View
1.666
Download
1
Embed Size (px)
DESCRIPTION
This presentation originally developed as part of FOSSSL 2006 (FOSSMil), was recently slightly updated and delivered at CERT SL Conference. In my talk, I discuss why FOSS is generally considered to be more secure than proprietary software.
Citation preview
By Buddhika Siddhisena
CTO & CoFounder ThinkCube SystemsMember of LKLUG
Free & Opensource Softwareand
Security
“Opensource software lets anyone to look at the blue print source code”
“What happens if these blue prints got into the wrong hands?”
Can you achieve securitythrough Openess?
NSA
NSA = No Such Agency
NSA = National Security Agency
“NSA is famous for keeping secrets, including their existence”
“NSA releases SELinux, a security enhanced version of Linux as
Opensource Software”
“Hey wait a second !”
#1 org to keep secrets releases their blueprints?
"Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few
loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and
have a few beers” --Larry Loeb
Source: http://www.ibm.com/developerworks/library/s-selinux/?n-s-381
So whats going on @ NSA?
Why did the most security conscious agency in the US do this?
"The Information Assurance Research Group of the NSA is responsible for
carrying out the research and advanced development of technologies needed to
enable NSA to provide the solutions, products, and services to achieve
Information Assurance for information infrastructures critical to U.S. National
Security interests.”
Source: http://www.nsa.gov/selinux/info/faq.cfm
critical to U.S. National Security interests
critical to U.S. National Security interests
All computer software, whether Open Source or proprietary...
Has had bugs...
Currently has bugs...
And will continue to have bugs...
“Given enough eye ballsall bugs are shallow”
- Eric S. Raymond
EnglishTranslation : Given the fact that many people are constantly looking
at the source code, and because anyone can improve it (by reporting or fixing bugs for eg.), it is less likely to
contain many bugs.
“So how secure is Linux?”
A four-year study released by Coverity, reports Linux has a low bug count, making the code more stable and secure. The 2.6
Linux production kernel, now being shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million
lines of code, far below the industry average, said Seth Hallem, Coverity's CEO.
Source: http://www.internetnews.com/dev-news/article.php/3448001
Commercial software contains 20 to 30 bugs for every thousand lines of code, according
to Carnegie Mellon University's CyLab Sustainable Computing Consortium. That is the equivalent to 114,000 to 171,000 bugs in
5.7 million lines of code.
Opensource vs Proprietary
985 bugs vs 114,000+ bugs
Defect density declined by 2.2 percent as the total lines of code in the Linux kernel
continues to grow from 5.76 million in December 2004 to 6.03 million in July 2005,
which represents a 4.7 percent increase.
"Although the size of the Linux kernel increased over the six-month study, we
noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, CEO of
Coverity, in a statement.
Free & Opensoure software is transparent
“Did you someone say Free?”
“Free as in Freedom not as in
Free Beer!” - Richard M. Stallman
By using FOSS you have 4 types of freedom
Freedom 0
The freedom to run the program for any purpose
Freedom 1
The freedom to study how the program works and adopt it to your
need
Freedom 2
The freedom to redistribute copies
Freedom 3
The freedom to improve the software and release the
improvements to the world
Many Governments are adopting or have completely migrated to FOSS
Brazil
Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm
Germany
Source:
France
Source: http://www.technewsworld.com/story/36886.html
China
Source : http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm
South Korea
Source: http://news.com.com/2100-7344-5084811.html
To name a few...
but what aboutSri Lanka?
Why are they adopting or migrating?
Its not always because of the lower price of acquiring FOSS
Its not always because of the lower Total Cost of Ownership (TCO) of
using FOSS
Though they alone are good reasons!
Some Chinese officials are convinced that having an American government dominate the market compromises national security. Secret security flaws in Windows can be
used to access Chinese networks. Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working
with the US government on intelligence issues.
Source: http://www.g4tv.com/screensavers/features/39528/China_The_Republic_of_Linux.html
“Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues?”
Conspiracy Theory?
http://en.wikipedia.org/wiki/NSAKEY
Kraft points to an ongoing public battle between the Commonwealth of
Massachusetts and Microsoft. The state is trying to pass legislation that would have the state adopt an open source document policy
by January 2007 in order to better protect the accessibility of its digital documents.
Source:http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1180306,00.html
The state is arguing that if Microsoft or another closed source software vendor ceased to support older versions of its
platforms, thousands of the state's archived documents could be rendered useless.
Imagine during an emergency or after a disaster, governmental
organizations not being able to work effectively because they relied on a
closed document format
And finally...
Why aren't there a lot of Linux viruses?
A computer virus, like a biological virus, must have a reproduction rate that exceeds
its death (eradication) rate in order to spread.
If the reproduction rate falls below the threshold necessary to replace the existing
population, the virus is doomed from the beginning
The reason that we have not seen a real Linux virus epidemic in the wild is simply
that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities;
the reality is that there is no viable Linux virus.
Source: http://librenix.com/?inode=21
And finally finally finally ...
True security comes NOT from OBSCURITY
True security comes fromTRANSPARENCY
~ the end