I recently read the opinion piece written by A. Russell Jones entitled "Open Source Is Fertile Ground for Foul Play
." This piece is just the type of Fear Uncertainty and Doubt (FUD) that I would expect to see from a journalistic institution that caters to corporate developers. Without actually presenting any evidence, open source developers are accused of producing malicious code. As a one-time corporate developer turned open source programmer, I felt incensed at the insinuation that corporate developers are somehow more principled than their open source counterparts, and so, felt that I should put into words some of my impressions regarding the article.
Mr. Jones' fears regarding back door programs are rightly justified. In fact, users of any software, be it closed or open source, should be concerned about such things. Just look at the number of "spy-ware" programs that are found in the wild. Many corporations are using such programs to gather information on their end users, including a certain operating systems company based in Redmond, WA. Often they justify this intrusion into our private lives by saying that it allows them to determine what end users want in their software. They claim that the data gathered by this software is only for demographic purposes and that individual data is not saved, but the fact of the matter is, it is transmitted somewhere. Those transmissions may be intercepted and used in a malicious manner, and no guarantees are given that the companies aggregating the data won't use them for other purposes at a later date.
|If the government should be concerned about people in the open source community putting malicious code in programs, they should be doubly concerned about companies that outsource their closed source development to other nations.|
I personally feel that the risk of backdoors and spyware code is much greater in closed source programs than in open source programs. When I purchase a closed source program, I have no way of verifying what the program is doing behind the scenes. My trust in the software completely rests on my belief that the company that produced it is acting in an ethical and safe manner. Sometimes that trust is misplaced. I have seen developers put back doors in to simplify development/debugging. I have heard of developers putting backdoors into software with malicious intent. Sometimes these are reported to their supervisors, sometimes not. And sometimes, they don't get removed, whether that be by oversight or by intent. These back doors, malignant or benign are difficult to discover because closed source companies are reluctant to allow people access to their intellectual property. Doing so usually involves getting a court order, or signing a prohibitive non-disclosure agreement, which limits the rights of the entities gaining access to the code to be able to do anything about what they see.
However, in open source software, full disclosure is the name of the game. Most open source projects track exactly who was responsible for each update to the software. It is usually easily verifiable, and the source code is available for perusal. Additionally, if security holes exist in open source software and are found, they are often fixed in a matter of days (depending on the severity and complexity of the issue). Compare that to weeks or even months in the closed source world.
One concern that Mr. Jones neglects is the fact that many companies are outsourcing their development to countries outside the U.S. Admittedly, this is also a concern for open source software, since many developers of said software reside outside the U.S. However, this is mitigated somewhat by the "many eyes" theory of software security. In the open source community, it is often easy to identify who was responsible for modifying the code for a particular piece of software. But, if the government should be concerned about people in the open source community putting malicious code in programs, they should be doubly concerned about companies that outsource their closed source development to other nations. Currently there is no regulation in place for companies disclosing where closed source software is actually developed when the government (or anyone else for that matter) purchases the software.
Mr. Jones for the most part gave a very reasoned explanation of some of the issues that the government should be aware of, but I disagree with his conclusion, that open source software is somehow more of a risk than closed source software. There are risks in both. However, I feel that the risks associated with open source software are more easily mitigated than those with closed source.
Mr. Jones concludes by attempting to downplay the methods that are used to mitigate risks involved in using open source software. Mr. Jones states in his final section "You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves." This is not necessarily true. While many people choose to trust the layers of security in open source software, this choice is not forced on them. In contrast, the layers of security in closed source software are hidden from the consumer. In fact, even the depth of those layers is not disclosed.
Mr. Jones uses the question "Who will watch the watchers?" to conclude his article, and I would like to answer it. With open source software, the answer could be you, or me, or anyone for that matter. What is done in open source software is done in the open. The watchers cannot hide their actions. With closed source software, sadly, the answer is often no one.