i help you with that medication at all, sir?

"Open source in business can offer organisations a significant advantage and should not be overlooked because of concerns over security."

don't think of the pink elephant, don't think of the pink elephant! err... _what_ concerns? the entire article reads like an implicit attack on free software, only now i'm really confused.

"Although this is an important issue to any organisation, data and system security can be equally or more secure with an open source system than the alternative."

in other words, you're hedging your bets. you don't _actually_ have any clue, or any real advice for people, and decided that it's best to come up with an inconclusive conclusion. i thought conclusions were supposed to... conclude? i could be wrong, i'm learning new things all the time, especially here, wow.

"Both open and closed source systems have advantages and disadvantages. Although security experts are unlikely to unanimously agree on the best route for an organisation to take, it is critical that organisations protect their most important asset, their data, regardless of which path they take."

great! another paragraph i agree wholeheartedly with. it's such a pity that the rest of the article gives me absolutely _no_ good advice that i can make use of to make any decisions, one way or the other.

"Can open source be secure in business? Yes - but organisations should not rush into an open source system without considering all of the other issues that come as part of the package. Ultimately open source is a moving target, closed source is a stationary target - both are targets that need protecting."

you should have stopped at the previous paragraph. or maybe stepped out to the beach for the day and allowed the deadline for submission of the article to expire.

organisations should not rush into ANY software system without considering all of the other issues that come as part of the package, and you haven't really advised readers what those issues are. in fact, you've misled them quite a lot, on an authoritative web site such as the BCS, no less. oops.

Ultimately ALL software is a moving target for as long as users' requirements change. humans change their minds. shit happens. the world spins. it's just that you don't get to _see_ the process of development behind "closed proprietary doors". should you somehow feel "more comfortable" because you can't see what's going on?? read dilbert for the best answer to that one.

ultimately, the development models are just... different - radically different. free software is about returning to "software as a service" as opposed to a "boxed product" mentality, where back-handed ways to maintain monopolies, and obsolescence and _deliberate_ yes deliberate early-release and deliberately installed bugs are the only way to guarantee continued income.

these kinds of tactics are why i flatly refuse to use proprietary software, except in absolute absolute specialist areas where there is literally no alternative, and no way that "grass roots" would result in a free software project beginning, let alone taking over. modelling in 3 dimensions of gas / molecular simulations, for very large companies such as Boeing, so that they can do accurate jet engine simulations. real-time engine management software where absolute safety and a 5-man team doing line-by-line code reviews justifying and discussing absolutely every single line of code is paramount. google's massively distributed search engine. these are highly highly specialist software tasks that take incredibly intelligent people _years_ to get right, and you simply don't get the average kid out of university knocking together something like that "for free".

although, FlightGear did knock even its proprietary commercial competition off its perch, to the extent where the commercial competition abandoned their own product, they submitted their data and code as free software as a contribution to FlightGear and then started selling and supporting FlightGear instead!

i have to confess: it's easier to knock somebody else's article than it is to give you some concrete advice, especially unplanned at midnight, but let me try to regurgitate something:

* the author is right in one respect: you DO need to think seriously about what software you're going to deploy, and to properly plan ahead for protection of assets. first by working out which assets are most valuable - i.e. which ones earn you the most money. this is a _business_ evaluation, not an "IT" evaluation. i have a friend who specialises in this kind of analysis: he told me about one example where, in a room full of servers, _one_ machine which was unmarked, not backed up, and had _no_ redundancy of any kind, was responsible for 90% of the company's revenue. the rest of the servers were horse-shit.

* for the _average_ business, free software such as Firefox, OpenOffice, Apache, Ubuntu, PostgreSQL, MySQL and so on are _perfectly_ adequate replacements for the proprietary alternatives, and it's only because the proprietary software is "ingrained" into people's skulls that they complain. anyone _not_ exposed to microsoft software, when put in front of the free software alternatives, just "gets on with it".

* for _specialist_ tasks, it's a different story. there simply aren't the overwhelming statistical numbers (million monkeys) to result in the creation of specialist software as _free_ software. this doesn't mean that you should deploy an _entirely_ proprietary software stack throughout the entire business (baby, bath-water...). the key here is the word "specialist". does your business _really_ need specialist software?

* for free software, you are immune from windows viruses. at a quarter of a million new viruses per year and _exponentially rising_, the microsoft monoculture is, like any biologist will be able to tell you, imploding. get out while you still can is my best advice.

* for free software, the "diversity" which is sooo scary, actually _protects_ against virus attacks. it's simply not possible to write a virus which can simultaneously target 150 subtly different linux distributions, when you don't even know if some of those systems are going to be Intel x86 boxes or not: they could be increasingly MIPS or ARM-based. if the processor is an ARM processor, it simply _cannot_ run x86 code, and that's the end of it: any x86 virus is dead in the water on an incompatible processor. but because you have access to the source code, the application (firefox, openoffice etc.) can be compiled for that processor, and it will just work, regardless of the CPU it's running on. you cannot *get* microsoft windows 7 for ARM or MIPS (but you can get Windows NT 3.5 from 20 years ago, or Windows CE! try running your business on those!)

that's all i have time for - there is obviously more, but i'm not getting paid to write this, so i will stop. if anyone would actually _like_ to pay me for having written this, then great! look me up, i'm easy to find.

intriguing comments by other people on the BCS article, posted 29 Jul 2010 at 14:49 UTC by lkcl

the comments by others on the original BCS article are quite... illuminating. mostly people are in shock. one is horrified and embarrassed that they're actually a paid-up BCS member.

overall, it seems that the article is designed around the assumption that users and I.T. departments are stupid, whereas the comments being received tend to demonstrate the complete opposite - that people are actually intelligent enough to follow the patch procedures for both proprietary and free operating systems. and, far from being unhappy and nervous of the "open" discussions behind free software, are getting sick to the back teeth of being dependent on a "closed doors" proprietary security-patching process where they have absolutely no idea what's going on until they're presented with a fait accompli.

also it's worth mentioning that the BCS itself has subtly edited my comments, removing all swearwords and sarcastic witticisms, removing entire paragraphs (you can compare for yourself) and is censoring attempts to provide links to the original, here. so i'd like to make a small Streisand-effect request - namely that people post links on the original article, to demonstrate to the BCS that censorship is generally a bad idea. feel free to ignore me, of course, if you prefer.

There is a risk with using open source, posted 28 Oct 2010 at 08:14 UTC by chalst

Namely, if it can be seen that you are slow in deploying patches to software in response to the appearance of vulnerabilities, you are very much at risk.

Now children, don't go using your Apple hardware running Apple's OSX on internet-visible machines, not until you're a bit older and know how to put up-to-date free software in your $PATH.

It is amazing that OSX comes bundled with Apache (advertising your OS, of course), OpenSSH, and Postfix, and yet they ignore patches for vulnerabilities with proof-of-concept exploits with some weak talk of worries about the effect of these patches on other parts of their OS. How do these risks compare with having your machine added to a botnet? Tolerable UI latency issues, I suppose.
