Linux.com

Feature: Open Source

Refuting the FUD at DevX.com

By Joe Barr on February 12, 2004 (8:00:00 AM)


A. Russell Jones, the executive editor at DevX.com, has written and published one of the most egregious examples of anti-open source FUD I've seen in a long time. FUD, by the way, stands for "Fear, Uncertainty, and Doubt." FUD was invented by IBM during the bad old days, but Microsoft elevated it to an art form during the days when Redmond felt threatened by OS/2. FUD is designed to raise false fears about the use of a competitive product in the minds of customers who might be considering a switch.

Jones's piece serves as an elegant example of the craft. It is glaringly, blatantly, and indisputably meant to sour his readers on free and open source software. I don't blame Jones for being alarmed by the trend away from proprietary software; after all, it puts his means of livelihood at risk. But I do take exception to his false premises and the false conclusions he reaches based on them.

Jones begins his proprietary propaganda piece with this jewel: "An old adage that governments would be well-served to heed is: 'You get what you pay for.' When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get."

NewsForge readers are not likely to be fooled by that opening. They know that the free in free software is about speech, not beer. But Jones is not writing to NewsForge readers. He is writing to developers who produce code for the monopoly platform. His false assertion that the value of free software is zero, or that based on its price, it is less valuable than the latest over-priced and over-hyped edition of Windows, is not as likely to be noticed by his target audience.

Nor are they as likely to note the falseness of his second major tenet, which he claims is responsible for open source being a "fertile ground for foul play." Jones says, "This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source."

Again, those who have even rudimentary knowledge of how open source development actually works won't be fooled by that idiocy. But will Windows developers, and their PHMs, know any better? Whether Jones glosses over the improved reliability and security inherent in the "many eyes" nature of open source on purpose or through ignorance is hard to say, but gloss and casually marginalize it he does.

Jones makes it sound as if a single developer can magically poison an open source project simply because he can see the code, and if he likes, compile it as well; just as if every change made everywhere by anyone is automatically made to the project itself.

Nowhere, for example, does he describe the attention given to contributions to the Linux kernel, attention that comes in waves: first by maintainers of the section of code in question, then by one of the small number of trusted lieutenants of Torvalds, and finally by Torvalds himself.

Nor does Jones mention the attempt made last year by a thus-far undiscovered code terrorist who tried to insert a "back door" into the Linux kernel.

If Jones were aware of that effort, it would have been a tough call for him to decide whether to include it or not. On the one hand, it would seem to lend support to his thesis, but on the other, it was the open source process itself that revealed the dastardly plot and prevented it from succeeding.

His most fanciful "scenario," one with which he hopes to paint security as a hopeless cause in the open source world, involves a situation where a "bad apple" in a government shop running Linux uses the fact that it is an open source platform to concoct a booby-trapped version of Linux and distribute it organization-wide. No, really. He wrote that. Here is the scenario in his words:

Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

The fact that a skilled developer with the necessary access could do exactly the same sort of thing in a proprietary shop seems to have escaped Jones completely.

On the Windows platform in particular, it isn't even necessary to be an insider with the necessary permissions in order to insert a back door or create trojan systems. Just ask the Cult of the Dead Cow. They've been putting backdoors in Windows for years. It's not hard at all to argue that the spectre Jones is trying to sell here is more likely in a proprietary world than in the world of open source.

Later in the article, Jones partially backtracks from some of his earlier assertions. He even goes so far as to admit vulnerabilities also exist in proprietary code. But his conclusion is that governments using open source to save money are making a huge mistake because doing so "will cost those same governments (and ultimately you), huge amounts of money."

Finally, Jones also suffers from bad timing. On the day his FUD piece appeared, it was announced that Microsoft had a patch for the most critical security hole in Windows of all time, and that Microsoft had known of the hole for six months without revealing it to the customers exposed by it.

As I pointed out to Jones in an email, such a thing could never happen with open source and free software, no matter how politically incorrect it might be to announce such a huge vulnerability while corporate leaders are jawboning about a new security initiative.


Comments

on Refuting the FUD at DevX.com


trusted sources

Posted by: Anonymous Coward on February 13, 2004 12:46 AM
When helping a new user don't forget to explain about getting software from trusted sources. Not only how to; but why; so they will become comfortable and understand the territory.

#

Re:trusted sources

Posted by: Anonymous Coward on February 13, 2004 09:40 AM
And that's why I'm insistent on building from sources. This is the norm on BSD. Of late, I've been using NetBSD's pkgsrc (aka "ports" on Open and FreeBSD) because it works on Solaris and Linux and MacOS X.

You type "make", it pulls down and verifies the tarball, configures, builds, installs and packages it.

Yes, I'm trusting that the md5 checksum is correct, but I'm getting that from a single source (netbsd.org) and the work is strongly peer reviewed.

Contrast this with behaviour I see in Linux users who find a cool RPM, become root and install it.

danger! danger!

#
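The fetch-and-verify step the comment above describes, as an added example that is not pkgsrc's own code: a small Python checker that compares a downloaded distfile's size and digests against a distinfo-style record before anything is extracted or built. The distinfo format here is a simplified, constructed imitation of the real one, the archive is built in memory rather than fetched, and the rule that an archive whose only recorded digest is MD5 (or SHA-1) is refused is an assumption of this example, stricter than the md5 checksum the comment mentions.

```python
"""Verify a source archive against a distinfo-style record before building it.
Added illustration; distinfo format and archive contents are constructed."""
import hashlib
import hmac
import io
import tarfile

# Digests that are collision-prone; a record must carry something stronger.
WEAK_DIGESTS = {"md5", "sha1"}


def build_sample_archive():
    """Construct a tiny gzipped tarball in memory as a stand-in for a distfile."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"all: ; echo built\n"
        info = tarfile.TarInfo("demo-1.0/Makefile")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def parse_distinfo(text):
    """Parse lines of the shape 'ALGO (file) = value' into {file: {algo: value}}.
    'Size (file) = N bytes' is kept under the key 'size'."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$"):  # skip blanks and RCS id lines
            continue
        left, sep, value = line.partition(" = ")
        if not sep:
            continue
        algo, _, rest = left.partition(" (")
        name = rest.rstrip(")")
        records.setdefault(name, {})[algo.lower()] = value.strip()
    return records


def verify_distfile(name, data, records):
    """Return (ok, reason). Refuse unknown files, size mismatches, records with
    no digest or only weak digests, and any digest that does not match."""
    rec = records.get(name)
    if rec is None:
        return False, "no distinfo record for %s" % name
    if "size" in rec:
        expected_size = int(rec["size"].split()[0])
        if expected_size != len(data):
            return False, "size mismatch"
    digests = {a: v for a, v in rec.items() if a != "size"}
    if not digests:
        return False, "no digest recorded"
    if not (set(digests) - WEAK_DIGESTS):
        return False, "only weak digests recorded"
    for algo, expected in digests.items():
        actual = hashlib.new(algo, data).hexdigest()
        # constant-time compare, so a wrong digest is not leaked byte by byte
        if not hmac.compare_digest(actual, expected):
            return False, "%s mismatch" % algo
    return True, "ok"


def demo():
    """Run the checker over a good archive, a tampered copy, an unlisted file
    and a record that carries only an MD5 digest."""
    data = build_sample_archive()
    distinfo = (
        "SHA256 (demo-1.0.tar.gz) = %s\n" % hashlib.sha256(data).hexdigest()
        + "Size (demo-1.0.tar.gz) = %d bytes\n" % len(data)
    )
    records = parse_distinfo(distinfo)
    # Same length as the original, one bit flipped in the last byte.
    tampered = data[:-1] + bytes([data[-1] ^ 0x01])
    md5_only = parse_distinfo(
        "MD5 (demo-1.0.tar.gz) = %s\n" % hashlib.md5(data).hexdigest()
    )
    return {
        "good": verify_distfile("demo-1.0.tar.gz", data, records),
        "tampered": verify_distfile("demo-1.0.tar.gz", tampered, records),
        "unknown": verify_distfile("other-2.0.tar.gz", data, records),
        "md5_only": verify_distfile("demo-1.0.tar.gz", data, md5_only),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-9s %s" % (case, result))
```

The point the comment makes still holds for this checker: the record it compares against is only as trustworthy as the place it was fetched from, so keep the distinfo in the reviewed tree rather than next to the download.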

Re:trusted sources

Posted by: Curtman on February 14, 2004 04:07 AM
> Contrast this with behaviour I see in Linux users who find a cool RPM, become root and install it.

Check out Gentoo some time. Its system is based on the BSD ports system, except portage allows you to set flags that determine what should be --enable'd, and --disable'd during the configure script. I use a mix of Gentoo and Debian; Debian (and for that matter RPM distros too) are just as capable of fetching source and compiling it for you. BSD may have pioneered the idea, but I've used both, and I feel Linux has improved on the concept. Granted I never used BSD enough to feel really comfortable there, so I may be way off base.

#

Did you get a reply?

Posted by: Anonymous Coward on February 13, 2004 02:03 AM
Did Mr. Jones reply to your e-mail?

#

Re:Did you get a reply?

Posted by: Joe Barr on February 13, 2004 02:45 AM

We exchanged several emails, but I don't believe he ever replied to the one mentioned in the story.

#

Check out this rebuttal to the article.

Posted by: Anonymous Coward on February 13, 2004 12:04 PM
It's written by one of the author's co-workers. Find it at:

http://www.devx.com/opensource/Article/20135

It's a fine response to the inane ideas presented in the original article.

#

DevX accepts rebuttals

Posted by: Anonymous Coward on February 13, 2004 02:07 AM
The DevX website will accept rebuttals. Besides sending the author an email, I hope you submit your commentary to DevX as well.

#

keep it coming

Posted by: DCallaghan on February 13, 2004 02:27 AM
I'm not sure if the FUD machine is getting worse or if I'm getting better, but knocking down these "arguments" has moved from shooting fish in a barrel to shooting fish duct-taped to the barrel of the gun.

Since all the errors and their responses are so obvious on their face, I won't waste any time. However, it's nice to go to the security source he references and compare, say, Windows 2000 Professional versus RedHat 9. Substitute any distro, it doesn't matter. Windows has 51, RH has 83. But the RH listing includes applications as well as the kernel!

#

Re:keep it coming

Posted by: Anonymous Coward on February 13, 2004 03:25 AM
To be fair, Windows 2000 server is the equivalent of Linux, some of the basic network clients, the X Window system, Mozilla and GnomeMeeting, and either GNOME or KDE. Windows treats much of what Unix calls applications as part of the operating system, or at least, 90% of what Unix calls applications. The other 10% or so of most applications is separate code.

This points out one of the fallacies of trying to compare security reports for Unix and Windows. It's like comparing apples and, oh, I dunno, marmots. Their architectures are so different that direct comparison isn't possible, even if you take into account that each OS has a different philosophy about issuing security updates, and different philosophies about trying to find them in the first place.

#

Re:keep it coming

Posted by: Anonymous Coward on February 13, 2004 06:02 AM
The fairest way to compare a typical Windows Desktop to a typical Linux distro (Red Hat or Debian for example) would be to add up all the bugs found in Windows, Office, Winzip (and other Small Utilities) and Exchange (well almost), oh and probably most of Visual Studio as well.

#

Is it April Fools Day Already?

Posted by: Anonymous Coward on February 13, 2004 03:24 AM
Does anyone else see the incredible irony here?

Here we are in the midst of YET ANOTHER MICROSOFT-BASED WORM/VIRUS OUTBREAK. Here we are dealing with massive amounts of extra network traffic generated by YET ANOTHER MICROSOFT-BASED VIRUS/WORM OUTBREAK. Here we are running around frantically trying to patch machines as quickly as possible because of YET ANOTHER MICROSOFT-BASED "CRITICAL VULNERABILITY". Here we are scanning through tens of thousands of extra entries in our IDS logs because of YET ANOTHER MICROSOFT-BASED VIRUS/WORM OUTBREAK.

I find it amusing that the article begins with the "You get what you pay for" argument. Does that mean that companies and individuals the world over who have been appropriately indoctrinated into the "Windows War Machine" are somehow getting an extra benefit by running Microsoft operating systems and being exposed to security risks? Instead of running Linux, I guess I should rush right out to my local store, drop $300 for Windows XP Pro, and install it so that I, too, can reap the rewards of paying for and using software that costs me money! Maybe, if I'm REALLY lucky, my machine can become another zombie for generating tons of spam!

By all means, Mr. Jones, please outline all the risks we're exposing ourselves to by not using Microsoft's products!

#

Re:Is it April Fools Day Already?

Posted by: br3n on February 14, 2004 12:30 AM
How about the 7, or was it 10, security flaws announced this week?
2 were at least 6 months old, weren't they? Doesn't that really make you feel all safe and secure?
Several were critical; 2 were back door type flaws.
I think I must be really more ignorant of technology than I thought I was. Everyone ought to be running from M$ if we follow the reasoning?

#

Stupid is as stupid says

Posted by: Anonymous Coward on February 13, 2004 04:08 AM
After reading this I will be looking for Mr. Jones in a future Darwin Award. In the meantime maybe he should pick up some more not clever cliches.. like with MS-Windows you "pay for what you get" in money, security patches, viruses out the wazoo etc..

After he achieves his Darwin award, maybe Jones will be reincarnated as a Windows server or workstation full of viruses.. his Workstation network name will be Zombot or maybe Zombo.. yes I can see it now..

#

I agree with the Article at DevX

Posted by: Anonymous Coward on February 13, 2004 05:02 AM
He brought up many good points; what I read here was just zealotrous nonsense that Warthawg usually prints. Oh well, what can I expect from a "closed minded" website.

#

Re:I agree with the Article at DevX

Posted by: Anonymous Coward on February 13, 2004 05:14 AM
Is zealotrous a real word, other than the fact it can be printed?

#

Re:I agree with the Article at DevX

Posted by: Anonymous Coward on February 13, 2004 06:12 AM
"Zealotrous"? You forgot to call it "socialist" and "cancerous". If you're just going to indulge in name-calling, at least remember to use all the macros.

#

Re:I agree with the Article at DevX

Posted by: madchris on February 13, 2004 06:13 AM
If you don't like it here, go away.

#

Re:I agree with the Article at DevX

Posted by: Joe Barr on February 13, 2004 06:22 AM

Thanks for your input! :)

(seriously, it lets me know the article hit the bullseye)

#

Good Points?

Posted by: Charles Tryon on February 13, 2004 07:18 AM
> He brought up many good points...

Please cite examples, and provide evidence (e.g., real world examples) for how they are "good points."

(Or, are you just trolling?)

#

Re:Good Points?

Posted by: Anonymous Coward on February 13, 2004 03:56 PM
trolling?

the answer is obvious...

#

Not open != M$

Posted by: andrecaldas on February 14, 2004 08:28 AM
Dear friend,

I guess you just don't understand what it is all about... maybe you should read more, and think more using YOUR head.

Do you really understand what Joe Barr says in his article? I think you are missing the point... maybe you are not being "open minded" enough. I will give you some tips, OK.

1. Governments as well as other institutions make contracts with other companies in order to have software tailor-made for them. I AM NOT TALKING ABOUT MICROSOFT!! I myself work for a small company that makes software for the government. What protects the government against me?

2. ANYONE CAN MAKE SOFTWARE. We are talking about changing existing software as if Windows and Linux were the only pieces of software on earth. ANYONE CAN MAKE MALICIOUS SOFTWARE. But this doesn't imply this program will be executed on your computer!! (unless you use Outlook Express, or IE)

3. Projects have administrators. Anyone can download an Open Source project and change THEIR OWN VERSION. But this doesn't change the original "official" version.

4. Suppose I make malicious software and try to run it on a Linux machine... My program would be "bound" by "privilege restrictions". That is not really true for Windows... A hacker doesn't even need to change anything on Windows to execute programs with arbitrary privileges!

5. Even if you run Windows, this is not the only software being executed on your system! You have many applications inside your computer. Somehow I feel you see "closed programs" as immutable because you believe they all come from God (Bill).

6. Why don't you read the article once more?

It seems that in order to "poison" some institution's program, one would need to be already inside it and have the proper power! What is the role played by the open source then?

If I am developing a piece of software for some organization, then the software is OPEN TO ME and CLOSED TO THE ORGANIZATION (as well as to the rest of the world).

Please, when you read some article, don't just skip the part you don't understand. Ask yourself: "What does the author mean with..."

#

You know, it is true.

Posted by: Anonymous Coward on February 13, 2004 06:10 AM
It is generally true that you get what you pay for. Remember when Munich chose Linux over Windows, even though Linux solution was more expensive?

This boob must think that a government will trust its infrastructure to some 13yr old kid's homegrown distro that they downloaded for free off the 'net. Give me a break.

You do get what you pay for - and sometimes you get MORE than what you pay for.

#

Re:You know, it is true.

Posted by: Anonymous Coward on February 13, 2004 06:25 AM
True. Unfortunately, as Microsoft so often reminds us, money's not the only form of "payment". Labor costs, for maintenance and accounting, are also part of what you pay for software. Typically, at least where I work, these expenses generally dwarf both the software and hardware costs nowadays. BTW, we use a lot of Microsoft software where I work.

The real value of software is the investment in time and money put into making it work, both on the part of those who write and release it, and those who have to make it work in their environments. Sometimes that's represented by a sale price and a service cost, but usually it's represented in payroll. That's something that any "analyst" in this industry should know without being told. That's why I find that particular argument so foolish. Even in plain economics terms, it makes little sense.

#

What about Windows 2000/NT then?

Posted by: Anonymous Coward on February 13, 2004 09:02 AM
With the source code of Windows 2000/NT leaked (http://slashdot.org/articles/04/02/12/2114228.shtml?tid=109&tid=187), does that make Mr. Jones' comments valid for these operating systems too?

#

Re:What about Windows 2000/NT then?

Posted by: Anonymous Coward on February 17, 2004 02:32 AM
Only if it lets Microsoft's million dollar clients fix the holes in MS's software and submit patches to be approved and distributed in a timely manner (for all their other customers, too).

Then it would be just as vulnerable to attack.

Hold on a second...

#

I think they want hits

Posted by: Anonymous Coward on February 13, 2004 03:35 PM
Printing FUD based articles on OSS development is the best way to get large number of eyeballs. Even if 1% of this traffic registered at the site, I am sure they will be seeing the largest number of signups in a day. No wonder these people "carry" such articles..

#

Re:I think they want hits

Posted by: Anonymous Coward on February 13, 2004 09:02 PM
I agree. I think it's a troll for readership and it worked - I haven't been to the DevX site in a long time. After reading the so-wrong-as-to-be-almost-funny article, I looked on the DevX homepage to see such articles as "Building RAD Forms and Menus in Mozilla" and "Armoring Apache HTTP Server with SSL" - I think they knew the FOSS people were coming.

#

Get what you pay for. A possible rebuttal

Posted by: Anonymous Coward on February 16, 2004 08:02 PM
When faced with the "you get what you pay for" argument, I always compare it with the next upgrade for Windows/Office:

"Assume you have a company running on Windows 2000 Pro and Office 97.

Determine the price for upgrading that to XP-pro + Office 2003, and try to justify spending that money.

IOW who is the vendor where you don't get anything for what you pay for? (in the case of XP: an integrated winzip?)

Even if you think Windows NT is a solid base (and a case can certainly be made both in favour of and against that), most companies have already paid for NT two or three times, probably even more for Office.

And Microsoft will make you pay it another time, don't worry.

#
