Open Source: How Secure?

Date: 14 Nov 99
Writer: Simson Garfinkel
Location: Martha's Vineyard

On security particularly, the open source community cannot afford to rest on its laurels.
Open source boasts distinct advantages over proprietary software. But that doesn't mean it's bulletproof. First of five parts.

The theory of open source security is simple, and it is endemic throughout the entire open source community. The theory is so pervasive, in fact, that it can be reduced without much effort to a four-word mantra: Source code breeds security.

Most open source proponents instinctively believe this theory. I used to, but increasingly I've come to regard the theory as a kind of dogma that substitutes for critical thinking. Open source software is frequently more secure than proprietary software, but it doesn't have to be. In this series of columns I intend to explore why, and to make some suggestions for future development.

I have long been a proponent of the open source security theory because it does such a good job explaining what we all instinctively feel must be true. Without the source code, it's hard to know if an application program or an operating system has a security flaw. But with the source code, you can inspect the code, show it to experts, and try to ferret out all of the potential problems. If somebody else finds a problem with your system, possession of the source code will allow you to correct the flaw. If you don't have the source code, you are utterly dependent upon the software vendor for a patch.

The open source security theory also does a good job explaining why open source Unix-based operating systems seem to be more secure than Microsoft's Windows 98 and NT -- especially for production systems. When SYN flood attacks and the Ping of Death were discovered back in 1996, patches for Linux and other free Unix operating systems were available within a matter of days. That's because thousands of kernel programmers had the source code and the understanding of the attacks: they raced with each other to get the credit for posting the fix. Microsoft invariably took longer to respond, if for no other reason than fewer programmers had access to NT's source code, and these programmers were in great demand.

The theory of open source security actually got its start among cryptographers in the 1970s. Back then, the National Bureau of Standards was tasked with creating a federal Data Encryption Standard. The cryptographers of the day, most notably Whitfield Diffie, argued that the only way for an encryption algorithm to be secure would be if the algorithm's details and the theory of its design were published and analyzed in a peer review process. Secret, proprietary algorithms could never be secure, these cryptographers argued: there is simply no way to know whether or not the secrecy is hiding a fundamental flaw.

In the years that have followed, the cryptographers' claims have been shown to be mostly true: time and again, secret proprietary encryption algorithms have been analyzed and cracked by cryptographers. There is even a company in Utah, Access Data, which sells a system that can decrypt files that have been previously encrypted using the encryption algorithms in Microsoft Word and many other application programs. These programs all fail to provide adequate security because they're based on weak proprietary encryption algorithms. Indeed, Access Data's program can't decrypt files that have been encrypted using standard encryption algorithms such as triple-DES or 128-bit RC4. Those industry-standard encryption algorithms are unbreakable, given our current understanding of mathematics and physics.

But applications and operating systems are not encryption algorithms. And as we'll see, while open source may breed security, it can offer no concrete assurances.

Simson Garfinkel is a computer security consultant and author/co-author of several books on the subject, including "Practical Unix and Internet Security," published by O'Reilly & Associates.
