[Linux-aus] RELEASE: OSIA Warns Against the use of Closed Source Software for National Security Purposes

Con Zymaris conz at cyber.com.au
Thu May 6 12:59:09 UTC 2004

[feel free to disseminate this to other lists]
For Immediate Release.

OSIA Warns Against the use of Closed Source Software for National Security

Australia, APRIL 30. Australia's Open Source industry body, OSIA, calls
upon government departments and organisations which are implementing
solutions within the sphere of national security to discontinue use of
closed-source software where possible, due to serious security risks.

"Whilst no software can be mathematically proven to be 100% secure,"
OSIA spokesperson Con Zymaris said, "closed-source software brings with
it the added security risk that clandestine 'back-doors' and malicious
'trojan horse' code can be embedded within a codebase, and there is no
reliable method of detecting these without full access to the source.

"The best way to reduce such a risk is through code which can be fully
audited by independent 3rd parties," continued Zymaris. "Additionally,
the full compilation and build environment, that is, the environment on
which the software can be converted from source code to machine binary
code, would need to undergo a similar auditing and confirmation process.
At present, the only code for which such a process can be undertaken is
open source code."

OSIA also directly disputes the self-serving suggestion from U.S.-based
closed-source tools provider Green Hills Software Inc. that open source
software, through its open nature, can become unnecessarily susceptible
to infiltration by equivalent trojan code.

"Any software can be the target of a malicious trojan insertion, not
just open source," added Zymaris. "The key difference with open source
software is that such an attempt will be found and extirpated. There is
no such guarantee with closed-source software. Our assertion is borne
out by real-world events. Whilst there have been numerous attempts at
inserting trojan code into both closed and open source products, all
such attempts on open source programs have been discovered and reversed,
prior to the code becoming widely deployed and therefore a security risk
to business, government and security agency users."

This has not been the case with closed-source software. In several
published instances, and probably many more unacknowledged cases,
trojan code or back-doors, providing an external attacker with total
privileged control over a remote system, have surfaced. Borland's
Interbase SQL-server had an inbuilt back-door which exposed possibly
hundreds of thousands of computers and confidential data-stores to
malicious attack. This backdoor, existing in the product for many years,
was only found when open source coders were given access to the
product's codebase in 2000, when Borland open-sourced it. [Ref #1]

More recently, Cisco announced that all its products built atop the
closed-source Wireless LAN Solution Engine (WLSE) and Hosting Solution
Engine platforms have also been back-doored. [Ref #2]

"OSIA is amused that this announcement from Cisco was made on the
same day that Green Hills CEO, Dan O'Dowd, proclaimed that such a
vulnerability was primarily the purview of open source software," said
Zymaris. "In effect, this makes a mockery of O'Dowd's thesis, with
impeccable timing!"

"OSIA notes that attempts at partial disclosure of the source code, such
as the Microsoft Government Shared Source Government Security Program
(GSP) are a worthless marketing gimmick, designed to give governments
the feeling of independently audited and certified code, without the
reality," he added.

Explicitly, the Microsoft GSP:

* does not allow full, unfettered access to the complete Windows
platform source code base;

* nor does it offer the complete unfettered access to the compilation
and build environment needed to re-compile that platform source code;

* nor does it offer a facility for independent, knowledgeable 3rd party
security researchers to also audit these codebases.

The second point is an absolute necessity to independently verify that
the putative source code offered by Microsoft as the source code to the
Windows platform is in fact the legitimate codebase. Anything less than
this is never going to provide a fully-vetted and auditably secure
platform for government security use.
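The verification that this point calls for, rebuilding the offered source with the audited toolchain and checking that the result is byte-for-byte the artifact the vendor actually shipped, can be scripted. The POSIX shell function below is an added example written for this page, not OSIA's, Microsoft's or any vendor's tooling; the file names and the build command are assumptions, and the demo at the bottom constructs its own sample artifacts rather than using real ones.

```sh
#!/bin/sh
# Added example: compare a vendor-shipped artifact with one rebuilt from the
# offered source. A byte-for-byte match is the only evidence that the source
# you were shown is the source the shipped binary came from.
#
# verify_rebuild SHIPPED BUILD_CMD REBUILT
#   SHIPPED   path to the artifact the vendor delivered
#   BUILD_CMD shell command that rebuilds it from source (assumed; e.g. "make")
#   REBUILT   path where BUILD_CMD leaves its output
# Returns 0 on match, 1 on mismatch, 2 if the comparison could not be made.
verify_rebuild() {
    shipped=$1
    build_cmd=$2
    rebuilt=$3

    [ -f "$shipped" ] || { echo "no shipped artifact at $shipped" >&2; return 2; }
    rm -f "$rebuilt"
    sh -c "$build_cmd" || { echo "build command failed" >&2; return 2; }
    [ -f "$rebuilt" ] || { echo "build produced nothing at $rebuilt" >&2; return 2; }

    # cmp makes the decision; cksum (POSIX) only labels the report.
    if cmp -s "$shipped" "$rebuilt"; then
        echo "MATCH    $(cksum < "$shipped")"
        return 0
    fi
    echo "MISMATCH shipped=$(cksum < "$shipped") rebuilt=$(cksum < "$rebuilt")" >&2
    return 1
}

# Demo with constructed sample files (not real vendor artifacts).
demo_verify() {
    dir=$(mktemp -d) || return 2
    printf 'release build v1\n' > "$dir/vendor.bin"

    # 1. The offered source really does produce the shipped bytes.
    verify_rebuild "$dir/vendor.bin" \
        "cp '$dir/vendor.bin' '$dir/rebuilt.bin'" "$dir/rebuilt.bin"
    good=$?

    # 2. The rebuild differs: either the source is not what shipped, or the
    #    build is not reproducible. Either way the artifact stays unverified.
    verify_rebuild "$dir/vendor.bin" \
        "printf 'release build v1 + extra\n' > '$dir/rebuilt.bin'" "$dir/rebuilt.bin"
    bad=$?

    rm -rf "$dir"
    echo "demo: good=$good bad=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_verify
```

A mismatch does not by itself prove the source is illegitimate: compilers routinely embed timestamps, absolute paths and other build-host detail, so the toolchain has to be made reproducible first. That is exactly why the release insists that the build environment, not just the source, be part of the audit.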

"OSIA believes that the only platform, compilation-suite and build
environment which can offer any such level of surety in situations where
security is required by government software users, is the open source
platform. Using anything else is the equivalent of sticking one's head
in the sand and hoping for the best," concluded Zymaris.

[Ref #1: http://lwn.net/2001/0118/security.php3]
[Ref #2: http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml]

- - - 

About Open Source Industry Australia

OSIA is the industry body for Open Source within Australia. We exist to
further the cause of Free and Open Source software (FOSS) in Australia and
to help our members to improve their business success in this growing
sector of the global Information and Communication Technology (ICT) market.


Spokesperson/Contact: Con Zymaris
Phone: 03 9621 2377
Fax: 03 9621 2477
Email: conz at cyber.com.au


Con Zymaris <conz at cyber.com.au> Level 4, 10 Queen St, Melbourne, Australia 
Cybersource: Australia's Leading Linux and Open Source Solutions Company 
Web: http://www.cyber.com.au/  Phone: 03 9621 2377   Fax: 03 9621 2477
