Whitehouse Drupal and The Open Source Security Model
Update: Apparently people don’t understand the difference between COTS and Bespoke proprietary. Commercial Off the Shelf is no better than open source for this argument, but I’m not talking about that. I’m talking about proprietary software that is only available to the Whitehouse staff and they are the only ones with access to source. Hopefully that clears up people’s ire.
Have you heard the news? The Whitehouse has decided to go open source. They have decided to switch from their own proprietary in-house CMS system to Drupal. You heard me right, Drupal. The same Drupal with 12 pages of vulnerabilities at OSVDB since its inception. I’m sure this made the Open Source community jump for joy, but I see this as a big mistake if you take it on face value and I’ll get back to that in a minute.
According to Dries Buytaert, “…this is a clear sign that governments realize that Open Source does not pose additional risks compared to proprietary software…” This is a complete fallacy. More than that, it’s dangerous that non-security people are touting their knowledge of security as if it’s fact. Look, if you were talking about vulnerabilities per line of code or something, I may get on board with that statement, but that’s just not how the real world works. There is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov. Further, if I’m a foreign government I can hire a small army of pen-testers for pennies on the dollar who can try every single attack known to man against every known Drupal configuration without setting off a single IDS alert at the Whitehouse SOC.
Now, like I said, I see this as a huge mistake, but only if you take it on face value - that means that if the Whitehouse is installing the same Drupal install that you yourself could download and run on your own machine with no tweaks or changes whatsoever, then yes, that’s just foolish. But there’s almost no way that’s true. Like ha.ckers.org they most likely chopped it up, removed all the unnecessary functionality, stripped it down to bare bones, locked the server up so tight it would be impossible to even upgrade it without an act of Congress and on and on… And if you think they’re going to blindly upgrade with every new update that Drupal.org puts out - well I have an EV cert I’d like to sell you. And how is a locked down highly customized variant of Drupal different than a proprietary solution? So don’t jump for joy too quickly, this is either a marketing ploy or it’s going to end badly for National Security. Either way.



October 25th, 2009 at 3:12 pm
I agree this is a marketing ploy. I think it’s a response to the latest talk that the administration should encourage open source adoption.
And I doubt this is such a big risk to US national security even if they are not using a stripped down version like you said.
October 25th, 2009 at 3:44 pm
I clicked on the white house link. If they check referrers at all, they might stumble upon this article.
October 25th, 2009 at 5:00 pm
You claim that “there is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov.”
However, of course this is the case for commercial off-the-shelf (COTS) proprietary systems as well; it is not restricted just to open-source systems: all I need to do is buy the product and I can test it all day. It is only custom-written applications using no visible off-the-shelf components (whether proprietary or open-source) that do not have this property.
Please consider being more careful in your claims in the future.
October 25th, 2009 at 7:22 pm
say wa?
>There is one very massive difference between open source and proprietary coded applications. I can pen-test Drupal all day long without sending a single packet to Whitehouse.gov.
Exactly the same thing can be done with proprietary applications, if you consider source code analysis a valuable attack vector then you have a point, however your blog as written is rubbish because I can download any closed CMS and “hire a small army of pen-testers for pennies on the dollar who can try every single attack known to man against every known closed CMS configuration without setting off a single IDS alert at the Whitehouse SOC”
The only way to stop somebody being able to test against your solution is
1) Not tell anybody what you are running and hide it well (also known as security through obscurity)
2) Roll your own, in this case you are trading a known tested code base, for an untested unknown one (also known as being retarded)
>or it’s going to end badly for National Security.
It is only a website, how long do you think a successful attack will last 5 maybe 10 minutes before they fix it, snapshots are a bitch.
October 25th, 2009 at 10:16 pm
If you’re a foreign government you wouldn’t be wasting time to crack Whitehouse.gov It’s not like Kim Jong-Il is going to be all like “Haha, here’s a new post, ‘US Finally Gives in to NK Superiority’”
In fact, ha.ckers is probably much more likely to get hacked.
If you’re going to deface the President you’re much better off selling a joker picture to Time.
Seriously, come up with some way that Whitehouse.gov is related to national security.
October 25th, 2009 at 10:17 pm
“How is a locked down highly customized variant of Drupal different than a proprietary solution?” - it starts out working, and gets better. A proprietary thing starts out as nothing, and needs to be built up from scratch.
I’m curious what you think the National Security implications of the white house website CMS are.
October 25th, 2009 at 10:25 pm
Why don’t you pentest Drupal and find some vulnerabilities instead of writing worthless articles like this one? That would help somebody.
October 26th, 2009 at 5:26 am
If we’re nitpicking assumptions… let’s not immediately assume that whitehouse.gov contains any information of National Security-importance. It is a public information portal after all. (If classified information is stored on those servers, the administration has bigger issues than whether they are using stock Drupal or highly customized/secure Drupal!)
Notwithstanding the above, your other points are quite valid!
October 26th, 2009 at 6:03 am
I was having a similar debate last weekend with some-one in the medical sector on the software procurement side of things who strongly favors open source. I ultimately found myself back at the security by obscurity debate. No-one can deny that finding vulnerabilities in any application is made 10 times easier when you have the source of that application available (even if the target doesn’t exactly match the source code you have), and no pre-deployment pen testing can ever be perfect. Obscurity should never be relied on for security, but it does add an extra layer of difficulty. Perhaps slowing down the opposition enough for you to keep 1 step ahead… mostly.
I think your pennies a day pen testers argument holds a lot of water. That the whole thing can happen without the white house knowing makes things worse.
October 26th, 2009 at 6:45 am
What closed source company are you working for?
The future will prove that you were so wrong when writing this piece of “security” content!
October 26th, 2009 at 6:51 am
@All - I didn’t say closed source. Stop reading into this. I said open sourced versus PROPRIETARY - meaning they are the only ones with access to source. I make no claims about open source versus COTS (and in fact agree with all of you on that point). The Whitehouse CMS was not COTS though so that’s a non sequitur.
Also, yes, it’s unlikely that the Whitehouse stores any sensitive information on the Whitehouse.com website, but the users of it are still critical to protect from malware or tracking, so I would argue it’s still extremely dangerous to allow that site to be hacked into.
October 26th, 2009 at 7:13 am
This reads as an attempt to trumpet security through obscurity. I understand you can have that as one of your layers of security, but to complain that open source software is inherently insecure because it isn’t obscure is wrong.
October 26th, 2009 at 7:17 am
@Brian - obscurity as a philosophy is bad, clearly, but in reality it works as long as you’re the only one who knows. Give me obscure over totally insecure any day.
October 26th, 2009 at 11:10 am
The term “proprietary software” is usually used to mean the opposite of “free software” / “open-source software”. Windows is an example of proprietary software in this sense.
The notion you’re looking for is something like “custom”, “bespoke”, or “in-house” software. Your original post was not at all clear that this was what you meant, and in retrospect you seem to be conflating a number of different issues:
source-available vs. secret-source: May the customer (or others) read and use the source code?
free/open-source vs. proprietary: May the customer copy and share the software legally? Is it developed in a public process? (Note: Open-source implies source-available, but not vice versa.)
off-the-shelf vs. custom-written: Is there more than one customer using the same software? Is it a standard package anyone can download or buy?
Since people have made well-known arguments about how all three of these issues affect security, it’s important to be clear what sort of argument you are making.
October 26th, 2009 at 11:13 am
@Frater - I concur - I wasn’t at all clear. Bespoke is a better word for what I was describing. That’s the trouble with the written word + my brain on a weekend - those two things in combination just don’t work that well for conveying thoughts.
October 26th, 2009 at 2:00 pm
utter bollocks - which is the most hacked operating system in history, and has the most viruses.
ERRR.. CLOSED SOURCE Windows.
just because something is closed doesn’t stop hack attacks.
October 26th, 2009 at 2:03 pm
and in any case, you have absolutely ZERO idea on how this whitehouse drupal installation is configured.
i would have no doubt - because Dries is involved - that the front end is actually nothing more than caching servers, with the backend ACTUAL Drupal install completely firewalled and utterly inaccessible to the public.
i’m only guessing here - but considering the importance of the site, and Dries’ reputation, i would hazard a guess that when you hit whitehouse.gov you aren’t hitting an actual Drupal install. you’re hitting a clever caching server mechanism.
October 26th, 2009 at 2:16 pm
@zmx, FYI, rsnake did find sec vulns in Drupal.
October 26th, 2009 at 4:04 pm
@threequarks - Right, which is why I said you can’t take that statement on face value. Furthermore, why would Boeing need to be involved to install Drupal? Can’t a 13 year old kid do it? You and I are actually in agreement about that. And to re-iterate because I think you missed the rest of the conversation I was talking about bespoke applications not closed source.
October 26th, 2009 at 5:50 pm
The White House web site has run off of Akamai for years. You are unlikely to ever get anywhere near a hackable Drupal installation.
October 26th, 2009 at 7:06 pm
Michal Migurski Says:
October 25th, 2009 at 10:17 pm
“Seriously, come up with some way that Whitehouse.gov is related to national security.”
You telling me that people don’t see whitehouse.gov as a method of communication from the government?
October 27th, 2009 at 8:23 am
New EV cert!! Awesome!!! Will it make the title-bar morph from green to blue??
Unfortunately, I only have $200,000 to spend on a new ev cert before the end of the year. Is that enough?
October 27th, 2009 at 8:25 am
@Spider - all that and more! For a limited time offer, I’ll throw in a self signed root cert that you can put in your browser too! $200,000 is fine, you can pay me the rest next year.
October 29th, 2009 at 3:57 am
Starting the security by obscurity debate again and again and again doesn’t bring new value to it.
The gov site clearly is no normal Drupal site and it seems pretty obvious that Drupal is not serving the actual pages - Other big sites have done the same thing before. - You can’t access the normal Drupal user pages for example.
While they may have changed core I don’t think they actually have changed a lot, why should they have? It is way more simple to deny all direct access and only serve the pages that are supposed to be visible to the public.
So what they get is a highly flexible system with tons of features, which is upgradable without too much headache and highly secure because it is locked away from public.
If you are actually proposing to hack Drupal core to improve security and see security fixes (of third party modules) as a bad sign you probably haven’t understood a lot about how security works in the open source world.
October 29th, 2009 at 6:03 am
@threequarks: Dear God… there are still some people out there that really think that Windows is less secure than open-source OS’s??? First of all, I am clarifying that I am a UNIX user mostly (Solaris, BSD) and a Windows user at home. Of course my friend there are more vulnerabilities discovered and more malware against windows… windows runs on 90% of machines worldwide nowadays…. Would you prefer to write an exploit against the 10% or the 90%?
I really cannot stand these stupid statements anymore… some open source guys manage to get closed-minded sometimes…!!!!
RSnake’s article makes sense and I agree with most of the stuff. My only objection is the criticality of the Server content. It will be bullshit dude… The latest President’s quotes, places and visits etc…. no National Security issues anywhere.
October 29th, 2009 at 11:28 am
@s.Daniel - right, which is why I said that it’s not a standard install. You and I agree. I’m not saying they necessarily changed a line of code, but they certainly aren’t using it like a normal user would - making it almost not Drupal at all. Incidentally I found a funny book (randomly searching for something else today, that is really apropos). http://www.amazon.com/Cracking-Drupal-Bucket-Greg-Knaddison/dp/0470429038/ref=sr_1_10?ie=UTF8&s=books&qid=1256840509&sr=8-10
@JollyJokker - Again, I am sure people visiting the site could be subverted. National security by way of hacking the people who visit - not necessarily because the content itself is critical (although as others have mentioned that might incite people to take action where they wouldn’t otherwise).
October 29th, 2009 at 4:14 pm
As every security officer knows, security is not merely implemented inside an application like Drupal, the real protection is embedded in system components.
October 30th, 2009 at 10:35 am
Interesting… so why is your site using Wordpress when you are telling everyone Open Source should not be used.
Sure, this site isn’t as important as the Whitehouse website is but since you are so concerned about security (which everyone should be), why choose Wordpress especially because it has been known for numerous exploits?
Don’t you want to build your own bespoke CMS? I guess not, since you’ll be the only one that needs to fix the security issues as opposed to 1000s of developers working together in a community (which equates having it fixed quicker and at times someone else fixed it for you).
October 30th, 2009 at 2:40 pm
@WPuser - where you got that I said “Open Source should not be used” I’ll never know. Please re-read the post. I didn’t choose WordPress. I chose a codebase which I modified to be wildly different from any other WordPress install out there. That was the point of the post. It’s NOT WordPress and that is why it’s less insecure, as WhiteHouse is not just Drupal. It’s Drupal++ and therefore it’s not a win for the Open Source community necessarily because who knows what they did to it. Make sense?
October 31st, 2009 at 12:03 am
@Mattcorp
I agree. It’s possible some people might want to get information from the government itself rather than regurgitated from CNBC/FOX/CNN/etc. Information is a big weapon, do not mistake the power of information…pump & dump stock schemes anyone?
Now, I was having a similar discussion (in regards to Joomla!) with a developer who could not convince a client to use it because they thought it had a bad security reputation. The big issue as I pointed out in the conversation is not necessarily the core, it’s the third party applications/extensions. Drupal itself may be secure; the web admin may update that. Will the NSA pentest and review every third party application? Who will decide what gets included or not?
On the other hand, if you remove dynamic content completely you might have a much lower risk. It seemed that @s.Daniel was implying locking down the pages. Perhaps they only export a static version of the Drupal site as a snapshot in time?
What would be nice, for all those going back and forth about Open Source, would be this. Our fancy government security experts will lock down and improve Drupal, and then, dig this, give the security fixes back to the community. Then again, wouldn’t it be a great investment by the US government to break the crap out of Drupal, get other countries to use it, then gain secret intelligence from their Drupal installations, exposed passwords, etc. At any rate I’m sure that Veterans Affairs will eventually go Drupal too, and miraculously have another data breach…poor Drupal, will it be able to handle the publicity?
My guess is like everything, it’s coming down to costs. The government used to use its own proprietary operating systems. Now they just have locked down builds of Windows. It’s cheaper to maintain, and it’s cheaper/easier to hire people to work with and configure the technology. I don’t think there is much publicity benefit for the government to tell everyone they have gone open source…
November 12th, 2009 at 8:20 pm
i was like wtf oh they are going to use drupal? that just doesn’t seem smart…
lolz i would have gone with wordpress
November 27th, 2009 at 4:02 am
This post is pointless.
Every claim you make is circumlocution. You talk about how vulnerable Drupal is….then bitch because the Whitehouse.gov site has taken steps to make sure that it’s not an out-of-the-box Drupal site with the built in vulnerabilities that you FALSELY claim exist on the OSVDB site.
For the record the OSVDB site comprises mostly holes in MODULES…not Drupal Core.
The POWER of Drupal is that it IS customizable. Any and every page can be locked down, omitted, redirected, or placed BEHIND a firewall so that it can only be gotten to via a local IP addressing scheme using the built-ins that are available within Apache…or whatever Webserver you are using. Drupal is designed to be able to do this.
It’s still Open-Source.
Modifying it, (which is why the API is made available openly, as in the words Open-Source) still means it’s BASED on Open-Source….which means. It’s Open-Sourced software.
No matter how you slice it, it’s a WIN for the Drupal Community.
November 27th, 2009 at 7:43 pm
@David - My main point is that it’s not open source if they modify it. It’s closed source. They may have started with something that was open source, but once they turn it into static HTML and rip out all the innards, and reduce it to nothing but a static system sitting on Akamai, it doesn’t matter if it’s open or closed source. It’s not a win for Drupal or the open source community. It’s a false sense of reality that too many people will take on face value - that it’s the same install that they can get and utilize themselves. I didn’t falsely claim that Drupal had vulns, just like I don’t falsely claim that its modules are secure. I pointed to OSVDB as a barometer to the coding practices of its development community - which is, unfortunately, appalling. I used to be a huge fan of open source, but after having been burned by so much of it, I just can’t stand when people try to swing around marketing fluff like the fact that the Whitehouse is using it. The Whitehouse is using no such thing in any meaningful way from a security perspective. They’re using a CDN.
Now there may be some small win for the Drupal community, but it’s not because of any reality - it’s because the Drupal fanboys can drum their chests and point to it. Just like the Wordpress team can tout the Web Application Security Lab as using their product. In the exact same way that I am not using Wordpress the Whitehouse isn’t using Drupal. So sure, you can convince the newbs that it’s the same thing, but unfortunately, it’s not.