FOSS and Security

Post on 22-Oct-2014


description

This presentation, originally developed as part of FOSSSL 2006 (FOSSMil), was recently slightly updated and delivered at the CERT SL Conference. In my talk, I discuss why FOSS is generally considered to be more secure than proprietary software.

transcript

By Buddhika Siddhisena

CTO & CoFounder, ThinkCube Systems

Member of LKLUG

Free & Opensource Software and Security

“Opensource software lets anyone look at the blueprint source code”

“What happens if these blueprints got into the wrong hands?”

Can you achieve security through Openness?

NSA

NSA = No Such Agency

NSA = National Security Agency

“NSA is famous for keeping secrets, including their existence”

“NSA releases SELinux, a security enhanced version of Linux as Opensource Software”

“Hey wait a second !”

#1 org to keep secrets releases their blueprints?

“Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers” --Larry Loeb

Source: http://www.ibm.com/developerworks/library/s-selinux/?n-s-381

So what's going on @ NSA?

Why did the most security conscious agency in the US do this?

“The Information Assurance Research Group of the NSA is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests.”

Source: http://www.nsa.gov/selinux/info/faq.cfm

critical to U.S. National Security interests


All computer software, whether Open Source or proprietary...

Has had bugs...

Currently has bugs...

And will continue to have bugs...

“Given enough eyeballs, all bugs are shallow”

- Eric S. Raymond

English Translation: Given the fact that many people are constantly looking at the source code, and because anyone can improve it (by reporting or fixing bugs, for example), it is less likely to contain many bugs.

“So how secure is Linux?”

A four-year study released by Coverity reports Linux has a low bug count, making the code more stable and secure. The 2.6 Linux production kernel, now being shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million lines of code, far below the industry average, said Seth Hallem, Coverity's CEO.

Source: http://www.internetnews.com/dev-news/article.php/3448001

Commercial software contains 20 to 30 bugs for every thousand lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. That is the equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.

Opensource vs Proprietary

985 bugs vs 114,000+ bugs

Defect density declined by 2.2 percent as the total lines of code in the Linux kernel continues to grow from 5.76 million in December 2004 to 6.03 million in July 2005, which represents a 4.7 percent increase.

"Although the size of the Linux kernel increased over the six-month study, we noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, CEO of Coverity, in a statement.

Free & Opensource software is transparent

“Did someone say Free?”

“Free as in Freedom not as in Free Beer!” - Richard M. Stallman

By using FOSS you have 4 types of freedom

Freedom 0

The freedom to run the program for any purpose

Freedom 1

The freedom to study how the program works and adapt it to your needs

Freedom 2

The freedom to redistribute copies

Freedom 3

The freedom to improve the software and release the improvements to the world

Many Governments are adopting or have completely migrated to FOSS

Brazil

Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm

Germany

Source:

France

Source: http://www.technewsworld.com/story/36886.html

China

Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm

South Korea

Source: http://news.com.com/2100-7344-5084811.html

To name a few...

but what about Sri Lanka?

Why are they adopting or migrating?

It's not always because of the lower price of acquiring FOSS

It's not always because of the lower Total Cost of Ownership (TCO) of using FOSS

Though they alone are good reasons!

Some Chinese officials are convinced that having an American government dominate the market compromises national security. Secret security flaws in Windows can be used to access Chinese networks. Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues.

Source: http://www.g4tv.com/screensavers/features/39528/China_The_Republic_of_Linux.html

“Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues?”

Conspiracy Theory?

http://en.wikipedia.org/wiki/NSAKEY

Kraft points to an ongoing public battle between the Commonwealth of Massachusetts and Microsoft. The state is trying to pass legislation that would have the state adopt an open source document policy by January 2007 in order to better protect the accessibility of its digital documents.

Source: http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1180306,00.html

The state is arguing that if Microsoft or another closed source software vendor ceased to support older versions of its platforms, thousands of the state's archived documents could be rendered useless.

Imagine during an emergency or after a disaster, governmental organizations not being able to work effectively because they relied on a closed document format

And finally...

Why aren't there a lot of Linux viruses?

A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread.

If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning

The reason that we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus.

Source: http://librenix.com/?inode=21

And finally finally finally ...

True security comes NOT from OBSCURITY

True security comes from TRANSPARENCY

~ the end