October 12, 2024

Open source should prove bulletproof

This archived article was written by: Erik Falor

“Do you pine for the nice days of minix-1.1[sic], when men were men and wrote their own device drivers? Are you without a nice project and just dying to cut your teeth on a OS you can try to modify for your needs? Are you finding it frustrating when everything works on minix? No more all-nighters to get a nifty program working? Then this post might be just for you :-)”
This Usenet post by Linus Torvalds marked the birth of the Linux Operating System. From its humble beginnings in a college dormitory in Helsinki, Finland, it has grown into an enormous project actively involving millions of hackers around the world. It has exceeded many expectations and inspires the minds of hackers the world over.
Today, the little operating system that could, stands at the crossroads of its existence. It is on the verge of becoming the much-awaited rival to Microsoft, poised to unseat Bill Gates from his throne of unholy dominion.
What is the reason for this upstart’s increasing popularity? The answer to this question, and a host of others, is open source software. Open source means that the original code that make up a program is distributed across the internet, free for anybody to download, modify and repost.
There is tension between the OSS camp and the traditional, corporate closed-source faction. Opinions run deep, especially when there is so much money at stake. So far, only a handful of open-source companies have been able to turn a profit without resorting to suing their potential customers. Almost every aspect of software development is regarded by both camps as being best met through their own methods.
Depending on whom you ask, OSS is the ultimate solution for computer security, or the quickest way to put a system at risk. In light of recent events involving private Microsoft source code, we may find out for sure how important secrecy is to computer security.
Microsoft buys into the “security through obscurity” paradigm. Many software companies ensure the security of their products by not revealing the source code that can point straight to an Achille’s tendon. Their greatest fear is that the source code will be read by crackers, reverse-engineers and script kiddies.
Early last week, large portions of Windows 2000 and Windows NT Server source code began showing up on peer-to-peer networks in the form of giant archives. In all, over 500 megabytes of copyrighted source code were posted between the two archives. The situation is being investigated by the FBI, who has authority to enforce copyright laws.
Microsoft and the computer security industry are checking this code closely to anticipate where crackers are likely to strike. If there are flaws that have not yet been repaired, crackers can write programs designed to exploit the weaknesses.
If we see an increase in computer viruses in the coming weeks, that will prove that security through obscurity works, and these flaws would never have been found if the source code was not leaked.
Virus writers are generally able to find and exploit weaknesses in software without the benefit of source code. There is a possibility that whatever flaws are evident in this outdated source code have already been discovered by crackers, and repaired by Microsoft. If that is the case, and crackers are not able to make use of this source code, it will show that as far as security is concerned, obscurity holds no advantage over open source development.
Whatever outcome occurs, there will still be plenty of ground for both sides to continue their debates. Many other benefits of open source software abound. For example, there are no trade secrets amongst open source developers.
In the spirit of scientific progress, developer’s discoveries are shared with the world. Much of the innovative computer technology that our information society so heavily depends upon was originally developed this way. Innovations including the internet and the world wide web, e-mail, P2P file sharing and many more. Those technologies were not originally developed as part of the dot-com boom, and were not designed with money in mind.
In contrast, pop-up ads, spam and flashing banner ads are the result of capitalistically motivated software developers. That alone is an ugly smudge on proprietary software development. Open source development is the antithesis to conventional software developers who frequently withhold technology in order to force their clients to purchase superfluous software upgrades. The un-competitive nature of OSS encourages developers to code for coding’s sake.
Because of that, open source software is incrementally upgraded over the course of time. This gradual evolution is the consequence of hundreds of programmers around the world who are familiar with the inner workings of the software, and who freely contribute their expertise and time to improve upon it.
Instead of waiting for Microsoft to get around to releasing a service pack, open source users can find weekly and daily patches to their most crucial programs. At any given time, there are several hackers working to offer their unique solution to the problem. This results in remarkable turnaround times from when a bug is first discovered to when a solution is made available.
Often times a patch is available the next day after a flaw is found in a piece of software. That kind of response time is unheard of in the proprietary software industry. Even a casual perusal of the news turns up a number of articles outlining gaping holes in security software and operating systems. Microsoft now has the practice of releasing security patches once a month. These are flaws that nobody outside of Redmond should know about, mind you.
Even that frequency can leave users exposed. Development time, coupled with the time needed to test software updates can force users to wait over a month before a flaw in their system is repaired. And the very act of announcing a security update tells everyone exactly where backdoors lie. This causes exploitative programs to proliferate in the meantime between the announcement and when end-users get around to upgrading their software.
Last year’s annoying MS-Blast worm is a prime example of Microsoft shooting themselves in the foot by trusting that their customers will immediately upgrade their copies of windows.
The author of MS-Blast was inspired by a Windows Update announcement that more or less told him exactly how to bring Windows to its knees. Because the majority of Windows users didn’t bother to install the updated software when it was announced in July, there was a rash of computers randomly shutting down by August. Obscurity only works if you don’t blow your cover.
Another factor that must be taken into consideration is how computer users feel toward their computing platform. Hackers enjoy their computer much more when it doesn’t insult their intelligence.
By writing software from the standpoint that the user doesn’t understand much about computers, Microsoft has forever turned off the technologically savvy to its user-friendly software. Microsoft also does not allow the community to become involved with the evolution of Windows. Combine that with the inclusion of spy-ware into their operating system, and you create a cadre of computer geeks who hate Windows and everything it stands for.
Hackers who don’t feel like their rights are being violated are much less likely to turn traitor and try to throw a wrench into their computer. Linux users are fiercely loyal to their operating system because they are encouraged to participate in its development.
Loyalty is especially the case with Apple users. This satisfactorily explains why of the 55,000+ known viruses, only 100 infect Linux systems, and a measly 26 thrive on Apple computers. Apple users can compound their risk, however, by using the Microsoft Office Suite. MS Office for Mac OS X plays host to over 500-macro viruses. Secrecy itself has not yet proven itself to be an effective protection against viruses. The numbers speak for themselves.
The coming weeks will tell whether open source development is the definitive solution for computer security. Should it play out in favor of OSS, it will deal another blow to Microsoft who is beginning to miss the market share that Linux is wresting away. If not, Linux will surely live another day to challenge Microsoft on another front. In the meantime, users should stay on top of software updates and be especially wary of what software they install on their computers.