As a run-of-the-mill observer of the ongoing issue of cyber-security, and more specifically open-source code security, it is interesting to notice how an initially bashed commentary and investigation from Alexis de Tocqueville Institute President Ken Brown (Opening the Open-Source Debate, 2002,
http://adti.net/ip/opensource_debate.html ) has more recently been dittoed all across the computer-world spectrum. It seems to me that Brown was well ahead of his time, as more and more inhabitants of "planet geek" are now talking the same Brown-language; or shall I say, Brown-code.
(As a former employee of AdTI and around the offices when Brown authored the white paper on open-source, I witnessed first hand the initial backlash from many in the open-source community about his report. I have moved on since (Dec. 2002), but have kept in touch with the issues surrounding open-source software, in particular the issues of security and felt the need to give credit where credit is due.)
It is understandable why so many in the computer community, mainly "open-sorcerers", frowned upon Brown's investigative and, some would say, common-sense concerns. The general conclusion from Brown was that open-source code, especially with its use in highly sensitive areas such as defense and intelligence, increases the possibility of hackers obtaining, writing or deciphering sensitive code. As Symantec's Asian Pacific Vice President, Vincent Steckler, said in a March 17, 2004 speech (a full two years after Brown's analysis), "... imagine smart hackers with [access to] source code."
In his 2002 white paper Brown noted the usefulness of open-source code in academia and in software development. Open-source advocates hardly found this flattering enough, as some went so far as to place Brown into a full-fledged conspiracy theory by saying, "There is speculation in the open source community that the report is a Microsoft-backed attempt to scare governments away from the increasing interest in open source software." So, instead of addressing the issues of the paper, many automatically looked at "why" the paper was written as opposed to "what" was actually in the paper; a common argumentative fallacy that does not address Brown's accurate and important evaluation of open-source security concerns.
Simply put, at least from this everyday observer's view, Brown's points addressing the specific security concerns were never fully addressed by "open-sorcerers" at the initial release of the AdTI study, although some tried. One specific point raised was that with open source, many users with their "many eyes" would be able to catch and therefore patch security holes, while Microsoft users, with no knowledge of the code itself, are not able to accomplish the same. While this may be a true depiction of the "many eyes", it fails to recognize a significant issue Brown raised in his 2002 study: although there are many eyes checking out the source code in open source, there can be no guarantee all the eyes are helpful eyes. There has been growing speculation that hackers have obtained source code, plugged in fallacious and/or malicious code, and have redistributed that malicious code to other open source users.
Probably the most notable quote I can give you in relation to this that I have read is from a December 2003 C/Net article where Linux's own Corey Shields admitted, "The worry is that if someone wanted to be malicious, they could change core software and users could be using corrupted packages." Now this is what I was waiting for: a Linux guy supporting Brown's thesis. It is highly encouraging that the community has recognized the issues and is combating them with great eagerness.
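The risk in the two paragraphs above, a core package changed somewhere between the project and the user and redistributed as if it were genuine, is one a downstream user can at least detect. The following is an added example written for this page, not code from the original post or from any project it mentions. It assumes a publisher that publishes SHA-256 digests of its release files through a channel separate from the mirrors that carry the files (a hypothetical arrangement used here for illustration), and the package bytes and digests are constructed.

```python
"""Verify redistributed packages against digests published out of band.

Added example, not code from the original post. Package contents and
digests below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample package as shipped by the upstream project.
ORIGINAL_PACKAGE = b"#!/bin/sh\n./configure && make\n"

# Constructed copy as redistributed by a third party, with one extra line
# injected after release: the "corrupted package" case from the quote above.
TAMPERED_PACKAGE = ORIGINAL_PACKAGE + b"# line injected after release\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the package bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Publisher side: map each release file name to its SHA-256 digest.

    In practice the project publishes this manifest (or a signature over it)
    on its own site or in a signed release announcement, separate from the
    mirrors that carry the bulk files.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


# Manifest the downstream user obtained from the project, not from the mirror
# (hypothetical out-of-band channel; constructed here from the original bytes).
MANIFEST = build_manifest({"build.sh": ORIGINAL_PACKAGE})


def verify_package(name: str, data: bytes, manifest: dict[str, str]) -> tuple[bool, str]:
    """Consumer side: check a downloaded file against the out-of-band manifest.

    Returns (ok, reason). A file absent from the manifest is reported as
    unverifiable rather than silently accepted.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, "not in manifest"
    actual = sha256_hex(data)
    # compare_digest compares in constant time regardless of where the
    # two strings first differ.
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch"
    return True, "ok"


def verify_download(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, str]:
    """Verify a whole download set; returns name -> reason for every file."""
    return {name: verify_package(name, data, manifest)[1] for name, data in files.items()}


if __name__ == "__main__":
    # The genuine file passes; the redistributed copy is flagged.
    print(verify_download({"build.sh": ORIGINAL_PACKAGE}, MANIFEST))
    print(verify_download({"build.sh": TAMPERED_PACKAGE}, MANIFEST))
```

The check is only as good as the channel the manifest came over: if the digests are fetched from the same redistributor as the files, a party that altered the package can alter the digest list to match and the comparison passes. That separation of channels is the whole point of the exercise, and it is also why the "unknown provenance" worry quoted later on this page is really a question about who vouches for the manifest.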
In addition, a recent March 17, 2005 article on silicon.com entitled "Linux, not secure enough for enterprises" (Munir Kotadia) reported that the Agility Alliance, made up of IT heavyweights, "does not consider Linux to be a suitable operating system for the largest of enterprise customers because the open source operating system has issues with security, scalability and the possibility of forking." They specifically point to the unending question of who is providing the source code. As Brown rightly stated, nobody can be sure.
Again, this Brown commentary has been echoed throughout the industry. In one instance, Executive Director for the Center for Education and Research in Information Assurance and Security, Charles J. Murray said emphatically in an article discussing national security concerns with open source technology, "But [open source] certainly has one problem, and that is that there are many elements of unknown provenance in it."
Again, is there an echo in here?
There are many examples of recent speeches given and/or articles written in which Brown's assessment of security concerns with open source software is echoed, when once it was dismissed as a political hack job. I believe that because certain United States agencies have been seriously using open source software for their own applications, the security risks have become more apparent. For one, the National Security Administration (NSA) already uses a security-enhanced version of Linux. Additionally, a March 11, 2005 Washington Post article explained how much damage could be done by hackers able to reach the control centers of America's power grid, and that attempts number in the hundreds daily. Brown, realizing this trend, wanted to shed some light on these issues for the benefit of national security in our post-9/11 world, and I applaud his efforts.
Beyond the security threats foreseen with open source are the questions of intellectual property (IP). AdTI's President Brown also shed much-needed light on this issue in terms of economics and business. Like it or not, Microsoft Corp. is an economic engine not only in the American but in the world economy. Attached to this engine, and the fuel necessary for its operation, is IP and the safeguarding of its sources and ends. One of Brown's main points was that major companies cannot be sure their employees do not contribute to the free open source network, and therefore may lose IP critical to economic growth. This point resonates with many in the investor community and is essential to understand for all of us interested in this critical market. After all, even Linux is looking for market share, aren't they?
With much excitement, I find it beneficial to all of us, and I encourage everyone, to think critically and openly about what Brown has said and is saying about open-source security and proprietary-rights concerns. The intense discussion, as I see it, is for the benefit of national security (and, for you "open-sorcerers" out there, intellectual security). It took one micro-second for Brown to be dismissed, ridiculed and ostracized; but as I have recognized through my research today, it has taken three years for his deserved vindication. Kudos.
---Keith Sheets, Jr.
Keith was employed by AdTI during the release of Brown's white paper. Keith left AdTI in December of 2002.