
FOSS is the end of the world as we know it

The scientific community's debate about whether to release specific details about an airborne-communicable version of the avian flu reminds Donovan Colbert of the IT industry's open source vs. closed source discussions.

A recent Gizmodo article indicates a scientist named Ron Fouchier genetically engineered an airborne-communicable version of the avian flu virus (H5N1). It seems the reason an avian flu pandemic hasn't already hit is because the virus is communicated physically. You have to be in the general area of the virus and touch something infected. This makes it much more difficult to spread. This is fortunate, because according to the article, the fatality rate of the avian flu is about 50%.

Dr. Fouchier has altered the avian flu virus, making it communicable via aerosolized methods, like a sneeze, a cough, or more chillingly, suspension in a gas. The truth is something like this escaping into the wild isn't that complex; all you would have to do is infect a handful of willing martyrs and send them out into the population hopping the globe until they collapsed. By the end of their journey, the pandemic would be in full effect, reaching the furthest corners of the globe. Of the remaining 50% who survive, we can assume that a significant number of those people would be recovering from the illness as well. It is a grim picture. If the flu itself was 50% fatal, you could expect greater than 50% total fatalities among humans from incidental deaths. I wouldn't be surprised if less than 25% of humanity remained alive after such a pandemic; this is very similar to the scenario outlined in Stephen King's The Stand.

Dr. Fouchier wants to have an open discussion with the scientific community to share his discovery so we can be better prepared to handle the inevitable global pandemic that will occur. This is causing a fair amount of concern among the scientific community; in fact, the discussion reminds me of the debate between open source and closed source philosophies. This shouldn't be much of a surprise considering we're dealing with virtually the same thing in either case: intellectual property and software coding. The only difference is that this software is wet, non-digital, and it has a 50% chance of killing you if it ever escapes.

It is easy for IT professionals to have academic arguments when the thing that is on the line is the security of an OS platform. I think most of us understand that security implications of having insecure code in critical installations could be as devastating to a society as the H5N1 virus, but the visual lacks the vivid imagery of Stephen King's Captain Trips spreading rapidly across the globe leaving a pile of 3.5 billion corpses behind it. Unpatched code leads to Russian hackers destroying a pump in a city water works (or maybe not). It is easy to visually extrapolate what a genetically engineered flu with a 50% kill rate results in, but it is harder to get your mind around the significance of foreign hackers being able to damage and disrupt municipal water supplies.

I'm not surprised that Dr. Fouchier feels compelled to release his information into the scientific community, and I have no doubt that he is doing so out of the most noble of motivations: a genuine desire to assist and help society to prepare for and overcome such an event. I'm even willing to bet that the systems on which Dr. Fouchier engineered his super-flu were probably running on the Temple of the Penguin. You don't do research like this on Windows, right?

So let's be honest about this: We're talking about releasing the code that describes how to make an avian super flu that can be distributed through aerosolized methods and has a predicted 50% global fatality rate in a FOSS-type scenario so that the many-eyes method can prepare to respond to such an illness. This is really where the boots hit the pavement for seeing how far an individual supports the idea of the many-eyes model. If Dr. Fouchier and the group of scientists who support his direction are right, then disclosure of this information may save billions of lives. If they're wrong, it is possible that 1 out of every 2 members of TechRepublic may no longer be around to argue the merits of open source vs. closed source in the not too distant future. If there is any justice, I'll be among the fatalities, and the FOSS advocates will be left to weep in the ruins knowing I was right all along. I want the epitaph, "I told you FOSS sucked" on the memorial marker erected near the mass grave where I'll be buried.

If this information is released into the public domain, some fringe group of fanatics will try to create it and release it into the wild in a James Bond plot to destroy society as we know it. It doesn't necessarily have to be Islamic fundamentalists, either. I'd be as afraid of fringe Greens (i.e., ecologists and earth scientists) who would like to reset society to a manageable "hunter/gatherer" population living in harmony with natural ecosystems. There are people in the green movement who think a radical and rapid 50% decline in the earth's population might not be such a bad thing. The idea of PETA, ELF, or Greenpeace getting a hold of this information isn't very comforting, either. The sad truth is that while there aren't any real superheroes in life, there are real super-villains.

Moving forward with this starts a race between those trying to develop a vaccine, and those who would like to spread such a virus throughout society, and it seems to me that all the work has already been done on making the illness easily weaponized and distributed. The lunacy of moving forward with this plan seems to illustrate the faults of open-source security. You know the disease will break out and be spread intentionally once the recipe is released. The response is to get as many people working on the cure as quickly as possible so that we can minimize the impact once the disease is in the wild, hoping to mitigate the damage and minimize collateral damage from the disclosure.

So, am I right? Is there really no difference in this and the FOSS many-eyes model of security, or is there some critical difference I'm missing here? If you're an advocate of the FOSS model, do you support Dr. Fouchier's desire to release this information for peer review among the scientific community, or do you feel that it is brash, grossly irresponsible, and far more likely to disrupt the progress of society than the Large Hadron Collider? The odds are 50/50 that you'll survive if this disease gets out and I'm right. Are you willing to stand behind a FOSS-style disclosure facing those kinds of odds? Let us hear your opinion in the forum.

About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...
