The Need For More Open Source Watchdogs
The security problems associated with proprietary software products have been well documented. Thanks to the efforts of countless IT watchdogs, security flaws in Microsoft Windows XP and other proprietary software packages have been exposed and patched. However, there are fewer watchdogs focusing on the many "open source" software programs that are in widespread use.

The most important IT watchdog, Carnegie Mellon University's CERT Coordination Center, has identified security vulnerabilities in two popular open source programs: Sendmail, an e-mail program, and OpenSSH, a software tool used by network managers "to log in remotely and gain encrypted access to computers..." The Sendmail flaw was described by one security expert as "an extremely serious vulnerability," while the OpenSSH vulnerability was considered more theoretical, although "it might prove to be exploitable." A CERT official said that if the flaw were exploitable, it would be serious since "a user would not need privileges to log on to the machine to run the exploit."

A number of major software vendors sell products incorporating the vulnerable OpenSSH program, including IBM, Sun Microsystems and Red Hat. Hewlett Packard, IBM and Red Hat sell products that could be affected by the Sendmail security flaw. An internet security specialist explained that both programs "are commonly used at large companies, making them an attractive target to hackers." Also noted was that "In any given year there have been just as many vulnerabilities in the open-source community as there have been with Microsoft."

Because open source software is being increasingly used in critical business and government applications, there is a clear need for additional watchdogs to monitor the security of open source products. Furthermore, Winston has a question regarding open source programs: when there is a problem with an Apple or Microsoft product, he knows who is responsible for patching it, but who is responsible for fixing software that nobody was responsible for writing in the first place?
This question is of sufficient importance that a discussion thread on the issue has been established on CyberActivist.US.

Sources: CNET News article; CERT Advisory for OpenSSH; CERT Advisory for Sendmail.