Is Open Source Fertile Ground for Foul Play? 723

jsrjsr writes "In an article on DevX.com entitled Open Source Is Fertile Ground for Foul Play, W. Russell Jones argues that open source software is bad stuff. He argues that open source software, because of its very openness, will inevitably lead to security concerns. He says that this makes adoption of open source software by governments particularly worrisome. In his words: 'An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"
  • Take action (Score:5, Informative)

    by Strudleman ( 147303 ) <strudleman&strudleman,com> on Thursday February 12, 2004 @05:07PM (#8261803) Homepage Journal
    All these great replies, these reasons why Russell is wrong, will never be read by the public because they're stuck in /.

    Take a cue from devX: "Editor's Note: DevX is pleased to consider rebuttals and related commentaries in response to any published opinion. Publication is considered on a case-by-case basis. Please email the editor at lpiquet@devx.com for more information."
  • by W2k ( 540424 ) on Thursday February 12, 2004 @05:09PM (#8261833) Journal

    Open Source Is Fertile Ground for Foul Play

    The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.

    by A. Russell Jones February 11, 2004

    An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

    This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

    How Can This Happen?
    The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)

    So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably hi

  • Impartiality (Score:5, Informative)

    by gowen ( 141411 ) <gwowen@gmail.com> on Thursday February 12, 2004 @05:09PM (#8261848) Homepage Journal
    I believe every word of this article because A Russell Jones [amazon.com] certainly [amazon.com] has no vested interest [amazon.com] in Microsoft based web solutions.
  • by Anonymous Coward on Thursday February 12, 2004 @05:12PM (#8261896)
    Windows Media Player for Linux will be announced in April by bill himself.

    You heard it here first, anon. for a reason.
  • by doomicon ( 5310 ) on Thursday February 12, 2004 @05:13PM (#8261906) Homepage Journal
    Joe Barr, already has an article [newsforge.com] responding to this FUD. I personally feel these sorta FUD articles are outdated. With IBM, HP, and others already showing large profits from taking advantage of opensource, you would think they would come up with something that isn't drudging up arguments from 1998.
  • by caino59 ( 313096 ) on Thursday February 12, 2004 @05:13PM (#8261915) Homepage
    or with closed source, it really should be - you pay for what you get.

    c'mon, this article has to be a joke.

    closed source has all the problems of OS, and more, not vice-versa. you can at least review the code of a program before implementing it, and even if you don't know how to code, there's thousands of other users surveying the code as well for errors. the OS community wants OS to look good - sure there are some people in it that probably would/have coded a backdoor here and there, but that's few and far between - especially compared with the people writing exploits for commonly used closed source applications...
  • by Bendebecker ( 633126 ) on Thursday February 12, 2004 @05:14PM (#8261920) Journal
    1. Use open source products which you can modify if need be. For example, you can have your tech support modify it to make it better fit your business needs (compared to trying to modify your business to fit around a Microsoft software solution), or if a bug is discovered you could either wait for the development team that originally made it to fix it or you could fix it yourself. Heck, you could even have your tech guys go through the code themselves looking for security holes to fix.

    2. Use closed source. If a bug appears, you're at the mercy of Microsoft to fix it. That may mean months waiting while your system is vulnerable. No way to find the bugs, no way to fix them yourself. Your business could be relying on a time bomb and not even know it. And of course, with only the MS guys looking for holes, the chance they'll miss them is greater. More eyes scanning code usually means fewer bugs. And at any time Microsoft could decide to drop the product or force you to upgrade or pay overcharged rates for licenses, all at Ballmer's whims. Going with closed source is putting your business at the mercy of Microsoft (yes, I know closed source != just Microsoft, but what is easier: to type closed source or to simply type MS?)
  • WTF? (Score:3, Informative)

    by jjp5421 ( 659783 ) * on Thursday February 12, 2004 @05:14PM (#8261932) Homepage
    You get what you pay for? Examples: SCO UNIXWARE, Windows, MS-DNS, IIS, bea weblogix, etc.. Realization: I paid for crap!!! You get MORE THAN what you pay for! Examples: Linux, *BSD's, BIND, Apache, gcc, etc. Realization: Why did I pay for that crap??? The code from Diebold was closed, and how secure was it? Windows code is closed and I had to install a server just to keep the horde of daily patches up to date. I think that the key to secure code is not a debate of open v. closed, it is about having a programmer/company that cares about security and knows what they are doing. Hell, NetBSD is open and very secure (read: unusable). This guy is a moron.
  • by theonlyholle ( 720311 ) on Thursday February 12, 2004 @05:18PM (#8262003) Homepage
    absolutely right - 90% of all software I install on my box is compiled from source, I hardly ever use the vendor provided binaries. And I guess that a lot of other people do the same. Of course there are limits to what we can notice at a glance, but if things behave strangely, imho the first thing to do is compare the supplied binaries with binaries compiled from the available source...
  • by Anonymous Coward on Thursday February 12, 2004 @05:21PM (#8262042)
    An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because proprietary products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free proprietary software will put their country's and their citizens' data in harm's way. Eventually and inevitably a proprietary product will be found to contain a security breach not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the proprietary software from inside, by someone working on the project.

    This will happen because the proprietary model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter proprietary software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Windows code is carefully scrutinized, that's not terribly likely. Much more likely is that vendors will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a vendor, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

    Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Windows, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Windows itself, the same possibilities (and probabilities) exist for every proprietary software package installed and used on the machines.

    How Can This Happen?
    The products of the proprietary software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Windows, a free open-source operating system, the free open-source Apache Web server, and proprietary office suites. There are several reasons that proprietary software and Windows in particular are seeing such a dramatic uptick in use, including IBM's extensive Windows support effort over the past several years, and the widespread perception that Windows is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)

    So far, major Windows vendors such as Microsoft and others have been able to discover and remedy attacks on their core source-code servers. The vendors point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market or give away a Windows vendor, there's also a reasonably high risk that someone will create a vendor specifically intended to subvert security. And how would anyone know?

    Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group
  • Re:figures... (Score:5, Informative)

    by 8282now ( 583198 ) on Thursday February 12, 2004 @05:26PM (#8262101) Journal
    In addition, it looks like this fellow's got a seriously vested interest in the spread of MS's closed source products.

    http://www.amazon.com/exec/obidos/search-handle-url/index=books&field-author=A.%20Russell%20Jones/103-4406437-9264652 [amazon.com]
  • by Anonymous Coward on Thursday February 12, 2004 @05:27PM (#8262114)
    I did notice as I read the site that there was one of those new, huge, M$ ads right beside the title.

    Who can really trust a site that purports to be objective while taking money from one of the sides in the "controversy"? (Right, Slashdot?)
  • by FuzzyBad-Mofo ( 184327 ) <fuzzybad@noSpAm.gmail.com> on Thursday February 12, 2004 @05:31PM (#8262156)

    For explanation, we need look no further than the prominent Microsoft ad on the article. It wouldn't surprise me if the whole site was sponsored by Redmond.

  • by arf_barf ( 639612 ) on Thursday February 12, 2004 @05:31PM (#8262158)
    What else do you expect from a MS shop? DevX was born as a VB support shop. In all the years that I visited DevX (mainly for VBPJ magazine), I have not seen one article critical of MS. I stopped, once .NET came out cause the coverage was nauseating...
  • 'I don't recall any follow up determining, "Hey this happened X_TIME ago, therefore clean programs should be reinstalled on your machine."'

    That's because the relevant teams _checked_ the code against known good code to see if there had been anything planted. If there were problems, you would have heard about them.
  • by carabela ( 688886 ) on Thursday February 12, 2004 @05:42PM (#8262286)
    In another article [devx.com], the same author claims:

    The point is not so much that open source is copycatting Microsoft but rather that open source vendors understand that Linux users, especially the great mass of potential Linux users, aren't any different from Windows users. They want the same applications, with the same features, the same ease of use, and largely, the same look and feel. As Linux moves beyond the hobbyist and server space into the corporate and home desktop space, there will be an increasing number of Linux users who genuinely don't care whether their applications are open source, and in fact would probably rather use their familiar Microsoft applications, if they are available, than retrain on unfamiliar and less mature applications. "

    /me thinks that he has missed the point with Open Source completely...

    On the other hand, he has a point concerning Linux while quoting Pavlicek's Top Ten list in yet another article [devx.com]:

    The multiple-GUI problem illustrates a basic difference in Windows and Linux. Windows has one general GUI interface which has served many millions of people and works for many millions of different applications. The Mac (another successful consumer OS) is similar; one general GUI works across all Mac applications. Why is Linux different? [...]
    Give them the real thing, Microsoft. Give them choice. Port the applications and development tools
    [to Linux]. Turn the millions of Microsoft developers loose on Linux, and let them build the future on both platforms.

    Provided they do so with Open Source, that is!

  • Re:Um, yeah (Score:3, Informative)

    by Waffle Iron ( 339739 ) on Thursday February 12, 2004 @05:45PM (#8262347)
    Actually, IIRC, the Interbase back door existed for all the years that it was a proprietary product, and it was only discovered after the source code was released.
  • by SvendTofte ( 686053 ) on Thursday February 12, 2004 @05:49PM (#8262452)
    Email the author. I just did, rebutting two of his "points". rjones@devx.com [mailto]

    Hey Russell,

    Just two obvious points of rebuttal.

    1. Your question:

    Who's Watching the Watchers?

    Makes a cold chill run down my spine, when I think of closed source
    software. In fact, many of your statements, such as the rogue coder,
    hold just as true for CSS. The difference? You (as a consumer)
    cannot see the code. An atmosphere which breeds closedness, and
    non-disclosure of hacker attacks, is far more scary than one (such
    as Debian), which openly announces that it has been hacked. Imagine
    a hacker gaining access to Microsoft code. Imagine MS catching him,
    and removing the malicious code. But ... did they get it all? Only
    the hacker will ever know.

    Your statement that "core" members will port the code just doesn't
    make sense. Assuming we're not into the old chicken and egg problem,
    with the bootstrapping compiler, an Open Source project is defined
    as having the source open. If you compile a program, and it ends up
    different than the one you downloaded, then something is very
    wrong indeed.

    2. In academia, and security circles, full disclosure, to be able to
    repeat trials, and be able to uncover weaknesses in software, is the
    norm. Hiding behind binary code does not a very powerful brick wall
    make. Hiding behind a well-thought-out design, which is not open to
    attacks (confirmed by peer review), and relies on algorithmic
    defences, makes a strong brick wall.

    I am sorry, but all in all, a very poor article.

    Regards,
    Svend
  • by uradu ( 10768 ) on Thursday February 12, 2004 @05:50PM (#8262460)
    > So? If they don't get publicity, they're not worth fixing?

    This attitude is EXACTLY what is making OS so popular and attractive. Even a small bug can drive someone out there eventually crazy enough to pick up the code and fix it. There's a famous feature in Word that pushes footnotes to subsequent pages if line spacing is anything other than single spacing. Only the footnote, mind you, not the anchor and the surrounding text. As it so happens, double-spaced text with footnotes is extremely prevalent in academia and other formal environments, making this feature very well known amongst grad students and such. But again, since this feature hasn't brought down entire computer networks and hasn't been mentioned by Tom Brokaw on the six o'clock news, it's not worth Microsoft's time to fix. Even though it significantly impedes Word's primary purpose, that of creating documents.
  • by Tin Foil Hat ( 705308 ) on Thursday February 12, 2004 @05:52PM (#8262519)
    Do a search [google.com] on his email address (rjones@devx.com) and you'll find that R. Jones has been writing about MS technologies for many years, including numerous articles on Visual Basic, .Net, and C#. Small wonder he feels threatened by open source, it's a direct challenge to his career.
  • by dubious9 ( 580994 ) on Thursday February 12, 2004 @05:53PM (#8262533) Journal
    Yeah, and there is nothing stopping independent resellers of closed source software from inserting anything they want. People tend to forget that you don't need source code to figure out how the program works. It's just easier. And it's not like you really need to know the program either, just find a good place to stick something.

    This is why we have trusted vendors. I'd bet from here to Tuesday that IBM performs internal audits on the software that it redistributes. And before it gets to IBM, Redhat does its own. Before that then it is the people writing the software. There are three layers of people, two of which there are responsible people behind. If you are not using software except from a trusted vendor, your risk is low.

    The only argument this guy makes is that it is not good to use software from people you don't trust. Duh. That point is true whether you are talking about open source software or not.
  • by herulach ( 534541 ) on Thursday February 12, 2004 @05:55PM (#8262577) Homepage
    A factoid would just be confusing though, because a good number of BBC radio 2 listeners will know factoids as interesting bits of trivia.
  • Re:Um, yeah (Score:5, Informative)

    by Smallpond ( 221300 ) on Thursday February 12, 2004 @05:56PM (#8262606) Homepage Journal

    I think you're right. Here's [cert.org] the link.

    "It was introduced by maintainers of the code within Borland."

    So that just leaves the Sendmail trojan, which lasted how long? 8 days?
  • by NickFortune ( 613926 ) on Thursday February 12, 2004 @05:59PM (#8262655) Homepage Journal
    I suppose MS is some Mickey Mouse cowboy operation that would write secure software if only they employed grown-ups and professionals.

    Or is his point that it never gets any better than MyDoomA and MyDoomB and we better learn to live with it? 'Cause I think we already disproved that one...

  • by boolyball ( 659919 ) on Thursday February 12, 2004 @06:08PM (#8262845) Homepage
    The Borland InterBase database server had a backdoor in place for 6 years! It wasn't until the product was open sourced that the backdoor was made public. See here [cert.org] for details.
  • by gurps_npc ( 621217 ) on Thursday February 12, 2004 @06:21PM (#8263045) Homepage
    Where has this guy been for the past 20 years????

    Has he no knowledge of the numerous papers that have pretty much torn apart the concept he proposed? Or did he think he invented the idea of Security by Obscurity???

    Yes, not letting people see the holes in your software does make it harder to break into them. But it also makes it impossible for white hats (good guys/hackers) to find and correct them.

    Open source has pretty much demonstrated that the number of white hats examining their software is greater than the number of black hats (criminals/crackers) and that the white hats tend to have more experience, creativity, and skill that then black hats.

    Finally, when your stuff DOES get cracked open, the open source nature means it is far easier to figure out how it happened, to fix it, and to publicize the fix preventing additional break ins.

    Q.E.D. Open Source is more secure than Close source.

  • by SysKoll ( 48967 ) on Thursday February 12, 2004 @06:27PM (#8263159)
    As exemplified in this story [slashdot.org], we have already seen attempts at inserting backdoors in the Linux kernel.

    The attempts failed because of the meticulous grooming given by the "many eyes" watching each open source release.

    Any one can write a new kernel patch. But getting these patches accepted is a whole different story.

    Conversely, years after the commercial, closed-source program Borland Interbase was released and used worldwide, it was found that it contained a back-door [cert.org].

    So recent history proves the article is wrong. Facts demonstrate exactly the opposite of what the article rants about.

    Conclusion: the article is an unsubstantiated troll written by a Microsoftie eager to fart FUD at the Penguin. Ignore.

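The kernel backdoor attempt the comment above links to is not described on this page; the widely reported attempt of November 2003 (a change planted in a kernel CVS mirror, caught in review) turned on a single `=` where `==` belonged in a uid check. What follows is an added example written for this page, not code from the kernel or from any poster: a constructed toy (the `task` struct, `MAGIC_FLAGS` and the function names are all assumptions) showing why that one-character change both works and is hard to spot, and why the compiler does not catch it.

```c
/* Constructed toy model, not kernel code. Models a privilege check at a
 * syscall-like entry point. MAGIC_FLAGS, struct task and the function
 * names are assumptions made for this example. */
#include <stdio.h>

#define MAGIC_FLAGS 0x5A5A  /* a flag combination no legitimate caller passes */

struct task {
    unsigned int uid;       /* 0 means root, as on Unix */
};

/* Backdoored version. The second operand reads like "uid == 0", but the
 * single '=' is an assignment. Its value is 0, so the branch is never
 * taken and nothing visible happens, yet the caller's uid has silently
 * been set to root. The extra parentheses around the assignment are what
 * keep gcc's -Wparentheses quiet, so "gcc -Wall" prints no warning. */
int check_backdoored(struct task *t, int flags)
{
    if ((flags == MAGIC_FLAGS) && (t->uid = 0))
        return -1;
    return 0;
}

/* Intended version: a pure comparison with no side effect. */
int check_fixed(struct task *t, int flags)
{
    if ((flags == MAGIC_FLAGS) && (t->uid == 0))
        return -1;
    return 0;
}

/* Runs one check against an unprivileged task and reports whether the
 * task ended up as root: 1 if privilege was escalated, 0 otherwise. */
int escalates(int (*check)(struct task *, int), int flags)
{
    struct task t = { .uid = 1000 };
    check(&t, flags);
    return t.uid == 0;
}

int main(void)
{
    printf("backdoored, magic flags:  escalates=%d\n", escalates(check_backdoored, MAGIC_FLAGS));
    printf("backdoored, normal flags: escalates=%d\n", escalates(check_backdoored, 0));
    printf("fixed, magic flags:       escalates=%d\n", escalates(check_fixed, MAGIC_FLAGS));
    return 0;
}
```

Both functions return 0 for every input, so a test of return values alone passes; only the state of the task afterwards differs. Compiling with `gcc -Wall` gives no warning for `check_backdoored`, because `-Wparentheses` only complains about an assignment used directly as a truth value and the inner parentheses suppress it. The defence is reading the diff (and, today, linters that flag side effects inside conditions), which is the "many eyes" point the comment makes.
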
  • by Squeamish Ossifrage ( 3451 ) * on Thursday February 12, 2004 @06:38PM (#8263308) Homepage Journal
    I submitted the following response in a letter to the editor:

    Dear Sir or Madam,

    I am concerned that Mr. Jones's column of February 11th, "Open Source is Fertile Grounds for Foul Play," indicates a significant misunderstanding of open-source development processes. The argument presented is that all software development carries the risk that malicious code will be inserted by insiders, and that open-source is especially vulnerable because more people are insiders. The first part is absolutely true, and applies to both closed- and open-source development as Mr. Jones acknowledges, but the second part does not stand up to scrutiny.

    Most open-source projects have only a small group of "core developers" who have the ability to modify the official source code, just as is the case with proprietary software development. Any malicious person could insert destructive code into his or her own copy, but not back into the official version. That leaves the possibility of intentional compromise by the core developers, or by subsequent distributors. The first is a risk, but less so than with proprietary software: The number of people in a position to corrupt the source is similar in both models, but the possibility of outside review reduces the danger for open-source software. Mr. Jones posits that core developers could avoid such scrutiny by not making the corrupted version public, but this is nonsensical: The version of the source code available for use is by definition also available for review.

    The other concern raised is that distributors who re-package open source software could add vulnerabilities. Again, this is possible, but no more so than with proprietary software. It's easy for an attacker to add malicious code to compiled binaries; indeed much pirated software is reported to contain viruses or Trojan Horses. For both open-source and proprietary software, the solution is the same: Be careful who you get your software from. Downloading open-source software directly from the public sources or buying a packaged version from a trustworthy distributors is no riskier than buying e.g. Windows directly from Microsoft or a system integrator like IBM. If a consumer buys either open- or closed-source software from Bob's Back-Alley Software and Pawn Shop, well, it's a bad idea either way.

    Open-source is not the security panacea that some advocates make it out to be, but it doesn't incur the added risks which Mr. Jones attributes to it, either. A government or other user which applies common sense to its software acquisition is no more at risk from open-source software than closed-source, and may even be a bit safer.

    Respectfully,
    Eric Anderson

    --
    Eric Anderson - anderson@cs.uoregon.edu
    University of Oregon Network Security Research Lab
    PGP fingerprints:
    D3C5 D6FF EDED 9F1F C36D 53A3 74B7 53A6 3C74 5F12
    9544 C724 CAF3 DC63 8CAB 5F30 68AE 5C63 B282 2D79
  • by Nikker ( 749551 ) on Thursday February 12, 2004 @06:39PM (#8263321)
    As everyone posting / reading on this site knows, Open Source is a platform that is used to share knowledge about techniques, inner workings of software / hardware. This has been used only for the benefit of the community that is interested, no membership card required, and was never even pushed into the mainstream. Now companies are realizing that there is no "magic" to operating systems and they can do it themselves, own the code and hire programmers to code it for them. They are under no pressure to patch the software, or even listen to the linux community at large on procedures. Maintaining software becomes faster and easier and MUCH less expensive; once the project is done it is theirs and there is no need to pay anyone any additional fees to keep it.

    This is all because apparently we have discovered all there is to know about operating systems. How do I know this? Simply because there has not been an innovation that has eclipsed Linux; even kernel 2.2 can keep up with the GUIs and stability that Microsoft has started, the GUI hasn't changed since the Mac in 1982, multitasking was started in UNIX before the Mac, there is nothing new, Microsoft hasn't invented a single thing since day 1, Bill even bought QDOS to build on to become MS-DOS. Now it is the mal-educated that think that open source is wrong because they think we are trying to take over the big software companies and take all of their profits... LOL ... We are just watching this happen; some of us take credit where we really shouldn't, we are just sharing knowledge. It just so happens that this is the same knowledge that software companies have and is available for anyone to learn. Do you have to use linux to take advantage of it? No! Reading source on AGP will give you a very good understanding of what it is about and then you could apply this to *ANY* operating system as long as you are still building on AGP.

    Open Source will always exist whether certain individuals think it is right or not, because we are curious, and best of all, when it really comes down to it, do we really care if everyone on the planet uses Open Source? No, it just gives an opportunity to learn about computing. Open source is not for profit, it is about education; it just so happens that no one is able to take this lesson any further than what is already out there. That is why closed source is going to die a slow and painful death in the operating system world; they have done it to themselves. The door is always open for an amazing new interface, filing system, method for organizing, optimizing, executing code. When that happens the open source community will get together and learn how it works and in time will be able to understand how it works. Operating systems as of the time of this writing have been completed. Unless something/one comes along with a new ideal, Open source will take over as it is now for all to see and use. Move on and work on the "Next big thing" and try to outdo open source; we *Want you to*.
  • by TheCrayfish ( 73892 ) on Thursday February 12, 2004 @06:47PM (#8263435) Homepage
    In a Powerpoint Presentation [web-services.gov] entitled Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, sponsored by the Defense Information Systems Agency, the MITRE corporation found these "(Unexpected) Security benefits of FOSS":
    • FOSS includes applications such as the OpenBSD operating system that have been intensively reviewed from a security and reliability perspective. Such applications present far fewer openings for cyberattacks. BSD licensing lets benefits flow into the entire software industry.
    • FOSS includes much of the most advanced work and tools for analyzing network/system weaknesses. These tools are a vital & dynamic part of security self-assessment
    • FOSS concept of user autonomy enables rapid responses to novel types of infrastructure attacks. e.g.: GPL license grants user rights that allow security groups to change code without invoking slow, confusion-prone "owner loops."
    The GPL has a number of features that benefit security groups and applications:
    • GPL user rights make it possible for groups to develop rapid autonomous response capabilities for handling novel cyber attacks.
    • Contrary to a widespread misconception, the GPL grants users the right not to release source code changes unless and until they release the corresponding binary software. This right allows rapid-response teams to keep critical changes "under wraps" until new attack modes have been fully analyzed and defeated.
    • Using GPL to encourage sharing of basic bug fixes provides a powerful tool for reducing network-wide cyber attack opportunities.
    • The GPL provides an effective pathway for rapid dispersion of critical defensive changes to users of shared GPL infrastructure.
    To view the entire presentation, you may need the free Microsoft Powerpoint viewer [microsoft.com].
  • by Haeleth ( 414428 ) on Thursday February 12, 2004 @07:33PM (#8264077) Journal
    If all someone does is check an MD5 on the executable they produce, they wasted their time and might as well have fetched the binary because nothing they build on their own is likely to match the official binary's MD5 anyway.

    Indeed, even if they built their executable on the very computer the official binary was produced on, by executing the exact same commands as those used to produce the official binary, straight after the official binary was made, their binary's MD5 might well not match the official one, since many systems include the build time in their object files...
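An added example, not from the post above or from any project, showing why two builds of identical input hash differently once the build time lands in the artifact, and how normalizing the metadata (fixed mtime in the SOURCE_DATE_EPOCH convention, sorted entry order, fixed owner) makes the digests comparable; the file contents and timestamps are constructed.

```python
import hashlib
import io
import tarfile

# Constructed sample build output (not a real project): what a build step might
# hand to the packaging stage. Contents are placeholders.
BUILD_FILES = {
    "bin/tool": b"placeholder bytes standing in for a compiled binary\n",
    "share/README": b"example project output\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def naive_package(files: dict, build_time: int) -> bytes:
    """Package like a careless build: the wall-clock build time lands in every entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in files.items():          # whatever order the build produced
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time               # timestamp baked into the artifact
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def reproducible_package(files: dict, source_date_epoch: int = 0) -> bytes:
    """Package deterministically: fixed mtime (the SOURCE_DATE_EPOCH convention),
    sorted entry order and fixed owner, so equal inputs give byte-identical output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in sorted(files.items()):  # order no longer depends on the build
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch        # pinned, not "now"
            info.uid = info.gid = 0               # owner of the build box does not leak in
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def builds_match(local: bytes, official: bytes) -> bool:
    """The check described in the post: does my build's digest equal the published one?"""
    return sha256(local) == sha256(official)

if __name__ == "__main__":
    # Two naive builds one second apart: same inputs, different digests.
    a = naive_package(BUILD_FILES, 1076600000)
    b = naive_package(BUILD_FILES, 1076600001)
    print("naive builds match:", builds_match(a, b))
    # Same inputs packaged reproducibly, even in a different order: digests agree.
    shuffled = dict(reversed(list(BUILD_FILES.items())))
    print("reproducible builds match:",
          builds_match(reproducible_package(BUILD_FILES), reproducible_package(shuffled)))
```

The same idea applies to compiled objects: a digest comparison only proves anything once the build chain is pinned end to end (timestamps, paths, toolchain), which is what reproducible-builds projects set out to do.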
  • by Lysol ( 11150 ) on Thursday February 12, 2004 @07:59PM (#8264329)
    This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source.

    Of course you can get the source code and modify it. However, 99.9% of the time you cannot commit it back to the tree without first getting to know the guys running the project. And what usually comes first is submitting patches to the project via a project member (usually a high-level member since some level of oversight and accountability is needed).

    Once that 'trial period' has passed, then a coder can usually check into the repository head. However, I don't see any major difference in that respect to someone working at [insert super software company here] and someone coming in and being a good person for a bit and then adding back doors to code.

    The author assumes that as soon as you get the repository login set up on yr machine, then you're just able to start fucking things up. This is highly unlikely and since that, in my view, is the most fundamental piece of team programming, I find his argument to be dead right there.

    As for distributing the results, that is also flawed but not by logic, but by market forces. Even if someone got a hold of the entire RedHat repository or Evolution for that matter, I don't think people would be using that product for a few reasons.
    1. Lacks credibility. Forks have a hard enough time gaining interest from the project they forked off. So why would someone want to fork something just to insert back doors and take over the world? Seems like an awful waste of time and effort. And just because you fork it, doesn't mean they'll come.
    2. Even if a 'malware' fork happened, it wouldn't stay afloat long. It would probably take less than a day for someone to figure out something was going down and to spread the word. Again, the OS community is the key here. You wouldn't see this happen behind closed doors.

    This guy lives in the fairytale land of spooks and secrets and bad guys around every corner. While I'm sure there's plenty of fallings out of people in various projects and groups, it's highly unlikely that any of these scenarios the author plays out will ever come true. In any ecosystem, only the strong will survive. And I just can't see some 'malware' being released and taking over everything. In fact, all the worst case infections and money losers to date have all happened in the ActiveX/DevX/.NET/M$ proprietary, closed door, secret world. Of course this guy has this opinion. He exists in a world where everyone is paranoid and everything not yours is evil or doomed to failure or ripe for punishing.

    Free your mind..
  • by thirdrock ( 460992 ) on Thursday February 12, 2004 @08:02PM (#8264368)
    Back in the 30's and 40's Time and Life Magazine publisher, Harry Luce, overlooked the realities of Chiang Kai-Shek's brutal regime in China, choosing to believe Chiang was a christian and a good leader, while Mao was a monster backed by the godless communists of Moscow. Luce's publications were the word. Too bad he had it wrong and couldn't see it. This guy is about as blind to reality.

    First of all, it was Henry Luce. He and Charlie Soong were making an absolute fortune from printing and selling bibles in China. Charlie Soong was well connected with the Kuo Min Tang and eventually one of his daughters married Chiang Kai Shek, and another married Sun Yat Sen.

    The Kuo Min Dang however was not really considered a 'brutal regime' until the communist movement arrived in the cities (ShangHai in particular), after which it cracked down brutally on Communists and the infant Trade Union Movement.
    Before that however, the Kuo Min Dang was the political successor to a criminal organisation known as the Green Gang, who eventually came to distribute nearly half of the opium in China. Chiang Kai Shek rose to a position of power in the Green Gang before joining the military. Once the Kuo Min Dang was in power, they assisted the Green Gang in distributing opium and eliminating competitors.

    Later, when the Nationalist army was fighting the Communists, Henry Luce and Charlie Soong lobbied in Washington to support 'christian' Chiang Kai Shek. Many millions of dollars were funneled from Washington, but very little of it reached the troops fighting on the ground. Most of the money appears to have ended up in Charlie Soong's sons' and Chiang Kai Shek's bank accounts.

    Chiang Kai Shek and Charlie Soong were probably the richest and most successful 'rice christians' in history.
  • The rebuttal (Score:3, Informative)

    by kwiqsilver ( 585008 ) on Thursday February 12, 2004 @08:20PM (#8264552)
    Hidden under their tiny Open Source section:
    rebuttal [devx.com]

    Looking at the list of topics in their menu, and the predominance of MS products, it's obviously a biased site.
  • by Kirth ( 183 ) on Thursday February 12, 2004 @08:41PM (#8264742) Homepage
    Well, I'd rather be able to read the source at all, than to blindly trust.

    You know, we had that, the NSA getting companies to put backdoors into products. Here in Switzerland:

    http://jya.com/nsa-sun.htm [jya.com]
    --
  • by aweraw ( 557447 ) <aweraw@gmail.com> on Friday February 13, 2004 @03:56AM (#8267519) Homepage Journal
    Who's accountable? Names and phone numbers are what most businesses expect. Not a handle in an IRC channel. Not Usenet posts.

    What if there were someone to hold accountable? Someone who knew about the software because they installed it themselves? Names and phone numbers covered.

    Do you seriously think that if you ever sued a Microsoft due to a software bug leading to a massive security breach, you'd ever see a red cent? No, there are terms in their EULAs that absolve them of any responsibility. How is this different from the terms stated in GPL/BSD licenses? What accountability are you referring to?
