|
|
User Controls
|
New User
|
Login
|
Edit/View My Profile
|
|
|
|
ActiveMac
|
Articles
|
Forums
|
Links
|
News
|
News Search
|
Reviews
|
|
|
|
News Centers
|
Windows/Microsoft
|
DVD
|
ActiveHardware
|
Xbox
|
MaINTosh
|
News Search
|
|
|
|
ANet Chats
|
The Lobby
|
Special Events Room
|
Developer's Lounge
|
XBox Chat
|
|
|
|
FAQ's
|
Windows 98/98 SE
|
Windows 2000
|
Windows Me
|
Windows "Whistler" XP
|
Windows CE
|
Internet Explorer 6
|
Internet Explorer 5
|
Xbox
|
DirectX
|
DVD's
|
|
|
|
TopTechTips
|
Registry Tips
|
Windows 95/98
|
Windows 2000
|
Internet Explorer 4
|
Internet Explorer 5
|
Windows NT Tips
|
Program Tips
|
Easter Eggs
|
Hardware
|
DVD
|
|
|
|
Latest Reviews
|
Applications
|
Microsoft Windows XP Professional
|
Norton SystemWorks 2002
|
|
Hardware
|
Intel Personal Audio Player
3000
|
Microsoft Wireless IntelliMouse
Explorer
|
|
|
|
Site News/Info
|
About This Site
|
Affiliates
|
ANet Forums
|
Contact Us
|
Default Home Page
|
Link To Us
|
Links
|
Member Pages
|
Site Search
|
Awards
|
|
|
|
Credits
©1997/2004, Active Network. All
Rights Reserved.
Layout & Design by
Designer Dream. Content
written by the Active Network team. Please click
here for full terms of
use and restrictions or read our
Privacy Statement.
|
|
|
|
|
|
|
|
Time:
00:00 EST/05:00 GMT | News Source:
EETimes |
Posted By: Robert Stein |
Thank you Bruce. "A storm has erupted in the embedded community, with real-time operating systems house Green Hills charging that Linux is fundamentally insecure and wide open to security breaches by "foreign intelligence agencies and terrorists." "
|
|
#1 By
19992 (164.214.4.32)
at
4/12/2004 8:46:30 AM
|
"Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software,"
What a joke.
First, most government entities (in the U.S at least) run full code reviews on open source programs before they use them. Actually they also run code reviews on Microsoft as well.
Also, it's not like a Foreign Intelligence service would be unable to plant someone at a non-U.S (heck, even a U.S one) Microsoft site and have them do the same thing to Microsoft, Corel, Adobe, etc.
"Every day new code is added to Linux in Russia, China and elsewhere throughout the world. Every day that code is incorporated into our command, control, communications and weapons systems. This must stop,' O'Dowd said."
Right, because their are no former Soviets or chinese working on Windows, Office, Exchange, etc.
|
#2 By
12071 (203.217.78.243)
at
4/12/2004 10:52:43 AM
|
#2 No no no, why use Linux when you can use Green Hills' own INTEGRITY RTOS =) I mean honestly, he's the CEO, he not exactly going to be going out and telling clients to use the free alternative when they can pay him for his company's proprietary version!
|
#3 By
19992 (164.214.4.61)
at
4/12/2004 10:55:24 AM
|
#2
Linux costs a lot less than UNIX, and it's easier to customize for these embedded devices than UNIX is.
|
#4 By
9589 (66.57.154.150)
at
4/12/2004 10:57:05 AM
|
Yipes! Somebody saying something bad about Linux? Stop the presses. No wait, attack this sicko! lol
|
#5 By
12071 (203.217.78.243)
at
4/12/2004 11:25:18 AM
|
#5 lol is about right.... pot meet kettle =)
|
#6 By
19992 (164.214.4.32)
at
4/12/2004 1:28:53 PM
|
Parkker - you're quite amusing.
"I doubt that has every happened."
Sorry to hear that. Unfortunately for you I know it happens. The kernel undergoes a review as do the "major" applications for linux.
"O'Dowd claimed the salient issue is that Linux isn't held to as a high a security standard as is the proprietary "Integrity" RTOS made by Green Hills. "If all they would do is hold Linux to the same standard they hold us to, I'd be happy," O'Dowd said told EE Times.com. "At the [Federal Aviation Administration], they have received from us documentation of every single line of source code and tests of every line of code and boundary condition. It costs us $500 to $1,000 a line to review our source code. It would cost billions of dollars to review Linux"
Maybe he's overpaying his code reviewers. What 'high security standard' is Integrity held up to? I see no mention of it in his diatribe, nor do I see anything on Green Hills website.
You forgot to quote his claim that Ken Thompson had installed a backdoor in UNIX that ran for 10 years. Guess what, he was wrong. The software was never included with UNIX. In fact what Ken demonstrated could apply to any software vendor there is http://www.acm.org/classics/sep95/
"There is no code review process for Linux. It is a myth."
Wow, what an active imagination you've got. Sorry, there is a code review process in place for Linux. whether it works 100% or not is another story.
|
#7 By
7754 (216.160.8.41)
at
4/12/2004 2:20:28 PM
|
"Let's not forget that the terrorists that Mr. O'Dowd refers to used proprietary software for attacks on the USA. They have Windows machines and Flight Simulator, you might recall."
"They bought butterknives from YYY cutlery and went out and killed 30 people with them... let's go after YYY cutlery company!!!"
|
#8 By
3339 (64.160.58.135)
at
4/12/2004 2:40:43 PM
|
"Considering that RedHat had 229 security holes in it over a 1 year period, we can assume there has never been a code review for Linux."
What number of vulnerabilities makes it a valid assumption that zero review is made? Sounds to me like we can assume Microsoft has never reviewed their code either. Which is worse, because they've been claiming so for quite some time now.
"6,000,000 x 500/1000 = 3 - 6 billion dollars just to review the Linux kernel."
Why would you continue to review code that has been reviewed? More like: each year a few tens or hundreds of thosuands of lines of code need to be reviewed divided by the number of companies doind so (government, security firms, developers, companies) = about $0 for all intents and purposes.
|
#9 By
19992 (68.169.46.164)
at
4/12/2004 4:33:03 PM
|
#14 No problem. Reread the first two sentances of his statement again.
"Essentially you shouldn't trust any code you didn't write yourself."
This would include everyone: Microsoft, Linux, Adobe, Corel, etc, etc, etc, etc. It is possible to sabotage virtually any software code, period.
In reading his comments, I see nothing to elevate the concerns of having foreign nationals (from a U.S perspective) contribute to the Linux source tree.
Remember, some of the worst breaches of security in the U.S governments security came from "trusted" individuals.
|
#10 By
3339 (64.160.58.135)
at
4/12/2004 6:53:08 PM
|
Parkker,are you retarded? (That's a rhetorical question by the way)
year 1: 10,239 lines
year 2: 7,511 lines
year 3: 63,341 lines
year 4: 95,159 lines
year 5: 134,700 lines
year 6: 467,006 lines
year 7: 1,022,891 lines
year 8: 1,722,178 lines
year 9: 829,832 lines
average: 483,650 lines
average per day: 1,325 lines
483,650 / 4 (IBM, Red Hat, Novell, and HP) = 120,913 lines of code per (named) commercial enterprise to review per year. Are you suggesting it's impossible for IBM to check a hundred thousand+ lines of code? Or 1,000 people to check 500 lines of code? Or 1,325 people check one line of code per day?
|
#11 By
3339 (64.160.58.135)
at
4/12/2004 8:05:19 PM
|
Again, Parker, you began by saying it was: "The Linux kernel is now at 6,000,000 lines of code and climbing rapidly. Add in another 100-200 million lines of code in all the included apps on one distro and it makes it impossible to do a code review."
Impossible to review because of shear volume...
And now you are referencing 1 million, but not claiming that is infeasible or going to cost 3 to 6 billion...
It just won't happen because a DARPA project failed. Yet you fail to mention that this failed, not because people didn't want to, but because it was actually put forward by a private company, Sardonix, that was attempting to control the process.
You've got to learn to stick to one theory, buddy... Throwing sh1t against the wall, when it's apparent to everyone, is not a very good strategy.
Not to mention, we all know that you are aware of this:
http://www.osdl.org/newsroom/press_releases/2003/2003_11_26_beaverton.html
In whihc it is rather thoroughly made clear that any contributions are reviewed by the appropriate subsystem maintainers, not to mention further peer review by ANYONE who wants to...
This post was edited by sodajerk on Monday, April 12, 2004 at 20:09.
|
#12 By
12071 (203.185.215.149)
at
4/12/2004 8:17:33 PM
|
#7 "He just wants a level playing field."
I'm sure you enjoy the humor in that comment given that it's coming from you =)
"If his OS has to have a code review that is totally documented before he can sell it to the air traffic control systems that people trust their life to every day, so should Linux."
Of course Linux should!! I would hope that every OS used for such a purpose whether it be Linux, Windows (god help us all) or anything else would go through a complete and utter code review and multiple checks. What would make you think that a code review WOULDN'T be done? Do you honestly think that they would just throw a new OS in on the belief that it'll be fine? If so, then there's much bigger issues at stake here than just what OS is being used!
"Considering that RedHat had 229 security holes in it over a 1 year period, we can assume there has never been a code review for Linux. "
This being parker logic of course?
"someone like Linux"
Who is this Linux person? You mean Linus?
"would just delegate it to a team from China or Russia and they would say everything is just fine."
My god you Americans are insecure scared little people! Yes, be scared, be very very scared, every single Russian and Chinese developer is secretly a terrorist trying to infiltrate the US of A's security by planting backdoors in Linux! Get a grip, stop pointing fingers and calling everyone a terrorist! Don't worry your pretty little head over it, I'm fairly sure that all your government agencies have teams going over and inspecting any code that they choose to use (whether that be from Linux or Windows or any other OS!). And if those government agencies are NOT doing this.... as I said before, you have far bigger things to worry about!
"No one should trust the unreviewed bloated insecure Linux."
We should all trust the reviewed trim secure and stable Windows =)
This post was edited by chris_kabuki on Monday, April 12, 2004 at 20:25.
|
#13 By
3339 (64.160.58.135)
at
4/12/2004 8:31:49 PM
|
Why the FCK would you need to review code that is never added to the kernel. Nonexistent code poses a security threat now, moron?
"If they were, some other site or project for code review would exist."
No, it definitely failed because it was called the "Sardonix Audit Portal" -- i.e. the project was based on a proprietary system solely controlled by one company, Sardonix.
"They found one, a sloppy fix was rushed out the door, they found another, another sloppy fix was rushed out the door and then they found another. Obviously no serious code review was done of this module after the first or second exploit was found or else the third would have been found."
I can think of numerous times where MS had to release multiple patches, in some cases, they had to release a patch to patch the patch because the first patch actually created more problems... Therefore, according to you, Microsoft security reviews do not exist.
Clearly, you are a moron, who cannot be satisfied with logic and well understood facts, but what you fail to realize is that you have not shown one iota of evidence to support a claim that a foreign intelligence agency can add a backdoor... Any code is going to be submitted by a registered contributor, it is going to be checked by the subsystem maintainer, it is then going to be checked by the kernel maintainers, and it will always be visible to the public... Before claiming that it is absolutely impossible to review a finite number of lines of code, shouldn't you work on how these foreign intelligence agencies are actually going to get their backdoors into the system in the first place?
|
#14 By
19992 (68.169.46.164)
at
4/12/2004 8:33:31 PM
|
#17
Holy crap!! I just realized what you were getting at!! He wasn't talking about not trusting any code you didn't develop, he was referring to not trusting code written by them thar foreigners.
With many of the foreigners that contribute to Linux working for the likes of Intel, oldSCO, IBM, I'll bet they've already subverted your system with trojaned drivers and Notes CDs. In fact, you were probably trojaned the instant that Microsoft used the drivers written by employees of these companies to create the mini drivers that ship with Windows!!! And since SCO holds the keys to the UNIX kingdom they've infected every version of UNIX out there.
I seriously think you need to alert the media to this one. Foreign Intelligence agencies completely own all of our computers and we are completely helpless to stop them. While you're at it, don't forget to tell the press about the flu shot being used by the US government to control our minds.
This post was edited by happyguy on Monday, April 12, 2004 at 20:35.
|
#15 By
12071 (203.185.215.149)
at
4/12/2004 8:35:07 PM
|
#17 "I believe Microsoft does write its own code."
This only goes to show how ignorant you are. Microsoft has not written a great deal of it's "own" code. Not only has Microsoft purchased many companies and then taken their products on board (with millions of lines of code already written), then have also used BSD code. So no, they have no written everything themselves. What makes you think that they didn't even have outside consultants helping them out at some stage? You know consultants that may have been Russian or Chinese in origin (as they're all terrorists).
|
#16 By
19992 (68.169.46.164)
at
4/12/2004 8:36:41 PM
|
#24
Don't forget about Microsofts outsourcing of developers to India.
|
#17 By
3339 (64.160.58.135)
at
4/12/2004 8:41:12 PM
|
Just to be clear that this man is a moron and a hypocrite... and apparently looking to become the next Darl McBride:
"Q: Does Green Hills Software support Linux?
"Yes, Green Hills Software has extensive support for Linux. Green Hills Software's entire family of development tools runs on Linux. Products that run on Linux or are used when developing from Linux include:
• INTEGRITY and ThreadX embedded and real-time operating systems
• MULTI and AdaMULTI integrated development environments
• TimeMachine 4-D debugger
• Optimizing C, C++, and Ada compilers
• SuperTrace, Green Hills, and Slingshot probes
"In addition, many of Green Hills Software's development tools support Linux as a target operating system:
• Optimizing C, and C++, and Ada compilers - with the GNU C compatibility in our compilers, we have reduced the code size of the Linux kernel by up to 35%. Read more.
• MULTI and AdaMULTI integrated development environment - with support for multi-threaded application-level development as well as Linux kernel and driver development.
• SuperTrace, Green Hills, and Slingshot probes - these hardware debug devices are Linux Memory Management Unit (MMU) aware, allowing them to be used effectively for kernel-level software development.
Q: Why does Green Hills Software support Linux as a target when it has its own operating systems?
As the leading vendor of embedded software development tools, Green Hills Software is committed to providing and supporting an open development environment on which our customers can standardize on across a wide variety of projects, whether embedded or general-purpose, legacy or new. Consequently, we support not only our own operating systems but also customers' homegrown solutions, Linux, and commercial real-time operating systems such as VxWorks."
|
#18 By
3339 (64.160.58.135)
at
4/12/2004 8:44:15 PM
|
And for some rebuttals:
"Dr. Inder Singh, CEO of Lynuxworks, provided Groklaw this response:
"The shrill broadside of FUD by Dan O’Dowd against the use of Linux in defense systems is in my view just a reflection of the pain that vendors of proprietary systems with closed interfaces are experiencing as the embedded world moves towards Linux. Linux is rapidly becoming the open multi-vendor standard across the embedded industry including the defense market. The fact is that embedded Linux is an unstoppable force -- the largest of the vendors of proprietary RTOS's, Wind River, has already switched from Linux bashing to embracing Linux.
"The release is full of inaccurate statements and wild generalizations. Mr. O’Dowd would have us believe that every foreign developer working with Linux is a spy or terrorist, contributing subversive software to the Linux sources, and that their contributions are automatically included in Linux by Linus Torvalds and the Linux kernel team without any scrutiny. Further he implies that all the professionals in the military and defense industry would blindly use it for mission-critical programs without addressing security concerns! His reference to Ken Thompson’s backdoor in Unix ignores the difference between a binary versus source.
"According to Mr. O'Dowd, 'Linux is being used in defense applications even though there are operating systems available today that are designed to meet the most stringent level of security evaluation in use by the National Security Agency, Common Criteria Evaluation Assurance Level 7 (EAL7).' In fact there is no operating system today that is EAL-7 certified. He is presumably referring to their MILS Separation Kernel (see http://www.omg.org/docs/realtime/03-01-26.pdf - MILS Architecture) which is 'designed to meet .' EAL7 requirements although it is not there yet; so this is, at the very least, rather misleading. Now, their Separation Kernel is a small microkernel with proprietary interfaces, which would require all applications code to be written from scratch, and would only be suitable for relatively simple deeply embedded systems. You could not reuse the large body of existing Linux software in the implementation of large complex mission critical systems, including command and control systems, and you would be locked into the one vendor of the kernel, which is of course financially attractive for the vendor but not the best use of our tax dollars.
"At LynuxWorks, we are also working on a MILS Separation Kernel which is designed to meet EAL7 requirements. However, with our focus on open standards and Linux, we have made sure that our Separation Kernel supports multiple execution environments including Linux or SELinux (Security Enhanced Linux – see http://www.nsa.gov/selinux/) running within a partition. By implementing critical security related functionality in partitions separate from the partitions running Linux or SELinux, the overall system is capable of being evaluated at EAL7 while running existing Linux applications. This approach provides both EAL7 security assurance as well as the compelling benefits of Linux."
|
#19 By
3339 (64.160.58.135)
at
4/12/2004 8:44:56 PM
|
AND...
Victor Yodaiken, CEO of FSMLabs added this:
"Mr. O'Dowd certainly knows that huge numbers of foreign students and immigrants have helped create the US software industry and that all the giant US technology companies depend on engineers based all over the world. His alarm over outsourcing by small Linux companies is hard to credit as genuine given these well-known facts. Furthermore, Ken Thompson did not introduce a back door into UNIX or assert that open source software was more or less secure than closed source. Mr. O'Dowd has presented a very peculiar take on the famous Turing award lecture by Thompson. One lesson that can be drawn from Thompson's lecture is that the security of software cannot be separated from the trustworthiness of the vendor. A Linux company that develops software globally and that stresses integrity, solid engineering methods and organizational processes to assure quality and security should inspire some trust. A company that depends on factually challenged and emotional appeals to fear of foreigners should inspire some caution."
Jim Ready, CEO of MontaVista, earlier was quoted in Alexander Wolfe's article in EE Times:
"'Mr. O'Dowd makes the common mistake of confusing obscurity with security,' said Ready. 'Open Source is actually more secure than closed source proprietary software because the oversight of technology content is broader and deeper. Instead of just one company monitoring its own contributions — or potentially hiding security holes and exploits — a worldwide community of interested parties actually oversees Linux to make it strong and secure. That's why the NSA — the most security-conscious organization in the world — chose to standardize on Linux, and even supplies its own version of secure Linux.'"
|
#21 By
12071 (203.185.215.149)
at
4/12/2004 8:47:28 PM
|
#22 "Any code is going to be submitted by a registered contributor, it is going to be checked by the subsystem maintainer, it is then going to be checked by the kernel maintainers, and it will always be visible to the public"
Don't be so naive!!! Clearly we can assume that the contributor, subsystem maintainer, kernel maintainer and the public are all Russians and Chinese who want to hide the existance of those backdoors because they clearly know that agencies like the NSA are far too stupid and lazy to perform their own code reviews and then create their own security enhanced distributions of Linux! (http://www.nsa.gov/selinux/).
http://www.nsa.gov/selinux/info/faq.cfm
"9. Why was Linux chosen as the base platform?
Linux was chosen as the platform for the work because of its growing success and open development environment. Linux provides an excellent opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system. A Linux platform also offers an excellent opportunity for this work to receive the widest possible review and perhaps provide the foundation for additional security research by others."
|
#22 By
3339 (64.160.58.135)
at
4/12/2004 8:48:20 PM
|
Yes, Parkker, how do you respond to the fact that the NSA has standardized on Linux and has its own SE-Linux?
Are we to believe that you and Mr. O'Dowd have thought this through more thoroughly and realistically than the NSA? Hmmm?
This post was edited by sodajerk on Monday, April 12, 2004 at 20:52.
|
#23 By
12071 (203.185.215.149)
at
4/12/2004 8:57:19 PM
|
#27 "The OSS fanatics goal is to to ban "proprietary" software leaving as the only alternative software that is open to exploit by agents of foreign governments."
Are you really that scared of the OSS fanatics? Most OSS fanatics, other than people like Mr Stallman, don't have this goal in mind, they simply want to be able to have a choice of what application they use whilst still having full interoperability.
|
#24 By
12071 (203.185.215.149)
at
4/12/2004 9:02:44 PM
|
#35 How in world does "Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux." = "No code review has been done."
Is this parker logic? Maybe you should run for President... you have a lot in common!
|
#25 By
3339 (64.160.58.135)
at
4/12/2004 9:11:04 PM
|
Parkker, I, and presumably Groklaw and chris, are well-aware that SE-Linux is not used by the NSA. It is simply designed to lock all access and permissions to the least necessary level to perform a task at any time.
However, if you were to go to the CCEVS site, you will see that many Linuxes have the same EAL certification as any other OS vendor.
http://niap.nist.gov/cc-scheme/
And that none fo your statements in #33 refute any other statements... hell, they hardly make sense. ("It appears that instead of self-interest, this is a brave attempt to shed some light on a very dangerous situation facing the US military." -- FCKing hilarious!!)
So, the same irrational fear that you have for Groklaw, why don't you have it for the very same reason with Green Hill? -- they stated they support Linux for economic reasons and openness and to support a popular system; they didn't say: to test the security of the military! They must be lying... about themselves! (Ha, ha, ha!) Therefore, Green Hills has nothing useful to say! There's that BRILLIANT Parkker logic again!
This post was edited by sodajerk on Monday, April 12, 2004 at 21:15.
|
|
|
|
|