February 12, 2004

Refuting the FUD at DevX.com

Author: Joe Barr

A. Russell Jones, the executive editor at DevX.com, has written and published one of the most egregious examples of anti-open source FUD I've seen in a long time. FUD, by the way, stands for "Fear, Uncertainty, and Doubt." The term was coined to describe IBM's sales tactics in the bad old days of the mainframe, but Microsoft elevated FUD to an art form when Redmond felt threatened by OS/2. FUD is designed to raise false fears about a competing product in the minds of customers who might be considering a switch.

Jones's piece serves as an elegant example of the craft. It is glaringly, blatantly, and indisputably meant to sour his readers on free and open source software. I don't blame Jones for being alarmed by the trend away from proprietary software; after all, it puts his means of livelihood at risk. But I do take exception to his false premises and to the false conclusions he reaches from them.

Jones begins his proprietary propaganda piece with this jewel: "An old adage that governments would be well-served to heed is: 'You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get.'"

NewsForge readers are not likely to be fooled by that opening. They know that the free in free software is about speech, not beer. But Jones is not writing to NewsForge readers. He is writing to developers who produce code for the monopoly platform. His false assertion that the value of free software is zero, or that, judged by its price, it is worth less than the latest over-priced and over-hyped edition of Windows, is not as likely to be noticed by his target audience.

Nor are they as likely to note the falseness of his second major tenet, which he claims is responsible for open source being a "fertile ground for foul play." Jones says, "This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source."

Again, anyone with even a rudimentary knowledge of how open source development actually works won't be fooled by that idiocy. But will Windows developers, and their pointy-haired managers (PHMs), know any better? Whether Jones glosses over the improved reliability and security that come from the "many eyes" nature of open source on purpose or through ignorance is hard to say, but gloss over it and casually marginalize it he does.

Jones makes it sound as if a single developer can magically poison an open source project simply because he can see the code and, if he likes, compile it, as if every change made anywhere by anyone were automatically made to the project itself. Being able to read and modify your own copy of the source is not the same as being able to change what the project ships.

Nowhere, for example, does he describe the attention given to contributions to the Linux kernel, attention that comes in waves: first from the maintainers of the subsystem in question, then from one of the small number of trusted lieutenants of Torvalds, and finally from Torvalds himself.

Nor does Jones mention last year's attempt by a still-unidentified attacker to insert a "back door" into the Linux kernel.

If Jones were aware of that effort, it would have been a tough call for him to decide whether to include it. On the one hand, it would seem to lend support to his thesis; on the other, it was the open source process itself that revealed the plot and prevented it from succeeding. The change was planted directly in the public CVS mirror of the kernel source, bypassing the review path described above, and the discrepancy between the mirror and the real tree was caught promptly, before the code reached any release.
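What "inserting a back door" looked like in that case, as an added illustration that is not code from this article or from the kernel: the 2003 change added an apparent error check to the wait4 system call in which the comparison against uid 0 was written as an assignment, so the check never fires but the calling process silently becomes root. The program below models that shape in user space. The names (task_t, fake_wait4_clean, fake_wait4_backdoored, the flag constants) are invented for the example, and the second function deliberately keeps the bug so the two can be compared.

```c
/*
 * Added illustration, not code from the article or from the Linux kernel.
 * Models, in user space, the shape of the two-line change slipped into the
 * CVS mirror of kernel/exit.c (sys_wait4) in November 2003: an "error
 * check" whose comparison against root was written as an assignment.
 * task_t, fake_wait4_*, the flag values and EINVAL_CODE are invented here.
 */
#include <stdio.h>

#define WCLONE_FLAG 0x80000000u   /* stand-ins for __WCLONE and __WALL */
#define WALL_FLAG   0x40000000u
#define EINVAL_CODE 22

typedef struct {
    unsigned int uid;             /* 0 means root */
} task_t;

/* Honest version: rejects the option combination for root and touches nothing. */
int fake_wait4_clean(unsigned int options, task_t *current)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0))
        return -EINVAL_CODE;
    return 0;
}

/*
 * Backdoored version: one '=' is missing. `current->uid = 0` evaluates to 0,
 * so the branch is never taken and the call looks like a no-op, but any
 * caller passing exactly WCLONE|WALL has just had its uid set to root.
 * The extra parentheses around the assignment are what keep gcc -Wall
 * from printing "suggest parentheses around assignment used as truth value".
 */
int fake_wait4_backdoored(unsigned int options, task_t *current)
{
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0))
        return -EINVAL_CODE;
    return 0;
}

/* Returns the uid a caller ends up with after one call of the given version. */
unsigned int uid_after(int (*fn)(unsigned int, task_t *),
                       unsigned int options, unsigned int start_uid)
{
    task_t t = { start_uid };
    fn(options, &t);
    return t.uid;
}

/*
 * Differential check: run both versions on the same input and compare
 * return value and side effect. Returns 1 if they disagree. They agree on
 * every input except the trigger combination, which is why behavioral
 * testing would not have found this and the text of the diff had to be read.
 */
int differ_on(unsigned int options, unsigned int start_uid)
{
    task_t a = { start_uid }, b = { start_uid };
    int ra = fake_wait4_clean(options, &a);
    int rb = fake_wait4_backdoored(options, &b);
    return (ra != rb) || (a.uid != b.uid);
}

int main(void)
{
    printf("uid after backdoored call with trigger options: %u\n",
           uid_after(fake_wait4_backdoored, WCLONE_FLAG | WALL_FLAG, 1000));
    printf("differ on benign options:  %d\n", differ_on(0, 1000));
    printf("differ on trigger options: %d\n",
           differ_on(WCLONE_FLAG | WALL_FLAG, 1000));
    return 0;
}
```

Compile it with gcc -Wall and note that the backdoored function draws no warning: wrapping an assignment in its own parentheses is the accepted way of telling the compiler the assignment is intentional, which is exactly why the kernel's review chain depends on people reading every line of a diff rather than on the compiler or the test suite flagging it.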

His most fanciful "scenario," with which he hopes to paint security as a hopeless cause in the open source world, involves a "bad apple" in a government shop running Linux who uses the fact that it is an open source platform to concoct a booby-trapped version of Linux and distribute it organization-wide. No, really. He wrote that. Here is the scenario in his words:

Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself; the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

The fact that a skilled developer with the necessary access could do exactly the same sort of thing in a proprietary shop seems to have escaped Jones completely. An insider who controls an organization's standard build is an insider threat whatever the license on the code says, and the defense is the same in either world: obtain the software from upstream, verify it against upstream's published signatures, and compare what is deployed with what upstream ships. Only with open source can that comparison be made on the source itself.

On the Windows platform in particular, it isn't even necessary to be an insider with the necessary permissions in order to insert a back door or create Trojan systems. Just ask the Cult of the Dead Cow: their Back Orifice tools have been planting remote-control back doors on Windows machines since 1998, and no Windows source code was needed to write them. It's not hard at all to argue that the spectre Jones is trying to sell here is more likely in a proprietary world than in the world of open source.

Later in the article, Jones partially backtracks from some of his earlier assertions. He even goes so far as to admit that vulnerabilities also exist in proprietary code. But his conclusion is still that governments adopting open source to save money are making a huge mistake, because doing so "will cost those same governments (and ultimately you), huge amounts of money."

Finally, Jones also suffers from bad timing. On the day his FUD piece appeared, Microsoft announced a patch for what was being called the most critical security hole in Windows of all time (the ASN.1 library flaw covered by security bulletin MS04-007), and it came out that Microsoft had known of the hole for six months without telling the customers exposed by it.

As I pointed out to Jones in an email, a silent six-month delay of that kind could not happen with open source and free software, no matter how politically inconvenient it might be to announce such a huge vulnerability while corporate leaders are jawboning about a new security initiative: the fix is public the moment it is committed, so there is no way to patch quietly.
