The creators and distributors of the Gnome open-source desktop software project are investigating a server breach that reportedly did not affect released Gnome sources and the project’s source-code repository, but nonetheless delayed the latest update scheduled to come out this week.
The sysadmin team of Gnome, a free Unix-Linux desktop suite and development platform, reported evidence of an intrusion on the server hosting the project’s Web sites. The team is working to restore services from the affected machine but indicated the compromise appears to be limited in scope.
The group’s handling of the hack mirrored the rapid disclosure and response of similar intrusions on the Linux kernel last month and the Debian Linux project last November. While open-source proponents have touted the superiority of the open-source community’s security response compared with that of proprietary software vendors, such as Microsoft, experts tend to point to equivalent risks and responses in both open- and closed-source software.
“I don’t think any kind of distinction can be made between closed source and open source in terms of security,” iDefense director of vulnerability intelligence Sunil James told LinuxInsider. “All vendors take many steps to ensure the integrity of their source trees is protected.”
Right Response
James credited the Gnome project for reacting appropriately to the incident, adding that disclosure of the breach — including the response and review — is the typical software-vendor procedure.
“I think the Gnome group is definitely taking the right steps to explain the situation, explain the potential damage and protect the integrity of their source code,” James said.
Independent security analyst Ryan Russell agreed, telling LinuxInsider that there is general agreement among observers that open-source software vendors and distributors deal with security incidents more quickly than proprietary software vendors.
Russell added that adequate incident response is probably lacking at a large number of companies in the business world.
Quiet Compromises
Russell said that because sellers of proprietary software have more control over when code is released and who has it, breaches similar to the Gnome and previous Linux kernel and Debian hacks might not be reported.
“In cases where [proprietary] software vendors [go] through something similar, [they hide it] for a period,” he said. “So we have to assume there has been some cover-up. There’s an unfortunate chance this is happening elsewhere and either being covered up … or they decide to handle it without disclosing it.”
While James said he would not be surprised to learn of similar intrusions with large software vendors not reporting the risks, the security expert praised Microsoft for its handling of a recent leak and for posting portions of its Windows 2000 and NT source code last month.
“They did take solid steps to determine where the leak came from, what was the problem, what was leaked,” James said.
Crucial in Open Source
Russell said the open disclosure of security breaches might be more critical with open-source software because there is less control and accountability regarding which software versions are out and when they were downloaded.
However, he noted, there is an advantage in open source in that any number of organizations or companies can offer a clean copy of the software to compare against and check for problems.
IDefense’s James said public disclosure of such breaches is particularly important with open-source software because the users represent a wide range of people and organizations.
“There is a definite need to reveal these kinds of leaks before they become something much more dangerous,” James said, referring to the potential to exploit a flaw or back door after software is released.