Alexis de Tocqueville Serves Up a Red Herring
Richard Forno, 2002-06-19

Invoking "terrorism" and "national security" is a shameful attempt to use fear, uncertainty, and doubt to push Microsoft's monopolistic agenda.

Recently, the Alexis de Tocqueville Institution (ADTI) released a report entitled Opening the Open Source Debate, which condemns open source software. While the ADTI may be a little-known research firm, the white paper created quite a stir in the Internet community. This was due in part to the fact that the document was heralded by a panicky ADTI press release entitled Open Source Software May Offer Target for Terrorists. According to the announcement, "terrorists trying to hack or disrupt U.S. computer networks might find it easier if the federal government attempts to switch to 'open source' as some groups propose." The press release concludes with the Chairman of ADTI stating: "Before the Pentagon and other federal agencies make uninformed decision to alter the very foundation of computer security, they should study the potential consequences carefully."

Naturally, as a security professional, I took an interest in this report. I was curious to see what was so evil about open source software that it would place the United States at significant risk of future terror attacks, particularly since I believe open source to be more of an asset to our national security than a liability. Contrary to the promise of the press release, the actual document says very little about the role of open source software in the fight against terrorism. It does, however, do a magnificent job as a thirty-three page marketing brochure extolling the business value of closed-source, proprietary software. The ADTI white paper does portray open source software as a potential danger, but only in terms of economic, legal, and market considerations, not in terms of national security. So we have a document that seems to need a misleading press release in order to gain attention. While irksome, this alone would hardly justify devoting an entire column to it.

After all, to get noticed in today's marketplace, one need only mention the words "terrorist" and "national security" to win an instant audience. Perhaps ADTI's press release was just a nifty bit of marketing. Unfortunately, the holes in the paper's credibility do not end there. The conclusions of the ADTI document run directly against the prevailing view of the security community, which holds open source to be considerably more secure than proprietary code (although admittedly, this debate is destined to go on ad infinitum). The white paper also runs contrary to a July 2001 MITRE paper, drafted for the Pentagon, which examines "the applicability of Linux to the military business case...and provides considerations for military Program Managers." The MITRE report gives valid reasons both FOR and AGAINST open source, and presents a balanced, objective, and mature assessment, something the ADTI document does not. Furthermore, John Gilligan, the US Air Force CIO, said in a March 2002 interview that "coding errors in commercially developed software account for roughly 80% of successful system intrusions...and that the overall life-cycle cost and vulnerability [of Microsoft products] may cause us to look at other products....it's not an economic security issue anymore, it's a national security one." In a September 2001 Washington Post article discussing the Nimda and Code Red incidents (both arising from flaws in closed-source software from Microsoft), David Molchany, the Fairfax County, VA CIO, said that "Peer-reviewed, open-source software has shown itself to be far less susceptible to these sorts of attacks...it is also cheaper to install and maintain." Remember also that Microsoft executive Jim Allchin admitted in his courtroom testimony that Microsoft code was so flawed that disclosing it would endanger national security.
In its rush to weave together any number of reasons why open source is evil, dangerous, and to be avoided at all costs, the ADTI document conveniently fails to acknowledge today's grim reality: a computing environment in which closed-source, proprietary software is the technical cause of nearly all major IT security incidents. Perhaps that explains why the institute, despite its claims regarding the danger of open source, uses the free Apache program to run its corporate Web server.

Follow the Money...

Certainly a questionable conclusion is no reason to vilify a white paper, or to demonize the otherwise innocuous think tank that produced it, right? So why has this document so clearly raised my ire? Well, as Deep Throat told Woodward and Bernstein during the Watergate investigation: "Follow the money." Shortly after the ADTI paper was released, Wired News, concerned that "the white paper is actually a veiled Microsoft response to recent reports of rising government and military interest in open source systems," ran an article on the relationship between Microsoft and ADTI. In the article, "a Microsoft spokesman confirmed that Microsoft provides funding to the Alexis de Tocqueville Institution"; however, neither the company nor ADTI would discuss specific details despite repeated press enquiries. Rumours abound on the Net about the alleged level of Microsoft's involvement in this report, especially given how closely the ADTI document parallels Microsoft's stated business case and its well-known (not to mention well-founded) fear of open source software. If indeed the ADTI document was a Microsoft-funded project, it is sad that the profiteering interests of one company seeking to maintain its market dominance and avoid legal penalties are wrapped up in a "national security and the American flag" format to generate sympathy for its business practices, some of which were found to be unlawful in federal court.

If this is the case, it would represent a pathetic attempt by Microsoft to deny the threat that open source software poses to its business. In reality, around the world, an increasing number of governments and companies are exploring open source alternatives to the Redmond menace. For instance, Wired reports that "Linux is now proliferating on powerful government computer systems in the United States and abroad, with technology giants increasingly providing support." Further, according to an IDG.net story, "Some countries, such as Germany, have decided to replace Windows and other commercial software products with open source applications." Naturally, large purveyors of closed-source software have a huge vested interest in preventing this from happening. If such a mass exodus goes unchallenged, those companies would certainly take a dive both in their profits and in their ability to influence (or dictate) technology standards for the majority of computer users. Obviously, this poses an enormous threat to Microsoft's current hegemony, something its shareholders cannot be happy about.

We Need to Pull Our Heads Out of the Sand

If nothing else, September 11 should have served as a wake-up call. Profits and market share should not drive security planning or be the foundation of national policies and laws. If we are ever going to develop an effective computer security mindset, we need to stop placing the blame on hackers, crackers, terrorists, or bands of 'rogue programmers' such as the open source community, and start looking within. We need more corporate and government leaders around the world to assess and challenge the true costs and benefits of closed-source software. Are we throwing good money after bad by addressing constantly repeating problems with closed-source products? If so, what is our actual return on investment in such products? Is it an asset? Or is it a risk to our companies and our nation? Is there a more secure solution?

The true value of open source software lies not in its ability to make a profit, but in its transparency, ease of customization, stability, security, and ability to empower users to take control rather than ensnare them in proprietary code and standards. These features make open source software a strong candidate for trustworthy mission-critical services in government and private sector use, and they should be explored fully and objectively. More importantly, we need to look at our commitment to developing a security architecture that really works, using the best products, discussions, laws, and planning available, and to recognize fear-mongering and sensationalism, like this ADTI document, for what it is, and ignore it accordingly.

Further Reading:

An Excellent Analysis of the ADTI Report, by David Skoll, Roaring Penguin
The Freedom to Innovate Includes The Freedom to Obfuscate: Why Microsoft's New "Security Framework" is Just Another .NET Vulnerability, by Rick Forno


Richard Forno is the coauthor of Incident Response (O'Reilly) and The Art of Information Warfare (Universal). He helped to establish the first incident response team for the U.S. House of Representatives, and is the former Chief Security Officer at Network Solutions. Richard is currently writing and consulting in the Washington, DC area.


 

Copyright 2010, SecurityFocus