This is in response to Larry Braud's post about the study due on 6/7/02 by the Alexis de Tocqueville Institute that claims open source software is less secure and more likely to be hacked by terrorists than closed source software.
On the face of it, most people will quickly accept that having access to the source code of software means that ill-intentioned individuals will be able to exploit weaknesses within that software. It seems to make sense. But let's consider this situation a little more carefully.

If, let's say through an act of Congress (oi...), the US Government mandates that only closed source software can be used for operational purposes, then, for example, the NSA would have to make some major changes (http://www.nsa.gov/selinux/index.html) in what it uses on a daily basis. I'm not saying you should draw any kind of conclusions about who knows more about terrorism or security (NSA vs AdTI), but I'll let you make up your own minds.

The next thing that would have to happen is that all current holders of copies of closed source software would have to permit the DOD to classify their copies of closed source software to Secret or Top Secret classification. And then those holders would have to build physical and network security systems to keep terrorists from stealing it. If you didn't know it, there are _many_ businesses and organizations around the world that have copies of closed source software, including, for example, the various Microsoft operating systems. To get a copy of the source code for closed source software now, you merely have to purchase it from the original publisher. For instance, many hardware manufacturers negotiate licenses for the source code to the Microsoft operating system in order to make certain that their hardware will run on it. Are we prepared to trust that the many businesses and organizations that already possess this source code will keep it secure from terrorists?

Let's consider the number of ways that closed source code can get into the hands of terrorists:

1. They simply buy it, either through a front organization or from a disreputable business that already has a copy.
2. Hackers simply get it via network intrusions from either the original publisher () or from an organization that already has a copy.
3. Employees within a business/organization that has a copy make a copy and sell it.

I'm sure there are many other ways.

But in the final analysis, I want to tell you about something called "Kerckhoffs' Principle". You can read a good explanation of Kerckhoffs' Principle at: http://www.eatel.net/~john/cryptogram/crypto-gram-0205.html#1. Originally, this was at: http://www.counterpane.com/crypto-gram-0205.html#1, but this morning I can't view that page for some reason.

Basically, this principle says that if you depend on keeping an algorithm (a software program) secret to ensure security, your security is very fragile and will be discovered eventually (through any of the means I list above). The only way to ensure that something remains secret, and therefore secure, is to encrypt it using the strongest encryption methods publicly available and then keep the encryption key secret. In that way, if someone does find your key, you merely have to get a new key.

If we mandated that the US Government use closed source software to ensure security, then all it would take is one terrorist to get the source code to that software, and then it would have to be assumed that all terrorists would have a copy of that source code. And therefore that closed source software would have to be replaced with new closed source software. And the cycle would begin again. If the US Government mandates that it will only use closed source software, I can only say that I hope you like paying taxes.

My basic point is that depending on the characteristic of software being "closed" or hidden to ensure security is to delude oneself. If terrorists wanted the source code to software, they would simply get it. Real security involves a lot more than using closed source software for daily government operations.
John Hebert
IT Professional
Former Electronics Warfare Technician, USN Petty Officer 3rd Class
Held "Secret" clearance
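The Kerckhoffs point above, as an added example that is not part of the original post: the algorithm (HMAC-SHA256) is public and only the key is secret, so a leaked key is recovered from by rotating the key rather than by replacing the software. The message, class and function names are constructed for this illustration.

```python
"""Kerckhoffs' principle in practice: a public, well-studied algorithm plus a
secret key. If the key leaks, you issue a new key; the algorithm never changes.
Added example, not code from the original post."""
import hashlib
import hmac
import secrets


class KeyedAuthenticator:
    """Authenticates messages with HMAC-SHA256; the only secret is self.key."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def tag(self, message: bytes) -> bytes:
        return hmac.new(self.key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self.tag(message), tag)

    def rotate(self) -> None:
        # Recovery after a compromise: replace the key, not the design.
        self.key = secrets.token_bytes(32)


def leaked_key_is_useless_after_rotation() -> bool:
    """Models the post's scenario: someone obtains the secret, so it is replaced.

    Returns True when a tag forged with the leaked key verified while that key
    was current but stops verifying as soon as the key is rotated.
    """
    auth = KeyedAuthenticator()
    msg = b"status report: all systems nominal"   # constructed sample message
    leaked_key = auth.key                          # the secret falls into the wrong hands
    forged = hmac.new(leaked_key, msg, hashlib.sha256).digest()
    accepted_before = auth.verify(msg, forged)     # forgery works while the key is live
    auth.rotate()                                  # cheap fix: a new key, same algorithm
    accepted_after = auth.verify(msg, forged)      # old forgery is now rejected
    return accepted_before and not accepted_after
```

Contrast this with a scheme whose only secret is the algorithm itself: once that leaks there is nothing to rotate, and the whole thing has to be redesigned and redeployed, which is the cycle the post describes.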
