Feeds

MS-funded think tank propagates open-source lies

Catastrophe in the making

  • alert
  • submit to reddit

Build a business case: developing custom apps

Updated A Washington think tank called the Alexis de Tocqueville Institution has released its anticipated study of the dangers of open-source software. Much to our disappointment, the organization's press release, which last week promised that the study would explain in gory detail how open-source software will foster international terrorism, turns out to have been a tissue of headline-pimping lies.

Indeed, the paper never mentions terrorism at all. Instead, it overflows with the usual half-truth drivel about the economic dangers of the GPL which one can find re-hashed regularly on the Microsoft 'Press Pass' PR site and the editorial pages of ZD-Net News. More than half the paper is an enumeration of the Crimes against Commerce of Richard Stallman.

As for system security, the paper allows that having the source code to a well-secured OS or application is little help to an attacker, just as knowing the layout of Fort Knox isn't going to help you sneak in and empty the joint. But it tries to persuade us that not having the source code means we're all safe from hackers.

"If you open the blueprints for every aspect of it to the world your adversary can reconstruct a test lab in which he can create tools he may need," the paper quotes one consultant as saying. But what's not said is that one can just as easily construct a 'test lab' for a closed-source product and torture it in a thousand ways to find exploitable points of failure. Indeed, this is how the myriad holes in Microsoft's closed-source products have been found.

Additionally, the paper never mentions the vast difference in patch turnaround time between the open source and proprietary software vendors. It never mentions that proprietary vendors can conceal security flaws and leave their customers vulnerable until some bright empiricist finds one of them and blows the whistle. It never mentions that the most significant holes, worms and viruses affect only Microsoft products. If these hypocrites want to focus on economic impact, then let's hear some numbers on the costs associated with security stuff-ups. Linux has a small market share in most areas, but since most of the Web is running Apache, a comparison with IIS over Windows of time spent struggling to sort out security issues, costs from lost data, and so on should tell us a great deal about which is cheaper, and safer, to run.

For some more FUD, the author suggests that if the DoD were to use any GPL'd code in a classified software project, they'd have to publish the source code for all to see. I'm afraid that's wrong. They would only have to make the source available if they were to make the software available. But if it's classified they won't, so the issue is moot. Contrary to the author's nonsense, the GPL doesn't compel anyone to make their creations public. It only forces them to provide sources if they should choose to make them public.

Then of course there's this Internet distribution thing, which puts us all at terrible risk:

"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

We're supposed to imagine a government bureau or a Fortune 500 company downloading kernel patches from some Tuxerz-R-Us board and installing them on critical systems. The author makes a similar appeal to improbability when he warns us that open-source systems don't have adequate tech support.

"Open source products are often distributed without manuals, instructions or technical information. While a commercial developer is obligated to produce manuals, diagrams and information detailing the functionality of their products, open source programmers are not. In addition, open source developers cannot be expected to create software manuals with the vigor of private firms that are obligated to produce them."

First off, closed-source products are just as often distributed in precisely this manner. Second, your major government bureaux and corporations are going to go through a major distributor or they're going to hire a qualified staff to build what they need. Either way, technical support will be there. There's no need to lie about this, unless you're getting paid to lie about it.

In our original story we mentioned that the Alexis de Tocqueville Institution takes money from Microsoft, but we couldn't say whether or not the company actually sponsored this report. We still don't know; but if style and FUD are any guide, and we were to venture a guess, we'd say this one's got "Redmond" written all over it. ®

Update

Since we ran this story the .pdf file linked below on the ADTI Web site has been changed. It now leads to a small .pdf file which simply says the paper will be restored by the close of business on 10 June (5:00 pm EST). Perhaps it's being revised. If that's the case, we'll let you know of any significant changes tomorrow.

Related Story

Open source invites terrorism - study

Related Link

Download the paper here

Maximizing your infrastructure through virtualization

More from The Register

next story
Whoah! How many Google Play apps want to read your texts?
Google's app permissions far too lax – security firm survey
Chrome browser has been DRAINING PC batteries for YEARS
Google is only now fixing ancient, energy-sapping bug
Do YOU work at Microsoft? Um. Are you SURE about that?
Nokia and marketing types first to get the bullet, says report
Microsoft takes on Chromebook with low-cost Windows laptops
Redmond's chief salesman: We're taking 'hard' decisions
EU dons gloves, pokes Google's deals with Android mobe makers
El Reg cops a squint at investigatory letters
Big Blue Apple: IBM to sell iPads, iPhones to enterprises
iOS/2 gear loaded with apps for big biz ... uh oh BlackBerry
OpenWRT gets native IPv6 slurping in major refresh
Also faster init and a new packages system
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.