As a proponent and firm believer in Open Source as a long-term development
  model, I would even pose the following point:

  Even though such subversion of the source code tree is possible (and
  *has* happened, most notably with the Linux kernel v2.4, if I recall),
  the incentive for full disclosure and transparency is much less in
  a closed source environment; Microsoft, for one, would definitely be
  reluctant to come out in the open and recall Windows 2000 or XP, publicly
  declaring that their source repository was corrupted.

  Referring back to the aforementioned break-in in the Linux community: when
  the backdoor was found through code audit and removed, it was instantly
  disclosed and as much information as possible was circulated on it, to
  ensure that everyone concerned got a chance to update and remove the
  vulnerability.

  So I would counter that although the openness of the codebase makes
  it *somewhat* more vulnerable to attack (I would believe that Mr. Russell
  has never tried submitting patches to open source software such as the
  kernel), closed source would be even *more* dangerous from this point
  of view, as other incentives (business rules, reputation and so on) would
  let the vulnerability go unnoticed by most until the flaw was
  exploited.  And even then, it might take months for a vendor to respond
  to a disclosure (as is frequently seen in reports on bugtraq).

  Therefore, I contend that the situation exposed by Mr. Russell exists
  in both environments, but that the potential risk to end customers is
  magnified in closed source environments due to business and human
  factors, and the "better protected" claim is definitely open to debate.


> Date: Thu, 12 Feb 2004 16:58:26 -0500
> From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
> Subject: [SC-L] Open source fertile ground for foul play?
>
> There is an interesting article over on DevX.com (see the full article at
> http://www.devx.com/opensource/Article/20111).  In the article, DevX
> Executive Editor A. Russell Jones says that, "Eventually--and
> inevitably--an open source product will be found to contain a security
> breach--not one discovered by hackers, security personnel, or a CS student
> or professor.  Instead, the security breach will be placed into the open
> source software from inside, by someone working on the project."  He says
> that this is true because open source "lets anyone modify source code and
> sell or distribute the results".
>
> Now, I sure don't doubt that it's possible to deliberately insert a
> vulnerability into a software product, but I fail to agree with Mr. Jones
> that open source is more vulnerable to this _because_ it is open.  IMHO,
> if a particular open source product is vulnerable to an insider attack, it
> is because of the processes in place for protecting the code from attack.
> I would think that a closed source product could also be susceptible to
> that if the code tree is not adequately protected.  Further, I don't see
> any reason why an open source project couldn't follow good sound practices
> in protecting its src tree from attack.  Admittedly, Jones does say that a
> closed src product could also be subverted like this, but that it is less
> likely, "because the source is better protected".
>
> In any case, that's just my opinion on the matter, fwiw.  (Oh, and I
> should probably also point out that I'm referring to processes in my
> comments, not to any particular products.)
>
> Cheers,
>
> Ken
> --
> KRvW Associates, LLC
> http://www.KRvW.com


::: ----------- jean-francois "jeff" poirier
icq 4172055             [EMAIL PROTECTED]
      http://www.horslimites.org/whitenoise/

propellerhead / project lead :: horslimites
                  http://www.horslimites.org
--------------------------------------------
  "there ain't a problem that I can't fix...
   cause I can do it in the mix"
