"Foreign Powers Will Deploy Spies to Infiltrate Linux," Argues O'Dowd


    Dan O'Dowd is back. Today he issued his second white paper in a series that his company Green Hills Software describes as being focused on "the urgent security threat posed by the use of the Linux operating system in U.S. defense systems, including the Future Combat System and Global Information Grid."

    Provocatively titled "'Many Eyes' - No Assurance Against Many Spies," today's paper debunks the fallacy that the "many eyes" with access to Linux source code ensure that it is free of Trojan horses or other malicious software.

    Here is O'Dowd's argument:

    "Now that foreign intelligence services and terrorists know that we plan to trust Linux to run some of our most advanced defense systems, we must expect them to deploy spies to infiltrate Linux. The risk is particularly acute since many Linux contributors are based in countries from which the U.S. would never purchase commercial defense software. Some Linux providers even outsource their development to China and Russia."

    What O'Dowd believes is that the assumption that Linux is "safe" is based on what he calls "the dangerous misconception that the so-called 'many eyes' looking at Linux source code will find any malicious bugs hidden in Linux by foreign intelligence agents or terrorists."

    "This misconception is based on the silly assumption that looking at source code is an effective way of finding bugs," he continues.

    It is this 'many eyes' doctrine that he seeks to debunk:

    "Hundreds of bugs that attackers can exploit to penetrate Linux security are identified every year. Many of these critical security bugs have been in the code for years without being detected by the 'many eyes' looking at the source code. How can anyone believe that the open source process can eradicate all of the cleverly hidden intentional bugs put in by foreign intelligence agents and terrorists when the process can't find thousands of unintentional bugs left lying around in the source code?"

    Then, just as he did last week, O'Dowd contrasts the vulnerability of Linux (as he sees it) with the designed-in security of his own company's products. His 12-year-old company specializes in real-time operating systems and software development tools for 32- and 64-bit embedded systems.

    "Many people," he declares, "believe that it is impossible for any operating system to have no known bugs in security-critical code, implying that no operating system is really secure. But that is not true. There are no outstanding bugs in our DO-178B Level A certified INTEGRITY-178B real-time operating system. This is the true reliability and security that our national defense systems need."

    Anyone who wants to take a look at O'Dowd's white paper first hand will see that it reviews mechanisms that O'Dowd believes can be used to infiltrate and compromise Linux and its source code. He also explains why he believes malicious code can easily escape detection.

    O'Dowd isn't done yet. Next week will come paper no. 3: "Linux Security: Unfit for Retrofit."

    Surely rebuttal arguments are not beyond the community's collective energies and ability? LinuxWorld invites informed discussion of the two white papers so far.

    Comments (16)

    Most Recent Comments
    scott.coughlin 05/08/04 01:59:28 PM EDT

    and the Chinese and other gov'ts who have copies of the source code, and the people with whom MS has shared the source code, will be immune from bribes and extortion? No, the security rules have changed a lot; keeping one step ahead and minimizing breaches is now how security will work, and the OSS model does this better than the proprietary model.

    Bill 04/28/04 10:51:42 PM EDT

    Well, I'll give the guy half a point. Over the past several years we have become a moving target of fast paced development. Every year sees a new kernel. Good security however takes time - regardless of the system in question.

    Perhaps the way to resolve this is to add two more levels to the kernel release process so that we'd have unstable, testing, ready, stable and secure. Ready and secure presently exist but only in a de facto sense. There are upgraded programs sitting in testing that have been debugged and are 'ready' for release. Great for those who need to upgrade. Likewise, development continues on the 2.2 and 2.4 kernels to keep them 'secure'. Great for those who are more concerned with security than the latest and greatest set of features.
    Better division would help clarify what's what and allow us to address the security question in a more structured fashion.

    Fecal Extrusion 04/27/04 08:02:10 PM EDT

    Well, to argue O'Dowd, if you deployed HIS software on 90% of the world's computers, even HIS software would crumble eventually.

    The only perfect world is where no 2 boxes have the same operating system, but share only the most rudimentary communications protocols.

    So, in other words, even HIS crummy software isn't bulletproof. It just has been passed through too few intelligent tinkering hands!

    Fecal Extrusion 04/27/04 07:51:30 PM EDT

    Another pissant with a bigger mouth than balls. I wonder how much Microsoft is giving him through their standard untraceable proxies...

    It's like the guy has never read anything about Linux in his life, and gets his fuel from the International FUD Association.

    WhoCares 04/27/04 03:33:45 AM EDT

    [quote]
    Now that foreign intelligence services and terrorists know that we plan to trust Linux to run some of our most advanced defense systems, we must expect them to deploy spies to infiltrate Linux. The risk is particularly acute since many Linux contributors are based in countries from which the U.S. would never purchase commercial defense software. Some Linux providers even outsource their development to China and Russia.
    [/quote]

    The companies outsourcing Linux development are only following the closed source developers.

    [quote]
    What O'Dowd believes is that the assumption that Linux is "safe" is based on what he calls "the dangerous misconception that the so-called 'many eyes' looking at Linux source code will find any malicious bugs hidden in Linux by foreign intelligence agents or terrorists."

    "This misconception is based on the silly assumption that looking at source code is an effective way of finding bugs," he continues.
    [/quote]

    1) To get a piece of malicious software into the Linux kernel it would need to do the intended work as efficiently as possible and, besides that, it should be able to do something nasty. Those are two conflicting priorities for anything but the most obvious malware code snippets.

    2) O'Dowd equates the many eyes doctrine to people grabbing the source code and scanning it using the eyeball Mk. 1, conveniently forgetting that the big firms have the same (if not better) tools that O'Dowd's firm has to analyze the code.
    Note: the perusal of the code by eye happens; it starts at the time when the code snippet gets posted on a kernel mailing list, and usually a piece of code gets thoroughly disassembled by people trying to make it faster/clearer/simpler/shorter. It only stops when that piece of code gets retired. See it as an extra QA step that O'Dowd can never mimic for his own code.

    [quote]
    "Hundreds of bugs that attackers can exploit to penetrate Linux security are identified every year. Many of these critical security bugs have been in the code for years without being detected by the 'many eyes' looking at the source code. How can anyone believe that the open source process can eradicate all of the cleverly hidden intentional bugs put in by foreign intelligence agents and terrorists when the process can't find thousands of unintentional bugs left lying around in the source code?
    [/quote]

    Hundreds of bugs? Seems that someone got out that age old argument, conveniently forgetting to mention that this is for just about ALL programs that run on top of Linux as well.
    Then forgets to mention that 99% of the remaining bugs in the Linux kernel that are found require root access in the first place to be exploited.
    Then forgets to mention that non-exploitable bugs also end up on that list.
    Then forgets to mention that the ONLY reason the bugs are found is the many eyes doctrine.
    Then forgets to mention that unlike closed source software you cannot hide a bug in the Linux kernel for several months.
    Then forgets to mention that due to the many eyes doctrine the average bug count in the Linux kernel is 1/10 (or less) of the average bug count in closed source software.

    [quote]
    "Many people," he declares, "believe that it is impossible for any operating system to have no known bugs in security-critical code, implying that no operating system is really secure. But that is not true. There are no outstanding bugs in our DO-178B Level A certified INTEGRITY-178B real-time operating system. This is the true reliability and security that our national defense systems need."
    [/quote]

    Bug-free cannot be guaranteed without being able to run the code through some form of mathematical theorem prover (and hope that that program is bug-free). What the certification demands is merely that all entry and exit points that a program has have been tried, and how all the rest of the program influences how you get from point A to point B.
    Which means that for every addition to the code you need to get the code re-certified.
    Which means that Linux as a full OS will never get this certification level, but a stripped-down version built specifically for one purpose and one purpose only can get this certification.
    Further the DO-178B Level A certification itself is about having a validation process that in a consistent manner and with an acceptable level of confidence can say that the software aspects of airborne systems and equipment comply with FAA airworthiness requirements.
    And it does this by ensuring that every line of code can be traced back to a requirement and having a test routine to test that line.

    Nick 04/26/04 04:07:23 PM EDT

    No OS is secure from modification by spy agencies from anywhere. If they want to add things to it, they will. Either by making sure one of their guys becomes a kernel programmer in, say, the Longhorn team, or for Greenhills for that matter. Closed source is no more protected than Open Source when funding is unlimited. Even a CIA written OS could be infected this way...

    David Mohring 04/26/04 08:44:08 AM EDT

    On September 28, 1999, an Internet Caucus Panel Discussion was held to discuss the issues surrounding the Clipper chip and export restrictions on encryption in general.
    http://www.techlawjournal.com/cong106/encrypt/19990928a.htm
    Congressman Curt Weldon raised a couple of interesting questions over the briefing he had with John Hamre of the US NSA.

    "But the point is that when John Hamre briefed me, and gave me the three key points of this change, there are a lot of unanswered questions. He assured me that in discussions that he had had with people like Bill Gates and Gerstner from IBM that there would be, kind of a, I don't know whether it's a, unstated ability to get access to systems if we needed it. Now, I want to know if that is part of the policy, or is that just something that we are being assured of, that needs to be spoke. Because, if there is some kind of a tacit understanding, I would like to know what it is."

    Backdoors to systems can be inserted and vulnerabilities can be deliberately left open. Because it is easy enough to compare binary code and disassemble the difference, the same binary code has to be used globally, or the backdoor will be quickly discovered. That means the backdoors the NSA uses to get access to foreign powers' computers will also be inside the computers in your country as well, left open for anyone to exploit.

    This kind of security policy is an oxymoron. The only way to secure your country's information infrastructure is to have a policy to remove any such vulnerabilities and backdoors as soon as possible after discovery.

    Unless you can have access to all the source code and have the right to recompile and compare the binaries, you cannot verify that the software you are using is free of backdoors.

    If you do not have the resources to examine every line of source code, then your best bet is to use source code that is fully open to peer inspection.

    In my opinion, an open source license opens up the code to true peers in the industry, people who work with the source code to build solutions. When flaws are discovered, it is these peers who closely examine the patches and the source code that is vulnerable.

    Otherwise who do you trust, the vendor? Remember Ed Curry!
    http://www.iwethey.org/ed_curry/

    On October 26, 1998, Ed Curry, a former Microsoft contractor, presented documents to the Defense Department that he said proved that Microsoft Corp. conducted a campaign to mislead the government about the security certification status of Microsoft Windows NT.
    http://www.gcn.com/archives/gcn/1998/October26/8.htm

    You don't need to modify source code to insert a backdoor, "infection" can take place anywhere along the build to delivery chain.

    In June 2002, Microsoft shipped a copy of Korean-language version of Visual Studio .NET infected with a copy of the Nimda worm.
    http://www.securityfocus.com/news/480

    There is a saying that goes back to the end of the cold war: "Trust, but verify". In the same way you must have access to the source code and the ability to rebuild the toolchain from scratch to compare the resulting binaries.
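    The rebuild-and-compare check the comment above calls for, as an added example that is not part of the original post or of any tool it cites: hash a vendor-supplied binary and a locally rebuilt one, and when they differ, report the exact byte ranges so an analyst knows what to disassemble. The sample "binaries" are constructed byte strings.

```python
"""Rebuild-and-compare verification (added example; inputs are constructed).

Given the bytes of a vendor-supplied binary and of the same program rebuilt
locally from source, report whether they match and, if not, which byte
ranges differ. Hypothetical helper names; not from any real tool.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Content hash used for the quick identical/not-identical decision."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where a and b differ.

    Edge cases handled: a run that reaches the end of the shorter input,
    and extra bytes appended to one file (merged into one final run).
    """
    ranges: List[Tuple[int, int]] = []
    common = min(len(a), len(b))
    start = None
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, common - start))
    if len(a) != len(b):
        longer = max(len(a), len(b))
        # A run touching the end of the common prefix extends into the tail.
        if ranges and ranges[-1][0] + ranges[-1][1] == common:
            off, _ = ranges.pop()
            ranges.append((off, longer - off))
        else:
            ranges.append((common, longer - common))
    return ranges


def compare_builds(vendor: bytes, rebuilt: bytes) -> Dict[str, object]:
    """Summarise the comparison: hashes, verdict, and where to look if not identical."""
    identical = sha256_hex(vendor) == sha256_hex(rebuilt)
    return {
        "identical": identical,
        "vendor_sha256": sha256_hex(vendor),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "differing_ranges": [] if identical else differing_ranges(vendor, rebuilt),
    }


# Constructed sample inputs: the rebuilt image is the reference; the vendor
# image carries a 3-byte patch at offset 8 and 4 extra trailing bytes.
REBUILT = bytes(range(32))
VENDOR = REBUILT[:8] + b"\xff\xff\xff" + REBUILT[11:] + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    result = compare_builds(VENDOR, REBUILT)
    print("identical:", result["identical"])
    for off, ln in result["differing_ranges"]:
        print(f"  differs at offset {off:#x}, {ln} byte(s)")
```

    A real deployment runs this over files produced by a rebuilt toolchain; the reported ranges are what to disassemble next.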

    anon 04/26/04 08:33:48 AM EDT

    Perhaps Green Hills is right. Any malicious person could attempt to insert malware into Linux or any other OSS program. This includes economic hackers, Microsoft backers, kiddie hackers, or anyone else. Procedures need to be established for all OSS developed programs to eliminate malware as it is introduced. We clearly cannot rely on universal goodwill. As far as "spies", it is all too clear that several thousand dollars per year buys a good programmer in most developing countries.

    For Linux, we have several "trusted" people who vet additions to the kernel for all problems, including malware. Whether this is sufficient or not is a question. Also, procedures for establishing trust and responsibility for vetting code additions for malware should be established for all OSS projects.

    -anon

    doodle 04/26/04 08:21:14 AM EDT

    "A third key?!

    But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMacchia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries by outsiders."
    http://www.heise.de/tp/english/inhalt/te/5263/1.html

    "The European Parliament reports have sparked Continent-wide anger. Questions have been raised by officials in Denmark, Germany, Norway, and Holland, while the Swedish government has launched an investigation into whether Swedish companies have been victims of covert NSA surveillance. In Italy, a Rome deputy district attorney has opened an inquiry to determine whether NSA activities violate Italian privacy law. More important, perhaps, the reports encouraged France and Germany to lift their restrictions on the use and sale of strong encryption software, which Washington has been trying to limit."
    http://www.chiark.greenend.org.uk/pipermail/ukcrypto/1999-September/0059...

    "Germany's Bundeswehr is banning Microsoft software (and presumably other major American software packages) from use in critical environments due to concern over "back doors" suspected to have been placed for the use of U.S. spy agencies, particularly the NSA (National Security Agency).

    China, last year, declared Linux, particularly the home grown Red Flag Linux, the official operating system for Chinese government and commerce due to similar security fears."
    http://www.aaxnet.com/news/M010318.html

    Ada_rules 04/26/04 08:02:35 AM EDT

    Sure Integrity is certified but it has very limited capability. If I were doing something that required DO178B level A certification, I would consider it and I would likely not consider Linux (yet). I would consider other vendors (Windriver pops into mind) as well as going OS'less and using a smaller microkernel approach.

    However, very very little Defense software requires DO-178B level ANYTHING certification.

    This certification does not mean that there are not bugs in the software. Based on some limited experience I would say it does not even imply that the compiler and OS that Greenhills provides actually even works together.

    In the end, selecting an environment for any system has little to do with a closed v.s. open source issue and more to do with selecting the tool fits the job. However, the portion of the trade space that deals with open v.s. closed would certainly tip in favor of Open since I have almost no hope of reviewing or discovering holes in a closed system.

    SoWhat? 04/26/04 08:01:02 AM EDT

    Being a competitor does not make him automatically wrong. In fact, one might say that he's an expert on the matter:

    INTEGRITY178B has been audited and approved by the FAA for DO178B Level A use.

    to me implies that it has had a more thorough external audit than most open source packages.

    anon 04/26/04 07:58:52 AM EDT

    Dan O'Dowd is President and chief executive officer of Green Hills Software, Inc. Green Hills sells compilers and RTOS for embedded systems. (They have been in the market for a long time.) No wonder he does not like Linux.

    arvindn 04/26/04 07:57:56 AM EDT

    This guy is right that the US cannot control linux.

    Ironically, the more that perception of Linux is strengthened, the faster will be the adoption of Linux by governments outside the US. And that's a huge win for linux!

    pridkett 04/26/04 07:56:37 AM EDT

    Basically, Green Hills seems to be just another proprietary software vendor scratching for ways to try and derail a competitor in their market space.

    sumdumass 04/26/04 07:51:13 AM EDT

    Doesn't the NSA also have tools and addons they continuously work on that provide extra security and auditing as well as testing for "backdoors" and such?

    I don't see why you can't take an embedded Linux distro, pull out what you don't need, harden it by controlling program access to components as well as communication access, customize the user interface and have a secure system even if a back door is in there. I mean who cares about a backdoor if it is never allowed to be accessed by anything or anything to access it.

    If I'm not mistaken I think that's part of what the NSA contribs do. It has been a while since I looked at them and I'm not a programmer or anything so I could be wrong. But I think you're hitting the nail on the head here. It's not like a Windows machine where some programs can have root access even if the user access is restricted.

    gruhnj 04/26/04 07:49:49 AM EDT

    Linux and Open source software is authorized so long as the code is available to the DoD service Red and Blue teams so they can have their analysis of it. Any major change to a network (i.e. switch from Windows to Linux, OS upgrade, system patches, change in network purpose, server additions, etc.) would change the accreditation of the network and a new "Authority to Connect" document would have to be sent from G6. By signing off on the Authority to Connect, that means that we have tested the software.

    The DoD does NOT just pull source or for that matter any software for classified and above networks. All software that enters into the classified side of the house must be cleared by DoD and the representative G6. All patches are regression tested by the service CERT. Making changes to the operating system as Mr O'Dowd is suggesting would break the system's accreditation packet, as the service has not authorized the patch. By authorising the patch, the CERT approves of the work and in the case of Open Source, has examined the code. We are not dumb enough to certify an operating system or its related patches unless we check stuff out.

    I'm just saying that it's not FUD to say that the open source model isn't up to the stringent standards of the defense industry. It's just the truth. That doesn't make open source software bad, or this guy anti-oss.

    John Gruhn
    SysAdmin, Theater Network Operations and Security Center, Korea
    SPC, US Army