On the first anniversary of Microsoft’s “trustworthy computing” initiative, the spotlight has gone on security of open source software.
The issue arises after the discovery last month of a serious vulnerability in CVS (concurrent versions system), a Linux and Unix development tool.
The US-based CERT alert service noted that CVS servers could be accessed by unauthorised users and used to execute arbitrary code via a set of directory requests that could free a memory reference.
CERT advised disabling anonymous access to CVS servers or blocking access from untrusted sources until patches were available. The main Linux and Unix CVS suppliers have issued patches.
The alert wasn’t the first and won’t be the last, prompting the question: is open source software more or less secure than that from a more vigilant Microsoft?
Like most things in life, it’s not that simple, says Canadian Theo de Raadt, co-developer of open source OS OpenBSD.
“The real question hinges on ‘if I am an idiot and I install both machines side by side, which will get broken into first?’
“That is not a question about Windows, Linux or BSD, it’s about which vendor has decided to turn on more or less things; the people whose machines these worms go through are inexperienced.
“Much of the time we see ‘security’ mentioned on the news is when mass break-ins happen and they are break-ins of machines owned by people who aren’t experienced enough to turn services they don’t need off.”
De Raadt says OpenBSD is distributed with most functions turned off “and if you need it, you learn how to turn it on; when you learn to turn it on, hopefully you’ve read a bit of the documentation”.
Knowing about the functions you activate “is more important than all the buggy or non-buggy code in the industry”.
Gauging which OS is more or less secure is itself a fraught question, and the methodologies used to show one or the other on top should be closely examined. New Zealand Linux users are happy with the level of security the OS provides, but for most, avoiding Microsoft’s software assurance licensing scheme and seeking a more stable OS were greater considerations in switching from Windows or starting from scratch with Linux.
“We decided on Linux for the reasons of licensing costs and avoiding having to update the OS for three years,” says Noel Duckworth, technology manager of Global Online Promotions, the company behind loyalty programme Kachingo.
However, while it was “those other reasons” that prompted the decision to go with Linux, “part of it was that we were satisfied Linux provided for handling our main security mechanism, IPsec”. The security situation there is unusual, “as Linux is being used on our remote servers in a closed way — no files from outside sources are distributed”.
Tait Electronics group information and supply chain manager George Elder says that for Tait, Linux security was a consideration in deploying it as the primary file server and for parts of the network infrastructure, but not a primary reason. The company also runs Microsoft servers.
“It wasn’t a central issue. Licensing and the wish to remain in an OS environment that’s as open as possible were stronger motivators.”
In terms of what’s more secure, “I couldn’t really compare them, but we’re happy with the results”.
Meanwhile, Microsoft head Bill Gates concedes more needs to be done a year on from the introduction of the company’s trustworthy computing initiative, designed to make its products more secure.
“While we’ve accomplished a lot in the past year, there is still more to do — at Microsoft and across our industry,” Gates says in an email sent to a mailing list that is part of a Microsoft marketing effort called Executive E-mail.
As part of the initiative, Microsoft halted the development work of thousands of software engineers for 10 weeks to train them to look at software like hackers do. This resulted in the in-house discovery of many security bugs, Gates says.
The company spent some $US200 million on improving Windows security alone, Gates wrote.
However, it continues to be embarrassed by security flaws, its own systems falling victim to last month’s Slammer worm, which affected SQL Server. A spokesman confirms that the Slammer worm penetrated the company’s network and infected a number of SQL Server databases and desktop machines.
“There were circumstances where we were not patched,” says spokesman Rick Miller.
The vulnerable machines were mostly in the company’s Redmond campus and concentrated in an area of Microsoft’s network used by SQL Server developers, according to Miller.