Protecting Yourself from the Internet

“Open Source”
Introductions – Mark Lachniet
• MSU Graduate
• Open Source user since 1997
• Security specialist for Sequoia Services
• Linux Professional Institute LPIC-1
• Novell CNE / Master CNE
• Microsoft MCSE 4.0
• Checkpoint Certified Security Engineer
Tentative Agenda
• Introductions
• Quick survey
• Open Source History
• Open Source Defined
• The Cathedral and the Bazaar
• Current Status
• Open Source security
• Training and Support
• Cultural and global issues
Quick Survey
• How many of you consider yourself
technical?
• How many of you are already familiar
w/ Open Source?
• How many are already using O.S.
software? (this is a trick question)
Being ChEaP
• In order to understand OSS, you have to
understand its advocates and developers
• Cheap refers more to the desire to learn,
experiment, and develop in new and clever
ways
• Cheap means pretty much the same thing as
the term Hacker used to, or the term Geek
currently does
• For many people, OSS is a powerful
statement about lifestyle and personal choice
• The question is… WHY?
Open Source History
• Richard Stallman could conceivably be called
the founder of the Open Source Movement
• Worked at the MIT Artificial Intelligence Lab
as part of a community of programmers who
designed a free compiler for the PDP-10
• The AI group promoted the sharing and use
of computer time and code - the early roots of
OSS
• This eventually came to an end when the
university decided to use a non-free system
and Stallman was forced into the world of
commercial software
Endings and Beginnings
• Stallman left MIT shortly thereafter, citing a
“stark moral choice” not to capitulate to a
commercial software company
• Thus began his mission
• The first step towards creating the “utopian”
software society of his dreams was the
creation of the first free operating system
• He then began work on the GNU System and
the Free Software Foundation
• This started with the GNU C compiler and
associated tools
Meanwhile, back in Finland
• GNU was a great work in progress, but the kernel (the
core of the OS, the part that manages hardware, memory and processes) was nonexistent.
• A Finnish programmer named Linus Torvalds had
been working on creating a UNIX-compatible kernel
for the 386 platform
• His kernel was inspired by, and initially developed on, the earlier
MINIX operating system for the 386
• Linus worked long and hard on coding the kernel,
according to legend sometimes releasing two or
more versions in a single day
• Around 1992, GNU and the Linux kernel were
combined to create what we now think of as Linux
Open Source Defined
• Depends upon the OSS license – there are many!
• The Open Source Definition (the criteria a license must meet to be called
“open source”; the GNU General Public License is one license that satisfies them) has these aspects:
1. Free Redistribution – may not restrict redistribution or require a royalty or fee
2. Source Code – must distribute unobfuscated source
code
3. Derived Works – must allow modifications and derived works by others
4. Integrity of the Author’s Code – may require changes to ship as “patches”
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Distribution of License – cannot add restrictions (e.g. an NDA)
8. License Must Not Be Specific to a Product – no bundling requirement
9. License Must Not Contaminate Other Software
The Cathedral
• Think of the way that a cathedral is built - it is
overseen by the church and takes lifetimes to build
• The end result is usually quite beautiful, and a
testament to the work, but it is slow in the making
• Commercial software is built in exactly this way: they take their time, release a few versions only now
and then, and try very hard to make sure that the
final product is beautiful (hopefully!)
• In software, this means insulating end users from the
process, and working very hard to make sure that
every possible bug is found and fixed before it is
released - just like making sure that the cathedral is
perfect before it is opened to the public
The Bazaar
• The bazaar, on the other hand, is a chaotic free-for-all
• Anyone can come to the bazaar if they bring the right
currency (skills) to the table
• The bazaar method makes all of the information available
to all of the people so that anyone with a knack or an
interest can tinker with whatever they want
• In the bazaar method, software is released frequently, with or without bugs
• This invites the whole world to participate in the process: bugs are found, people modify the code to suit them and
contribute it back to the project
• While this frequently means that a revision of software
may have a problem, it also means that it can be fixed very
quickly
Current Status
• Linux now runs on some 20% of the
world's servers by volume
• Apache runs on over 60% of the world's
web servers
• Perl is the engine behind most of
the “live content” on the World Wide Web
• BIND is the software that provides the DNS
(domain name service) for the entire
Internet
• Sendmail is the most important and widely
used email transport software on the
Internet
OSS F.U.D.
• [F]ear [U]ncertainty and [D]oubt
• Because of the highly polarized debate
on OSS, it is often difficult to get to the
true heart of the issue
• Both sides of the argument are guilty of
an overly one-sided argument
• The truth is that OSS is *not* the best
solution for all situations
• Let’s refer again to the European
Commission’s findings
FUD Fighting - misconceptions
• OSS is just a new gadget
• OSS belongs to nobody
• People cannot be motivated to produce
OSS, because it is free
• OSS is just for hackers and students, not
for business
• OSS provides no support
• There is no stability, because so many
people can change the software.
• Divisions or “forking” will split OSS
projects into many incompatible variants.
True OSS Risks
• Lack of accountability
• Reduced set of supported hardware
• Reduced set of business
applications
• Lack of guidelines
• No guarantee that development will
happen
• Some limitations regarding high-end installations (but IBM is
addressing this)
• MJL: Difficulty – the Geek Factor!
OSS In the Enterprise
• Commercial support from a variety of “big
player vendors” such as IBM, Compaq, and
Dell
• Many companies now ship Linux preinstalled on select product lines
• Improved hardware support for enterprise
solutions such as the Compaq Smart Array
RAID adapter and others
• 24/7 Support contracts are available from
multiple sources such as LinuxCare, IBM,
and others
Popular uses for OSS
• Web server – Apache, Perl, PHP, and even
ASP emulation
• File server – NFS, Novell (NetWare) emulation, Samba (SMB/CIFS)
emulation
• Journaling File System (JFS)
• Mail / UNIX shell server
• Network appliance – dialup server, Linux
Router, security devices
• Programming and application development
platform
High-End OSS Computing
• One very real shortcoming in OSS /
Linux software is in high-end systems
• In particular, SMP support > 4 CPUs
• This is being addressed in several ways
• One way is to use IBM’s “Linux for
S/390” software
• Another way is to use “clusters” of
parallel-tasking machines such as the
Beowulf cluster system
Linux on the IBM S/390
• Runs on the “zSeries” server
• Can run in “native” mode as the main and
only operating system
• Can also run in logical partitions so that you
can run native OS/390 applications in one
partition, and Linux in another
• IBM made a test server available and offered
free computing time to anyone who wanted to
play with it
• Will provide service and support
• Future plans for “memory speed” network
communication between partitions
Beowulf Clusters
• Makes use of many cheap PCs
• Communicate over regular 100 Mb/s or
Gigabit Ethernet
• Requires specialized client software but can
be installed on free Linux distributions
• Very popular in universities and schools
where cheap number crunching is required
such as physics and math
• E.g. National Oceanic & Atmospheric
Administration
Security on OSS software
• Some people say that OSS is inherently
insecure for a few reasons:
  – Anyone can scan the source code for problems
  – OSS developers are not “paid” to look for bugs
  – People simply like to hack UNIX and Linux
  – Lack of organized control over code
• Some people say that OSS is inherently secure
for a few reasons:
  – Anyone can scan the source code for problems
  – OSS developers are not “paid” to look for bugs
  – People simply like to hack UNIX and Linux
  – Lack of organized control over code
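The first reason on both lists, that anyone can scan the source code for problems, is concrete enough to show. The script below is an added example written for this page (it is not from the talk or from any project it mentions): a minimal source audit that only works when the source is available. It walks a set of C files, strips string literals and line comments so that names inside them are not counted, and reports every call to an unbounded copy or format function (an abbreviated banned-function list in the style of CERT's MSC24-C) with the file, line and a one-line reason. The two C files it scans are constructed for the example.

```python
"""Added example: scan C source for calls to classic overflow-prone functions.
Sample sources below are constructed for this example; the banned list is an
abbreviated, illustrative one, not a complete audit checklist."""
import re
from typing import Dict, List, Tuple

# Functions a reviewer flags on sight: unbounded copy / format / read calls.
RISKY_CALLS = {
    "gets": "unbounded read into a buffer; use fgets with a size",
    "strcpy": "no length check; use strlcpy/strncpy with an explicit bound",
    "strcat": "no length check; use strlcat or track remaining space",
    "sprintf": "no output bound; use snprintf",
    "vsprintf": "no output bound; use vsnprintf",
    "scanf": "'%s' without a width is unbounded; give every %s a width",
}

# An identifier followed by '(' that is not part of a longer name, so
# 'strcpy(' matches but 'my_strcpy(' and 'strcpy_s(' do not.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_comments_and_strings(line: str) -> str:
    """Crude pre-pass: blank out "..." literals and drop // comments so a
    function name mentioned in text is not reported as a call."""
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]

def scan_source(name: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, function, advice) for each risky call in one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in CALL_RE.finditer(strip_comments_and_strings(line)):
            fn = m.group(1)
            findings.append((name, no, fn, RISKY_CALLS[fn]))
    return findings

def scan_tree(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a filename -> source mapping (stands in for a checked-out source tree)."""
    out = []
    for name in sorted(files):
        out.extend(scan_source(name, files[name]))
    return out

# Constructed sample sources (hypothetical files, not from any real project).
SAMPLE_TREE = {
    "login.c": """
#include <string.h>
#include <stdio.h>
int check_user(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded copy: flagged */
    printf("strcpy is not called here\\n");   /* inside a string: ignored */
    return strncmp(buf, "admin", 5) == 0;
}
""",
    "util.c": """
#include <stdio.h>
void greet(char *out, size_t n, const char *who) {
    snprintf(out, n, "hi %s", who);  /* bounded: not flagged */
    // sprintf(out, "hi %s", who);   commented out: ignored
    char line[64];
    gets(line);                      /* flagged */
}
""",
}

if __name__ == "__main__":
    for path, no, fn, advice in scan_tree(SAMPLE_TREE):
        print(f"{path}:{no}: {fn}() - {advice}")
```

Run against the constructed tree it reports `login.c:6: strcpy()` and `util.c:7: gets()` and stays quiet about the bounded `snprintf`, the commented-out `sprintf`, and the function name that only appears inside a string. A regex scanner like this is a first pass, not a verdict: each hit still needs a human to check whether the destination buffer can actually be overrun, which is exactly the review that source access makes possible.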
Training
• One sign of a robust industry is
standardization of skill-sets and
certification
• Three major Linux certifications exist:
– The Linux Professional Institute
– GNU / Sair Linux
– Red Hat – Red Hat Certified Engineer
• These are challenging certifications
• The curriculum is publicly available –
read it!
Support
• Contrary to the F.U.D., there are
support mechanisms for Linux
• Look to your favorite hardware vendor
• Many national companies will sell
support contracts – check your handout
• There are also many resources in
Michigan, certainly many more than are
listed in your handouts
Cultural Considerations
• Economic concerns aside, there is another important
reason to contemplate how we deal with (and think
about) technology
• Technology is integrally meshed with western culture
- the Internet is now ubiquitous, especially for those
of the middle class and above
• Technology is in many cases our portal to the world: a source of information, as well as a means of
processing it
• Information is truly the commodity of the 21st
century, and how we are able to manage and
manipulate information and communicate with
others will be the new frontier of our age.
Cultural Considerations
• This is why the whole question of Free Software is so
important – people ask: “do we want to live in a
world where the means to our most important
resource - INFORMATION - is controlled by
software companies?”
• Do we want to live in a world where we cannot peer
“inside the box” to see the true workings of the
technology we use on a daily basis?
• Do we want to be reliant upon a company to provide
us with a limited number of ways to harness this most
precious of resources?
Global Considerations
• It is not just the western world that will be affected by the
decisions we make, because the path we take will set the
environment for other countries and places making the
transition to information societies
• Consider the “third world” countries in our southern
hemisphere. They can barely afford the hardware to
establish an information infrastructure, let alone purchase
a copy of Windows NT workstation and Microsoft Office
for every box
• The “Community Aid Abroad” organization points out
that “Information and Communication Technologies are
now fundamental to dealing with all development issues in
developing countries.”
• In essence, technology is now the crux of improvement and
aid efforts worldwide. The very difference in monetary
price alone could theoretically be equated to human lives
Western-centric politics
• Besides money, the CAA also makes the point that
commercial software creates an external dependence that
is volatile and subject to political whims.
• What if, for example, the entire country of Colombia
standardized on Windows NT. Then say, for example, that
a major security bug was found in said operating system.
To further complicate the matter, say that the CIA was
angry with Colombia over some issue such as the drug
trade and decided to impose a complete embargo.
Colombia could potentially be in the unenviable position
of having a completely insecure network infrastructure
and no way to obtain patches. This is probably not a very
good example – they could just illegally obtain the patches
– but there are many other ways that this dependence
could work against them
Technology and Culture
• In addition, it's worth noting that modern software and the
Internet itself are Anglo-centric: they are primarily written in English.
• Language itself plays some factor in cultural development, as the
western history of Imperialism has shown - embedded in
language are the values, mores, and assumptions of the
dominant culture
• In this way, technology can serve to introduce external cultural
influences on other cultures. What does this do to these other
cultures? Americans may not think of this stuff!
• With free software, this risk is somewhat reduced
• Free software is written by a world-wide audience - although the
language of discourse is English, the participants are diverse
• Free software, such as Linux, is more frequently adapted to
other languages such as Japanese, Spanish, and Thai, because it is
possible to do so. They do not have to rely on the altruism of a
company to release a version – they can obtain the source code
and do the work themselves
The Scientific Method
• There are strong parallels between computer software and
scientific discovery
• Both are built upon the works of others - where one researcher
or programmer is unable or unwilling to take the work further,
someone else will
• In science, theories are not conclusive unless they are replicable – that is to say, the scientist must publish a paper laying out their
ideas, methods, data and conclusions to the community. Other
scientists then take this data and attempt to replicate and
understand it. If the results can be replicated, the work is
accepted and built upon
• In commercial software, this isn’t the case. Having a binary
without the source code is like being presented with a summary
and conclusion to a scientific paper without being given any
data. One may be able to “reverse engineer” the project to
discover the methods, but it is difficult and costly to do so.
The Scientific Method
• In this sense, commercial ownership of software may
serve to hinder the progress of software (our vital
national interest) in general
• With Open Source, all of the data is there for the
taking - the methods can be improved, the
assumptions corrected, and the conclusions modified
• All software serves as a building block for the next
generation of software to follow. With open source,
this provides a rapid development path towards
better software (and hence better manipulation of our
information commodity).
Fire… A Satire
Mark Lachniet