A handful of recent online attacks on free and open-source software servers has open-source developers looking over their shoulders.
During the last four months, unknown intruders have breached the security around servers hosting programs and code published by the Linux kernel development team, the Debian Project, the Gentoo Linux Project and the GNU Project, which manages the development of many important programs used by Linux and other Unix-like systems. The attacks have convinced open-source project leaders to take another look at their security.
"It is a definite eyebrow raiser that there has been this targeting of open-source servers and core open-source development servers," said Corey Shields, a member of the infrastructure team that oversees the distribution system for Gentoo Linux's code. "The worry is that if someone wanted to be malicious, they could change core software and users could be using corrupted packages."
Although the open-source model has led to immense progress in developing a competing operating system to Microsoft's Windows--long a target of hackers--it now seems to be a magnet for attackers itself. In a sort of backhanded compliment, attackers are aiming at the Linux OS and other open-source applications because of the software's popularity. Even developers who believe they've adequately secured their development systems are looking at the trend with some trepidation.
"It is one of those things where you have to hope you are not next and try to be one step ahead of the bad guys," said Jeremy Allison, co-founder and developer of the Samba Project, the programming effort for the popular open-source file server that seamlessly fits into Windows networks.
On Dec. 1, an attack on Gentoo Linux compromised one of 105 volunteer-run servers that make copies of Gentoo's source code available to users. The attack, however, didn't threaten the main source-code database. Moreover, security software on the targeted server detected the attack quickly and kept a detailed record of it.
The incident followed a November attack on the Linux kernel, which similarly happened because another system--this time a developer's--had been breached and used as a stepping-stone. The attacker used the developer's machine to submit code to a secondary server, code that could have been used by a later attacker to gain access to any systems that installed it. That attack also was detected within 24 hours.
Other incidents in the rash of attacks have been more serious.
Intruders gained access to the GNU Project's development system, Savannah, and in a separate incident, to four Debian Project servers used to manage development and community efforts for that Linux distribution.
Both attacks were similarly executed: An attacker managed to garner a legitimate user's log-in name and password and then used a recently discovered vulnerability in the Linux kernel to gain the rights and privileges of the system's owners. Both Debian and GNU Project leaders continue to keep the systems offline--and inaccessible to developers--until they can ensure they're secure.
The GNU Project said the latest attack, and another one that compromised the project's file transfer servers last March, had prompted its leadership to make changes.
"We expect to take measures in the aftermath of the Savannah incident," said Eben Moglen, general counsel for the Free Software Foundation, which maintains the GNU Project, a source of freely available software for Unix and Linux systems. Among the measures, the project leaders will force developers to digitally sign any code they submit, and they plan to introduce additional features to freely available source-code maintenance systems--the best known being the Concurrent Versions System, or CVS--to check developers' digital signatures before accepting changes.
"We believe (adding digital signatures) is the single most useful technical change to tighten these systems to assure the integrity of the code they contain," Moglen said.
The GNU Project, which has created a great deal of the software that makes Linux and Unix systems tick, calls its software "free" because the programs are distributed under the GNU Public License, which allows an application and source code to be used and modified freely as long as the resulting code is distributed under the same terms. The intent is to give the public a set of software that it can freely use, improve and share.
However, that model of software development comes with a hidden cost, critics say. Companies that want to have a high assurance that an attack hasn't resulted in a security weakness will have to audit the code themselves, said Greg Wood, general manager of information security for Microsoft, a vocal opponent and rival to many open-source software projects, such as Linux and the Apache Web server.
"There is a cost for open source, in terms of business process," Wood said. "I think that you are buying into the cost of doing your own integrity check and your own building process."
Microsoft has had its own problems. In October 2000, for example, an attacker was able to leverage control of a developer's computer and gain access to the software giant's network. Since that time, the company has embarked on its Trustworthy Computing initiative, aimed at securing its software and development process, among other goals.
Developers are quick to point out that although the recent attacks on open-source software may have given their perpetrators access to some computers, they've largely failed to affect development because projects are already taking security seriously.
"The reason all the latest break-ins have been quickly noticed is that the master sites tend to be private and…various checks trigger" when attackers change something on secondary sites, said Linus Torvalds, original creator and current maintainer of the Linux kernel and a fellow at the Open-Source Development Labs.
Torvalds has rethought his security more than once. At Helsinki University in Finland, he maintained the early versions of the Linux kernel on a machine that was accessible on the school's open network. Today, the Linux kernel server is protected by multiple firewalls, encrypted communications through secure shell (SSH), and cryptographic signatures to ensure integrity.
Larry McVoy, founder of BitMover, the maker of the source-code maintenance application used by Torvalds to administer the kernel project, stressed that every project should be using such signatures--or "checksums"--to ensure that source code hasn't been changed.
"If you are not checksumming your data--if you are not paranoid--guess what? You have asked to be screwed," McVoy said.
Already, the Debian Project, Gentoo Linux, and the Samba Project use external checksums to verify whether files have been tampered with during an attack. Such techniques remove much of the worry from maintaining a project, said Gael Duval, co-founder of MandrakeSoft, which uses such techniques to protect its distribution of Linux.
"Security issues are not new, and the solutions are not new," Duval said. "A first step would certainly be that system administrators--and users--consider security issues with more importance."
The Apache Software Foundation is moving its popular open-source Web server software over to another source-code maintenance system, Subversion, despite the GNU Project's intent to add additional security features to the CVS software. The primary reason for the move is security, said Justin Erenkrantz, a developer with the Apache Software Foundation.
"We have found that Subversion may be able to provide a better security model than we currently have with CVS, primarily by removing the need for local Unix accounts for all committers and adding checksums to all transactions," Erenkrantz said. "We are hopeful that we can reduce one common attack vector: reducing the number of local accounts that we have to support."
Other aspects of the open-source development model also remove some of the worry, said Erenkrantz. The distributed nature of development means that many other repositories of source code will be available to check the integrity of the code on the main server.
"In the event of an apache.org compromise, we can verify that each developer is in sync with the…repository--that is, (that) there has been no malicious insertion of code," Erenkrantz said.
Torvalds echoed the sentiment, saying that even in the event that the main server for kernel development gets compromised, the open-source community has other checks and balances.
"The thing is, it will get noticed in the end," Torvalds said. "The kernel source code is endlessly replicated, and we will find out if anything nasty was added."
Malicious attackers are less of a worry, Torvalds said, than simple mistakes.
"Personally, I worry a lot more about just plain bugs," Torvalds said. "Whatever kernel weakness people find is much more likely to be just a silly bug--like the one Debian got bit by--than some clever cracker doing bad things."