FOSS and Security

This presentation, originally developed as part of FOSSSL 2006 (FOSSMil), was recently slightly updated and delivered at the CERT SL Conference.

In my talk, I discuss why FOSS is generally considered to be more secure than proprietary software.

FOSS and Security

  1. Free & Opensource Software and Security. By Buddhika Siddhisena, CTO & CoFounder, ThinkCube Systems; Member of LKLUG
  2. “Opensource software lets anyone look at the blueprint: the source code”
  3. “What happens if these blueprints got into the wrong hands?”
  4. Can you achieve security through Openness?
  5. NSA
  6. NSA = No Such Agency
  7. NSA = National Security Agency
  8. “NSA is famous for keeping secrets, including their existence”
  9. “NSA releases SELinux, a security enhanced version of Linux, as Opensource Software”
  10. “Hey wait a second!”
  11. #1 org to keep secrets releases their blueprints?
  12. "Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers" -- Larry Loeb. Source: http://www.ibm.com/developerworks/library/s-selinux/?n-s-381
  13. So what's going on @ NSA?
  14. Why did the most security-conscious agency in the US do this?
  15. "The Information Assurance Research Group of the NSA is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests." Source: http://www.nsa.gov/selinux/info/faq.cfm
  16. critical to U.S. National Security interests
  17. critical to U.S. National Security interests
  18. All computer software, whether Open Source or proprietary...
  19. Has had bugs...
  20. Currently has bugs...
  21. And will continue to have bugs...
  22. “Given enough eyeballs, all bugs are shallow” - Eric S. Raymond
  23. English translation: Given the fact that many people are constantly looking at the source code, and because anyone can improve it (by reporting or fixing bugs, for example), it is less likely to contain many bugs.
  24. “So how secure is Linux?”
  25. A four-year study released by Coverity reports that Linux has a low bug count, making the code more stable and secure. The 2.6 Linux production kernel, now being shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million lines of code, far below the industry average, said Seth Hallem, Coverity's CEO. Source: http://www.internetnews.com/dev-news/article.php/3448001
  26. Commercial software contains 20 to 30 bugs for every thousand lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. That is equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.
  27. Opensource vs Proprietary: 985 bugs vs 114,000+ bugs
  28. Defect density declined by 2.2 percent as the total lines of code in the Linux kernel continued to grow from 5.76 million in December 2004 to 6.03 million in July 2005, which represents a 4.7 percent increase. "Although the size of the Linux kernel increased over the six-month study, we noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, CEO of Coverity, in a statement.
  29. Free & Opensource software is transparent
  30. “Did someone say Free?”
  31. “Free as in Freedom, not as in Free Beer!” - Richard M. Stallman
  32. By using FOSS you have 4 types of freedom
  33. Freedom 0: The freedom to run the program for any purpose
  34. Freedom 1: The freedom to study how the program works and adapt it to your needs
  35. Freedom 2: The freedom to redistribute copies
  36. Freedom 3: The freedom to improve the software and release the improvements to the world
  37. Many Governments are adopting or have completely migrated to FOSS
  38. Brazil. Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm
  39. Germany. Source:
  40. France. Source: http://www.technewsworld.com/story/36886.html
  41. China. Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm
  42. South Korea. Source: http://news.com.com/2100-7344-5084811.html
  43. To name a few...
  44. but what about Sri Lanka?
  45. Why are they adopting or migrating?
  46. It's not always because of the lower price of acquiring FOSS
  47. It's not always because of the lower Total Cost of Ownership (TCO) of using FOSS
  48. Though those alone are good reasons!
  49. Some Chinese officials are convinced that having an American government dominate the market compromises national security. Secret security flaws in Windows can be used to access Chinese networks. Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues. Source: http://www.g4tv.com/screensavers/features/39528/China_The_Republic_of_Linux.html
  50. “Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues?”
  51. Conspiracy Theory? http://en.wikipedia.org/wiki/NSAKEY
  52. Kraft points to an ongoing public battle between the Commonwealth of Massachusetts and Microsoft. The state is trying to pass legislation that would have the state adopt an open source document policy by January 2007 in order to better protect the accessibility of its digital documents. Source: http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1180306,00.html
  53. The state is arguing that if Microsoft or another closed source software vendor ceased to support older versions of its platforms, thousands of the state's archived documents could be rendered useless.
  54. Imagine, during an emergency or after a disaster, governmental organizations not being able to work effectively because they relied on a closed document format.
  55. And finally...
  56. Why aren't there a lot of Linux viruses?
  57. A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning.
  58. The reason that we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus. Source: http://librenix.com/?inode=21
  59. And finally, finally, finally...
  60. True security comes NOT from OBSCURITY
  61. True security comes from TRANSPARENCY
  62. ~ the end
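The reproduction-versus-eradication argument on slides 57 and 58 is the classic epidemic threshold: a self-replicating program persists only if each infected host produces more than one new infection before it is cleaned up. The model below is an added illustration written for this page, not part of the deck or its cited sources. It is a standard deterministic susceptible-infected-susceptible (SIS) model; the host count, spread and eradication rates are constructed for the demo, not measured data, and "eradication" stands in for whatever removes an infection (patching, reimaging, a restrictive default privilege model).

```python
# Added illustration of slides 57-58: a toy SIS epidemic model showing why a
# self-replicating program with a basic reproduction number below 1 dies out
# while one above 1 settles at an endemic level.  All constants are constructed.

from dataclasses import dataclass


@dataclass
class Outcome:
    peak_infected: float   # highest number of infected hosts seen
    final_infected: float  # infected hosts after the last step
    died_out: bool         # fewer than one infected host remains


def basic_reproduction_number(spread: float, eradication: float) -> float:
    """R0 = new infections per infected host per step divided by the removal
    rate per step.  R0 < 1 means the population cannot replace itself."""
    if eradication <= 0:
        raise ValueError("eradication rate must be positive")
    return spread / eradication


def simulate(hosts: int, initial: int, spread: float, eradication: float,
             steps: int = 200) -> Outcome:
    """Discrete-time SIS model.

    Each step every infected host attempts `spread` new infections, of which
    only the still-susceptible fraction (1 - infected/hosts) succeed; a
    fraction `eradication` of infected hosts is cleaned and becomes
    susceptible again.
    """
    infected = float(initial)
    peak = infected
    for _ in range(steps):
        new_infections = spread * infected * (1.0 - infected / hosts)
        cleaned = eradication * infected
        infected = max(0.0, infected + new_infections - cleaned)
        peak = max(peak, infected)
    return Outcome(peak_infected=peak, final_infected=infected,
                   died_out=infected < 1.0)


def endemic_level(hosts: int, spread: float, eradication: float) -> float:
    """Closed-form steady state of the model above: hosts * (1 - 1/R0),
    or 0 when R0 <= 1 (the infection cannot sustain itself)."""
    r0 = basic_reproduction_number(spread, eradication)
    return 0.0 if r0 <= 1.0 else hosts * (1.0 - 1.0 / r0)


if __name__ == "__main__":
    # Same 10,000-host population and cleanup rate; only the spread rate differs.
    for spread in (0.05, 0.3):
        out = simulate(hosts=10_000, initial=10, spread=spread, eradication=0.1)
        r0 = basic_reproduction_number(spread, 0.1)
        print(f"R0={r0:.1f}: peak={out.peak_infected:.0f} "
              f"final={out.final_infected:.1f} died_out={out.died_out}")
```

The two runs differ only in the spread rate. With R0 = 0.5 the ten seed infections never grow and decay below a single host; with R0 = 3 the same seed climbs to the endemic level of two thirds of the population. Raising the eradication rate (faster patching, fewer hosts where the program can gain the privileges it needs) moves R0 below 1 without any change to the attacker's code, which is the slide's point about a "hostile environment".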
