It would be grossly unprofessional of the three-letter agencies if they should have failed to run counter-intelligence operations upon the open source communities. Furthermore, given their resources to hire hackers and long history of infiltrating loosely affiliated organizations, it is hard to imagine that they have struggled to place moles deep within many critical projects.
Open source communities have no membership committee or state-funded security apparatus. Contributions are accepted based on trust and trust is established by technical merit. The means the three-letter agencies used against Microsoft and other corporations are not the only strategies they have available.
Maybe Linus doesn't have a price. I hope so and I trust him. But regardless of my trust and hope, there is no verification. My trust still acknowledges that no one is scanning Swiss accounts for activity which might be linked to him - and even if there were someone doing so, what would be my basis for trusting them?
Again, I'm not saying I don't trust in the integrity of Linus, but it's hard for me to trust everyone contributing to my Linux distro. Patriots and mercenaries can contribute to open-source just as well as anarchists and Samaritans.
Microsoft's closed source model required a more transparent method to subvert [more transparent than a black operation]. Subverting open source requires little more than a clever branch and merge with a veneer of social engineering. The fruit is so low hanging that merely singing the Open-Source Internationale, will get one street cred. Anyone who thinks they are immune, isn't. This is state level resources - put a man on the moon and bring down communism scale.
I don't think it is wise to trust any system, open or not, so I agree with your thesis.
However, the fact that Linux source is available for review does make it more secure on a relative basis. Sure, it is naive to think a zero day couldn't be buried in there, but at least there is the opportunity for review. With a closed-source OS, we don't even have the luxury of a false sense of security.
Not to get all tin foily, but I'd be more concerned about hardware exploits if you're thinking in terms of "man on the moon" resources... where are all those chips made again?
And that's what those three-letter agencies do, or at least should do. In addition to planting backdoors, their job is also to make sure that their systems are backdoor-free.
In any case, Microsoft is providing the government with the source code of at least Windows (not sure about Office), so from a source code point of view, that is somewhat OK (minus finding people experienced enough to digest an enormous code base).
The main problem that is common to both Microsoft and OSS is actually checking the binaries. Except for China (to some extent), there is no government that is actually forking the projects they use in order to create a custom, controlled distro. So they are always going to have to trust their binary source. And that is the weak link.
When was the last time you reviewed the Linux kernel code looking for possible backdoors, found none and compiled your own kernel? Btw, when was the last time you reviewed the GCC code looking for possible backdoors, found none and built it from scratch? Btw, when was the last time...
Most companies and users get their pre-compiled distros and never bother because it's an impossible task so I don't see how open source is any better in this regard.
When people ask me why I switched to Gentoo, I'm going to borrow liberally from this post as justification. I know the code my system was built on now. It's trivial to do an audit of that code, as well. I didn't have that security with RHEL/Fedora or Ubuntu/Debian.
If you didn't build your OS, you'd better trust the person/people that did.
I trust you audited your compiler, assembler (et al) as well then? The C library? All device drivers? Your BIOS? Firmware on everything from your mouse and keyboard to that USB stick you just used?
While free software does make it possible to gain some confidence in running TLA-free code, it does not make it a simple job. Just stating that you 'know the code my system was built on now' is like stating you 'know what you eat because you read the label on the can'. There might be more in that can than the label tells you...
> I trust you audited your compiler, assembler (et al) as well then? The C library? All device drivers? Your BIOS? Firmware on everything from your mouse and keyboard to that USB stick you just used?
Yes. You can very much trust that. I appreciate that you've never decided to do an audit of GCC's, glibc's, or your kernel's source, but understand that others have. I am one of them.
As for any binary blobs/firmware I can't peek into, that's why I have software [1] running on the gateway to see if anything phones home. So far, nothing has. If it's not communicating with anyone, I can be reasonably sure it isn't compromising my security.
Also, your reply was almost entirely an argument from incredulity [2], a logical fallacy.
OK, not to be the devil's advocate... but why are you so sure that nothing phones home? The mere fact that nothing on your network connects to https://bigbrother.com/snoop.php?suspectname=aclevernickname... is not solid proof of nothing phoning home. There are many ways of communication over a network, are you sure you check all of them?
If your answer is 'yes'... you should check again :-)
As to you having 'audited' all code running on your network, I can flatly state I don't believe it. I don't doubt you'll have looked over the source for a part of it, but there is a difference between 'looking over code' and 'auditing code'. Take the Linux kernel for an example: as of 2013, the Linux 3.10 release had 15,803,499 lines of code (source: Wikipedia:Linux_kernel). Linux for Workgroups has even more. Glibc is good for another 1,188,385 lines of code (source: http://www.ohloh.net/p/glibc). The gcc collection spans 6,242,908 lines (source: http://www.ohloh.net/p/gcc). These are only those projects you mentioned ('I appreciate that you've never decided to do an audit of GCC's, glibc's, or your kernel's source, but understand that others have. I am one of them.').
Understand that an individual who claims to have audited all code on his or her network does not come across like someone who grasps the magnitude of the effort s/he claims to have conquered. This individual either has superhuman powers and unlimited time, or the individual overestimates the efficacy of his or her 'auditing' efforts.
Is there any evidence of this? Certainly there is a single hacker out there that has been approached by the gov't or contracted for them for these purposes at some point, that is also willing to talk, even anonymously.
Think of Federal employees at Fort Meade, who were hired to do the sort of work I am describing.
Think of defense contractors with nondescript offices in Fairfax who hire those same employees after they leave the government and whose employees spend their days writing and pulling and pushing and merging open-source software.
Think of $200,000 a year.
Think of Edward Snowden.
A thousand hackers is a line item in the NSA's budget.
Or the KGB's.
Or China's.
It's asymmetric warfare. But the side without the money is disorganized and open and trusting.
> It's asymmetric warfare. But the side without the money is disorganized and open and trusting.
The Snowden leak happened (as did Manning), so the Government is not as organized as optics would suggest. They are drowning in the data deluge just like everybody else.