


Purchase the AdTI white paper, Opening the Open Source Debate



Cyber Security
Think Tank Blasts Security Of Open-Source Software
by Drew Clark
Tech Daily
June 13, 2002

A conservative think tank on Monday issued a report arguing that "open source" software is intrinsically vulnerable to hackers and other security weaknesses, a conclusion that users of the open-source Linux system say is the reverse of the truth.

In "Opening the Open Source Debate," the Alexis de Tocqueville Institution (ADTI) largely targets the General Public License (GPL) that forms the backbone of the GNU/Linux operating system, the full name of one of the most popular software programs created under the collaborative principles of free software. GNU stands for "GNU's Not Unix."

The report, written by ADTI President Ken Brown, also criticizes GPL as incompatible with commercial software development and argues that it would represent a "radical change" to existing models. "Open source can coexist with the status quo, but GPL cannot coexist with traditional open source or proprietary source code," Brown wrote.

GPL has become a particular lightning rod for controversy since Microsoft singled it out for criticism. Some argue that the software company is increasingly threatened by the visibility and market share of Linux, which is often distributed for free. Craig Mundie, Microsoft's senior vice president of advanced strategies, in May 2001 launched an assault on GPL even as he praised other open-source licenses, arguing that companies that work with such software are jeopardizing their intellectual property rights.

The focus of the ADTI report suggests that Linux's open-source nature -- or the ability for anyone to inspect the details of its software code -- raises security concerns.

The report said: "If the Federal Aviation Administration [FAA] were to develop an application to control 747 flight patterns from a widely distributed GPL open-source code, security questions would include: Would it be prudent for the FAA to use software that thousands of unknown programmers have intimate knowledge for something that has been actively targeted? Could the FAA be sure that intimate knowledge of this software is not being shared with the wrong parties? Would widespread awareness that software the FAA chose to use originated in the public domain hasten an invitation to hackers?"

But Linux defenders claim that there are easy answers to those questions. In particular, they say there is no obligation for government or any other users of Linux to publicly release security enhancements they make to the software. Rather, the license only requires open inspection if software is redistributed.

"The National Security Agency has a security-enhanced version of Linux," said Tony Stanco, senior policy analyst at George Washington University's Cyberspace Policy Institute. "If they use Linux as a base, any further enhancements don't have to be shared with anyone."

Stanco, whose group actively promotes the adoption of open-source software by government agencies, argued further that "banning open source would have a negative impact on security in government and in the [Defense Department] in particular because it already relies on open source for security."

Indeed, two recent reports by the Mitre Corp. argue that open-source software provides agencies significant security and cost advantages over commercial software.
