Presidential Ramblings


Issue 0.6

November 2002


Last month I promised our esteemed editor and past president that I would not advocate legislation for some indeterminate length of time, so I'll try to find something less controversial. How about software security? Please read to the end before you light your email flamethrowers.

Microsoft security versus Open Source and the press

Over the past few months there have been a number of articles in magazines and trade journals that have dared to compare Open Source software to the equivalent Microsoft products. Who won, you ask? Assuming you can extract your tongue from your cheek, it was not as much in favor of the open source projects as you might think. There are many reasons, some of which are not obvious. To my mind a security hole is a bug, so I will simply talk about bugs, but you can think security vulnerabilities--"holes", in the popular vernacular--if you wish.

First let's understand that no significant software project is perfect--especially when it is first released. This has been shown time and again in all sorts of situations, including the software I write. I'm quite familiar with this problem since, try as I might, I can code bugs as well as the next guy. The point is that open source software has bugs just like any other software, such as products from Microsoft. Now, open source projects do not have stockholders or sales goals like Microsoft, so they are less likely to push a new version out the door before they think it's ready. This is a very important difference that should make open source software less buggy.

Open source advocates cite several advantages inherent in the very fact that the source code is available. The one I hear most often is that people other than the developers can inspect the code and from this inspection can find bugs and report them (but hopefully not exploit them). Believe it or not, there are actually a significant number of people capable of doing this! They can even attempt to fix the bugs if they have the skills. Of course there are other ways to find bugs. We all participate in the method where we actually use the software! Unfortunately, this is how most bugs are found, like the problem I've been having with Microsoft Word 2002. It hangs when adding or changing numbers or bullets in a list, but only sometimes. With software this complex, it's easy to assume the problem is our installation rather than the software itself. Without extensive testing, how would you know? Now this same principle applies to Linux and other open source software such as Apache, OpenSSL, Secure Shell, and even Sendmail, where bugs were recently found and reported to the developers. As far as I know, patches to correct all of the reported security bugs were available within days of the initial report. So everything is fixed and we're all safe, right? Not quite so fast, as we'll see in a minute.

The response of open source teams to security problems is generally much faster than Microsoft's. This is admirable and more often than not puts Microsoft to shame. The problem is that the patch must be applied to all the machines running the software. Microsoft runs a web site specifically to distribute patches and updates to Windows. If you are running Windows 98 or newer, you can configure your machine to automatically look for updates whenever you connect to the Internet. This service is free (so far) and can go a long way toward making your machine more resistant to security problems. Please note that I did not say immune. You still need anti-virus software and some form of personal firewall if you have a high-speed Internet connection.

On the open source side, there is no equivalent facility to keep a Linux machine up to date with patches. If you have Red Hat Linux, the Red Hat Network will scan the software installed on one machine and send you emails when the major packages are updated, but this only works with Red Hat and is not free (last time I looked) when you have more than one machine, a common situation these days. I am not aware of any similar facility for other Linux distributions. But let's assume that you are notified somehow (email lists, newsgroups, personal diligence) that your version of some software needs a patch. How do you get it? When first released, these patches are source code that is merged into the source code available for the package (open source, remember?). How many non-guru Linux users know how to download source code, compile it and install the result? I've tried this several times with small programs without any success. OK, let's say the patch is available as a new binary (i.e., already compiled and ready to run); how easy is it to download and install the new version without screwing up the existing installation? Linux and other open source software need to be much easier to install, configure and update.

Which brings me to my last point: when there is a problem with open source software, who does the press call to get information? Still wondering? Well, so am I. When there is a problem with Windows, they call Microsoft--or any pundit. When a problem was found in one of the key GNU libraries (in this case, a library is the Linux equivalent of a DLL) included with almost all Linux distributions, it received only token attention in the press even though it allowed security problems in several critical parts of a Linux web server. Why? Well, who was to blame? The typical television reporter barely understands television, let alone computers running open source software. How do they prepare a story? Who can they interview? Even if they really dig, how many people will stay tuned for an interview with some Linux hacker (in the true, good sense of the term) who really understands the problem and its implications? That massive click you heard was a million people changing channels at the same moment. A problem in any Microsoft product is news; open source problems are a yawn.

So it's no wonder the popular perception is that Microsoft security or Microsoft quality are oxymorons. Now I asked that you read to the end before you fire up your flamethrower, and I appreciate that you got this far. I use Linux and I'm struggling to learn to make it work the way it's supposed to--securely. Regardless of the quality of Microsoft products, the server products are too expensive for most of my clients. While open source software looks awfully good on the price list, just installing Linux is a non-trivial task that needs to be much easier. Then, and this is even more important, it needs to be easier and less technically daunting to keep a Linux machine up to date. Now, if you still want to light fires in my email inbox, come to the next meeting of the Server SIG instead!

Jim Scheef
dacsprez@dacs.org
