Feeds

MS-funded think tank propagates open-source lies

Catastrophe in the making

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Updated A Washington think tank called the Alexis de Tocqueville Institution has released its anticipated study of the dangers of open-source software. Much to our disappointment, the organization's press release, which last week promised that the study would explain in gory detail how open-source software will foster international terrorism, turns out to have been a tissue of headline-pimping lies.

Indeed, the paper never mentions terrorism at all. Instead, it overflows with the usual half-truth drivel about the economic dangers of the GPL which one can find re-hashed regularly on the Microsoft 'Press Pass' PR site and the editorial pages of ZD-Net News. More than half the paper is an enumeration of the Crimes against Commerce of Richard Stallman.

As for system security, the paper allows that having the source code to a well-secured OS or application is little help to an attacker, just as knowing the layout of Fort Knox isn't going to help you sneak in and empty the joint. But it tries to persuade us that not having the source code means we're all safe from hackers.

"If you open the blueprints for every aspect of it to the world your adversary can reconstruct a test lab in which he can create tools he may need," the paper quotes one consultant as saying. But what's not said is that one can just as easily construct a 'test lab' for a closed-source product and torture it in a thousand ways to find exploitable points of failure. Indeed, this is how the myriad holes in Microsoft's closed-source products have been found.

Additionally, the paper never mentions the vast difference in patch turnaround time between the open source and proprietary software vendors. It never mentions that proprietary vendors can conceal security flaws and leave their customers vulnerable until some bright empiricist finds one of them and blows the whistle. It never mentions that the most significant holes, worms and viruses affect only Microsoft products. If these hypocrites want to focus on economic impact, then let's hear some numbers on the costs associated with security stuff-ups. Linux has a small market share in most areas, but since most of the Web is running Apache, a comparison with IIS over Windows of time spent struggling to sort out security issues, costs from lost data, and so on should tell us a great deal about which is cheaper, and safer, to run.

For some more FUD, the author suggests that if the DoD were to use any GPL'd code in a classified software project, they'd have to publish the source code for all to see. I'm afraid that's wrong. They would only have to make the source available if they were to make the software available. But if it's classified they won't, so the issue is moot. Contrary to the author's nonsense, the GPL doesn't compel anyone to make their creations public. It only forces them to provide sources if they should choose to make them public.

Then of course there's this Internet distribution thing, which puts us all at terrible risk:

"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

We're supposed to imagine a government bureau or a Fortune 500 company downloading kernel patches from some Tuxerz-R-Us board and installing them on critical systems. The author makes a similar appeal to improbability when he warns us that open-source systems don't have adequate tech support.

"Open source products are often distributed without manuals, instructions or technical information. While a commercial developer is obligated to produce manuals, diagrams and information detailing the functionality of their products, open source programmers are not. In addition, open source developers cannot be expected to create software manuals with the vigor of private firms that are obligated to produce them."

First off, closed-source products are just as often distributed in precisely this manner. Second, your major government bureaux and corporations are going to go through a major distributor or they're going to hire a qualified staff to build what they need. Either way, technical support will be there. There's no need to lie about this, unless you're getting paid to lie about it.

In our original story we mentioned that the Alexis de Tocqueville Institution takes money from Microsoft, but we couldn't say whether or not the company actually sponsored this report. We still don't know; but if style and FUD are any guide, and we were to venture a guess, we'd say this one's got "Redmond" written all over it. ®

Update

Since we ran this story the .pdf file linked below on the ADTI Web site has been changed. It now leads to a small .pdf file which simply says the paper will be restored by the close of business on 10 June (5:00 pm EST). Perhaps it's being revised. If that's the case, we'll let you know of any significant changes tomorrow.

Related Story

Open source invites terrorism - study

Related Link

Download the paper here

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Entity Framework goes 'code first' as Microsoft pulls visual design tool
Visual Studio database diagramming's out the window
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.