On the Other Hand: Auditors warn of foreign risks to weapons software

Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt
"We must not entrust national security to Linux," he declares.

In a speech intended to serve as a wake-up call to anyone relying on the
"many eyes" that look at the Linux source code to quickly find any
subversions, the CEO of Green Hills Software last week reminded his
audience how UNIX's creator Ken Thompson installed a back door in the
binary code of UNIX that automatically added his user name and password
to every UNIX system - a secret he revealed only 14 years later.

"The very nature of the open source process should rule Linux out of
defense applications," O'Dowd said.

How is this any different from Windows or Solaris (or a dozen others)?
Both should be ruled out just as fast, since each has shared its source
code with the world. Solaris source has been available for years (and
was circulating for years before Sun willingly made it public).
Microsoft has shared huge portions of the Windows source code with the
Chinese government, and I'm sure we can trust them to report the
vulnerabilities they find... right?

"The open source process violates every principle of security. It
welcomes everyone to contribute to Linux. Now that foreign intelligence
agencies and terrorists know that Linux is going to control our most
advanced defense systems, they can use fake identities to contribute
subversive software that will soon be incorporated into our most
advanced defense systems," he continued.

They can also use those fake identities to get a job at Microsoft (or
Green Hills), where the code is reviewed by significantly fewer people
and then pushed out to millions of customers worldwide. Is this any
different from O'Dowd's scenario?

"If Linux is compromised, our defenses could be disabled, spied on, or
commandeered. Every day new code is added to Linux in Russia, China and
elsewhere throughout the world. Every day that code is incorporated into
our command, control, communications and weapons systems. This must
stop," he added, before continuing:

And if these systems run Windows or Solaris instead, is that magically
better? Because those two operating systems don't have vulnerabilities?
Microsoft has proven it doesn't need foreign agents to code gaping holes
into its products. Or is this some obscure argument that the world needs
to move to proprietary RTOSs, or just self-serving advertising?

"Linux in the defense environment is the classic Trojan horse scenario -
a gift of 'free' software is being brought inside our critical defenses.
If we proceed with plans to allow Linux to run these defense systems
without demanding proof that it contains no subversive or dangerous code
waiting to emerge after we bring it inside, then we invite the fate of
Troy."

You demand proof? You have the source: audit it. Find all the malicious
backdoors and trojans in it. Quit grandstanding and spouting this crap
and *prove* it beyond doubt. That would seal your argument.

One of O'Dowd's most telling points came when he debunked the claim by
Linux advocates that its security can be assured by the openness of its
source code, arguing that "many eyes" looking at the Linux source code
will quickly find any subversions.

Ken Thompson, the original developer of the Unix operating system (which
heavily influenced Linux) proved that this just isn't true, O'Dowd
argued. Thompson installed a back door in the binary code of UNIX that
automatically added his user name and password to every UNIX system.

O'Dowd told his audience that, when Thompson revealed the secret 14
years later, he declared:

"The moral is obvious. You can't trust code that you did not create
yourself. No amount of source-level verification or scrutiny will
protect you from using untrusted code."

"Before most Linux developers were born, Ken Thompson had already
proven that 'many eyes' looking at the source code can't prevent
subversion," said O'Dowd. "Linux is being used in defense applications
even though there are operating systems available today that are
designed to meet the most stringent level of security evaluation in
use by the National Security Agency, Common Criteria Evaluation
Assurance Level 7 (EAL 7)."

This is worthy of a used car salesman. There are two major points here,
and I get to paraphrase, since others have already seen through this:

 Huh? Since when was Unix Open Source? Notice the technique here: first,
 make an association between Linux and Unix. Then, tell an anecdote about
 how Unix, a Closed Source project, was infected with a security leak.
 Then... voilà! Linux joins the Axis of Evil. This is a classic non
 sequitur. It's another example of the deconstruction of both the English
 language and the logical thought processes of the general population.

 Backdoors also have a long history in Unix software. Ken Thompson, a
 designer of the Unix OS, explained his magic password, a password that
 once allowed him to log in as any user on any Unix system, during his
 award acceptance speech at the Association for Computing Machinery (ACM)
 meeting in 1984. Thompson had included a backdoor in the password
 checking function that gets included in the login program. The backdoor
 would get installed in new versions of the Unix system because the
 compiler had Trojan Horse code that propagated the backdoor code to new
 versions of the compiler. Thompson's magic password is the best known,
 and most complex in distribution, backdoor code.

So first, O'Dowd is trying to say that old UNIX is magically Linux and was
open source, when it most certainly was not. Second, the secret he says
Thompson "revealed only 14 years later" was disclosed in Thompson's Turing
Award lecture, "Reflections on Trusting Trust", published in 1984, long
before Linux was even a notion in Torvalds' mind. You can read the details
of Thompson's tomfoolery in that presentation.

Third, the backdoor wasn't in the UNIX operating system's source but in
the closed-source compiler of the day, which planted it into login at
build time (a compiler that Microsoft also used very early on... trust
issues and tinfoil hats!), not in the GNU C compiler. Further, his
backdoor *was* discovered by people working on UNIX, and by one
professional's guess (no, not mine) it was around for about six years
before being discovered, in a closed-source system, much like some of
the nasty Windows bugs we see these days.
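The quoted description of Thompson's compiler trojan, and the point just made that the subversion lived in the compiler rather than in the source anyone was reviewing, are easier to see in a runnable toy. What follows is an added example, not code from the original post, from Thompson's lecture or from any UNIX, GCC or Green Hills compiler: the "login" program, the "compiler" and the magic password 'ken' are all constructed for illustration. It also includes the check a practitioner would actually reach for when someone demands "proof": build the same clean compiler source with an independent compiler and compare the two outputs (the idea behind diverse double-compiling), which exposes a self-propagating trojan as a difference in the binaries.

```python
"""Toy model of a self-propagating compiler trojan (constructed example).

Programs are Python source strings. A "compiler" is a function cc(src) that
turns source text into a "binary" (text we exec). The honest compiler is the
identity transform. The infected compiler behaves identically except for two
pattern matches on whatever it is asked to compile:

  1. login's password check  -> splice in a magic password;
  2. a compiler              -> splice this same trojan into the output.

Rule 2 is what defeats source review: the compiler's source stays clean, yet
every compiler built from it by an infected binary inherits the trojan.
"""

# Constructed sample "login" program (not real UNIX login).
LOGIN_SRC = '''
USERS = {"root": "s3cret"}

def check_password(user, password):
    return USERS.get(user) == password
'''

# Honest compiler source: the binary is just the source text.
CLEAN_CC_SRC = '''
def cc(src):
    return src
'''

# The trojan is a template carrying a copy of itself (a quine), because a
# self-propagating trojan must be able to emit its own code.
_TROJAN_TEMPLATE = r'''
_SELF = {self!r}

def _infect(src):
    # Attack 1: any login being compiled accepts the magic password.
    marker = "def check_password(user, password):"
    if marker in src:
        src = src.replace(
            marker,
            marker + "\n    if password == 'ken':\n        return True",
            1,
        )
    # Attack 2: any compiler being compiled gets this trojan appended.
    if "def cc(src):" in src and "_infect" not in src:
        src = src + _SELF.format(self=_SELF)
    return src

_honest_cc = cc  # keep the real transform and wrap it

def cc(src):
    return _honest_cc(_infect(src))
'''
TROJAN_CODE = _TROJAN_TEMPLATE.format(self=_TROJAN_TEMPLATE)


def load(binary):
    """'Execute' a binary: exec the text and return its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def reproduce_attack():
    """Walk through the attack and the cross-compiler check; return findings."""
    # Step 0: the attacker patches the compiler binary once, by hand.
    infected_cc = load(CLEAN_CC_SRC + TROJAN_CODE)["cc"]

    # Step 1: login built from clean source now has a magic password.
    login = load(infected_cc(LOGIN_SRC))
    magic_works = login["check_password"]("root", "ken")
    real_still_works = login["check_password"]("root", "s3cret")

    # Step 2: rebuild the compiler from its clean source. The source under
    # review contains no trojan, but the resulting binary does.
    rebuilt_cc_bin = infected_cc(CLEAN_CC_SRC)
    source_is_clean = "_infect" not in CLEAN_CC_SRC
    rebuilt_is_infected = "_infect" in rebuilt_cc_bin
    login2 = load(load(rebuilt_cc_bin)["cc"](LOGIN_SRC))
    magic_survives_rebuild = login2["check_password"]("root", "ken")

    # Check: build the same clean source with an independent, trusted
    # compiler and compare. A hidden self-propagating trojan shows up as
    # a difference between the two binaries.
    honest_cc = load(CLEAN_CC_SRC)["cc"]
    outputs_differ = honest_cc(CLEAN_CC_SRC) != rebuilt_cc_bin
    honest_login = load(honest_cc(LOGIN_SRC))
    honest_rejects_magic = not honest_login["check_password"]("root", "ken")

    return {
        "magic_works": magic_works,
        "real_still_works": real_still_works,
        "source_is_clean": source_is_clean,
        "rebuilt_is_infected": rebuilt_is_infected,
        "magic_survives_rebuild": magic_survives_rebuild,
        "outputs_differ": outputs_differ,
        "honest_rejects_magic": honest_rejects_magic,
    }


if __name__ == "__main__":
    for name, value in reproduce_attack().items():
        print(f"{name}: {value}")
```

Run it and every finding comes back True: the reviewed compiler source never contains the trojan, yet login built by either the hand-patched compiler or the compiler rebuilt from clean source accepts 'ken', while the same source built by the independent compiler rejects it and produces a visibly different compiler binary. That comparison, not staring at the source, is what answers the "many eyes" objection in practice.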

O'Dowd's entire argument is a practical joke that some reporters fell for.

All of that said, if it's really that bad, why does O'Dowd's company boast
about its impressive sales and mention that it sells embedded Linux?

 In its latest study, entitled "Embedded Software Strategic Market
 Intelligence Program, Volume IV," published February 2002, VDC reports
 on the worldwide market for all embedded operating systems for the year
 2001. According to the VDC report, the embedded operating system market
 is estimated to top $663.8 million in 2001 shipments. This includes
 shipments of embedded operating systems from Microsoft (Windows XP
 Embedded, Windows CE), Palm (PalmOS), VenturCom (Windows), Symbian
 (SymbianOS), Sun (Solaris) and several vendors of embedded Linux.

Despite this, Green Hills is on a recent anti-Linux crusade:

Green Hills Software Issues White Paper, "Linux in Defense: An Urgent
Threat to National Security"

Green Hills Software Issues White Paper, "Linux in Defense: Free Software
Is Just Too Expensive"

Green Hills Software Issues White Paper, "Linux Security: Unfit for
Retrofit"

Green Hills Software Issues Linux Security White Paper, "Many Eyes: No
Assurance Against Many Spies"

Green Hills Software CEO Responds to Linux Security Controversy

Using Linux Software in Defense Systems Violates Every Principle of
Security, Says Green Hills Software's CEO and Founder

I'm not defending Linux as some magic solution to insecure operating
systems, and I'm not touting it as a secure alternative to any other
operating system. However, I am tired of a few clowns conveniently
bashing Linux and open source for their own gain, especially when they
use paid-for research (ADTI) or arguments that are easily shot down by
third graders (GHS).

So O'Dowd .. what's your real motivation here? Have anything remotely
substantial to back these claims? Or is this a convenient media frenzy
designed to get attention for your company? Just a way to scuttle your
competition (MontaVista Software)?



© 2008; SpywareUninstaller.com Group Project; All Rights Reserved.