Following the recent inauguration of our 44th president, it is fitting that we focus on our nation and its security through open source. The United States was founded on principles of freedom, so it makes sense that we now look toward “free software” to protect her. However, the question that begs to be asked is whether open source is ready to protect the United States’ networks, or whether its democratic development and decentralized distribution are a potential downfall. There are obvious benefits to open source software, but there are also flaws that need to be addressed before it can be considered secure enough for the government’s systems.
The recent Debian OpenSSL issue has brought much-needed attention to the security of open source software. For those unfamiliar with it: on May 13th, 2008, Debian published security advisory DSA-1571 and http://www.metasploit.com/ released details and a key-recovery toolkit, revealing that the OpenSSL package shipped in Debian-based systems had had a line of code removed which drastically reduced the number of possible keys and made them predictable. “Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID.” The affected packages were distributed between September 2006 and May 13th, 2008. The line was removed to silence Valgrind warnings about OpenSSL reading uninitialized memory, but it was also the line that mixed real entropy into the generator, so every key generated on an affected system (SSH host and user keys, SSL certificates and the like) came from a tiny, enumerable set. This bug would have had large repercussions if the government had been using one of those Debian releases. Imagine our nation’s security reduced to roughly 32,767 possible keys per key type and size, every one of which an attacker could simply regenerate.
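To make the “32,767 keys” figure concrete, here is a toy model of the weakened generator. This is an added example written for this post, not OpenSSL’s real md_rand.c and not the Metasploit toolkit: the hash used as the “generator”, the toy public-key derivation, and the victim PID 4242 are all assumptions chosen for illustration. The one property it shares with the real bug is the only one that matters: the output depends on nothing but the process ID, so an attacker can precompute every possible key once and then look up any victim’s private key from its public half.

```python
"""Toy model of the Debian OpenSSL keyspace collapse.

Added example, not OpenSSL's real code.  The only input to the broken seed
was the process ID, so every "key" below is a deterministic function of a
PID in 1..32767 and the whole keyspace can be enumerated in advance.
"""
import hashlib
import os
from typing import Dict, Optional

PID_MAX = 32768            # default Linux pid_max at the time; PIDs were 1..32767
KEYSPACE_SIZE = PID_MAX - 1


def weak_keygen(pid: int) -> bytes:
    """Stand-in for the patched generator: the seed is the PID and nothing else.

    The SHA-1 call is an assumption of this model (the real generator is
    OpenSSL's MD-based PRNG); what is faithful is that the result depends
    only on pid.
    """
    if not 1 <= pid < PID_MAX:
        raise ValueError("pid outside the range the kernel would hand out")
    return hashlib.sha1(b"debian-seed" + pid.to_bytes(4, "little")).digest()


def strong_keygen() -> bytes:
    """What the unpatched code achieved in effect: real OS entropy goes into
    the seed (here os.urandom), so the output cannot be enumerated."""
    return hashlib.sha1(os.urandom(32)).digest()


def public_of(priv: bytes) -> bytes:
    """Toy one-way 'public key' derivation, so the search can be driven by the
    public material an attacker actually sees (host key, certificate)."""
    return hashlib.sha256(b"pub:" + priv).digest()


def build_table() -> Dict[bytes, int]:
    """Precompute public key -> pid for every weak key.

    Same idea as the blacklists Debian shipped after the advisory: enumerate
    all 32,767 outcomes once, then every check is a dictionary lookup.
    """
    return {public_of(weak_keygen(pid)): pid for pid in range(1, PID_MAX)}


def recover_private(pub: bytes, table: Optional[Dict[bytes, int]] = None) -> Optional[bytes]:
    """Given only a public key, return the matching private key if it came
    from the weak generator, else None."""
    if table is None:
        table = build_table()
    pid = table.get(pub)
    return None if pid is None else weak_keygen(pid)


if __name__ == "__main__":
    table = build_table()
    # Constructed victim: generated its key while running as PID 4242.
    victim_pub = public_of(weak_keygen(4242))
    print("keyspace size:", len(table))
    print("weak key recovered from public half:",
          recover_private(victim_pub, table) == weak_keygen(4242))
    print("properly seeded key found in table:",
          public_of(strong_keygen()) in table)
```

Building the table takes a fraction of a second here; against real RSA and DSA key generation it took the Metasploit project hours of CPU per key type and size, but the attack is the same table lookup, and the same enumeration is what Debian’s fingerprint blacklists (used by tools such as ssh-vulnkey) are built from. The lookup on a properly seeded key fails, which is the whole point of mixing real entropy into the seed.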
Now, one of the arguments for open source is that there are more eyes looking over the code, since the code is openly available to be reviewed and changed by the community. This is true, and it is one of the reasons this bug was eventually discovered. The open source way of finding bugs is beneficial in that the number of people able to review the code is far greater than for proprietary software. But as the Debian OpenSSL case shows, it can take up to two years before a bug is discovered, or at least published. Within those two years the bug may already have been found by someone who kept quiet and exploited it the whole time. The problem with community review is that it is a voluntary choice, not an obligation.
With proprietary software there are fewer people looking over the code, but they are more obligated to find bugs because their employer pays them to do so. I am not saying that proprietary software is necessarily more secure than open source. The Debian OpenSSL bug could just as easily have gone unnoticed for two years in a proprietary model, since the number of eyes on closed source code is drastically smaller. So perhaps one answer for organizations that adopt open source is a bounty system, such as the $500 bounty Mozilla offers for security bug discovery, paid for bugs found in the OSS they are using. Another would be a paid third-party security review of the open source code they depend on. Ultimately, open source code offers many time and functionality benefits that would be foolish to ignore, but seeing as it is America’s security on the line, extra steps must be taken to make sure the code is safe to use in exchange for the “free” software.
References
http://www.metasploit.com/users/hdm/tools/debian-openssl/
http://www.debian.org/security/2008/dsa-1571
http://www.linux.com/feature/135270
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html
This work is licensed under Creative Commons BY-SA 3.0.