Security

Is Open Source Fertile Ground for Foul Play? 723

jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
This discussion has been archived. No new comments can be posted.

  • Wow (Score:5, Funny)

    by daeley ( 126313 ) * on Thursday February 12, 2004 @05:04PM (#8261766) Homepage
    Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...
  • Ahhh.. (Score:5, Funny)

    by Jeremiah Cornelius ( 137 ) on Thursday February 12, 2004 @05:04PM (#8261768) Homepage Journal
    An article-length Troll.

    The whole thread that will light up in response to this old chestnut!

  • PLOFIT! (Score:3, Funny)

    by Anonymous Coward on Thursday February 12, 2004 @05:05PM (#8261778)
    1) Write bogus article that will enrage slashdotters. Slashdot, being knee-jerk as it is, posts it to the front page.
    2) Get a bazillion hits.
    3) PLOFIT!
  • by AtariAmarok ( 451306 ) on Thursday February 12, 2004 @05:07PM (#8261799)
    He might be right. If governments switch from Windows to open-source OS, they might open their computers to the possibility of being infected by worms, virii, and trojans.
  • by Raindance ( 680694 ) * <johnsonmx@@@gmail...com> on Thursday February 12, 2004 @05:07PM (#8261801) Homepage Journal
    Netcraft says that his server (running IIS) has only been up for 2 days.

    I wonder if he's getting what he paid for.
  • by Anonymous Coward on Thursday February 12, 2004 @05:07PM (#8261802)
    Wow, an insightful first post.
    This day will go down in history.
  • by lake2112 ( 748837 ) on Thursday February 12, 2004 @05:09PM (#8261826)
    The problem with Open Source is that there are no controls as to what someone may program. You know, I've seen WarGames; I know what a back door is. Also a question of accountability. I hate to say it but for some things I am forced to trust Microsoft, not because of the quality of the work but for the accountability that they are held to. They have to make a semi-reliable and safe system or else they go out of business. This ensures the proper cycle of software development and testing.
  • by Anonymous Coward on Thursday February 12, 2004 @05:09PM (#8261841)
    Seems like W. Russell Jones is trying to apply 1900-era economics to a collaborative, abstract, not-truly-market-driven, positive-feedback context.

    Holy crap. I thought 'no way could someone sum this up fast' but you did it in one sentence! Bravo!
  • Vulnerable? (Score:3, Funny)

    by Anonymous Coward on Thursday February 12, 2004 @05:09PM (#8261843)

    He argues that open source software, because of its very openness, will inevitably lead to security concerns.

    Well, thankfully Windows is closed-source, or else there'd be security issues wi-- oh, hang on a sec.

  • devx.com

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Thu, 12 Feb 2004 21:06:06 GMT
    X-Powered-By: ASP.NET

    In other news, the devx.com website was found lying in its own blood and excrement after being linked from Slashdot.ORG today.
  • by mccalli ( 323026 ) on Thursday February 12, 2004 @05:10PM (#8261865) Homepage
    " When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get"

    Aah, the sweet sweet tones of language in the hands of a master. What subtlety, what charm, what wit. Prithee kind sir, wherefore is thy prose, thy grasp upon the fundamentals comprising the very art of speech itself?

    English Grade: C-, should learn not to use informal language when making a formal argument.

    Cheers,
    Ian

  • by Psarchasm ( 6377 ) on Thursday February 12, 2004 @05:15PM (#8261950) Homepage Journal
    you might remember from other high quality works, like...

    Mastering ASP .NET with VB .NET [lowth.com], Visual Basic Developer's Guide to Asp and IIS [lowth.com],
    and...
    How To Kill Penguins With Broken Shards of Windows.

    *YAWN*
  • by mekkab ( 133181 ) * on Thursday February 12, 2004 @05:16PM (#8261971) Homepage Journal
    yeah, it seems he's never paid for a BSOD! Unfortunately, neither has Microsoft. But when I get my hands on them, they'll pay. Oh, how they'll pay!!
  • by Anonymous Coward on Thursday February 12, 2004 @05:17PM (#8261988)
    Considering how much I paid to read his article.
  • Re:Um, yeah (Score:3, Funny)

    by Dr Caleb ( 121505 ) on Thursday February 12, 2004 @05:17PM (#8261990) Homepage Journal
    Please cite some specific examples Mr. Jones.

    If that is your real name. . .

  • by RichDice ( 7079 ) on Thursday February 12, 2004 @05:20PM (#8262027)
    Someday he hopes to be The Russell Jones.
  • by gnuguru ( 301000 ) on Thursday February 12, 2004 @05:21PM (#8262044) Journal
    Mod the above down as flamebait.
  • by ansonyumo ( 210802 ) on Thursday February 12, 2004 @05:22PM (#8262055)
    A. Russell Jones may not know dick about oss, but he's a genius on the topic of "how to spike your web traffic for one day".
  • by rebel ( 27002 ) on Thursday February 12, 2004 @05:23PM (#8262073)
    ...his article is freely available.
  • by GMFTatsujin ( 239569 ) on Thursday February 12, 2004 @05:26PM (#8262105) Homepage
    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.
    The advert that appeared (one of those ones that takes up a quarter of the page and shifts all the article text around) was this:

    FREEVBCODE.COM -- Get high-quality, FREE Visual Basic code

    The real kicker is that I can already get free, high-quality Visual Basic code... Just open the wrong attachment in Outlook.

  • by Wyatt Earp ( 1029 ) on Thursday February 12, 2004 @05:26PM (#8262107)
    "We need a new term for this kind of journalistic troll."

    No talent assclown.
  • by Mirkon ( 618432 ) <mirkon.gmail@com> on Thursday February 12, 2004 @05:27PM (#8262118) Homepage
    So, I guess I shouldn't take any of it seriously.
  • by JohnFluxx ( 413620 ) on Thursday February 12, 2004 @05:32PM (#8262164)
    Even funnier if this is true:

    http://neowin.net/comments.php?id=17509&category=main
  • by BaronAaron ( 658646 ) on Thursday February 12, 2004 @05:33PM (#8262179)
    DevX.com has reported a recent drop off in website hits and has implemented a campaign to "leverage" the Slashdot masses.

    The new project entitled "Flaming Troll" was kicked off today with an article that would be very interesting and informative for your average Slashdot reader.

    So far the project seems to be a success ...
  • Oops... (Score:3, Funny)

    by JabberWokky ( 19442 ) <slashdot.com@timewarp.org> on Thursday February 12, 2004 @05:44PM (#8262311) Homepage Journal
    Darn it, I didn't want to click on the "Read More" for this article, I meant to click on the next article down, "New Worms Feed on MyDoom Infections". Gosh, I hope those new worms don't hurt too many of those fragile open source systems.

    --
    Evan "About to take down a Linux system running kernel 1.2.x for about 4 or 5 years and upgrade to SuSE 9.0"

  • Re:Wow (Score:1, Funny)

    by MAPA3M ( 718897 ) on Thursday February 12, 2004 @05:49PM (#8262453)
    Igniting flame war in 5...4...we have main engine start...3...2...ignition!...1...
    This is ground control to major troll...
  • by gumbright ( 574609 ) on Thursday February 12, 2004 @05:50PM (#8262464)
    Close, but you misspelled it. It's: F-u-c-k-t-a-r-d
  • Not to throw too much wood on the fire, but wasn't an Al Qaeda sympathizer arrested at Intel? Just imagine what he could have done! Intentional security breaches right in the chips! Start the paranoia meters!

    (and this is nothing more than baseless speculation. I don't want to be sued by Intel)
  • by chaoticset ( 574254 ) on Thursday February 12, 2004 @05:59PM (#8262657) Homepage
    I don't know -- most of this is either a truism about software with the words "open source" in front of the word software, or else something Microsoft said about open source in one of their -- er, I mean the independent testing consortium they hired's -- tests.


    Plus, el supremo Jones fails to comprehend the concept of reverse engineering. Perhaps learning things is more difficult with that enormous wad of MicrosoftBucks that keeps showing up in his bank account.

  • by jazman ( 9111 ) on Thursday February 12, 2004 @06:05PM (#8262767)
    Absolutely. Spot on. Can't use anything that's free, otherwise you automatically get problems.

    Just as well nobody is stupid enough to breathe the air in the atmosphere isn't it? I mean, who wouldn't go with cans of Ozone Friendly FreshAir(TM) Only $10 A Can?

    And as for that wet stuff that comes out of clouds, nobody, surely, would be dim enough to think that was actually /drinkable/, would they? Har har har.

    Repeat after me, all consumers: Free = Wrong. Pay Corporation $$$$$ = Right. Have you supported your local fat cat today by buying something that is normally available for no cash whatsoever?

  • by pohl ( 872 ) on Thursday February 12, 2004 @06:16PM (#8262973) Homepage
    We need a new term for this kind of journalistic troll.

    Urinalist?

  • by afidel ( 530433 ) on Thursday February 12, 2004 @06:28PM (#8263164)
    "I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected."

    Oh the irony! The very next slashdot story is about Windows NT and 2000 source code being leaked to the net.
  • by Psiren ( 6145 ) on Thursday February 12, 2004 @06:34PM (#8263240)
    I, doubt, he'd, bother, to, read, it, since, you, obviously, have, a, fetish ,with, the, comma.
  • by Pentagram ( 40862 ) on Thursday February 12, 2004 @06:35PM (#8263249) Homepage
    Exactly. How do we know that the original wasn't actually a logical, intelligent article, and that this copy isn't actually an evil corruption due to it being freely available for modification?
  • by thomas_klopf ( 672359 ) on Thursday February 12, 2004 @06:38PM (#8263309)

    It's funny, but if you just make opposite words out of this article, you get something that sounds just as reasonable about Microsoft.. Try it out!

    "In short, Microsoft's expensive and high-cost software products are likely to be widely adopted in governments, where spending public money for licenses is an easy justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify."

    "Microsoft software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be."

    Man, this is fun! Nothing like reading Microsoft gimp droppings! drool.

  • by Anonymous Coward on Thursday February 12, 2004 @06:44PM (#8263384)
    http://slashdot.org/articles/04/02/12/2114228.shtml?tid=109&tid=187

    It just lacks the advantage of peer review all these years.
  • Re:Sort of (Score:3, Funny)

    by Darth ( 29071 ) on Thursday February 12, 2004 @06:56PM (#8263592) Homepage
    i disagree. SCO have been trying desperately to patch the huge holes in its lawsuit. They are just too big to patch, is all.

    (you did mean the lawsuit when referring to SCO's flagship product, right?)

  • by Anonymous Coward on Thursday February 12, 2004 @07:22PM (#8263964)
    I noticed a couple of minor errors in your article, so I fixed them for you. You're welcome!

    An old adage that governments would be well-served to heed is: Caveat Emptor. When you rely on proprietary products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because closed source products are less capable or less efficient than open source products, but because sooner or later, governments that rely on proprietary software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--a proprietary product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the proprietary software from inside, by someone working on the project.

    This will happen because the proprietary model, which hides the source from external audits, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter proprietary software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source disguised as a fix or extension. As the core Windows code is carefully scrutinized, that's not terribly likely. Much more likely is that versions will be created and advertised, or created with the express purpose of marketing them to governments at cut-rate pricing. It's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself, the same possibilities (and probabilities) exist for every proprietary software package installed and used on the machines.

    How Can This Happen?
    The products of the proprietary software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, an expensive proprietary operating system, the expensive and proprietary Internet Information Server, and proprietary office suites. There are several reasons that proprietary software--and Windows in particular--are seeing such a dramatic downtick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, or at least that vulnerabilities are patched quicker. (Use this link to see an example of how long Microsoft can take to fix a critical vulnerability, or this link to see what Gartner Group thinks about IIS and security.)

    So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks against proprietary software vendors have been more successful (in other words, undiscovered or unreported). Because so few people can audit the Windows source code, there's also a reasonably high risk that someone will create a modification specifically intended to subvert security. And how would anyone know?

    Open source software advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same ey
  • by UFNinja ( 726662 ) on Thursday February 12, 2004 @08:31PM (#8264673)
    That was a piss poor article!
  • by adrianbaugh ( 696007 ) on Thursday February 12, 2004 @09:33PM (#8265234) Homepage Journal
    In days gone by the term would just be "usenet poster"
  • by darketernal ( 196596 ) <[gro.xilehelpirt] [ta] [khsoj]> on Thursday February 12, 2004 @09:43PM (#8265314) Homepage
    Addendum to my previous comment, I hadn't read the article carefully enough:

    yes, there is the issue of big name distros like Debian getting rooted. Yes, we heard about the attempt to corrupt Linux BKCVS (someone committed to the repository, disguised as Dave Miller). The OSS community as a whole found and corrected every case and the author of this article is looking for the time when we won't catch such a subversive change.

    Developer trust on the Internet is typically done via PGP/GPG too. Numerous key signatures verifying someone's identity are not ultimate proof, but they assist in reassuring people that a person with that name exists and probably is fairly trustworthy. I've mostly found all of the OSS developers I've met to be forthcoming and truthful and wanting their programs to be rock solid and uncorrupt.

    And only half tongue in cheek (considering the possibility that this is a fake)
    But can you explain why there are traces of Code Red sitting in the zipfile of the alleged leaked Windows source code? :)
  • by Anonymous Coward on Thursday February 12, 2004 @10:41PM (#8265758)
    Some big idiot says something stupid and the /. community responds!
  • 4. Profit! (Score:2, Funny)

    by Tablizer ( 95088 ) on Thursday February 12, 2004 @10:43PM (#8265777) Journal
    1. Lose job to offshoring
    2. Grow desperate
    3. Sell out to big corps by writing article
    4. Profit!
  • by zekt ( 252634 ) on Thursday February 12, 2004 @11:17PM (#8266039)
    This story comes right after the story that Windows 2000 and NT code has been leaked onto the net. Now that both Linux and 2000/NT source are out there, we can ask the question, which of those two source code trees are you more worried about having in the wild!?
  • by Anonymous Coward on Thursday February 12, 2004 @11:22PM (#8266067)
    You really should, try to avoid, using so many, commas. You really don't, need that many, and it makes you sound, like William Shatner.
  • by Xidius ( 751991 ) on Friday February 13, 2004 @12:49AM (#8266665)
    /* Source Code Windows 2000 */
    #include "win31.h"
    #include "win95.h"
    #include "win98.h"
    #include "workst~1.h"
    #include "evenmore.h"
    #include "oldstuff.h"
    #include "billrulz.h"
    #include "monopoly.h"
    #include "backdoor.h"
    #define INSTALL = HARD

    char make_prog_look_big(16000000);

    void main()
    {
        while(!CRASHED)
        {
            display_copyright_message();
            display_bill_rules_message();
            do_nothing_loop();
            if (first_time_installation)
            {
                make_100_megabyte_swapfile();
                do_nothing_loop();
                totally_screw_up_HPFS_file_system();
                search_and_destroy_the_rest_of-OS2();
                make_futile_attempt_to_damage_Linux();
                disable_Netscape();
                disable_RealPlayer();
                disable_Lotus_Products();
                hang_system();
            } //if
            write_something(anything);
            display_copyright_message();
            do_nothing_loop();
            do_some_stuff();
            if (still_not_crashed)
            {
                display_copyright_message();
                do_nothing_loop();
                basically_run_windows_31();
                do_nothing_loop();
            } // if
        } //while

        if (fast_cpu())
        {
            set_wait_states(lots);
            set_mouse(speed,very_slow);
            set_mouse(action,jumpy);
            set_mouse(reaction,sometimes);
        } //if

        /* printf("Welcome to Windows 3.1"); */
        /* printf("Welcome to Windows 3.11"); */
        /* printf("Welcome to Windows 95"); */
        /* printf("Welcome to Windows NT 3.0"); */
        /* printf("Welcome to Windows 98"); */
        /* printf("Welcome to Windows NT 4.0"); */
        printf("Welcome to Windows 2000");

        if (system_ok())
            crash(to_dos_prompt)
        else
            system_memory = open("a:\swp0001.swp",O_CREATE);

        while(something)
        {
            sleep(5);
            get_user_input();
            sleep(5);
            act_on_user_input();
            sleep(5);
        } // while
        create_general_protection_fault();
    } // main
  • by FIGJAM ( 29275 ) on Friday February 13, 2004 @03:10AM (#8267373)
    This! Makes! You! Sound! A! Lot! More! Like! William! Shatner!

  • by unitron ( 5733 ) on Saturday February 14, 2004 @01:17AM (#8277496) Homepage Journal
    "You paid for IE?"

    I pay for it every time I use it--in wasted time, in aggravation, etc.
