"Subversive Software" - O'Dowd's Linux Security Controversy Continues

"There are plans to rely on Linux to control our most advanced future defense systems," writes Dan O'Dowd this morning, referring to systems such as the Army's Future Combat Systems (FCS), the Joint Tactical Radio System (JTRS), and the Global Information Grid (GIG).

But O'Dowd continues to argue - as LinuxWorld reported he already did last week at the Net-Centric Operations Industry Forum - that it is a mistake: "Until Linux achieves the same level of reliability and security required of commercial operating systems," he insists, "it should not be used in critical defense systems."

In a news release today, O'Dowd defends his position. Much of the reaction to his April 8 speech at the Forum, he argues, was based on the misconception that proprietary software could not be as reliable or secure as open source software.

"This stands the truth on its head," says O'Dowd, referencing an example from his own company. "Green Hills Software's INTEGRITY operating system has been used for years in safety-critical avionics displays, communications, navigation and flight control systems on numerous military and commercial aircraft including the B-1B, B-52, C-17, F-16, F-35 Joint Strike Fighter, Sikorsky S-92 helicopter, and Airbus A380. The U.S. Federal Aviation Administration (FAA) has certified our operating system to DO-178B Level A, the FAA's highest safety standard for software design, development, documentation, and testing."

"The U.S. mandates DO-178B Level A safety certification for software on which airline passengers' lives depend," O'Dowd continues. "Should we accept a lower level of reliability for the defense systems on which the lives of our soldiers, sailors, airmen and marines depend? Until Linux is certified to DO-178B Level A, we should not ask them to trust their lives to it."

O'Dowd also pointed out that an internationally recognized software security standard exists: the Common Criteria for IT Security Evaluation (ISO standard 15408). The Common Criteria defines seven Evaluation Assurance Levels (EAL), with EAL 7 being the highest level.

In his April 8 speech, O'Dowd sparked controversy when he said:

"The open source process violates every principle of security. Now that foreign intelligence agencies and terrorists know that Linux is being used to control military applications, they can contribute subversive software that will soon be incorporated into our most advanced defense systems."

In the white paper released today, titled "Linux Security Controversy," O'Dowd explains what he believes is the importance of Linux security certification.

"Verification of security under Common Criteria EAL 7 means that you must formally and mathematically prove that the software has not been compromised," he writes. "An EAL 7 security evaluation will prevent a saboteur working on the operating system development team from subverting the operating system."

He then more or less repeats his earlier allegations:

"Linux development and support are being outsourced to China, Russia, and other countries from which commercial defense software would never be purchased. Therefore, it is absolutely essential that Linux be subject to formal EAL 7 verification to determine if it has been subverted by foreign intelligence agents or terrorists before it is allowed to control our nation's critical defense systems such as FCS, JTRS, and the GIG."

He then turns the whole thing, again, into a major plug for his own company's products:

"Green Hills Software's INTEGRITY-178B operating system is being used in critical defense systems that require EAL 7 certification by the U.S. National Security Agency (NSA)."

"Several other proprietary operating system vendors have also committed to certifying their operating systems to EAL 7," O'Dowd observes, "but Linux has only achieved EAL 2. Even Microsoft Windows has achieved EAL 4."

"We must not trust national security to Linux until someone is prepared to take responsibility to certify Linux to the same EAL 7 standard that commercial vendors are committed to meet," O'Dowd concludes.

He saves his most deliberate soundbite till the end: "We don't need cheaper security, we need better security."

His company Green Hills Software, he says, will publish a further white paper next week, with a similarly combative title. It's going to be called "Many Eyes - No Assurance Against Many Spies."

More Stories By Linux News Desk

SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

Most Recent Comments
WO 02/11/05 02:56:41 AM EST

I believe that O'Dowd knows about security from books, but he doesn't have a real base to talk about things above his understanding power. I would ask him what he believes is the best OS (flexible, open for customization, with unlimited possibility of adding/modifying internal FS ...and don't forget the SPEED and reliability)...name one (1), O'Dowd! O'Dowd, look in your courtyard and see that you are using over 90% *nix platform...and then...be ashamed of yourself and beware of malicious *nix users...think!

D C O'Driscoll 05/22/04 09:59:22 AM EDT

Pure snakeoil. He is just rehashing the 'security through obscurity' argument which has been discredited many times over.

He conveniently ignores the case of PGP, where the code is freely available and as a result has now become the de facto standard in cryptography, a case which points out the flaws in his argument.

Diyanat 04/28/04 06:00:34 AM EDT

Well, if Windows was so secure, why would Linux exist?

Mr. Dowd (Down) is afraid of losing business to open source, which is getting better and better and more secure. Hence all this FUD.

Linux Caca 04/23/04 02:01:29 PM EDT

Open source software will eventually fade to obscurity. People will not continue to put huge amounts of effort that they don't get reimbursed for. No matter what the extreme Linux pushers want you to believe. It's funny the main drive behind Linux is a "kill MS" and an anti-corporate attitude. Now that all these companies are increasing their profit margins because they don't have to pay for software. In effect, all these fools are providing free labor to the huge corporations they claim to despise. I'm laughing my arse off. We'll see how long this lasts. Are you really that foolish? Work for years to help the profits of all those corporations. Let me say thanks from the bottom of their heart.

me_mybusiness 04/20/04 12:14:48 PM EDT

And where is most US commercial software being coded? China, India, or anywhere else that labour is 40 cents a day (remember, it's all about maximizing profits). But then, Al Qaeda wouldn't have operatives in either of those countries, would they?....

God bless America, where doing business means to do whatever is necessary to fill your pockets and protect your piece of the pie, and damn the truth or social responsibility.

Seriously, it's hard to believe the word or opinion of anyone who is an interested party, and it's in Mr O'Dowd's best interest to do everything he can to stop competition from taking away his business.

Bring in the zealots 04/19/04 05:31:21 PM EDT

"FUDDUP already!! I'm fed up with all this FUD."

Yes of course any facts like Windows has a higher EAL rating must be FUD. Because we all know Linux is more secure based solely on the words of the Linux zealots. Sorry if Linux was so secure it wouldn't have a problem getting certified, now would it?

Carst 04/19/04 02:59:24 PM EDT

I hope the US military would never use Linux. After all, do we really want to contribute to the next assault, invasion, occupation?

Praetorpal 04/19/04 12:40:53 PM EDT

FUDDUP already!! I'm fed up with all this FUD.

"Even Windows has EAL 4"? One small part of Windows has certification, but no one in their right mind would bet the farm on Microsoft security. (Oh my gosh, shouldn't we be patching right now?) The NSA's SELinux does not have any certifications either, but gosh, we should not trust them either; they might be accepting contributions from Russia and China too!!!