You don’t have to be a sage to realize that if the open source model can be used to build great software, it can also be used to destroy great software.
Sage, an advertorial publication recently launched by McAfee Inc., kicked off with a cover story about the price enterprises will pay for the open source advantage. It points out the way in which botnets, for example, are being created not by lone hackers or malware authors but by groups that use the same approach as that which led to Linux and JBoss. Malware is no longer an outside threat that comes from nowhere and strikes at will. It is a project, one that is managed and contributed to just as we would expect open source community members to add their own code and expertise to something on Sourceforge.
Perhaps wisely, McAfee stopped short of calling open source dangerous in and of itself. As a development strategy, however, it can be co-opted for malicious purposes just as a spammer finds ways to capitalize on emerging technologies such as instant messaging and blogs. Open source simply amplifies the potential vulnerabilities organizations face from viruses, bugs and phishing schemes. Which, of course, is great news for companies such as McAfee. Why wouldn’t they want to make their own headlines about it?
The problem lies in the last paragraph of the article, which I’ll quote in full. “In light of the ways malefactors use open source, perhaps the time has come to re-evaluate long-standing beliefs about full disclosure and absolute adherence to the open-source creed,” Sage says. “Similarly, the security community may need to revise its traditional strategy of containing threats by controlling and restricting information, as it tries to compete with an open-source malware community that is becoming better organized, better funded, and more effective than ever.”
This is a little rich, for a couple of reasons. For one, McAfee is not the company that needs to remind the security industry about the right time and place to control and restrict information. It was McAfee, after all, that fixed a flaw in its ePolicy Orchesterator product back in February, a design problem that reportedly lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. The update that fixed this issue was described as a feature enhancement, but it took some time for McAfee to finally get around to telling the customers that might not have bothered to install it that it was actually critical to protecting their data.
As for full disclosure – the practice of sending samples of malicious code from researcher to researcher – it is hard to imagine how anyone other than security firms such as McAfee and Symantec could benefit from restricting it.
These companies employ some of the world’s finest engineers to deconstruct malicious code and come up with ways to ward it off. It’s only natural that non-profit organizations and researchers, whose work could benefit the entire industry and not a set of shareholders, should be able to do the same thing.
Sage does not necessarily issue a call to action against open source, or even on full disclosure. It’s raising questions, which is fair enough.
The answer it needs to hear – as do those with similar concerns – is that there is no distinction between the security community and the open source community. Malware will continue to spring from a mixture of proprietary and open source areas. Bringing those same worlds closer together to fight it off together may be the most sagacious thing we could do.
Shane Schick is the editor of ITBusiness.ca.
sschick@itbusiness.ca