This lecture was given by Dr. David Mirza Ahmad, one of the chief mentors of Subgraph, an open-source security start-up based in Montreal. The talk was based on Kerckhoffs's principle, which states: “the security of any cryptographic system does not rest in its secrecy; it must be able to fall into the enemy’s hand without inconvenience”. Kerckhoffs's principle underlines the point that free software should have reasonably good security. This is well understood in the world of cryptography, because cryptography is a black box where you never know what is happening inside it.
There are a lot of security research communities across the globe, ...
• In July 1999 it became the property of SecurityFocus, and it was later acquired by Symantec in August 2002.
• The community was defiantly open and the Symantec acquisition provoked strong protective reactions.
Both hackers and security researchers have always shared their research enthusiastically. Someone comes up with a new class of attack, the exploits begin to appear, and the cycle continues.
Another notable example was the arrival of Intrusion Detection Systems (IDS) in the mid-to-late 1990s. IDS vendors were in high gear selling their products, with the pitch: buy this box and never fear the hackers again. IDS are designed to detect the signatures of the various attacks seen in the real world. But their happiness was short-lived when Tom Ptacek and Tim Newsham published a paper that broke IDS.
Open Source and Security
The researchers also write tools, often free software such as BackTrack and Helix. The world owes a great deal to grassroots open-source innovation. Several other tools were used for vulnerability assessment, such as ISS (which was eventually acquired by IBM) and SATAN, released in 1995, which performed a variety of checks although it was controversial at the time.
• Version 1 of SSH was designed and implemented as freeware in 1995.
• The job of creating a new version of SSH, OpenSSH, was taken up by OpenBSD.
• By 1999 it was no longer freeware.
• It turned out to be an enormous success when the whole world abandoned telnet, rsh and rlogin for OpenSSH.
• OpenSSH continued to innovate, adding things like privilege escalation, built-in proxies, etc.
The question in front of us is whether open source leads to better security. As of now we would say yes, but there are counterexamples to this as well:
Debian OpenSSL Fiasco
• A bug fix for a use of uninitialized data (reported by a static bug-finding tool) removed most of the entropy that was used to seed the random number generator.
• This was a devastating code fix, which meant it has the...
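To make the entropy-removal point concrete, here is an added Python model (not OpenSSL's code and not from the lecture): a toy entropy pool seeded before and after a patch that drops the mixing calls, so that only the process id still reaches the pool. The pool, the SHA-256 mixing and key-derivation stand-ins, and the 32768-value pid space are assumptions of the model, not OpenSSL internals.

```python
import hashlib
import os
import struct

# Added illustration (not OpenSSL's code or the lecture's): a toy entropy pool
# modelling the Debian patch. Names are made up; the pool, mixing and key
# derivation are SHA-256 stand-ins for OpenSSL's internal PRNG.

PID_SPACE = 32768  # assumption: the process id is the only input left

def mix_into_pool(pool: bytes, data: bytes) -> bytes:
    """Fold new input into the pool (stand-in for an entropy-add call)."""
    return hashlib.sha256(pool + data).digest()

def seed_original(pid: int, os_entropy: bytes, uninit: bytes) -> bytes:
    """Pre-patch: every available source reaches the pool."""
    pool = bytes(32)
    pool = mix_into_pool(pool, os_entropy)          # /dev/urandom input
    pool = mix_into_pool(pool, uninit)              # uninitialized buffer
    return mix_into_pool(pool, struct.pack(">I", pid))

def seed_patched(pid: int, os_entropy: bytes, uninit: bytes) -> bytes:
    """Post-patch: the mixing call flagged for reading uninitialized data
    was removed, and with it the path that carried the OS entropy too."""
    pool = bytes(32)
    # os_entropy and uninit are never mixed in; only the pid remains
    return mix_into_pool(pool, struct.pack(">I", pid))

def derive_key(pool: bytes) -> bytes:
    """Stand-in for turning the seeded pool into key material."""
    return hashlib.sha256(b"key|" + pool).digest()[:16]

def distinct_keys(seed_fn, trials: int, pid_space: int = PID_SPACE) -> int:
    """Count distinct keys over `trials` runs with fresh OS entropy and pids
    cycling through a small space: a healthy seeder yields ~trials keys, the
    patched one can never exceed pid_space."""
    seen = set()
    for i in range(trials):
        pool = seed_fn(i % pid_space, os.urandom(32), os.urandom(16))
        seen.add(derive_key(pool))
    return len(seen)

def weak_key_blacklist(pid_space: int = PID_SPACE) -> set:
    """Defender's check: enumerate every key the patched seeder can emit, so
    deployed keys can be matched against the list (as Debian's blacklist did)."""
    return {derive_key(seed_patched(pid, b"", b"")) for pid in range(pid_space)}
```

Running `distinct_keys(seed_patched, 100000)` never returns more than 32768, whatever the OS supplies, which is the whole of the fiasco in one number.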