CEO's of LynuxWorks and FSMLabs Reply to Green Hills' FUD (Groklaw)

Last Thursday, Green Hills Software sent out a FUD missile (covered here). Now Groklaw has statements from Dr. Inder Singh, CEO of LynuxWorks, and Victor Yodaiken, CEO of FSMLabs, in response. "You may remember that in November of 2003, someone tried to do what O'Dowd posits, attempt to bypass the normal submission procedures for Linux code in an attempt to get a back door incorporated into the kernel. Alert Linux coders quickly spotted the alterations in a routine file integrity check and picked up on their hidden intent, despite the clever way they were coded to obfuscate their purpose, before the code got anywhere near the kernel, and the attempt failed."

Many Eyeballs vs. the Management Hierarchy/Hegemony

Posted Apr 12, 2004 23:01 UTC (Mon) by AnswerGuy (subscriber, #1256)

Long-time readers of LWN realize that "many eyeballs" isn't a perfect recipe for more secure and robust code. We see bugs proliferate every week in free software, and some of them are embarrassing and have gone undetected for far too long.

However, we see even more examples of the limitations of the closed source model, driven by management hierarchies and a hegemony around the code.

The evidence is compelling: once the existence of a bug is known, the "shallow" nature of open source allows for rapid location, identification and mitigation.

Meanwhile, some of the bugs in MS Windows products which propagate viruses and worms have been known for years; users are unable to close these holes while the vendor is unable or unwilling to do so.

We've repeatedly seen a tendency by vendors to special case each fix rather than make a change that eliminates the whole class of problems related to an exposed bug. When "Land" and other TCP/IP packet fragment handling bugs were found one fix went into the Linux kernel and it took a whole series of separate fixes (one for each trivial variant of the degenerate fragmentation attack) to resolve the issues on MS Windows platforms.

It should be obvious that an attacker who gets hired by Microsoft could insert bugs that could stay hidden for years.

How thoroughly has Green Hills vetted each of the programmers they've ever had working for them? How about the janitors? How about the programmers for every compiler and library tool they purchased to build their products? How about the janitors at each of their upstream software vendors?

With open source the DoD at least has the option of auditing all of the code, including the code of the compilers and libraries all the way up the dependency tree. They could, if they chose, bootstrap a system all the way from printed sources and their own hand-built tool chain (mitigating the Kernighan "trusting trust" issue).

Of course this would be an enormous undertaking. However, they have the option and they don't have to do it alone. The U.S. government is an immense organization and they could share the work and benefits among dozens of huge departments and farm it out to the vast array of state agencies, and trusted contractors.

Frankly it's far more likely that the U.S. DoD or the NSA or some other agency will attempt to INSERT trojan code into open source tools than vice versa.
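The "routine file integrity check" credited above with catching the 2003 attempt, and the source-tree audit the comment argues for, both reduce to the same mechanism: snapshot a trusted tree's file hashes and flag anything that later differs without a corresponding changeset. The following is an added illustration written for this page, not code from LWN, Groklaw or the kernel project; the directory layout, file names and the one-character edit are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(trusted: dict[str, str], observed: dict[str, str]):
    """Return (modified, added, removed) file lists, each sorted, relative to the trusted snapshot."""
    modified = sorted(f for f in trusted if f in observed and trusted[f] != observed[f])
    added = sorted(set(observed) - set(trusted))
    removed = sorted(set(trusted) - set(observed))
    return modified, added, removed


def demo():
    """Constructed scenario: a mirror edited directly, outside the normal submission path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "example.c").write_text("int check(int uid) { return uid == 0; }\n")
        (root / "src" / "util.c").write_text("int helper(void) { return 1; }\n")
        trusted = hash_tree(root)  # snapshot taken while the tree matches the canonical source

        # Hypothetical out-of-band edit: a one-character change that is easy to miss by eye
        (root / "src" / "example.c").write_text("int check(int uid) { return uid >= 0; }\n")
        # A file dropped into the mirror with no changeset to account for it
        (root / "src" / "extra.c").write_text("/* not in the canonical tree */\n")

        # Any non-empty result is a change that the review process never saw
        return compare_manifests(trusted, hash_tree(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    for label, files in (("modified", modified), ("added", added), ("removed", removed)):
        print(f"{label}: {files}")
```

In practice the trusted manifest is produced on the canonical tree and stored apart from the mirror it is checked against, so an edit to the mirror cannot also edit the record it is compared with.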

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds