Open Source

How open-source software could save your life

As software becomes a vital part of our lives, does the open-source ethos give us a better chance of making it safer?

Karen Sandler's heart condition means she lives with what she describes as a "very high risk of suddenly dying".

Because of the danger her abnormally large heart could suffer a cardiac arrest she has been fitted with a combined pacemaker-defibrillator.

Encoded in this parcel of electronics are instructions for when to deliver a shock to correct potentially-fatal irregularities in her heart beat.

Unfortunately for Sandler these instructions turned out to be wrong. Last year, while pregnant, Sandler was twice needlessly electrocuted by the unit.

Faulty assumptions were to blame: it's so unusual for a woman carrying a child to be implanted with the device - her condition, hypertrophic cardiomyopathy, affects about one in 500 people - that when her heart rate fluctuated in a manner consistent with a pregnant woman it triggered software in the unit to fire off a burst of volts.

"That was outside of what was anticipated by the algorithms programmed in these devices," she said, explaining the unit is far more commonly implanted in older men.

Karen Sandler "It really brings home the fact that if you don't have control over the software that you rely on it can be really problematic."
Image: SFC

For Sandler, the mistaken suppositions coded into the device are a reminder of how important it is for software to be transparent.

"I've got a pacemaker-defibrillator implanted in my body that my life relies on," said Sandler, who is executive director at Software Freedom Conservancy (SFC) - a charity that helps promote and defend free and open-source software.

"I can't even review the source code, let alone hire people or write myself some code that is specific to my own situation that would avoid me being shocked as a pregnant woman.

"Expecting the device manufacturers to anticipate all the problems that I would have is naive. It's not in their financial interests but also it [my condition] is very rare.

"It really brings home the fact that if you don't have control over the software that you rely on it can be really problematic."

Sandler, who describes herself as a "cyborg lawyer", has an engineering degree and worked for a time in corporate law before getting involved in the free software movement.

It's easy to see Sandler as an outlier and to assume that most people's lives aren't so dependent upon code. But as we move into an age where cars are becoming increasingly autonomous she argues that all of us will soon, to some degree, be reliant on software to keep us alive.

"The average luxury car has 100 million lines of code in it. The Software Engineering Institute estimates that one bug is introduced for every 100 lines of code. It's really scary to think about."

Modern vehicles with their reliance on software-controlled electronics to handle everything from diagnostics to engine management have already been shown to be vulnerable to hacking. Only last year a security researcher was able to exploit bugs in software in on-board computers in cars and lorries to remotely apply the brakes. Last year the US Library of Congress Car ruled that owners and security experts can modify automobile software without incurring US copyright liability.

And as everyday items from lightbulbs to fridges begin to be connected up as part of the Internet of Things, the security of software running on these devices will become a concern for everyone, she said.

"Now we have an Internet of Things where everything talks to everything else and your phone is talking to your security system or your refrigerator. There's a whole network of things talking to each other and suddenly your lightbulbs have become security critical."

The argument that open-source software is inherently more secure than proprietary alternatives has long been debated. While some say the open-source practice of releasing the source code for anyone to see and modify increases the chance that bugs will be uncovered, others argue there is insufficient evidence to support the claim. Other detractors point to the fact the recent Heartbleed bug went undetected in the open-source OpenSSL cryptographic library for a number of years.

Sandler says that while she doesn't believe the open-source practice of making code available for anyone to see will always lead to better outcomes, she does believe it gives people a better chance of detecting issues.

"While free and open source software isn't necessarily better and safer, we have a chance with free and open source software because we can review it and audit and anyone can fix it. With proprietary software you're waiting for companies to admit there's problem to begin with and then develop patches."

Getting corporations to respect open source

For an organisation with only three full-time staff, SFC is certainly busy - providing administrative assistance to high profile open-source projects such as Git, as well as running outreach programs to help women and other under-represented groups get involved with free and open-source software.

But perhaps the most controversial, and most financially costly, activity undertaken by the group is holding to account organisations that it believes have violated the principles of sharing at the heart of the open-source movement.

Last year SFC hit the headlines for funding an action to take virtualization specialist VMware - part of the tech giant EMC - to court. The litigation alleged VMware had written software built on the code in the Linux kernel but had not shared the code for its own software in turn.

Sharing code in this way is a requirement of version 2 of the GNU General Public License (GPL) that the Linux kernel is licensed under and in March 2015 top Linux contributor Christoph Hellwig began steps to sue VMware in Germany. At the time VMware said the lawsuit is "without merit".

"We're interested in the ideology of free and open-source software. I believe very strongly, and we believe, that society as a whole will be safer with free and open-source software and the GPL is one of the most powerful mechanisms to bring that about," said Sandler.

"While there is more useful software under GPL it means that the library of free and open-source software is ever increasing."

Put simply, the GPL guarantees users of software the ability to run, study, share and modify that program's source code and requires anyone building on GPL-licensed software to also release their work under the GPL.

Sandler stresses that suing companies for non-compliance is a last resort, and that the action followed years of negotiation with VMware to release the source code.

However, legal action is necessary, if you want companies to adhere to the requirement they share their software and its code, she said.

Lawyers within large firms have even thanked the organisation for backing enforcement action, she said, as it gives company boards a reason to honor open-source principles.

"If a general counsel can go and tell the board of a company this is a real risk, we really need to comply because otherwise we could get sued down the road, it makes it much more effective for them internally to advocate for the company to do the right thing."

The issue of corporate compliance with copyleft licenses like the GPL is becoming increasingly important, as open-source software becomes an integral part of the business world. Today some of the world's biggest companies such as Google and Facebook are built largely on open-source software stacks and even long-term purveyors of proprietary software like Microsoft have recently begun professing their "love" for open-source software.

"I've been really excited that companies are embracing open source because as they wind up making statements promoting free and open-source software they find the benefits of it and incorporate more of it into their products," said Sandler.

"The only thing that troubles me is this co-option and the idea that them saying they use a lot of open source means they are great participants in the community, which is basically often not true.

"It's frustrating when it's whitewashing, for lack of a better term, when it's covering up violations and not really participating with the community or using free software in ways that are proprietary."

Since SFC backed the legal action against VMware the charity has seen companies pull funding and SFC has also seen its members blocked from speaking at conferences, she said.

"Companies have become more reluctant to fund us ever since the VMware lawsuit," said Sandler.

Financially the charity has been hit so hard that it is now fighting to keep enforcing copyleft licenses like the GPL. SFC is now appealing for individual funding: however, the charity so far only has attracted support from just over 720 people and will be forced to put enforcement on hold - barring the ongoing VMware case - unless it secures funding from more than three times that number of people.

Despite the odds being somewhat stacked against SFC, Sandler remains optimistic. But she points out enforcement is necessary to get companies to give back to open-source communities and stop them from wresting control of open-source projects and code.

"We think that compliance with the GPL is incredibly important. We think it's important for society, important for business. We also have seen that companies are much, much less likely to comply if there aren't consequences for not complying. It's simple analysis, it's not too hard to see."

About

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.

Editor's Picks