[BBLISA] Quick Poll: Would you trust system software from an anonymous source?

Dean Anderson dean at av8.com
Sat Feb 27 19:19:19 EST 2010


Hi, Tom,

Very good points. Detailed response inline.

On Fri, 26 Feb 2010, Tom Metro wrote:

> Dean Anderson wrote:
> > By anonymous, I mean a source that traces only to an email address with
> > no phone number, no address, no anything.  Not even a significant
> > history of email from that account.  This source has no accountability,
> > because they are anonymous.
> 
> You're describing essentially the vast majority of open source projects, 
> excluding the small minority of open source projects that are backed up 
> by corporations. Even then, unless you are paying for a support contact, 
> the corporation probably carries no legal liability, and there is no 
> guarantee that they've vetted the end-user contributions to the code base.

Err, most open source projects have a mailing address, or someone (a
project manager) who does have a mailing address, a history in the
field, usually a real job, and a phone number, and more often than not a
domain name, which also has this information.  Larger projects are often
incorporated, sometimes as non-profit, sometimes as for-profit.

> If you disagree, can you clarify how you see the majority of open source 
> as not falling under this definition?

Most aren't anonymous. For example, the FSF has a physical address.
Richard Stallman has an office at MIT.  

I went to freshmeat just now, and the first system software I found was
NetSecL (a Linux distribution). It has a domain name, netsecl.com,
registered to Yuriy Stanchev:

Registrant:
    Nobody
    Yuriy Stanchev        (i_stanchev at ml1.net)
    Bulgaria
    Sofia
    Sofija,1330
    BG
    Tel. +359.000000

I had never heard of NetSecL before, but it was not anonymous.

By anonymous, I mean /only/ an email address, I mean no domain name, no
history, nothing whatsoever but an email address from a free email site,
e.g. user at we-do-free-email-accts.com.  The project is distributed by
sourceforge, again set up by the email address only. This user and their
name just appeared recently, and have no previous history in any related
project, mailing list, or that field. Ordinarily, if you give a name and
an email account, that person will have posted on some list on a similar
subject.  An accountant doesn't wake up one day and decide to launch a
Linux distribution; a Linux guy might; a *BSD guy might; a sysadmin
might.  And one can find out something about that person just by looking
at lists that discuss Linux issues; pretty much everyone has a history.
They aren't really anonymous.  But I'm talking about a sockpuppet
distributing software.

> If you do agree, then we can conclude that a large portion of the IT
> industry now feels comfortable using such anonymously sourced software
> for system critical functionality. Though perhaps with some
> qualifiers.  (See below.)

I don't agree that most open source software is anonymous and
unaccountable.  But I am concerned that people could fall prey to malware
that is simply put out as a "security fix" to a well-known program.

I think this kind of scam first started with free anti-virus "scan and
disinfect" programs that were themselves malware.  This kind of scam
could spread to other kinds of software, and other means of
distribution.  Most people know better than to download a "free"
anti-virus program, that is spammed out, and claims to scan their
computer for viruses.  Of course, some people learned the hard way.  
But shouldn't a professional admin know better?


> > By 'System software' I mean software whose integrity a company relies on
> > to perform its functions. 
> 
> Like say the Linux kernel?

Indeed. But consider ssh, ftp, web, email servers, dns, etc.


> > Here are the specific questions:
> > 
> > 1. Would you trust (meaning use) system software from an anonymous
> > source?
> > 
> > 2. Would the fact that the software is a derivative of well known
> > software, but with apparently gratuitous "security fixes": would that
> > increase or decrease your willingness to trust the software?
> 
> So the hypothetical response to this threat vector is that you audit
> the code. The practical approach, though, is that you stick to
> projects that have a wide user base, with the expectation that you've
> vastly increased the probability that someone else has audited the
> code, or encountered any potential exploits.
> 
> I think any time you deal with a fork or project that has a small user
> base, you're increasing your risks, unless you're willing to diff the
> fork against the main project, and then audit the diff.

I agree. But auditing millions of lines of code is tough.  I think there
are a few sensible checks that one can make first, such as whether the
software comes from a reliable and accountable source.

The discovery that you can't find an address, past history, or phone
number or anything should be a red flag, I think.  Isn't the refusal of
the email/sockpuppet to respond to queries for this information a wildly
waving red flag?

> > 3. Would the fact that source implements a variation of discredited
> > changes advocated by gray-hat or black-hat hackers increase or decrease
> > your willingness to trust the software?
> 
> I'm not sure I follow. Changes discredited by gray/black-hat hackers? So 
> that could mean the fixes are pointless, if they're being
> altruistic, or that the fixes hamper their ability to exploit, if
> they're not.
> 
> Can you get a white-hat hacker to weigh in? :-)

White-hat hackers usually provide proof of exploits--programs that
demonstrate the vulnerability, and sometimes an explanation. I'm talking
about fixes for non-exploits, provided by gray-hats/black-hats, with no
explanation and no prior vulnerability.  Just an unsubstantiated claim
that "these changes improve security".

Certainly we could learn a lot from say, Kevin Mitnick and many
black-hats on /how/ to break into systems. But would you trust Kevin
Mitnick to have full access to the Bank of America computer systems?

I think there is a line of trust between black-hats/gray-hats:  
black/gray-hats demonstrate exploits; while honest people have to be in
charge of the sensitive data and code.

> > 3. Would you consider it a bad judgment to use such software knowing
> > (1) for sure...
> 
> Not at all, with noted qualifications.
> 
> Of course it also depends on the amount of exposure the software has.

I think that you didn't really understand what I meant by anonymous
source. Hopefully, I clarified it above. What do you think given my
clarification?

> > and perhaps (2)...
> 
> #2 would make me nervous, given the circumstances you describe. If the
> user base was large, or the group forking and patching had a known
> reputation, it may be fine, but your case seems to meet neither of
> those qualifiers.

Obviously, being anonymous and having just appeared on the scene, they
have no reputation, other than the reputation of black-hats & gray-hats
who are supporters of the project.

> > and (3)?
> 
> Which #3? :-)
> (I assume the former, which I've asked for clarification on.)

Yes.

> > Please reply off list.
> 
> I think the clarifications of your premise warrant on-list discussion.

Indeed, you've made good points.

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494
