On Sunday 08 April 2007, Geoffrey S. Mendelson wrote:
> On Fri, Apr 06, 2007 at 11:53:45PM +0300, Dan Armak wrote:
> > On Friday 06 April 2007, Geoffrey S. Mendelson wrote:
> > > I have a philosophical question. With open source software how do you
> > > make sure that the copy you are running was not modified to send
> > > your accounting data to some "data collection" site?
> >
> > You seem to be implying that there's a way to do this with proprietary
> > software that doesn't work for free software. Is there?
>
> No, but there is a much greater risk of it happening with open source
> software. First of all, the probability in the real world of someone
> being able to verify the source code is "clean" is not very large. Few
> people can actually read source code to the point that a hidden exploit
> is not present. Even those that can, rarely do so. Have you looked at
> the source code for any of the open source applications you run?
>
> Not little bits here and there, but the entire "program"?

The probability of any one person verifying an entire codebase is very low - 
I've certainly never done so. But that of some people doing it collectively 
or even just as 'patchwork' can be high. In any project with more than one or 
two committers, there will be people watching the commit log, there will be 
people looking through the code to learn how to extend it. Really important 
projects will come under the scrutiny of dedicated audit teams.

Anyway, the probability of someone verifying that non-open-source code is 
clean is a lot smaller yet. Both the ease of performing a complete-code 
audit, and the likelihood of one occurring for widely used programs, are 
higher for open source than for proprietary code.

>
> With open source software it becomes much easier for an unscrupulous
> person to modify the downloadable source code or create a mirror of the
> compiled program with a bug. There was for example a trojan placed in
> one of the more common TCP/IP utilities (I forget which it was, either
> traceroute or tcpdump) and it even made it to a few distributions of
> various operating systems.

Of course it's easier to make a mirror with a trojan for an open source app, 
because proprietary software disallows mirrors. But that doesn't automatically 
get the trojan to the end users.

I looked up the tcpdump case. The CERT advisory[1] says an intruder to 
tcpdump.org inserted the trojan into the release tarball, and it was then 
copied to various mirrors. tcpdump installations began to fail for 
from-source Gentoo users, and some of them[2] spent the couple of minutes 
needed to diff the good and bad tarballs. This revealed a small change to the 
code which even on first inspection is suspicious, so they investigated 
further, and/or alerted upstream. 

[1] http://www.cert.org/advisories/CA-2002-30.html
[2] http://www.hlug.org/trojan/

The whole issue was widely known and fixed in a few days. Apparently no major 
distributions' packages were affected. That's an example of a good immune 
response: the correct security system (release tarball hashes) both stopped 
the trojan and alerted people to it. 

Of course the system isn't perfect. tcpdump is a big project. When I install 
some small one-off utility I'd never heard of before, can I really trust that 
the distro's packager verified a GPG signature on the tarball he was testing, 
and got the signing GPG key out of band? For that matter, can I trust the 
upstream committers to keep that key and their development workstations 
separate from, and at least as secure as, the site where they publish 
releases? Can I even trust the good intentions of the main committers of this 
small project - not just that they won't trojan the code themselves, but that 
their code is security-conscious and of high quality and that they won't try 
to hide bugs and vulnerabilities instead of fixing them?

The answer is no - at least not for small-to-medium projects. But that's not 
the issue here. Proprietary software isn't better off. For the most part it's 
a lot worse off because the average Windows user, and the average Windows 
infrastructure, isn't as secure and security-minded as good open source 
software.

Imagine if a similar trojan were inserted into wireshark - not into the source 
tarballs, but only into the Windows .exe release. I'm sure they publish 
hashes and signatures for the EXEs as well. How many Windows users check 
those after downloading, do you think? Not users like you (if you ever use 
Windows), but average tech-savvy users? 

>
> With closed source programs where the source code and the distribution
> of compiled programs is tightly controlled, the skill level required of a
> person modifying it for nefarious purposes is much higher.

Not that much higher.

First, trojaning a random binary is easy: that's what all viruses do, and by 
now there must be a huge number of virus-making tools and sample code out there.

Second, it's true that it's a lot harder to penetrate the distribution of 
official stamped CDs than a worldwide network of mirror sites. But you can 
get opensource code on official stamped CDs too. So if you think it makes a 
security difference, you're free to buy your distro's CDs and only install 
very carefully filtered security updates online. 

Sure, the average Linux user installs/updates all or most of his stuff online. 
But the average proprietary software == Windows user also installs a lot of 
opensource and freeware apps he downloads, plus there's a good chance his 
Windows CD and other proprietary apps are trojaned copies off a p2p network, 
and of course there are Windows' own security issues. So on average, I think 
an open-source system _is_ more secure than a proprietary one.

It's true as you say that trojaning one specific program can be somewhat 
easier if it's opensource and widely distributed. But that's not the 
attacker's goal in itself; what he wants is trojaning _any_ app on your 
system, or using a remote vulnerability, and from there he can take over or 
infect the program he wants. 

> > > Using computer programs to steal money or hide income from the tax
> > > authorities is not a new or uniquely Israeli concept.
> >
> > How do they check this today, for proprietary apps running on Windows? Do
> > they have remote root access to your machine to make sure you're running
> > the software you claim you are? Are they planning on using TPMs with RA?
>
> I have no idea. I can only assume they run some sort of virus/spyware
> detection program against it and then verify the actions are correct.
> For example, once committed, records cannot be modified. Not an easy thing
> to lock in an open source program with an external database.

So how do they make sure no one's cracked their virus?

Wouldn't it be easier, as well as more secure, to have the app submit records 
to the online tax authority DB when they are committed? Then no matter what 
app you use, you can't modify them later.

-- 
Dan Armak
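The tcpdump incident discussed above was caught by comparing a downloaded tarball against the published release hash and then diffing the good and bad tarballs to find the changed file. The following is an added illustration of both steps, not code from the thread or from tcpdump; the archives, file names and contents are constructed in memory and the pinned digest stands in for one obtained out of band.

```python
import hashlib
import io
import tarfile

# Constructed sample: a trusted release and a tampered copy of it.
# File names and contents are hypothetical, not real tcpdump sources.
GOOD_FILES = {
    "release-x.y/configure": b"#!/bin/sh\necho configuring\n",
    "release-x.y/print-ip.c": b"int print_ip(void) { return 0; }\n",
}
BAD_FILES = dict(GOOD_FILES)
BAD_FILES["release-x.y/configure"] += b"# injected at the mirror\n"


def build_tarball(files):
    """Build an in-memory tar archive with fixed metadata so output is deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_release(tarball, pinned_digest):
    """True only if the whole tarball matches the digest obtained out of band."""
    return sha256_hex(tarball) == pinned_digest


def member_digests(tarball):
    """Map every regular file in the archive to the SHA-256 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = sha256_hex(tar.extractfile(m).read())
    return out


def diff_tarballs(good, suspect):
    """Names of members that were added, removed or changed in the suspect copy."""
    a, b = member_digests(good), member_digests(suspect)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))
```

A hash mismatch alone only tells you the download is not the release; `diff_tarballs` is the follow-up that points at the exact member to inspect.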
