Linux Joins 'The Axis of Evil', Part II

Release from Green Hills Software (English)

More politicization in the debate over Linux: Dan O'Dowd, CEO of Green Hills Software, said in a speech today, "We must not entrust [US] national security to Linux." More pithy quotes:

"The very nature of the open source process should rule Linux out of defense applications. The open source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems."

And now, watch me pull a rabbit out of my hat:

'Advocates of the Linux operating system claim that its security can be assured by the openness of its source code. They argue that the 'many eyes' looking at the Linux source code will quickly find any subversions. Ken Thompson, the original developer of the Unix operating system, which heavily influenced Linux, proved otherwise. He installed a back door in the binary code of Unix that automatically added his user name and password to every Unix system. When he revealed the secret 14 years later, Thompson explained, "The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code."'

Huh? Since when was Unix Open Source? Notice the technique here: first, make an association between Linux and Unix. Then, tell an anecdote about how Unix, a Closed Source project, was infected with a security leak. Then...voilà! Linux joins the Axis of Evil. This is a classic non sequitur. It's another example of the deconstruction of both the English language and the logical thought processes of the general population.

Of course we don't know yet whether anyone is listening to Mr. O'Dowd's comments. Also, I personally can't prove whether Linux is more secure than Closed Source operating systems, even though I have my suspicions. But my guess is that this is more evidence that there are cultural mechanisms which will prevent developed countries from understanding and accepting what is happening with Open Source; and that the end result during the next generation will be an overwhelming shift of power to those cultures which are embracing it.


Willy and Mitch are, of course, right.

On top of that, there was no contrast with how such a hole would have been found in a proprietary package.

What about such a hole in let's say... A Microsoft OS?

It was ugly. There were toothpicks everywhere...

Yes, but...

This describes the Thompson backdoor (taken from here):

Historically, back doors have often lurked in systems longer than anyone expected or planned, and a few have become widely known. Ken Thompson's 1983 Turing Award lecture to the ACM admitted the existence of a back door in early Unix versions that may have qualified as the most fiendishly clever security hack of all time. In this scheme, the C compiler contained code that would recognize when the `login' command was being recompiled and insert some code recognizing a password chosen by Thompson, giving him entry to the system whether or not an account had been created for him.

Normally such a back door could be removed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to _use_ the compiler -- so Thompson also arranged that the compiler would _recognize when it was compiling a version of itself_, and insert into the recompiled compiler the code to insert into the recompiled `login' the code to allow Thompson entry -- and, of course, the code to recognize itself and do the whole thing again the next time around! And having done this once, he was then able to recompile the compiler from the original sources; the hack perpetuated itself invisibly, leaving the back door in place and active but with no trace in the sources.

In this situation, many eyes examining the source code would NOT have revealed the security hack even if the source code had been OSS. However, I don't think this proves O'Dowd's point; read again what Thompson's conclusion was:

The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code.

The conclusion is: unless YOU wrote it you can't trust it. Or, unless you wrote it you can only trust it as much as you trust the people that did write it. So who do you trust:

  • Microsoft and Green Hills Software (a compiler vendor)
  • The US government (which we KNOW has never had any security related personnel problems)
  • Or the OSS community?

You decide!
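The comment above describes the two halves of the Thompson hack (a back door inserted into `login`, and a compiler that re-inserts the hack into itself when rebuilt from clean sources) and concludes that source review alone cannot catch it. The following toy model is an added example, not code from the original post or from anyone quoted on it. It invents a two-statement source language, an object-code format, a sample login program and a one-line "compiler source", and it models the trojaned compiler as a binary carrying a hidden payload that its own source never mentions. It then shows the check a defender would actually run against this class of problem: rebuild the compiler from its source using a second, independent compiler and compare the results byte for byte (the approach David A. Wheeler calls diverse double-compiling, which the page itself does not mention). The credential string `ken PLACEHOLDER_PASSWORD` is a labelled placeholder, not anything from the page.

```python
"""Toy model of the Thompson compiler back door, plus a diverse
double-compiling check that detects it.  Every input here is constructed
for illustration: the source language, the object-code format, the sample
programs and the payload are all invented."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample sources.  Neither mentions any back door; that is the
# whole point of the attack.
LOGIN_SOURCE = "say enter password\ncheck alice hunter2\n"
COMPILER_SOURCE = "compiler v1\n"


@dataclass(frozen=True)
class CompilerBinary:
    """A built compiler.  `payload` is the hidden state a trojaned build
    carries; an honest build has payload=None.  Nothing in the source the
    binary was built from reveals the payload."""
    version: str
    payload: Optional[str] = None

    def compile(self, source: str) -> str:
        """Translate toy source to toy object code, one line per statement."""
        out = []
        for line in source.splitlines():
            words = line.split()
            if not words:
                continue
            if words[0] == "say":
                out.append("OUT " + " ".join(words[1:]))
            elif words[0] == "check":
                out.append("CMP " + " ".join(words[1:3]))
                if self.payload is not None:
                    # Back door: the built login also accepts the hidden credentials.
                    out.append("CMP " + self.payload)
            elif words[0] == "compiler":
                out.append("COMPILER " + words[1])
                if self.payload is not None:
                    # Self-perpetuation: a compiler built by a trojaned compiler
                    # inherits the payload although its source is clean.
                    out.append("TROJAN " + self.payload)
            else:
                raise ValueError(f"unknown statement: {line!r}")
        return "\n".join(out) + "\n"


def load(object_code: str) -> CompilerBinary:
    """Turn compiler object code back into a runnable compiler binary."""
    version, payload = None, None
    for line in object_code.splitlines():
        tag, _, rest = line.partition(" ")
        if tag == "COMPILER":
            version = rest
        elif tag == "TROJAN":
            payload = rest
    if version is None:
        raise ValueError("object code is not a compiler build")
    return CompilerBinary(version, payload)


def source_review_finds_backdoor(source: str, attacker_user: str) -> bool:
    """What 'many eyes' on the source can see.  In this scenario: nothing."""
    return attacker_user in source


def diverse_double_compile(suspect: CompilerBinary, trusted: CompilerBinary,
                           compiler_source: str) -> bool:
    """Return True if `suspect` rebuilds `compiler_source` exactly as a build
    bootstrapped through the independent `trusted` compiler does.

    Stage 1 builds the source with `trusted`; stage 2 builds it again with
    the stage-1 result.  For a deterministic compiler, stage 2 must be
    byte-identical to what `suspect` produces from the same source, so any
    difference means one of the two compilers is not a faithful translation
    of that source."""
    stage1 = load(trusted.compile(compiler_source))
    stage2 = stage1.compile(compiler_source)
    return suspect.compile(compiler_source) == stage2


HONEST = CompilerBinary("v1")
# Placeholder credentials for the hidden back door (constructed, not real).
TROJANED = CompilerBinary("v1", payload="ken PLACEHOLDER_PASSWORD")


if __name__ == "__main__":
    rebuilt = load(TROJANED.compile(COMPILER_SOURCE))
    print("compiler source mentions ken?", source_review_finds_backdoor(COMPILER_SOURCE, "ken"))
    print("rebuilt compiler still trojaned?", rebuilt.payload is not None)
    print("login built by rebuilt compiler:\n" + rebuilt.compile(LOGIN_SOURCE))
    print("DDC flags trojaned compiler?", not diverse_double_compile(TROJANED, HONEST, COMPILER_SOURCE))
```

The check works only because the comparison is on built output rather than on source, and it needs two things the toy grants for free: a deterministic compiler (so honest builds really are byte-identical) and a second compiler that does not share the same trojan. It does not tell you which compiler is lying, only that the two disagree, which is exactly the signal that source review alone cannot produce in Thompson's scenario.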