Listening to some Linux critics, you might think that the open-source operating system is more of a threat to U.S. national security than a gaggle of Islamic jihadis lugging rocket-propelled grenade launchers around Fallujah, or mad Pakistani nuclear scientists selling secrets to rogue states.
At yesterday’s Net-Centric Operations Industry Forum in McLean, Virginia, near Washington D.C., the CEO of Green Hills Software, Dan O’Dowd, generated national publicity when he opined that the “proliferation of the Linux open-source operating systems poses a serious and urgent security threat.”
O’Dowd said that the open-source coding movement — a cooperative endeavor by loosely affiliated programmers around the globe — was inherently insecure. “The very nature of the open-source process should rule Linux out of defense applications,” said O’Dowd, whose company is headquartered in Santa Barbara, California, and has international operations in the UK.
“The open-source process violates every principle of [information] security,” he said. “It welcomes everyone to contribute to Linux.”
Subversive Software
The risk to national security posed by Linux is grave, he said, for now that foreign terrorists and foreign intelligence agencies know that the software is being used in advanced U.S. defense applications, these subversives will “use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems,” said O’Dowd.
Although O’Dowd was clearly trying to be provocative with his remarks, it’s not as if the Pentagon hasn’t considered the risks of Linux before. As far back as last spring, the chief information officer of the Pentagon was issuing public policy statements on the use of open-source software.
The Pentagon produced a memo on open-source computing last May, stating that open-source deployments comply with the Department of Defense’s computer-security regulations. The military has more than 200 open-source projects underway, according to a report by the military think tank and consultancy, Mitre Group. This has grown substantially over the last year.
The report noted that open-source computing is becoming a “critical component” of the IT infrastructure at the Pentagon and that everything from Linux firewalls to the Emacs text editor and Linux encryption tools were being used by the warriors.
The Pentagon also has noted, separately, that it customizes much of the Linux used for its projects.
Fear, Uncertainty, Doubt
Are O’Dowd’s remarks credible? To the trained ear, his rhetorical tactics are reminiscent of the old strategy of sowing “fear, uncertainty, or doubt,” or FUD, used by IBM in decades gone by to dissuade upstarts from buying into the concept of personal computers.
O’Dowd provided no evidence that subversives had actually developed malicious Linux software products that have been used by the Pentagon with adverse consequences. But he raised the possibility of this happening in the future.
“Developers in Russia and China are also contributing to Linux software,” said O’Dowd. “Recently, the CEO of MontaVista Software, the world’s leading embedded Linux company, said that his ‘company has two-and-a-half offshore development centers. A big one in Moscow, and we just opened one in Beijing.’”
Fears About Russia
Apparently not knowing or caring that Moscow, along with the United States, is part of NATO’s extended alliance, called the Partnership for Peace, O’Dowd also cautioned that another embedded Linux supplier, LinuxWorks, has a development center in Russia.
Noting that the developer of Unix installed a back door on the operating system, O’Dowd fears that a similar vulnerability could be hidden in the Linux code contributed by international Linux developers.
“If Linux is compromised, our defenses could be disabled, spied upon, or commandeered,” said O’Dowd.
What a pathetic article. I mean, such blatant misinformation, call it FUD if you like, has nothing to do with expertise. Do people really think anyone can stuff any piece of code into Linux or into another FOSS project, for the sole reason that it’s "open-source"? And what about being hired by a software company (say Microsoft) and pouring malicious code into their closed-code software? It’s probably much harder to put malicious code under sunlight in an open-source code base than to tinker with hidden, closed-source features.
I appreciate Mr. Koprowski’s coverage of this issue, as FUD shouldn’t dominate such a topic of discussion, but instead facts and information. While I am a supporter and believer in both Linux and Windows, I think that both have security issues that need to be addressed. The issue, as I see it though, is not about open or closed source, but about the business model of the respective vendors and software creators. Any software is a product of the quality of its design and the ability of its developers to control the process of its development. It seems that when it comes to open source, the discussion should be about how new software components and improvements are adopted and not about who is contributing them. Let a terrorist give us his best ideas; a good software engineer / programmer, a sound development process, and a good review process should expose any holes before they make it to prime time.
I think it’s a bit of a discredit to the many skilled software engineers who develop our software to say that they aren’t assessing new components and implementing them with care and caution. It’s also a bit irresponsible to defend their use and implementation of new components without knowing exactly what they are doing. Open source provides a much more comprehensive ability to examine what is going on and assess whether the development model is in fact responsible enough for our needs. A closed-source project has a company’s reputation and financial well-being behind the software it buys. Any entity buying software should be able to ensure for its user base that the software is of the highest quality. If you can’t get either of these from a vendor, open source or not, I think it’s in your best interest to look elsewhere.
Time and again, Trusted Solaris and the BSD operating systems, including Apple’s Darwin, come up on security experts’ lists as the most secure software. Solaris is closed source and Darwin and the BSDs are open source. The reasons are objective, quantifiable and sound. I think rather than discussing open and closed source, we should be asking how it is that Linux and Windows are being chosen for critical applications over these more proven operating systems. Let’s make this debate one that will truly benefit computer science and the FUD of the moment.
And as an aside, perhaps we can again ask why applications are still being created in C and other procedural languages that are both less secure and less easy to maintain/refactor. Once we get secure operating systems, let’s not forget that object-oriented languages that utilize virtual machines, such as the JVM and .Net environments, are much more transparent and secure to run the applications that users interact with.
DoD is a moron. He clearly knows nothing about OSS.
Surprised that this is from an EXPERT!!! Or he has been mistakenly called an expert. If he had known anything about OSS, he would be more confident with what’s in the plan!
This is a misleading article to people who are just getting to know Linux!