Free software brings transparency
- Thread starter bogz
- Start date
RainmanTime
Super Moderator
Hi bogz,
Here is a question I have about open software when it comes to security of an "open" OS. How do you ensure security of an "open" OS since the code is available for anyone to view and thereby identify means to potentially compromise security in any instance of the OS... or even introduce a change to the OS which provides their own "back door"?
I think about this not only from the OS level, but also from application level when it comes to data encryption. How can we be CERTAIN we are secure when using open source products?
Thanks for any thoughts you can shed on this...
RMT
Here is a question I have about open software when it comes to security of an "open" OS. How do you ensure security of an "open" OS since the code is available for anyone to view and thereby identify means to potentially compromise security in any instance of the OS... or even introduce a change to the OS which provides their own "back door"?
I think about this not only from the OS level, but also from application level when it comes to data encryption. How can we be CERTAIN we are secure when using open source products?
Thanks for any thoughts you can shed on this...
RMT
My opinion is that since closed source software typically prohibits people from examining binaries and hunting for exploits, only malicious users will attempt to find weaknesses. A case of if guns are outlawed, only outlaws will have guns. With open source software, law abiding citizens get to participate in the hunt for flaws. They also get to review any code they use to their satisfaction to make sure it is safe before they compile it.
Most users do not run applications that listen for connections from the outside world. The most popular way to deliver malicious payloads to this group is through their web browser or email client. Most of the time the delivery mechanism has to be customized to the browser or email client so I am more a fan of security through diversity than obscurity. Not running the most common software has it's benefits, making it harder for hackers to deliver their code to you.
This leads me to allowing 3rd party content onto the website you are viewing. I block as much 3rd party content as possible when I browse so I only load content from the server I visited, not from 3rd party sources. I generally trust the sites I'm visiting, just not content that can be added to the site without the owners approval such as some types of banner advertising services. Using Firefox + AdBlock I have not seen a banner advertisement on my PC in over two years. When I sit down on someone elses PC that doesn't block ads, I'm just so surprised at how different the experience looks.
Changes to open source products are tightly controlled. People submit patches and they are carefully merged by someone closely associated with the project. The general public doesn't have write access to the source code so it's safe from tampering.
Encryption is sometimes compromised when mathematical discoveries are made that expose a weakness in an algorithm making it easier(faster) to decrypt something using brute force. MD5 for instance was a good way to give a data a tamper proof seal. Methods have recently been discovered to find collisions in the MD5 algorithm and so by adding certain bytes to the end of a file you can give it any desired MD5 signature.
Open source projects tend to be more proactive and close source proprietary software can get away with being reactionary. Anyone using MD5 in an open source project is suddenly pressured to upgrade their code the instant knowledge of a weakness surfaces. A race ensues that anyone can join and the winner gets recognition for their efforts, they can even receive financial compensation ( see Sun Microsystems recent open source initiatives). Any closed source proprietary commercial software using MD5 doesn't have to spend any money to fix their old code until the general public discovers they are affected.
The peer review process is the best way to be CERTAIN that your software is secure.
Bogz,
I may sound like a "wacko" but have you ever heard of "RTC" as in Remote Transmission Control?
I have reviewed some laboratory documents a long time ago which dictates that people with 'extreme' scientific methods are/were building "RTC" machines in 1999 and earlier. These people claim these machines initiatly scans computer frequencies from all over the world and attempts to "merge" with those frequences in order to successfully "hack" computers.
Any idea if that could be true? IF so, then its going to be a one heck of a scary world. I do know for a fact that the FBI has a "RTC" machine that picks up monitor transmissions. Thought this would be a interesting topic to discuss after reading this PDF file from UK.
http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf
SAVE this FILE FAST AS YOU CAN before IT GETS DELETED. /ttiforum/images/graemlins/smile.gif
open sourced OSes and closed sourced OSes wouldnt matter if this type of technology were to be continously developed. HMM... just IMO! /ttiforum/images/graemlins/smile.gif
I may sound like a "wacko" but have you ever heard of "RTC" as in Remote Transmission Control?
I have reviewed some laboratory documents a long time ago which dictates that people with 'extreme' scientific methods are/were building "RTC" machines in 1999 and earlier. These people claim these machines initiatly scans computer frequencies from all over the world and attempts to "merge" with those frequences in order to successfully "hack" computers.
Any idea if that could be true? IF so, then its going to be a one heck of a scary world. I do know for a fact that the FBI has a "RTC" machine that picks up monitor transmissions. Thought this would be a interesting topic to discuss after reading this PDF file from UK.
http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf
SAVE this FILE FAST AS YOU CAN before IT GETS DELETED. /ttiforum/images/graemlins/smile.gif
open sourced OSes and closed sourced OSes wouldnt matter if this type of technology were to be continously developed. HMM... just IMO! /ttiforum/images/graemlins/smile.gif
RainmanTime
Super Moderator
Hey bogz,
I was just made aware of these folks who have developed an open Real Time Operating System (RTOS).
http://www.openlicensesociety.org/drupal55/node/39
We at Northrop-Grumman are looking at it. If it can meet stringent industry standards (ARINC 653 is the industry standard for ApEx) it could very well be a big benefit!
RMT
I was just made aware of these folks who have developed an open Real Time Operating System (RTOS).
http://www.openlicensesociety.org/drupal55/node/39
We at Northrop-Grumman are looking at it. If it can meet stringent industry standards (ARINC 653 is the industry standard for ApEx) it could very well be a big benefit!
RMT
RainmanTime
Super Moderator
Hey bogz,
Perhaps when I finally take the leap into semi-retirement (no more direct employee, bur rather consulting), we might be able to combine forces and work together on something? In my biz when you put together a good systems engineer with a good software engineer, you've got a combination that becomes very attractive to big customers. And the model-based systems engineering development paradigm that I use can lead to some strong AI implementations of semantic reasoners that will allow a system to reason about itself! Cool stuff.
RMT
Perhaps when I finally take the leap into semi-retirement (no more direct employee, bur rather consulting), we might be able to combine forces and work together on something? In my biz when you put together a good systems engineer with a good software engineer, you've got a combination that becomes very attractive to big customers. And the model-based systems engineering development paradigm that I use can lead to some strong AI implementations of semantic reasoners that will allow a system to reason about itself! Cool stuff.
RMT
I'd be very excited about working on any kind of project with you. Should I start reading up on realtime programming sooner rather than later? /ttiforum/images/graemlins/smile.gif
Does that imply a system that has a fault occuring can look at various sources of information (error logs, performance metrics for instance) and figure out not only what is broken, but try to fix it, autonomously?