Archive for February, 2004

Get mad, then tell people nicely that they're wrong

Thursday, February 12th, 2004

Date: Thu, 12 Feb 2004 18:29:02 -0500 (EST)
From: Asheesh Laroia
To: rjones@devx.com
Subject: Your recent article on DevX

I recently read your article on DevX, which I found at the URI
http://www.devx.com/opensource/Article/20111 .

Let me say that you do not understand what “open source” is. I'm sorry to
hear that you have fundamentally misunderstood a greatly-emerging trend in
computer software. “Open source” software gives you the freedom to
inspect code. Just like Microsoft's license agreements, it provides no
warranties; has anyone ever sued Microsoft over shoddy-quality software,
bugs, or the “NSAKey” fiasco?

First, then, I must point out that open source gives you control. If you
don't want the control, then fine. Closed source lets someone else tell
you what you want, and never gives you the right to pick it apart (or pay
someone else to pick it apart) for security, aptness, or effectiveness.
This is becoming a big issue in the state where I go to University,
Maryland, because proprietary, expensive, closed-source voting machines
the state bought are insecure, unreliable, and unaccountable.

Diebold machines, as their memos explain, are fraught with vulnerabilities
that the management doesn't care about. Yet open-source, well-documented
voting systems (such as the one out of MIT, or the one in use in
Australia) have been audited by security experts and put into use with
adequate safeguards against foul play. Diebold refuses to allow a paper
trail on voting machines in Maryland, making me wonder what they have to
hide. Because of their source code access policy, they will never allow
me to find out.

Apache is the web's most popular web server. Because it is open-source,
various companies create their own “distributions” of it, ensure its
security, and let people pay for support. The open-source “stock”
distribution has not once seen a vulnerability inserted from someone “on
the inside”, as you fear. The same can be said of the other software that
created the Internet as you today use it: ISC BIND, Sendmail, the BSD
network stack that Microsoft now includes with Windows, just to name a
few.

Why have these high profile projects never seen such disastrous results as
you predict? Because all the same risk factors exist with closed-source
code as you, cautiously and carefully, remind the world exist with
open-source software. When your company pushes down Windows updates on to
your computer, they could be installing Back Orifice 2000. Or maybe
they're spying on you right now through standard Windows remote access
tools.

The fact is, reputable vendors just do not do this. Secondly, because of
the openness of Free Software (see
http://www.gnu.org/philosophy/free-sw.html if you think “free” just means
“without cost”; it means “granting the user freedom”), the end-user (or
your IT department (or their vendor)) has the EXTRA benefit of being able
to review the code and assure it.

So, proprietary software has all the same possible flaws, with the extra
added deficit of being uninspectable.

I hope that this clears up the misconceptions that seem to have guided
your article. If you disagree with anything I've said, I'd love to hear
back from you.

Best wishes and a Happy Valentine's Day!

– Asheesh.


The startling truth finally became apparent, and it was this: Numbers
written on restaurant checks within the confines of restaurants do not
follow the same mathematical laws as numbers written on any other pieces
of paper in any other parts of the Universe. This single statement took
the scientific world by storm. So many mathematical conferences got held
in such good restaurants that many of the finest minds of a generation
died of obesity and heart failure, and the science of mathematics was put
back by years.
— Douglas Adams

Cthuugled

Tuesday, February 3rd, 2004

I've been laughing about Cthuugle for a while now. It's like being eaten alive - but with the colorful face of Google!

Do this web exercise for me:

1. Go to Google and click on the logo.
2. Notice that the Google logo has fractals on it. Click on it.
3. The first hit on the image search page (as of 5:00 PM) is hosted on mathjmendl.org. Note that mathjmendl.org is Jonathan's web site, hosted on the web server in my basement, on a cable modem.
4. Click the link, and notice that the site is no longer hosted there.

Thus was my server Cthuugled: Eaten alive by Google.