July 17, 2006

McAfee's new security journal: Sage is not sage

Author: Joe Barr

Commentary: The first issue of Sage, a new security journal published by McAfee's Avert Labs, appears today and is available for download as a PDF from the McAfee Web site. Dave Marcus, Security Research and Communications Manager for McAfee's Avert Labs, briefed NewsForge on the publication's launch, goals, and the content of the initial issue last week. In that briefing, Marcus admitted there were some "controversial" opinions contained in the inaugural issue, but said they were not attempts to create FUD about open source. I've since had a chance to review the first issue and have my own opinion about that.

Three things are made clear in the first issue: First, there is a financial motivation to today's malware, which should be obvious already. Second, McAfee Avert Labs thinks full disclosure is a bad idea. Finally, and unfortunately, the Sage editorial staff feels it is okay to conflate open source software development with the security problems that plague the world of proprietary software.

How can they do that? Well, by redefining the meaning of open source, for one thing. In the Editor's Note at the front of the issue, Kevin J. Soo Hoo explains his take on open source:

In this issue, we examine the darker side of open source. By open source, we refer to the free and unconditional sharing of source code and ideas. We look at how the social norms and tools of the open-source movement have been usurped by the malware-writing community and applied to the development of ever-more dangerous and virulent creations.

Sounds a bit like Humpty Dumpty, to me. Remember the famous line from "Through the Looking Glass" by Lewis Carroll? Humpty Dumpty tells Alice, "When I use a word, it means what I choose it to mean." Kevin J. Soo Hoo claims the same privilege by redefining open source.

But it is a useful literary technique. At least it is if your goal is to vilify open source in order to create a straw man to set upon, rather than face the core issues at the heart of the plethora of plagues which visit ordinary computer users around the globe. Especially if said condition creates and perpetuates the very reason for your existence.

I am not hammering on a minor point, an inconsequential observation. The redefinition of the term allows the Sage editors to say things like:

Belief in the open source philosophy approaches an almost religious zeal in its most ardent proponents. However, like any powerful tool, open source can also be used for malicious purposes, particularly in security. Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open sharing of information -- especially in the realm of computer and network security, where the desirable degree of openness in the sharing of vulnerability and threat information and the role of open source in the production of malware are significant points of contention.

Under that editorial umbrella, writers like Michael Davis are free to assert that the key differences between traditional and open source development include:

  • Features are specified and decided by the same people writing the code
  • Contributors choose the features or bugs they want to fix. No work is assigned by a manager
  • No direct roles are assigned to contributors. No one is necessarily dedicated to quality assurance or a certain area of the code base
  • No project plan, milestones, or deliverables are set. Releases are ad hoc and normally initiated by new features and bug fixes

While some items in the list above are true for some open source projects, none of them are universally true for open source or free software. IBM, Oracle, Hewlett-Packard, and many other global IT firms pay and manage developers who produce open source code for projects such as Apache, the Linux kernel, and journaling file systems, using traditional management techniques for planning, architecture, design, and test. Some projects, such as GNOME, adopt traditional management techniques and set release milestones on their own. Davis either doesn't know enough about open source projects to be discussing the topic, or he's deliberately painting open source as amateurish. You decide.

Marcus explained in the briefing last week that while some things in Sage might invite controversy or criticism, a more careful reading of the text would reveal that Sage was not actually spreading FUD. One of the things he may have been referring to is the inflammatory titles and secondary titles used throughout the issue.

The cover page, for example, includes the phrase "Paying a price for the open-source advantage." The secondary title to an article called "Money Changes Everything" is "Malware authors leverage open-source model for profit." Another story is called "Open-Source Software in Windows Rootkits," and another asks "Is Open Source Really So Open?" The title of the final piece is "Will the Worm kill Apple?"

One thing -- perhaps the only thing -- I believe that Sage has gotten right is that open source methodology has improved both the quality and the time-to-market metrics for malware, just as it has for traditional software applications.

If you are a typical Windows user, un- or ill-informed about what free software and open source are all about, you'll probably lap up Sage because its deceptions go right over your head and it allows you to feel warm and fuzzy about using proprietary software like Windows and McAfee products instead of that evil open source, or even the hybrid evil of Mac OS X. I'm sure the Windows trade press and Microsoft's public relations folks will like it, too. Watch for selective quotes from Sage appearing on Microsoft.com or in Microsoft ads in the near future.

But if you are knowledgeable about open source software, or about the debate over full disclosure in the world of computer security, you'll find Sage one-sided and lacking in substance. Open source is the least of Microsoft's security problems. McAfee's business model depends upon that teeming cesspool of insecurity, however, so it shies away from the real issues and fundamental causes. McAfee wants to address those issues in the same way the pharmaceutical firms want to see the threat of AIDS disappear.

In this first issue, Sage goes beyond simple disingenuousness and attempts to frame open source as the fall guy for all the ills wrought by malware. Glib? Certainly. Superficial? Beyond question. Sage? No.
