4 min read

Linux Called "Insecure" For Defense Systems

Linux code used to control national defense systems is vulnerable to attack, according to Green Hills CEO Dan O'Dowd.
NEW YORK -- A storm has erupted in the embedded community, with real-time operating systems house Green Hills charging that Linux is fundamentally insecure and wide open to security breaches by "foreign intelligence agencies and terrorists."

The explosive charges were made in a speech delivered Thursday (April 8) at the Net-Centric Operations Industry Forum in McLean, Va., by Green Hills chief executive officer Dan O'Dowd.

"Now that foreign intelligence agencies and terrorists know that Linux is going to control our most advanced defense systems, they can use fake identities to contribute subversive software," said O'Dowd, in a copy of the remarks released by Green Hills.

"If Linux is compromised, our defenses could be disabled, spied upon or commandeered," O'Dowd continued. "Everyday new code is added to Linux in Russia, China and elsewhere throughout the world. Everyday that code is incorporated into our command, control, communications and weapons systems. This must stop."

O'Dowd laid out a scenario in which the open source development process - where thousands of programmers contribute code that's subject to public review before being folded into Linux - could be subverted via "Trojan Horses" illicitly slipped in the software.

At least one embedded expert thought O'Dowd was overstating his case. "I think it's pure FUD [fear, uncertainty and doubt]," said Rick Lehrbaum, a respected board-level-computing guru and former president of Ampro Computer and currently operator of the developer site "I think the insecurity he's concerned about is an intentional back door and this [Linux] is the most transparent operating system in existence."

Several programmers on the Linux street are also giving O'Dowd some pushback. In a reader's forum on the Web site, a developer who identified himself only as "Concerned citizen" posted a lengthy rebuttal. "[Linux] has features, security, and strengths that are not easily compromised by a foreign agency," he wrote. "Let's not forget that the terrorists that Mr. O'Dowd refers to used proprietary software for attacks on the USA. They have Windows machines and Flight Simulator, you might recall."

O'Dowd claimed the salient issue is that Linux isn't held to as a high a security standard as is the proprietary "Integrity" RTOS made by Green Hills. "If all they would do is hold Linux to the same standard they hold us to, I'd be happy," O'Dowd said told EE "At the [Federal Aviation Administration], they have received from us documentation of every single line of source code and tests of every line of code and boundary condition. It costs us $500 to $1,000 a line to review our source code. It would cost billions of dollars to review Linux."

O'Dowd's tough stance may attract attention because he is also taking an unusual public stab at a competitor - embedded Linux powerhouse MontaVista Software. "MontaVista is outsourcing their development to Russia and China. That's not wrong if you're building toaster ovens," O'Dowd said in an interview. "If you're building national security applications, that's a different story. Nobody's even checking if there's anybody putting anything [dangerous] into Linux."

In response, said MontaVista CEO Jim Ready said Linux constituted a threat to vendors of proprietary software, because of its robustness, cost-effectiveness and its security.

"Mr. O'Dowd makes the common mistake of confusing obscurity with security," said Ready. "Open Source is actually more secure than closed source proprietary software because the oversight of technology content is broader and deeper. Instead of just one company monitoring its own contributions - or potentially hiding security holes and exploits - a worldwide community of interested parties actually oversees Linux to make it strong and secure. That's why the NSA - the most security-conscious organization in the world - chose to standardize on Linux, and even supplies its own version of secure Linux."

O'Dowd's criticism of Linux isn't aimed at non-defense applications such as set-top boxes and handheld computers. "I don't mind Linux's good press," O'Dowd continued. "But the good press it's receiving for the markets where it is appropriate is spilling over into a market where's it's not appropriate." O'Dowd is no stranger to controversy in the embedded arena. Earlier this year, O'Dowd wrote an Op-Ed entitled, "The myth of the embedded Linux tools market." In a swipe at Linux, which provoked a torrent of letters to the editor, he wrote: "I have some news for these embedded Linux wannabes: There is no sustainable embedded Linux tools market."

O'Dowd's digs at Linux appear to already be having some effect. "We've had five or six people calling us up saying we were thinking of using Linux, and now they're thinking again," he said. O'Dowd mentioned that one of those potential customers was the U.S. Navy, but his public relations representative cut in and cautioned him not to talk about that any further.