RISK PERCEPTION AND TRUSTED COMPUTER SYSTEMS: IS OPEN SOURCE SOFTWARE REALLY MORE SECURE THAN PROPRIETARY SOFTWARE?

TABLE OF CONTENTS

CHAPTER 1: A HISTORY OF THE OPEN SOURCE MOVEMENT, p. 1
  A MIGHTY WIND, p. 1
  FREE (AS IN SPEECH) SOFTWARE, p. 1
  BETTER MARKETING MEANS BETTER SOFTWARE, p. 5
  THE GREAT SUCCESS STORIES, p. 7
  A NEW, SOMETIMES SCARY, WAY OF LIVING, p. 9
CHAPTER 2: BACKGROUND AND DEFINITIONS, p. 12
  DEFINITIONS, p. 14
CHAPTER 3: LITERATURE REVIEW, WHAT MAKES SECURE SYSTEMS, p. 16
  A WORKING DEFINITION, p. 16
  WHAT DO USERS WANT FROM A SECURE SYSTEM?, p. 21
CHAPTER 4: THEORETICAL ARGUMENTS FOR OPEN SOURCE, p. 27
  WOULD BETTER SOFTWARE TESTING HELP?, p. 33
CHAPTER 5: COULD MAKING CODE AVAILABLE HARM SECURITY?, p. 40
  WHAT THE DATA SHOW, p. 43
CHAPTER 6: EXPERIENTIAL ARGUMENTS, p. 52
  MARKET FORCES, p. 52
  GOT ROOT?, p. 56
  PERCEPTION OF RISK, p. 58
  AFFECT, PERCEIVED RISK, AND PERCEIVED REWARD, p. 62
CHAPTER 7: CONCLUSION, p. 65
REFERENCES, p. 69

Is Open Source Trustworthy iii
