is open source software trustworthy?

Source: Internet
Author: User
People often ask me if they really should believe in Oss. In other words, the worry is: is the OSS the angel that brings us a good life, or is it a demon that destroys our lives? As a matter of fact, this problem has been raised since the beginning of Linux and various BSD (Berkeley Software distribution) operating systems. In reality, any organization or enterprise is very cautious in planning to use a free software that is not from a reputable merchant. As a rule, a large amount of money is generally invested to test the software thoroughly. Recent events have heightened concerns about OSS. At some sites, it was reported that an IDs (intrusion detection system) was added to the backdoor in its installation script, and anyone who installed the software would put its system in jeopardy. The perpetrator disguised the backdoor, making it look like a part of the normal configuration process. We know that the back door is a system to do some special processing, so that in the future can easily and quickly use the system, without being discovered by the owner of the system. For the software system in the back door, the general people are disgusted, but because of its special function, some people flock to it. It is clear that the backdoor is one of the main factors that threaten the security of the system, both in commercial software and in Oss. The development of free software for more than 10 years has proven that OSS is still trustworthy. Also, you can take steps to make sure that your downloaded software has not been maliciously altered by checking the various digital signatures of the download site. The backdoor behind the software, the programmer, joins the backdoor in the software to gain access to the system that installs the software. In business software and systems, the back door has some other names, such as "Maintenance account", and these back doors are known to the owners of the system. This is not always the case, of course. In the late the 1980s, DEC (Digital Equipment Corporation, later merged by Compaq) included some system-level accounts with default passwords in its products. So DEC engineers can easily access the company's VMS operating system. Around the same time, the DG (Data general,www.dg.com) aviion system takes a specific option as part of its printer server management commands. With this particular option, which is not publicly available, the user can get root access. At&t engineers who maintain the company's minicomputer used a bug in the program to make themselves Superuser. The businesses that joined the backdoor in their products continued until the early the 1990s. In Unix software, the back door has a long history. Ken Thompson,One of the architects of the UNIX operating system, in his speech at the ACM (Association for Computing Machinery) awards in 1984, said that the people who wrote the operating system were so caught up in the temptation that they would put some back doors in the system. Think about it, if I write the operating system, secretly in the part of the login to add a piece of code, so that the world's operating system as long as I see my account and password let me in, give me root permissions, this is more interesting ah. But I can not directly in the login program's source code to write this, or a bit of people caught. What should I do? From the compiler inside the foot, I will call it "Patch 1" bar. In the compiler to add a procedure, if found to be compiled by the original program "suspected" in doing the login action, it opened a loophole, let me into. But this is not necessarily the case, the compiler will be revised later, the new version of the compiler may not be I write. The person installing the system is not necessarily using my compiler. What to do? So I made a second hand in the source code of the compiler, called "Patch 2". If the compiler finds that the compiled program is "suspected" of another compiler, add the "Patch 1" above and the "Patch 2" itself. Good! Now that the operating system is out, CC1 is the built-in compiler I wrote, which has two of my hands and feet. Now someone is compiling UNIX and has to use this compiler. However, the CC1 already has "Patch 1", so once compiled to login, compiled the login program is passive hands and feet. Just see my name, you must let me into the system, give me root permissions. At the time, Ken Thompson claimed to have a universal password, which could be used as any user to log into any UNIX system. I think Thompson's universal password can be described as the most high-profile and complex backdoor code. In addition, there is a well-known person is Eric Allman. He added some back doors to the early sendmail. When Allman first started writing sendmail, only three UNIX systems were using the software, and the systems were located at the University of California at Berkeley. That is, Allman had root privileges on all these systems at that time. After the SendMail was installed on the fourth system, the rear doors of Allman were amended. But in the early days, the internet was a platform for communication between friendly, trusting researchers. According to Eric Allman, he left some back doors for convenience. In 1982, Bill Joy was a student at the University of California at Berkeley and is now one of the founders of Sun. He created a sendmail version containing a backdoor, and distributed its copy to 50 sites, creating the first BSD. TheOne of the most amazing backdoor is an "additional" SMTP command that provides a root shell for anyone who can provide a configuration. Later, SendMail removed the password and simply connected to SendMail and entered "Wiz" to have root privileges. So a remote user can simply telnet to the 25 port where the SendMail system is installed, enter the Wiz, and then enter the shell to get a root shell to control the system. Commercial UNIX workstation businesses such as Sun and HP later removed the backdoor from the SendMail, but ignored the second backdoor (or bug). This backdoor can execute any command line as root. In November 1988, Internet worms used this error command to load and execute a worm short program that could spread. The merchant finally realizes the existence of this mistake and then removes it from the sendmail source. Then a third back door was discovered, but it had been fixed a long time ago. The development trend of software backdoor after the 1980s, the history of OSS backdoor began to haunt its development. UNIX developers want and believe that their operating systems can become mainstream, and backdoor code is not acceptable in the business world. However, the backdoor code did not completely disappear. In this period, the most well-known is the backdoor of Microsoft software. Microsoft Excel contains photos of developers and a variety of small games. Of course, to see these things, you need to know how to call these back doors, which is called "Easter Eggs (Easter Eggs)". Related content can be viewed in the URL: http://www.eeggs.com/tree/279.html. Of course, there are many versions of Excel that are now in use, not all versions of which are hidden games. In the early the 1990s, the FTP server for OSS downloads was the focus of attention. Because if someone invades the site without being detected and makes a change to the software that provides the download, thousands of users may download and install the software without their knowledge. Some people use other ways, such as impersonating a Trojan horse as a security software. A recent tool that claims to be dedicated to detecting weaknesses in a user's system actually installs a backdoor on the system that uses it. The tool can indeed detect a list of security issues and weaknesses in the system. In addition, a few days before the writing of this article (October 8), Linuxsecurity.com reported that Cert had been confirmed to have some SendMail source package copies modified by intruders, adding Trojan code. And remind the use, distribution, and mirroring site to immediately confirm the integrity of the original packet. As a user, be sure to downloadThere are several ways to secure OSS software. For the Master of Programming mania, they will study the source code, looking for possible backdoor. A simpler and quicker way to do this is to scan your code for code that can connect to a network, execute a command, or open a file. Because the backdoor code generally does these things. In fact, few people do that for large OSS packages. The 8.0 version of BIND (Berkeley Internet Name Daemon), OSS DNS and other software source code has 170,000 lines. In recent years, bugs have been rampant in bind, resulting in many patches. In this case, a security-sensitive programmer only needs to check the differences between the old and the new versions. In general, each patch will change only a few lines or add a few lines of code. In reality, most people choose to trust the software publisher rather than try to read the source code. Although in general, this is an effective method, but as a user how do you know the source version of their use is trustworthy? In the spring of 2002, some software distribution sites were compromised, and downloadable packages were likely to be slightly changed. One of these two sites is the site for IRC (Internet Relay Chat) software, and the other is monkey.org. It has a well-known security experts dug song written software Fragrouter. In both cases, the attacker made changes to the installation scripts that were commonly used to install OSS software. These scripts are typically used for name configuration, searching the location of the software installation in the system, and configuring the installation script to match the target system. Configuration scripts typically create a short test program to see if the desired libraries and features are available on the target system. Because configuration scripts are made up of a lot of detection procedures, attackers make backdoor programs look like they are doing a normal test. The attacker saves the backdoor program to a file, compiles and executes it, and then deletes the source code and the compiled program. The only evidence left by a successful attack is a running program, and the program periodically tries to connect to a remote server. If a remote server is connected successfully, the backdoor program executes a shell. This shell has the same permissions as the person who installed the software. This type of backdoor is very handy for external connections, and many firewalls cannot prevent this behavior. As OSS users, because most OSS comply with GPG (GNU Privacy Guard), it is possible to avoid the impact of tampering with the source code. GPG is a GNU tool that guarantees data transmission and storage security and can be used to encrypt and create digital signatures. GPG includes advanced Key management tools and follows the OpenPGP described in RFC2440International standards. PGP (Pretty), a successor to GPG, was released by Philip Zimmerman in 1991. You may never have visited the OSS site, but you've probably seen the signature file, but you're not aware of it. The package's signature file usually has an easily misunderstood suffix. asc. It is actually an ASCII version of the digital signature. On the web, we can find out how to use GPG or PGP to check the way signatures and OSS packages are associated. When the package signature is detected correctly, you can confirm that it has not been tampered with. At this point you can trust the person who signed the package. This signature key is still in a confidential state, which means that no one joins the back door in the source code during the signing process. OSS is safer now we are back to the question of whether we should believe in OSS. It is often easy to mention that no business entity is responsible for the flaws in the OSS, so it is unreliable. In fact, most of the widely used commercial software today has a EULA (end User Agreement). It stipulates that in most cases the business is not actually responsible for defects in the software. So the debate over accountability is untenable. OSS programmers are generally free to write or maintain software. The payoff for these programmers is that if you write good software, he can be famous. Therefore, for a programmer, if the backdoor is added to the software, the consequences are devastating. In fact, in reality, even some security-related bugs can seriously affect the reputation of OSS programmers. OSS programmers have a stronger desire and a sense of responsibility for software security requirements than programmers who work for large companies that will never be known to the public. In addition, because OSS programmers make the code that they write public, all people can check it. In reality, OSS software is much better at performing a particular job than the corresponding commercial software, whether its performance or the security it provides. The continued success of OSS in the marketplace is an indication of the growing recognition of its performance in all its aspects. OSS provides the tools needed to use the computer. In fact, many businesses now offer software to users that do not profit from it, but use software to sell other goods or services. It turns out that OSS has good security, or that it is more secure than commercial software. All we need to be aware of is to verify the source code and signature before installing an Open-source software. To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) Original: Open source software trustworthy? Back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.