
By Richard Thurston
Posted on ZDNet News: Oct 26, 2006 5:54:00 PM

Alan Cox, one of the most respected figures in the U.K. open-source community, has warned about complacency over the security of open-source projects.

Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasized that considerable sums of money were being spent in attempting to hack into open-source systems.

And he cautioned that many open-source projects were far from secure.

[Photo: Alan Cox, Linux developer]

"There is a lot of money going into security, but the situation is worse, because there is a lot of money going into breaking security. People are being paid to work breaking down software systems," Cox, who is employed by Linux seller Red Hat, told delegates.

"Things appear in the media, like 'open-source software is more secure, more reliable and there are less bugs.' Those are very dangerous statements," Cox said.

Cox said that such analyses look only at well-known projects. An analysis of 150 projects from SourceForge, a repository for open-source code, would not result in the same high marks that the Linux kernel would get, he noted. "High-quality only applies to some projects: those with good code review and those with good authors," Cox said.

"The debate of Microsoft saying 'Look how secure we are' versus Linux saying 'We're more secure' is not looking at the important points," he added.

Cox, who has been closely involved with the development of the Linux kernel for many years, also took the opportunity to take a swing at a newly launched project that promises to measure the quality of open-source code.

The Software Quality Observatory for Open Source Software (SQO-OSS), funded by the European Commission, was launched on Monday. Cox told delegates that metrics must not become targets.

"It is good to build metrics, and SQO-OSS has great potential," he said. "But there are problems with this, and there are risks associated with that kind of methodology.

"If you are working with metrics and you have 14 bugs, you fix the 13 easy ones, and the one hard one can wait. That happens in the security world, but it becomes inefficient."

Richard Thurston reported for ZDNet UK in London.
