From: Linux News Desk
An article from Dan (Drone Boy) O'Dowd
April 11, 2004 12:00 AM EDT
"We must not entrust national security to Linux," he declares.
In a speech to the Net-Centric Operations Industry Forum in McLean,
Va., Dan O'Dowd, CEO of Green Hills Software Inc., argued that the
proliferation of Linux through a growing number of U.S. defense systems
poses a serious and urgent security threat.
"The very nature of the open source process should rule Linux out of defense applications," O'Dowd said.
"The open source process violates every principle of security. It welcomes everyone to contribute to Linux. Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software that will soon be incorporated into our most advanced defense systems," he continued.
In addition, O'Dowd noted, developers in Russia and China are also
contributing to Linux software. Recently, the CEO of MontaVista
Software, the world's leading embedded Linux company, said that his
company has "two and a half offshore development centers. A big one in
Moscow and we just opened one in Beijing."
Linux has been selected to control the functionality, security, and communications of critical defense systems including the Future Combat System, the Joint Tactical Radio System and the Global Information Grid, said O'Dowd.
"If Linux is compromised, our defenses could be disabled, spied on, or commandeered. Every day new code is added to Linux in Russia, China and elsewhere throughout the world. Every day that code is incorporated into our command, control, communications and weapons systems. This must stop," he added, before continuing:
"Linux in the defense environment is the classic Trojan horse
scenario - a gift of 'free' software is being brought inside our
critical defenses. If we proceed with plans to allow Linux to run these
defense systems without demanding proof that it contains no subversive
or dangerous code waiting to emerge after we bring it inside, then we
invite the fate of Troy."
One of O'Dowd's most telling points came when he debunked the
claim by Linux advocates that its security can be assured by the
openness of its source code, because "many eyes" looking at the
Linux source code will quickly find any subversions.
Ken Thompson, the original developer of the Unix operating system (which heavily influenced Linux), proved that this just isn't true, O'Dowd argued. Thompson installed a back door in the binary code of UNIX that automatically added his user name and password to every UNIX system.
O'Dowd told his audience that, when Thompson revealed the secret 14 years later, he declared:
"The moral is obvious. You can't trust code that you did not create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code."
"Before most Linux developers were born, Ken Thompson had already proven that 'many eyes' looking at the source code can't prevent subversion," said O'Dowd. "Linux is being used in defense applications even though there are operating systems available today that are designed to meet the most stringent level of security evaluation in use by the National Security Agency, Common Criteria Evaluation Assurance Level 7 (EAL 7)."