Linux Containers Authors: Zakia Bouachraoui, Elizabeth White, Liz McMillan, Pat Romanski, Stefana Muller

Related Topics: Linux Containers

Linux Containers: Article

"Foreign Powers Will Deploy Spies to Infiltrate Linux," Argues O'Dowd

"Foreign Powers Will Deploy Spies to Infiltrate Linux," Argues O'Dowd

  • Read "Subversive Software" - O'Dowd's Linux Security Controversy Continues

    Dan O'Dowd is back. Today he issued his second white paper in a series that his company Green Hills Software describes as being focused on "the urgent security threat posed by the use of the Linux operating system in U.S. defense systems, including the Future Combat System and Global Information Grid."

    Provocatively titled "'Many Eyes' - No Assurance Against Many Spies," today's paper debunks the fallacy that the "many eyes" with access to Linux source code ensure that it is free of Trojan horses or other malicious software.

    Here is O'Dowd's argument:

    "Now that foreign intelligence services and terrorists know that we plan to trust Linux to run some of our most advanced defense systems, we must expect them to deploy spies to infiltrate Linux. The risk is particularly acute since many Linux contributors are based in countries from which the U.S. would never purchase commercial defense software. Some Linux providers even outsource their development to China and Russia."

    What O'Dowd believes is that the assumption that Linux is "safe" is based on what he calls "the dangerous misconception that the so-called 'many eyes' looking at Linux source code will find any malicious bugs hidden in Linux by foreign intelligence agents or terrorists."

    "This misconception is based on the silly assumption that looking at source code is an effective way of finding bugs," he continues.

    It is this 'many eyes' doctrine that he seeks to debunk:

    "Hundreds of bugs that attackers can exploit to penetrate Linux security are identified every year. Many of these critical security bugs have been in the code for years without being detected by the 'many eyes' looking at the source code. How can anyone believe that the open source process can eradicate all of the cleverly hidden intentional bugs put in by foreign intelligence agents and terrorists when the process can't find thousands of unintentional bugs left lying around in the source code?"

    Then, just as he did last week, O'Dowd contrasts the vulnerability (as he sees it) of Linux, with the designed-in security of his own company's products - 12 years old, his company specializes in real-time operating systems and software development tools for 32- and 64-bit embedded systems.

    "Many people," he declares, "believe that it is impossible for any operating system to have no known bugs in security-critical code, implying that no operating system is really secure. But that is not true. There are no outstanding bugs in our DO-178B Level A certified INTEGRITY-178B real-time operating system. This is the true reliability and security that our national defense systems need."

    Anyone who wants to take a look at O'Dowd's white paper first hand will see that it reviews mechanisms that O'Dowd believes can be used to infiltrate and compromise Linux and its source code. He also explains why he believes malicious code can easily escape detection.

    O'Dowd isn't done yet. Next week will come paper no. 3: "Linux Security: Unfit for Retrofit."

    Surely rebuttal arguments are not beyond the community's collective energies and ability? LinuxWorld invites informed discussion of the two white papers so far.

  • More Stories By Linux News Desk

    SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

    Comments (16)

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

    IoT & Smart Cities Stories
    @CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in ...
    There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
    LogRocket helps product teams develop better experiences for users by recording videos of user sessions with logs and network data. It identifies UX problems and reveals the root cause of every bug. LogRocket presents impactful errors on a website, and how to reproduce it. With LogRocket, users can replay problems.
    Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection. The company has detected more than 300 million application eavesdropping incidents and currently secu...
    Rafay enables developers to automate the distribution, operations, cross-region scaling and lifecycle management of containerized microservices across public and private clouds, and service provider networks. Rafay's platform is built around foundational elements that together deliver an optimal abstraction layer across disparate infrastructure, making it easy for developers to scale and operate applications across any number of locations or regions. Consumed as a service, Rafay's platform elimi...
    Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessio...
    Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Ca...
    New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists examined how DevOps helps to meet the de...
    According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
    In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life ...