- Open Source
- Posted by Andy Jacobs on January 29th, 2006
Hmmm... I know Open Source is all well and good but I often wonder
about the security of it all. We made a business decision to write
everything for our CMS from the ground up rather than just trying to
charge consultancy for installing open source stuff.
Anyone here use Etomite? If you do then hopefully you're aware of the
problems caused by installation since 11/01/06!
These guys seem to have dealt with the problem quickly but how many
other open source packages might have been undermined like this?
A
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
- Posted by Jim Ley on January 29th, 2006
On Sun, 29 Jan 2006 18:58:29 +0000 (UTC), Andy Jacobs
<andy@redcatmedia.net> wrote:
How can you be so sure your system is more secure than what is
installed elsewhere? Or are you just relying on your service being
obscure?
All software is likely to have bugs, many of them severe, one of the
advantages to your client of you using some open source software is
that they can easily get it fixed elsewhere - because they'll be other
people with experience of the system - if you are not available to do
the work.
When your proprietary code is shown to have flaws, it's a lot more
expensive for them to get it fixed elsewhere.
Of course there are many other things to consider, but it's certainly
not, as you described, a situation of "Open source software has security
issues so we write our own" to be discussed; there's a lot more to
consider, and the security situation is just one of them.
Jim.
- Posted by Owen Rees on January 30th, 2006
On Sun, 29 Jan 2006 18:58:29 +0000 (UTC), Andy Jacobs
<andy@redcatmedia.net> wrote in
<andy-7F246E.18564829012006@news.btinternet.com>:
Open source is not what caused the problem here. The download server was
cracked and a modified version of the code installed. Those who do such
things are just as capable of inserting trapdoors into the binaries of
closed source code, so you could face the same issues with any code
supplied by someone else. This is why projects such as Apache provide
PGP signatures of their code - creating a fake signature is still beyond
what the criminals can do. This is also why tools such as Tripwire have
been created - if the download server had been running that kind of
monitoring tool the unauthorised modification would have been spotted
much more quickly.
If you write all your own code, you have to be confident that your own
systems are secure against intruders. I would hope that anyone
contemplating this approach on security grounds would also have read
"Reflections on Trusting Trust" and have understood the scale of the
task they are taking on if they are serious.
--
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>
- Posted by Andy Jacobs on January 30th, 2006
On 30/1/06 12:50 am, in article vkmqt1tm1mvgek82gmssariao2ovon6nji@4ax.com,
"Owen Rees" <orees@hotmail.com> wrote:
Agreed, the software didn't cause the problem but the result was that the
open source software that people downloaded was compromised.
I think it's all about control. As a developer, I'd be more nervous if I was
giving my code to a number of people. It just shows the level of
responsibility you have to your community. And to put it in context for the
end user, how comfortable would you feel as a business owner knowing that
the code that your web developer had installed was something they'd just
downloaded and installed for your site.
I think it's just fraught with danger when there is a middle man (the open
source code provider) in the frame as well. It's nobody's fault (apart from
the toe rags that hacked in) but you lose the element of accountability.
A
- Posted by Alan J. Flavell on January 30th, 2006
On Mon, 30 Jan 2006, Andy Jacobs wrote:
As was already pointed out, that problem has existing solutions
(such as publishing a permanent record of the software's MD5
signature).
Your potential customers might want to think about that too!
So would I, which is why I'd prefer to build on top of respected
publicly-reputed packages. One-offs have a reputation of being
inadequately debugged and security-audited, and their weaknesses often
only become apparent when they're already in the hands of customers,
by which time the damage (in various senses) has been done.
Then the authors find that they have more important/lucrative projects
on their hands to want to bother with proper maintenance of their
previously released code, and the package just staggers from one
kludge-up to the next. Been there, done that - both as developer and
as customer.
That depends on how well they understand the process!
I *know* it's fraught with danger when the not-invented-here merchants
refuse to use well-designed and well-debugged open software, in favour
of re-inventing (what often turn out to be square) wheels.
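The two defences the thread points at, a published digest for the release (Alan's post) and a Tripwire-style monitor that notices files changing on the server (Owen's post), as an added example that is not part of the original thread and not code from any of the projects named in it. It uses SHA-256 rather than the MD5 Alan mentions, since MD5 collisions are now cheap enough that a "permanent record" of an MD5 would not stop someone shipping a second archive with the same digest. All file names and contents are constructed for the demonstration. One caveat the code cannot remove: the digest has to come from somewhere the person who cracked the download server could not also edit, which is the point of the PGP signatures Owen describes.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large release archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest):
    """Check a downloaded archive against a digest obtained out of band.

    A hash file sitting next to the tarball on a cracked server proves
    nothing; the digest must come through a channel the attacker did not
    control (a signed announcement, a mirror, a printed record).
    """
    return hmac.compare_digest(sha256_file(path), published_digest.strip().lower())


def build_baseline(root):
    """Tripwire-style manifest: relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, current):
    """Report what has changed since the baseline manifest was recorded."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo_download_check():
    """Constructed scenario: the archive verifies against its genuine digest
    and fails against the digest of a different file."""
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "cms-1.0.tar.gz"  # constructed name, not a real release
        archive.write_bytes(b"constructed archive contents\n")
        genuine = sha256_file(archive)
        other = hashlib.sha256(b"constructed contents of some other file").hexdigest()
        return verify_download(archive, genuine), verify_download(archive, other)


def demo_integrity_monitor():
    """Constructed scenario: record a baseline of a release tree, then alter one
    file and drop in another, the kind of change a monitor on the download
    server would have flagged."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // constructed helper ?>\n")
        baseline = build_baseline(root)

        # Unauthorised changes made after the baseline was taken (constructed).
        (root / "lib" / "db.php").write_text("<?php // constructed helper, altered ?>\n")
        (root / "lib" / "extra.php").write_text("<?php // constructed new file ?>\n")

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo_download_check())      # (True, False)
    print(demo_integrity_monitor())   # lib/db.php modified, lib/extra.php added
```

In practice the baseline manifest is stored somewhere the monitored host cannot write to (that is how Tripwire deploys it), and the comparison runs on a schedule so a change shows up in hours rather than, as in the Etomite case Andy mentions, weeks.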
- Posted by Andy Jacobs on January 31st, 2006
Isn't it more likely that using open source is fitting a square peg into a
round hole? From my experience, open source usually ends up fulfilling 'a
percentage' of the requirement and you then spend unnecessary time, that you
either can't charge for or that inflates the cost to the client, reverse
engineering it and bolting bits on just to make it fit.
It doesn't matter how good you (Royal you) think you are, there's still
someone out there thinking up ways to exploit your code at this very moment.
I think phpBB was attacked like this recently. Yes, there is a danger that
my bespoke code will not have the same number of man hours thrown at it for
security testing, etc, but nothing is 100% safe. Open source means making
something public enough that it will attract attention from exactly the type
of people you don't want. I'm a hacker (for illustration purposes, not
really!!!) and part of the hacking community, I download your open source
CMS, pass it to all my hacker friends and we *will* find an exploit. By
opening a piece of code up for 100s of developers to develop, you also open
it for 100s of hackers to hack.
Andy
- Posted by Tim Hodgson on January 31st, 2006
Andy Jacobs <andy@redcatmedia.net> wrote:
This seems to be an example of the "Ok, it works in practice, but does
it work in theory?" argument. ;-)
--
TimH
pull tooth to reply by email
- Posted by Chris Morris on January 31st, 2006
Andy Jacobs <andy@redcatmedia.net> writes:
*shrug* That's not an open source issue, that's a not writing it
yourself issue. It would be the same problem if you got a "no charge
but not open source" or a "pay us some money" program to do the job.
Conversely by using 3rd-party components (open source or not) in the
right places you can do a lot of good. We wrote a CMS from scratch
here because the 3rd-party ones (some open source, some not) didn't
really do what we needed in some key areas. A couple of components
of it (comment handling, graphical HTML editing for content items,
etc) we got from 3rd parties because they fitted in well with what we
were trying to do there.
phpBB is a bad example, in some ways - there have been security
problems found in it recently, some very serious, and some very
nastily exploited - *but* they were all initially discovered by
white-hat/grey-hat security researchers, patched by the phpBB team,
and then the exploits started coming on people who hadn't
upgraded. The exploits were made a lot more serious because phpBB is
very widely used and at the time (now fixed) had a poor infrastructure
for notifying people.
I read security announce/discussion lists like bugtraq, and I notice
exploit attempts bouncing off my server (which doesn't usually have
the relevant software installed, never mind unpatched) - and the
announcement nearly always comes first, usually by at least a week.
The small-time attacks go from published vulnerability
information. The big-time criminals are starting to employ bespoke
highly targeted attacks, and for those it doesn't matter what you use.
As a side question... do you write your own web server and OS when
putting up websites? If so, why? If not, why are these 3rd-party
pieces of software fine but the web applications aren't?
--
Chris