The document discusses open source software and security. It notes that while open source code being publicly available could enable security vulnerabilities if viewed by malicious actors, open source may also increase security through transparency and many eyes reviewing the code. Studies have found Linux source code to have significantly fewer bugs than closed source commercial software. The document also discusses how transparency, interoperability, and avoiding vendor lock-in have driven many governments to adopt open source solutions for national security and accessibility reasons.

1. Free & Opensource Software and Security By Buddhika Siddhisena CTO & CoFounder ThinkCube Systems Member of LKLUG

2. “ Opensource software lets anyone to look at the blue print source code”

3. “ What happens if these blue prints got into the wrong hands ?”

4. Can you achieve security through Openess?

5. NSA

6. NSA = No Such Agency

7. NSA = National Security Agency

8. “ NSA is famous for keeping secrets, including their existence”

9. “ NSA releases SELinux, a security enhanced version of Linux as Opensource Software”

10. “ Hey wait a second !”

11. #1 org to keep secrets releases their blueprints?

12. "Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers” --Larry Loeb Source: http://www.ibm.com/developerworks/library/s-selinux/?n-s-381

13. So whats going on @ NSA?

14. Why did the most security conscious agency in the US do this?

15. "The Information Assurance Research Group of the NSA is responsible for carrying out the research and advanced development of technologies needed to enable NSA to provide the solutions, products, and services to achieve Information Assurance for information infrastructures critical to U.S. National Security interests .” Source: http://www.nsa.gov/selinux/info/faq.cfm

16. critical to U.S. National Security interests

17. critical to U.S. National Security interests

18. All computer software, whether Open Source or proprietary...

19. Has had bugs...

20. Currently has bugs...

21. And will continue to have bugs...

22. “ Given enough eye balls all bugs are shallow” - Eric S. Raymond

23. EnglishTranslation : Given the fact that many people are constantly looking at the source code, and because anyone can improve it (by reporting or fixing bugs for eg.), it is less likely to contain many bugs.

24. “ So how secure is Linux?”

25. A four-year study released by Coverity, reports Linux has a low bug count, making the code more stable and secure. The 2.6 Linux production kernel, now being shipped with software from Novell and other Linux vendors, contains 985 bugs in 5.7 million lines of code, far below the industry average, said Seth Hallem, Coverity's CEO. Source: http://www.internetnews.com/dev-news/article.php/3448001

26. Commercial software contains 20 to 30 bugs for every thousand lines of code, according to Carnegie Mellon University's CyLab Sustainable Computing Consortium. That is the equivalent to 114,000 to 171,000 bugs in 5.7 million lines of code.

27. Opensource vs Proprietary 985 bugs vs 114,000+ bugs

28. Defect density declined by 2.2 percent as the total lines of code in the Linux kernel continues to grow from 5.76 million in December 2004 to 6.03 million in July 2005, which represents a 4.7 percent increase. "Although the size of the Linux kernel increased over the six-month study, we noticed a significant decrease in the number of potentially serious defects in the core Linux kernel," said Seth Hallem, CEO of Coverity, in a statement.

29. Free & Opensoure software is transparent

30. “ Did you someone say Free?”

31. “ Free as in Freedom not as in Free Beer!” - Richard M. Stallman

32. By using FOSS you have 4 types of freedom

33. Freedom 0 The freedom to run the program for any purpose

34. Freedom 1 The freedom to study how the program works and adopt it to your need

35. Freedom 2 The freedom to redistribute copies

36. Freedom 3 The freedom to improve the software and release the improvements to the world

37. Many Governments are adopting or have completely migrated to FOSS

38. Brazil Source: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm

39. Germany Source:

40. France Source: http://www.technewsworld.com/story/36886.html

41. China Source : http://news.zdnet.co.uk/software/linuxunix/0,39020390,39196592,00.htm

42. South Korea Source: http://news.com.com/2100-7344-5084811.html

43. To name a few...

44. but what about Sri Lanka?

45. Why are they adopting or migrating?

46. Its not always because of the lower price of acquiring FOSS

47. Its not always because of the lower Total Cost of Ownership (TCO) of using FOSS

48. Though they alone are good reasons!

49. Some Chinese officials are convinced that having an American government dominate the market compromises national security. Secret security flaws in Windows can be used to access Chinese networks. Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues. Source: http://www.g4tv.com/screensavers/features/39528/China_The_Republic_of_Linux.html

50. “ Officials like to state the discovery of the NSA key in Windows as proof that Microsoft is working with the US government on intelligence issues?”

51. Conspiracy Theory? http://en.wikipedia.org/wiki/NSAKEY

52. Kraft points to an ongoing public battle between the Commonwealth of Massachusetts and Microsoft. The state is trying to pass legislation that would have the state adopt an open source document policy by January 2007 in order to better protect the accessibility of its digital documents. Source:http://searchopensource.techtarget.com/originalContent/0,289142,sid39_gci1180306,00.html

53. The state is arguing that if Microsoft or another closed source software vendor ceased to support older versions of its platforms, thousands of the state's archived documents could be rendered useless.

54. Imagine during an emergency or after a disaster, governmental organizations not being able to work effectively because they relied on a closed document format

55. And finally...

56. Why aren't there a lot of Linux viruses?

57. A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning

58. The reason that we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus. Source: http://librenix.com/?inode=21

59. And finally finally finally ...

60. True security comes NOT from OBSCURITY

61. True security comes from TRANSPARENCY

62. ~ the end