Feeds

MS-funded think tank propagates open-source lies

Catastrophe in the making

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Updated A Washington think tank called the Alexis de Tocqueville Institution has released its anticipated study of the dangers of open-source software. Much to our disappointment, the organization's press release, which last week promised that the study would explain in gory detail how open-source software will foster international terrorism, turns out to have been a tissue of headline-pimping lies.

Indeed, the paper never mentions terrorism at all. Instead, it overflows with the usual half-truth drivel about the economic dangers of the GPL which one can find re-hashed regularly on the Microsoft 'Press Pass' PR site and the editorial pages of ZD-Net News. More than half the paper is an enumeration of the Crimes against Commerce of Richard Stallman.

As for system security, the paper allows that having the source code to a well-secured OS or application is little help to an attacker, just as knowing the layout of Fort Knox isn't going to help you sneak in and empty the joint. But it tries to persuade us that not having the source code means we're all safe from hackers.

"If you open the blueprints for every aspect of it to the world your adversary can reconstruct a test lab in which he can create tools he may need," the paper quotes one consultant as saying. But what's not said is that one can just as easily construct a 'test lab' for a closed-source product and torture it in a thousand ways to find exploitable points of failure. Indeed, this is how the myriad holes in Microsoft's closed-source products have been found.

Additionally, the paper never mentions the vast difference in patch turnaround time between the open source and proprietary software vendors. It never mentions that proprietary vendors can conceal security flaws and leave their customers vulnerable until some bright empiricist finds one of them and blows the whistle. It never mentions that the most significant holes, worms and viruses affect only Microsoft products. If these hypocrites want to focus on economic impact, then let's hear some numbers on the costs associated with security stuff-ups. Linux has a small market share in most areas, but since most of the Web is running Apache, a comparison with IIS over Windows of time spent struggling to sort out security issues, costs from lost data, and so on should tell us a great deal about which is cheaper, and safer, to run.

For some more FUD, the author suggests that if the DoD were to use any GPL'd code in a classified software project, they'd have to publish the source code for all to see. I'm afraid that's wrong. They would only have to make the source available if they were to make the software available. But if it's classified they won't, so the issue is moot. Contrary to the author's nonsense, the GPL doesn't compel anyone to make their creations public. It only forces them to provide sources if they should choose to make them public.

Then of course there's this Internet distribution thing, which puts us all at terrible risk:

"Another security concern is that the primary distribution channel for GPL open source is the Internet. As opposed to proprietary vendors, open source is freely downloaded. However, software in the public domain could contain a critical problem, a backdoor or worse, a dangerous virus."

We're supposed to imagine a government bureau or a Fortune 500 company downloading kernel patches from some Tuxerz-R-Us board and installing them on critical systems. The author makes a similar appeal to improbability when he warns us that open-source systems don't have adequate tech support.

"Open source products are often distributed without manuals, instructions or technical information. While a commercial developer is obligated to produce manuals, diagrams and information detailing the functionality of their products, open source programmers are not. In addition, open source developers cannot be expected to create software manuals with the vigor of private firms that are obligated to produce them."

First off, closed-source products are just as often distributed in precisely this manner. Second, your major government bureaux and corporations are going to go through a major distributor or they're going to hire a qualified staff to build what they need. Either way, technical support will be there. There's no need to lie about this, unless you're getting paid to lie about it.

In our original story we mentioned that the Alexis de Tocqueville Institution takes money from Microsoft, but we couldn't say whether or not the company actually sponsored this report. We still don't know; but if style and FUD are any guide, and we were to venture a guess, we'd say this one's got "Redmond" written all over it. ®

Update

Since we ran this story the .pdf file linked below on the ADTI Web site has been changed. It now leads to a small .pdf file which simply says the paper will be restored by the close of business on 10 June (5:00 pm EST). Perhaps it's being revised. If that's the case, we'll let you know of any significant changes tomorrow.

Related Story

Open source invites terrorism - study

Related Link

Download the paper here

Intelligent flash storage arrays

More from The Register

next story
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
SLURP! Flick your TONGUE around our LOLLIPOP – Google
Android 5 is coming – IF you're lucky enough to have the right gadget
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Nexus 7 fandroids tell of salty taste after sucking on Google's Lollipop
Web giant looking into why version 5.0 of Android is crippling older slabs
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.