[liberationtech] A Walled Wide Web for Nervous Autocrats
Chris Palmer
chris at eff.org
Fri Jan 14 16:59:24 PST 2011
> http://online.wsj.com/article/SB10001424052748704415104576065641376054226.html
As usual, Evgeny is right on target. There are two minor nits I'll pick, however. (I meant this email to be brief, but I failed! Sorry.)
1. """Free open-source software, by its nature, is unlikely to feature secret back doors that lead directly to Langley, Va."""
"Unlikely", perhaps, but not impossible. Although the alleged OpenBSD back door appears to have been a hoax, it was a good hoax because it was plausible. We can't quantify these things, so I wouldn't want to make an argument about relative likelihood.
More importantly, I find it strange that anyone (government or otherwise) would expose themselves to discovery by planting a back door. Both open and proprietary platforms and applications are so riddled with *front* doors (that is, exploitable vulnerabilities) that there's really no need to go to the trouble.
http://www.google.com/search?client=safari&rls=en&q=month+of+kernel+bugs&ie=UTF-8&oe=UTF-8
http://www.google.com/search?client=safari&rls=en&q=month+of+browser+bugs&ie=UTF-8&oe=UTF-8
http://www.google.com/search?client=safari&rls=en&q=pwn2own+contest&ie=UTF-8&oe=UTF-8
jailbreakme.com
(And remember, this is for software that has had its chance in the 1990s to begin to grow an institutional immune system. Closed systems haven't had that salutary exercise and are likely to be even weaker; that has seemed true in my limited experience with non-internet/COTS software.)
You can even outsource the work of discovering vulnerabilities and developing exploits, with "reputable" companies:
http://www.immunitysec.com/products-canvas.shtml
http://www.coresecurity.com/content/core-impact-overview
The real way to go about it is the way the Stuxnet attackers did: With 0-days in the target OS. You'll burn up your 0-day in the attack, but there are always plenty more. Just like cruise missiles, except way less expensive...
There is no empirical reason to believe that either proprietary or open source software has more or fewer vulnerabilities than the other class. Experience in the field shows that Raymond's "Linus' Law" does not really hold for security vulnerabilities. None of Linux, Android, Windows, or iOS/OS X can go a month without some critical vulnerability being discovered --- the rate of bug creation is astounding. Entities with enough cash can also buy a source license to Windows, by the way; I don't think it matters much because attackers seem to find bugs at a fast enough rate without source. (From an attacker's point of view, source code vs. object code is a bit of a red herring.)
2. """The embrace of open-source technology by governments may result in more intuitive software applications, written by a more diverse set of developers."""
I'm not sure what Evgeny means here. I'm certainly not used to seeing open source hailed as having better usability. :) And of course usability and security intersect in a critical way, and neither proprietary nor open suppliers have really figured it out yet.
Ultimately, these governments that want to switch are likely to find that they haven't achieved much in the way of improving their national software security posture, and it's likely to be an expensive lesson. Not paying Redmond might still make plenty of ideological and/or economic sense for them, of course.
Anyway, the real fun is in malicious hardware (OS independent!):
http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBMQFjAA&url=http%3A%2F%2Fwww.cs.uiuc.edu%2Fhomes%2Fkingst%2FResearch_files%2Fking08.pdf&ei=cuQwTejvLJC4sAPI8oXcBQ&usg=AFQjCNG9MyYqxeamvLWWkcWrjPdzyyjYBQ
This is why you should only buy hardware made in countries whose governments you trust... ;)
--
Chris Palmer
Technology Director, Electronic Frontier Foundation