Re: On the Other hand: Re: [ISN] Auditors warn of foreign risks to weapons software

From: brennan stewart (brennan@private)
Date: Wed Jun 02 2004 - 22:37:33 PDT


    Some milestones relating to Linux in the US Government
    
    Linux COE certification 
    http://disa.dtic.mil/coe/index.html
    
    Linux distros with Common Criteria certification
    http://niap.nist.gov/cc-scheme/vpl/vpl_type.html#operatingsystem
    
    Products on Linux with FIPS certification
    http://csrc.nist.gov/cryptval/140-1/1401val2004.htm
    
    Common Access Card compatibility with Linux
    http://www.it-umbrella.navy.mil/contract/middleware-esa/Schlumberger/Linux_Report_Card.pdf
    http://www.slb.com/cactus/product.htm
    
    DISA's Linux STIG (horribly outdated and inadequate by the way)
    http://csrc.nist.gov/pcig/STIGs/unix-stig-v4r4-091503.zip
    http://csrc.nist.gov/pcig/CHECKLISTS/unix-checklist-031504.zip
    
    So it does appear that Linux holds all the certifications needed.
    
    The agencies I have worked for will insist on performing a code audit
    regardless of the software source (vendor/OSS/etc) if it is a national
    security system.  They aren't going to just plug something into a SCIF.
    
    I could make the argument that Linux adoption will help improve the
    security of the US government too, to prevent a monoculture (defense in
    diversity).  Take for example the way the IRS was victimized by
    Sasser... (and how many other agencies?)
    
    I think many proprietary software companies fail to understand what is
    happening with the software industry, the "creative destruction" as the
    open source paradigm spreads.
    
    DoD technologists can see the writing on the wall too.
    
    -b
    
    
    
    On Wed, 2004-06-02 at 04:44, InfoSec News wrote:
    > Forwarded from: security curmudgeon <jericho@private>
    > Cc: Hope This Works <dano@private>, Or This One <odowd@private>, Maybe This One <dan@private>
    > 
    > : Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt
    > : "We must not entrust national security to Linux," he declares.
    > : April 11, 2004, http://linuxworld.com/story/44468.htm
    > 
    > : In a speech intended to serve as a wake-up call to anyone relying on the
    > : "many eyes" that look at the Linux source code to quickly find any
    > : subversions, the CEO of Green Hills Software last week reminded his
    > : audience how UNIX's creator Ken Thompson installed a back door in the
    > : binary code of UNIX that automatically added his user name and password
    > : to every UNIX system - a secret he revealed only 14 years later.
    > 
    > : "The very nature of the open source process should rule Linux out of
    > : defense applications," O'Dowd said.
    > 
    > How is this any different than Windows or Solaris (or a dozen others)
    > then? Both should be ruled out just as fast since each has shared its
    > source code with the world. Solaris source has been available for
    > years (and was available for years before they willingly made it
    > public). Microsoft has shared huge portions of Windows source code
    > with the Chinese government, and I'm sure we can trust them to report
    > vulnerabilities they find .. right?
    > 
    > : "The open source process violates every principle of security. It
    > : welcomes everyone to contribute to Linux. Now that foreign intelligence
    > : agencies and terrorists know that Linux is going to control our most
    > : advanced defense systems, they can use fake identities to contribute
    > : subversive software that will soon be incorporated into our most
    > : advanced defense systems," he continued.
    > 
    > They can also use those fake identities to get a job at Microsoft (or
    > Green Hills) where the code is reviewed by significantly less people,
    > then pushed out to millions of customers world wide. Is this any
    > different than O'Dowd's scenario?
    > 
    > : "If Linux is compromised, our defenses could be disabled, spied on, or
    > : commandeered. Every day new code is added to Linux in Russia, China and
    > : elsewhere throughout the world. Every day that code is incorporated into
    > : our command, control, communications and weapons systems. This must
    > : stop," he added, before continuing:
    > 
    > And if these systems are running Windows or Solaris, it's magically
    > better? Because those two operating systems don't have vulnerabilities
    > or something? Microsoft has proven it doesn't need foreign agents to
    > code gaping holes in its products. Or is this some obscure argument
    > that the world needs to move to proprietary RTOSs and self-serving
    > advertising?
    > 
    > : "Linux in the defense environment is the classic Trojan horse scenario -
    > : a gift of 'free' software is being brought inside our critical defenses.
    > : If we proceed with plans to allow Linux to run these defense systems
    > : without demanding proof that it contains no subversive or dangerous code
    > : waiting to emerge after we bring it inside, then we invite the fate of
    > : Troy."
    > 
    > You demand proof? You have the source, audit it. Find all the
    > malicious backdoors and trojans in it. Quit grandstanding and spouting
    > this crap and *prove* it beyond doubt. That would seal your argument.
    > 
    > : One of O'Dowd's most telling points came when he debunked the claim by
    > : Linux advocates that its security can be assured by the openness of its
    > : source code, arguing that "many eyes" looking at the Linux source code
    > : will quickly find any subversions.
    > :
    > : Ken Thompson, the original developer of the Unix operating system (which
    > : heavily influenced Linux) proved that this just isn't true, O'Dowd
    > : argued. Thompson installed a back door in the binary code of UNIX that
    > : automatically added his user name and password to every UNIX system.
    > :
    > : O'Dowd told his audience that, when Thompson revealed the secret 14
    > : years later, he declared:
    > :
    > : "The moral is obvious. You can't trust code that you did not create
    > : yourself. No amount of source-level verification or scrutiny will
    > : protect you from using untrusted code."
    > :
    > : "Before most Linux developers were born, Ken Thompson had already
    > : proven that 'many eyes' looking at the source code can't prevent
    > : subversion," said O'Dowd. "Linux is being used in defense applications
    > : even though there are operating systems available today that are
    > : designed to meet the most stringent level of security evaluation in
    > : use by the National Security Agency, Common Criteria Evaluation
    > : Assurance Level 7 (EAL 7)."
    > 
    > This is worthy of a used car salesman. Two major points here, and I
    > get to paraphrase since others have seen through this..
    > 
    > http://www.a42.com/node/view/149
    > 
    >  Huh? Since when was Unix Open Source? Notice the technique here: first,
    >  make an association between Linux and Unix. Then, tell an anecdote about
    >  how Unix, a Closed Source project, was infected with a security leak.
    >  Then...voilà! Linux joins the Axis of Evil. This is a classic non
    >  sequitur. It's another example of the deconstruction of both the English
    >  language and the logical thought processes of the general population.
    > 
    > http://www.networkmagazine.com/article/NMG20020826S0005
    > 
    >  Backdoors also have a long history in Unix software. Ken Thompson, a
    >  designer of the Unix OS, explained his magic password, a password that
    >  once allowed him to log in as any user on any Unix system, during his
    >  award acceptance speech at the Association for Computing Machinery (ACM)
    >  meeting in 1984. Thompson had included a backdoor in the password
    >  checking function that gets included in the login program. The backdoor
    >  would get installed in new versions of the Unix system because the
    >  compiler had Trojan Horse code that propagated the backdoor code to new
    >  versions of the compiler. Thompson's magic password is the best known,
    >  and most complex in distribution, backdoor code.
    > 
    > So first, O'Dowd is trying to say that old UNIX is magically Linux and was
    > open source, when it most certainly was not. Second, he says that Thompson
    > revealed this fact 14 years later, yet the talk that disclosed it was
    > presented in 1984, long before Linux was even a notion in Torvalds' mind
    > (http://www.li.org/linuxhistory.php). You can read details of Thompson's
    > tomfoolery in his presentation (http://vx.netlux.org/lib/mkt00.html).
    > 
    > Third, the backdoor wasn't in the UNIX operating system, but the
    > closed source compiler being used at the time (which was also used by
    > Microsoft very early on.. trust issues and tin foil hats!), not the
    > GNU C compiler. Further, his backdoor *was* discovered by people
    > working on UNIX and by one professional's guess (no, not mine), it was
    > around for six years before being discovered, in a closed source
    > system, much like some of the nasty Windows bugs we see these days.
    > 
    > O'Dowd's entire argument is a practical joke that some reporters fell for.
    > 
    > 
    > All of that said, if it's really that bad, why does O'Dowd's company boast
    > about its impressive sales and mention that they sell embedded Linux?
    > 
    > http://www.ghs.com/news/220304v.html
    > 
    >  In its latest study, entitled "Embedded Software Strategic Market
    >  Intelligence Program: Volume IV," published February, 2002, VDC reports
    >  on the worldwide market for all embedded operating systems for the year
    >  2001. According to the VDC report, the embedded operating system market
    >  is estimated to top $663.8 million in 2001 shipments. This includes
    >  shipments of embedded operating systems from Microsoft (Windows XP
    >  Embedded, Windows CE), Palm (PalmOS), VenturCom (Windows), Symbian
    >  (SymbianOS), Sun (Solaris) and several vendors of embedded Linux.
    > 
    > Despite this, Green Hills is on a recent anti-Linux crusade:
    > 
    > http://www.ghs.com/news/index.html
    > 
    > 17-May-2004:  Green Hills Software Issues White Paper: Linux in
    > Defense: An Urgent Threat to National Security
    > 
    > 10-May-2004: Green Hills Software Issues White Paper: Linux in
    > Defense: Free Software Is Just Too Expensive
    > 
    > 3-May-2004: Green Hills Software Issues White Paper: Linux Security:
    > Unfit for Retrofit
    > 
    > 26-Apr-2004: Green Hills Software Issues Linux Security White Paper:
    > Many Eyes No Assurance Against Many Spies
    > 
    > 19-Apr-2004:  Green Hills Software CEO Responds to Linux Security
    > Controversy
    > 
    > 8-Apr-2004: Using Linux Software in Defense Systems Violates Every
    > Principle of Security Says Green Hills Software's CEO and Founder
    > 
    > 
    > I'm not defending Linux as some magic solution to insecure operating
    > systems, I'm not touting it as a secure alternative to any other
    > operating system. However, I am tired of a few clowns conveniently
    > bashing Linux and Open-Source for their own gain, especially when they
    > use paid-for research (ADTI) or arguments that are easily shot down by
    > third graders (GHS).
    > 
    > So O'Dowd .. what's your real motivation here? Have anything remotely
    > substantial to back these claims? Or is this a convenient media frenzy
    > designed to get attention for your company? Just a way to scuttle your
    > competition (MontaVista Software)?
    > 
    > 
    > Jericho
    > Security Curmudgeon
    > 
    > 
    > Another Rebuttal: http://www.madpenguin.org/Article1182.html
    > 
    > 
    > 
    > _________________________________________
    > ISN mailing list
    > Sponsored by: OSVDB.org
    > 
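    The Ken Thompson compiler backdoor described in the Network Magazine excerpt quoted above is the one genuinely technical point in this thread, and the defender's question it raises is what can catch such a thing if reading the source cannot. The following is an added Python example; it is not part of this message or of any of the cited articles. It is a toy model of a self-propagating compiler trojan next to the standard countermeasure, diverse double-compiling: bootstrap the same compiler source through two independently produced compilers and compare the results. The toy "language", the program names, the compiler sources and the payload label are all invented for illustration and correspond to no real toolchain.

```python
"""
Toy model of the 'trusting trust' problem and of diverse double-compiling
as a check against it. Everything here is constructed for illustration:
the language, the programs and the compilers are invented.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed toy sources. By convention the first line names the program.
LOGIN_SRC = "program login\ncheck password against shadow file\n"
COMPILER_SRC = "program compiler\ntranslate source to binary\n"
TRUSTED_CC_SRC = "program compiler\nindependently written translator\n"


@dataclass(frozen=True)
class Binary:
    """A compiled artifact.  'payload' models behaviour that lives only in
    the binary and is absent from the source it was built from."""
    program: str                  # program the source declared
    source_digest: str            # sha256 of the exact source text compiled
    payload: Optional[str] = None # None for a clean build


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def program_name(source: str) -> str:
    """Toy convention: 'program <name>' on the first line."""
    return source.strip().splitlines()[0].split()[1]


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary over a source text.

    An honest compiler's output depends only on the source.  A subverted one
    (payload set) reinserts itself whenever it compiles a compiler, and plants
    the same payload whenever it compiles login; the source it was handed is
    clean in both cases, which is exactly why reviewing source does not help."""
    if compiler.program != "compiler":
        raise ValueError("not a compiler binary")
    name = program_name(source)
    payload = None
    if compiler.payload is not None and name in ("compiler", "login"):
        payload = compiler.payload
    return Binary(name, sha256(source), payload)


def diverse_double_compile(suspect: Binary, trusted: Binary,
                           compiler_source: str) -> bool:
    """Bootstrap compiler_source through the suspect compiler and through an
    independently built trusted compiler, then use each result to compile the
    same source once more.  Clean, functionally equivalent compilers converge
    on identical stage-2 output; a self-propagating trojan in the suspect
    survives into stage 2 and shows up as a difference."""
    stage1_suspect = run_compiler(suspect, compiler_source)
    stage1_trusted = run_compiler(trusted, compiler_source)
    stage2_suspect = run_compiler(stage1_suspect, compiler_source)
    stage2_trusted = run_compiler(stage1_trusted, compiler_source)
    return stage2_suspect == stage2_trusted


def demo() -> dict:
    """Walk through the scenario and return what each check observes."""
    clean_cc = Binary("compiler", sha256(COMPILER_SRC))
    evil_cc = Binary("compiler", sha256(COMPILER_SRC), payload="backdoor")
    independent_cc = Binary("compiler", sha256(TRUSTED_CC_SRC))

    rebuilt = run_compiler(evil_cc, COMPILER_SRC)        # rebuild from clean source
    login_from_clean = run_compiler(clean_cc, LOGIN_SRC)
    login_from_evil = run_compiler(evil_cc, LOGIN_SRC)

    return {
        # Source audit: both compilers were built from byte-identical source.
        "source_audit_identical": clean_cc.source_digest == evil_cc.source_digest,
        # Rebuilding the compiler from clean source does not remove the trojan.
        "rebuilt_still_subverted": rebuilt.payload is not None,
        "login_from_clean_backdoored": login_from_clean.payload is not None,
        "login_from_evil_backdoored": login_from_evil.payload is not None,
        # Diverse double-compiling against an independent compiler.
        "ddc_passes_clean": diverse_double_compile(clean_cc, independent_cc, COMPILER_SRC),
        "ddc_passes_evil": diverse_double_compile(evil_cc, independent_cc, COMPILER_SRC),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

    The point of the model is the pair of results at the end: the source audit and a rebuild from clean source both come back clean for the subverted compiler, while the double-compile against an independent compiler does not. In practice the independent compiler can be a different vendor's, an older generation, or a minimal hand-verified bootstrap compiler; the check only works if the two do not share an ancestor that could have been subverted the same way.
    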
    
    
    




    This archive was generated by hypermail 2b30 : Thu Jun 03 2004 - 01:31:49 PDT