FOSS is the end of the world as we know it

The scientific community's debate about whether to release specific details about an airborne-communicable version of the avian flu reminds Donovan Colbert of the IT industry's open source vs. closed source discussions.

A recent Gizmodo article indicates a scientist named Ron Fouchier genetically engineered an airborne-communicable version of the avian flu virus (H5N1). It seems the reason an avian flu pandemic hasn't already hit is that the virus is communicated physically: you have to be in the general area of the virus and touch something infected, which makes it much more difficult to spread. This is fortunate, because according to the article, the fatality rate of the avian flu is about 50%.

Dr. Fouchier has altered the avian flu virus, making it communicable via aerosolized methods, like a sneeze, a cough, or more chillingly, suspension in a gas. The truth is something like this escaping into the wild isn't that complex; all you would have to do is infect a handful of willing martyrs and send them out into the population hopping the globe until they collapsed. By the end of their journey, the pandemic would be in full effect, reaching the furthest corners of the globe. Of the remaining 50% who survive, we can assume that a significant number of those people would be recovering from the illness as well. It is a grim picture. If the flu itself was 50% fatal, you could expect greater than 50% total fatalities among humans from incidental deaths. I wouldn't be surprised if less than 25% of humanity remained alive after such a pandemic; this is very similar to the scenario outlined in Stephen King's The Stand.

Dr. Fouchier wants to have an open discussion with the scientific community to share his discovery so we can be better prepared to handle the inevitable global pandemic that will occur. This is causing a fair amount of concern among the scientific community; in fact, the discussion reminds me of the debate between open source and closed source philosophies. This shouldn't be much of a surprise considering we're dealing with virtually the same thing in either case: intellectual property and software coding. The only difference is that this software is wet, non-digital, and it has a 50% chance of killing you if it ever escapes.

It is easy for IT professionals to have academic arguments when the thing that is on the line is the security of an OS platform. I think most of us understand that the security implications of having insecure code in critical installations could be as devastating to a society as the H5N1 virus, but the picture lacks the vivid imagery of Stephen King's Captain Trips spreading rapidly across the globe leaving a pile of 3.5 billion corpses behind it. Unpatched code leads to Russian hackers destroying a pump in a city water works (or maybe not). It is easy to visually extrapolate what a genetically engineered flu with a 50% kill rate results in, but it is harder to get your mind around the significance of foreign hackers being able to damage and disrupt municipal water supplies.

I'm not surprised that Dr. Fouchier feels compelled to release his information into the scientific community, and I have no doubt that he is doing so out of the most noble of motivations: a genuine desire to assist and help society to prepare for and overcome such an event. I'm even willing to bet that the systems on which Dr. Fouchier engineered his super-flu were probably running on the Temple of the Penguin. You don't do research like this on Windows, right?

So let's be honest about this: We're talking about releasing the code that describes how to make an avian super flu that can be distributed through aerosolized methods and has a predicted 50% global fatality rate in a FOSS-type scenario so that the many-eyes method can prepare to respond to such an illness. This is really where the boots hit the pavement for seeing how far an individual supports the idea of the many-eyes model. If Dr. Fouchier and the group of scientists who support his direction are right, then disclosure of this information may save billions of lives. If they're wrong, it is possible that 1 out of every 2 members of TechRepublic may no longer be around to argue the merits of open source vs. closed source in the not too distant future. If there is any justice, I'll be among the fatalities, and the FOSS advocates will be left to weep in the ruins knowing I was right all along. I want the epitaph, "I told you FOSS sucked" on the memorial marker erected near the mass grave where I'll be buried.

If this information is released into the public domain, some fringe group of fanatics will try to create it and release it into the wild in a James Bond plot to destroy society as we know it. It doesn't necessarily have to be Islamic fundamentalists, either. I'd be as afraid of fringe Greens (i.e., ecologists and earth scientists) who would like to reset society to a manageable "hunter/gatherer" population living in harmony with natural ecosystems. There are people in the green movement who think a radical and rapid 50% decline in the earth's population might not be such a bad thing. The idea of PETA, ELF, or Greenpeace getting a hold of this information isn't very comforting, either. The sad truth is that while there aren't any real superheroes in life, there are real super-villains.

Moving forward with this starts a race between those trying to develop a vaccine, and those who would like to spread such a virus throughout society, and it seems to me that all the work has already been done on making the illness easily weaponized and distributed. The lunacy of moving forward with this plan seems to illustrate the faults of open-source security. You know the disease will break out and be spread intentionally once the recipe is released. The response is to get as many people working on the cure as quickly as possible so that we can minimize the impact once the disease is in the wild, hoping to mitigate the damage and minimize collateral damage from the disclosure.

So, am I right? Is there really no difference between this and the FOSS many-eyes model of security, or is there some critical difference I'm missing here? If you're an advocate of the FOSS model, do you support Dr. Fouchier's desire to release this information for peer review among the scientific community, or do you feel that it is brash, grossly irresponsible, and far more likely to disrupt the progress of society than the Large Hadron Collider? The odds are 50/50 that you'll survive if this disease gets out and I'm right. Are you willing to stand behind a FOSS-style disclosure facing those kinds of odds? Let us hear your opinion in the forum.

About

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his profession...

161 comments
cerewa

I am a real open-source fan but I can't advocate "open-sourcing" nuclear weapons technology, and I won't advocate "open sourcing" the technology to make people sick with a deadly disease either. Applying that logic to malicious software makes perfect sense: don't open source any malicious software. Saying that applies to all FOSS is ridiculous... "foss is going to destroy the world as we know it"? No, and allowing people to post all over the internet about how locks work is also not going to destroy the world as we know it. (use some linux-based Google servers to search for "how locks work")

sboverie

In the back and forth between those who are strong believers in FOSS and others who disagree I come to the conclusion that the truth is in the middle. On one hand, FOSS as applied to software has good advantages but on the other hand, it is like what Mark Twain said of a camel: a camel is a horse designed by a committee. Closed systems can be robust and stable but also tend to adapt poorly without fresh input. Using a poor analogy: when breeding dogs, the more pure the breed the less intelligent the offspring; bringing in a different genetic line to a pure breed results in offspring with "hybrid vigor" that can perform better than either parent lineage. There is also the sterile offspring that can happen if the parents are too different; a mule is an offspring of a horse and a donkey and while it does have hybrid vigor it is not able to reproduce. This is my view of extremes of ideology. Most ideologies work in a large range but when pushed too far they fall apart. I like a comedian's (can't remember who for proper attribution) take on the break up of the communist USSR; he said "Who would have thought that the fatal flaw in communism was a lack of money?" I would feel more comfortable with the release of information on how to make a deadlier flu if that end result was used to make a vaccine. I appreciate the scientific method in using peer review to determine if the experiment meets consistency. It is the engineering of a nasty virus and the lack of protection from the results that bothers me.

dcolbert

I've updated the link that was broken to redirect to a story that explains the broken pump "hacked" by Russian hackers was actually NOT. Just to be clear, there was a link in the original story to a similar AP story, but that story broke - this one is on Wired and should have more longevity. It is important to the tone of the story to understand that I acknowledged this from the start.

Slayer_

But judging by the title, it's all crazy speak.

TechCreative

You can't patch the genetic code of a biological pathogen already released into the human population, then post the patch on the internet so infected people can download it and install it in all the millions of microscopic viruses spreading through their bodies. By comparison, applying security patches to code is trivially easy. The real advantage of open source is that security flaws get publicly identified and fixed quickly, and users get warned almost immediately. With proprietary code, zero-day vulnerabilities can remain hidden indefinitely, and even when the company that owns the code discovers them, they may not get fixed -- and customers may not get warned -- due to cost considerations or concerns about public relations. (Consider Apple's early reaction in the "Mac Defender" fiasco...)

dcolbert

tbmay - you propose that the degree does matter - where there is a difference between life and death and just general open-source, many eyes philosophy to address a common problem by sharing it quickly, easily and transparently with as many qualified eyes as possible who will contribute to a solution. Do you think that Dr. Fouchier is motivated by this same basic principle? Do you even agree that he might have adopted this principle from experience in the FOSS community, either as a user or even as a developer himself? That is - would you find it plausible that Dr. Fouchier could be a "true believer" in the philosophy of FOSS and be applying that to try and solve the legitimate problem here? I'm just curious about that - I don't really have a hidden agenda or point I'm trying to build off getting a response one way or the other. Because - it DOES seem suspiciously that way to me. It is so close in motivation and approach (at least, what I've heard about it) that I can't help but think that this guy is probably a Linux using academic, who is brilliant, who truly believes in the FOSS method of many-eyes on a problem - and this is JUST that sort of problem from his perspective. And to be honest, I can't say for certain he is wrong. I'm just not sure he is right. I *get* the counterpoint position on this, even Chad's. Yes, bad guys are trying to do this, and Dr. Fouchier has already established it CAN be done. Nature may do it anyhow - so if we get it out there and get the best minds studying it with full understanding - we'll probably figure out a fix for it sooner than later. Possibly. Or we might just give the bad guys that little boost they need to kind of give it a little nudge, a kick-start... a leg-up on global catastrophe. That is my real thesis... what a "darned if you do, darned if you don't" situation. We're close to the edge on this one, and it is potentially serious regardless of HOW you look at it.

The fact that it all comes down to a question of "many eyes" or NOT is chilling, to me. If they do approach it from a "many eyes" model - I honestly hope I'm wrong. I hope Chad Perrin's perspective bears out as superior to mine. Don't we ALL?!? As offended and incensed as Chad is reacting - I think he has missed this. I'd rather he be RIGHT about this one if they decide to fully disclose. Fortunately, if "they" decide to close it down and they avoid the catastrophe anyhow, Chad can say it was just a fluke - that it would have been quicker and superior if the information had been distributed as freely as Dr. Fouchier originally wanted. The only way we lose is if I'm right. Trust me, that isn't worth winning an online argument. I haven't lost sight of that. I hope no one else has, either.

apotheon

It looks like MSNBC managed to avoid the kind of "open source" scaremongering you found so tempting.

apotheon

You'll have to travel several decades back in time to prevent the design principles of nuclear weapons from getting out to the public. Let me know how that works out for you.

AnsuGisalas

The principles for creating a critical mass explosion are not secret. So the argument is stillborn.

AnsuGisalas

And knowing something of genetics, I really don't think the "12 monkeys" scenario is plausible. This is very difficult stuff. A high-category biohazard lab is hard to make, and preparations can be detected much like (though not as easily as) a reactor plant. Without a high-category lab this work is ABSOLUTELY impossible. You can't do this stuff in just any petri dish. Especially if you want to know that the bug can do what you want it to do. And if you want to survive to be able to weaponize it.... and weaponizing it takes another huge effort. Mapping the different genes that allow it to go airborne can lead to specific remedies. These will be tell-tales, and sometimes they can be exploitable weaknesses, if the proteins coded for can be attacked or used for a vaccine. There is no benefit in secrecy.

dcolbert

Regardless of your candidates... because at least it was funny.

tbmay

...is speculate and speak in generalities. I certainly think there are people who have radical, wrong-headed ideas that can be dangerous. I don't know if this Doctor is one or not. Richard Stallman would dislike me immensely. I won't lose any sleep over that; however, he's a smart guy and has done a lot for FOSS. I can only scratch my head when he talks about "evil" and "wrong" with regards to closed source. But, as I've already let you know, my Lord is not FOSS. My own use of it stems more from having a Unix background than a commitment to the ideal. In other words, I just happen to be more skilled with *nix, so I specialize. FOSS is nothing more or less than an open exchange of information that facilitates problem-solving. That's a good thing. However, there is an obligation to use common sense. Analogy: My wife is a school teacher. We want her kids leaving her class above grade level in all subjects at the end of the school year (as if)....because it's a job well done....and because we love them and want them to succeed in life. But she doesn't teach them how to build a bomb in science. With great power comes great responsibility. I HOPE any scientist that makes dangerous discoveries understands this.

AnsuGisalas

It's been a part of all scientific endeavors for a very long time, and is older than computers... though not necessarily by much.

apotheon

Q: Do you think that Dr. Fouchier is motivated by this same basic principle? Do you even agree that he might have adopted this principle from experience in the FOSS community, either as a user or even as a developer himself? That is - would you find it plausible that Dr. Fouchier could be a "true believer" in the philosophy of FOSS and be applying that to try and solve the legitimate problem here?

A: Anything's possible. It's probably more likely that Dr. Fouchier is familiar with movements in scientific communities toward sharing research and peer review to ensure the quality of one's own research and spur further research in the future, though. The biggest open secret (What other kind would there be?) of the open source "movement" is that these concepts predate open source software development as a formally defined practice, and are much more widely distributed by way of independent invention than would be reasonable to expect if these ideas only got out into "the wild" from open source software development itself.

Quote: I'm just curious about that - I don't really have a hidden agenda or point I'm trying to build off getting a response one way or the other.

Just for the record . . . I don't believe you, but I don't expect my answer to be of much use to your agenda anyway.

Quote: That is my real thesis... what a "darned if you do, darned if you don't" situation.

That may be what you really believe, but it's certainly not the thesis of the vast majority of your writings on the subject.

Quote: As offended and incensed as Chad is reacting - I think he has missed this. I'd rather he be RIGHT about this one if they decide to fully disclose.

I believe you'd rather not die. I think you'd rather be right if it didn't affect your quality of life, though, regardless of whether it killed thirty million people somewhere else. I really do think that, because of the evidence of your irresponsible manner of speculating in such a trollish manner about things in general, without considering the consequences of your actions.

Quote: Fortunately, if "they" decide to close it down and they avoid the catastrophe anyhow, Chad can say it was just a fluke - that it would have been quicker and superior if the information had been distributed as freely as Dr. Fouchier originally wanted.

What I'd actually say is probably "Well . . . still no evidence." I, unlike many (probably including you), both understand that correlation does not imply causation and try to keep that fact firmly in mind. Whether it's released or not, whether everyone dies or nobody, the fact is that it could be a fluke based solely on that information. Unlike you, though, I don't run across the very possibility of something happening, blow it out of proportion, and write articles called "FOSS is the end of the world as we know it".

dcolbert

That the person who wrote this up doesn't even know if the OS X on their MacBook is Windows compatible or not - they just know that they're immune from viruses because there is a big glowing Apple logo on the lid. This remains, at heart, a question relevant to open-source ideology. Here: http://www.healthcare-today.co.uk/news/deadly-bird-flu-research-may-be-censored/21130/ "It is a principle of modern scientific research that scientists should publish all their findings so they can be openly debated." BUT: "However, some believe that key details should only be available to a carefully vetted audience, in case they are misused." These arguments and discussions relate DIRECTLY to conversations we've had about the merits of open versus closed development in software and information technology best practices. It isn't scaremongering. It is OPEN discussion about the perils of open-source ideology. Seems like you should be all for that - not so outspokenly against it.

dcolbert

We do have some issues with rogue states, some of them neighbors with centuries of conflict and fundamentalist religious difference, proliferating nuclear arms because they have the resources to leverage that open source information. So here is the application of that argument from my perspective, filtered through the feedback you've provided in this and other discussions: The minute that the key to sustaining a nuclear chain reaction was discovered and perfected, we knew that, although the information would be carefully and jealously guarded, it would eventually get out. In fact, we were surprised just how quickly it escaped and Russia arrived as the world's second nuclear power - creating a period of uneasy cold war that lasted what... 30 years at least? That information was shared and spread among partners and allies, causing rapid proliferation, once it was out - but overall there were still numerous attempts to keep the information as closed and unavailable as possible and to otherwise prevent the further proliferation of this knowledge. Arguably with each new nation that has become a nuclear power, the opportunity for global destabilization has grown. This is not a linear growth. Some nations bring more of a chance of this than others. Who here believes that the possession of nuclear weapons makes India and Pakistan an improvement for relations in that region? I'm certain there are some who do think this. Others think it makes for a tinderbox soaked in gasoline. What about North Korea or Iran? Now arguably, if that information had been made open-source from the very start - the odds are that some of these rogue nations would be much further along, or might have even already completed their nuclear arms programs. If we're going to look back hypothetically - I'd like to see the results of a world where after WW2, we decided that the full information, the exact recipe, with no omissions should be published to share with all of the nations of the world.

How does such a decision change history? Does it move us all beyond the irresponsible adolescence of a nuclear age faster, or is today the burnt-out shell of a world ravaged by 7 decades of nuclear conflict? @cerewa - I'm not saying that the code for SAMBA being FOSS is going to destroy the world - I'm saying that the general concepts of FOSS ideology applied to a bio-engineered Avian flu could cause some SERIOUS upheaval for society. Let me say one last thing... the headline... headlines in general... should be taken with a grain of salt. Coming up with a title for a piece that is catchy is IMPORTANT. I was just reading about an author of an academic study who had a boring academic title for his book. One of his interns suggested, "this sounds boring, you need a better title." He took that advice, and his boring academic study became a #1 NY Times Best Seller. He is a PhD out of Cleveland - but the rest of the details escape me at the moment. The point is - yeah, face it - I want a headline that pops out and makes readers say, "I want to check out what this article is about". I just read another one on ZDNet about "Why Android Tablets Have Failed." A lot of posters read the headline and went right to the comments without reading the article. We know that is going to be the case with headlines that generate interest. For me, when I read the *original* article - my initial response - I heard the REM song, "End Of The World As We Know It" in my head. My parallel between the Scientific community's version of peer-review and FOSS was drawn, and the rest came together to become the headline. I honestly figured people would see through the title - but maybe I underestimated how people would react to the headline and not the actual article. In my defense - I think a number of people here, many of them FOSS advocates - have made this connection.

Sterling chip Camden

I can agree with you that it's funny -- though in real life I would never want anyone "hushed," no matter how much they annoy me.

dcolbert

The more that is disclosed here, the more sound and self-assured I am in the position I have staked for myself here. I'm going to take it as a good indication I'm headed in the right direction in the future, should I find that you disagree with what I've posted. I've been sucker punched in the gut on this thread - but not in the way that you would assume. But you keep on believing what you're selling, if it makes you feel good.

apotheon

I don't think Dr. Fouchier is planning to teach grade school kids how to weaponize viruses in lab class.

dcolbert

And complete open disclosure to the world scientific community are two different things - and should be in a case like this. We've discussed elsewhere an example that relates to the FOSS/Closed Source angle of this debate - Just because you're not a FOSS organization doesn't mean that your code can't be peer-reviewed by qualified parties. It doesn't even have to be INTERNAL peer review. You may have trusted external partners that you engage in a closed peer-review process with. The same thing can apply here - and that is the crux of this debate. I've never said I'm opposed to having Dr. Fouchier's work peer reviewed. I have reservations about having an open, globally disclosed peer review process of this particular body of work. I think it should be closed and locked down to a trusted and small group of qualified researchers with thorough background checks and security clearances. And that argument *does* translate into - how far can we take this down the trail of open peer review versus closed peer review and the validity or superiority of each? I'm *not* saying I know the answer to that question, by the way - I'd like to open the dialog to discussing that in a civil discourse, as well. We know where I stand by "default" on that discussion - but this is an opportunity to explore the implications of that from BOTH perspectives hopefully *not* as a continuation of any PREVIOUS discussions that have been held on Tech Republic regarding this line of reasoning.

apotheon

Whether it's older by much depends on your definition of "computers".

dcolbert

That two of my comments of this nature got voted down when they were quite conciliatory toward the opposition's perspective on this debate and conceded some of the claims being made by that opposite perspective. It is as if there are a group of people here who simply reject what I am saying out of hand, regardless of the content of what is said. That isn't productive. I am *not* accusing you, Chad - of being one of those who've thumbed-down the above response - this is just a separate musing before I respond to your post. You may be right - Dr. Fouchier *may* simply be approaching this from the perspective of scientific peer review unrelated to any correlation at all with FOSS. I think the correlation I draw is a valid analogy, in any case - but let's move past that. I'm not opposed to general publication for scientific peer review of most science - and I'd agree broadly with EITHER the FOSS or the Peer-Review perspective on how that works in those cases. Having the largest body of eyes possible with access to results and the ability to peer review it is clearly superior in generating the best results in many cases. If the science that created and tested Chantix had been peer reviewed instead of internally reviewed solely by Pfizer and then the FDA - a lot of trouble and controversy could have easily been avoided. On the other hand, the reason that Pfizer wanted to keep the review closed and proprietary is clear (and therein we get into the conflict with your ideal of best and mine as a "true" best versus a more pragmatic "economic" best. I'll even give you this on that much - your "true" best may be morally superior to my economic best in that situation. But from a larger picture in the gears of industry and business that make society go forward, I think that is open to debate). But all of these examples are different degrees of risk and reward and motivation - as we've discussed. I'd think that Dr. Fouchier would see that this isn't a study on the water-table pollutant consequences of fracking or the study of airborne pesticides on the egg-shell density of indigenous raptors of North America. This is a genetically engineered airborne mutagen of a highly fatal influenza that has significant strategic importance as a potential biological weapon. The argument has been made elsewhere that this isn't a desirable weapon as it can't be controlled and doesn't discriminate among victims - but we're dealing with extremists who are willing to kill themselves and their loved ones to further their cause and have *faith* in religious rewards in the afterlife for themselves and their families. That puts THAT kind of logic and reason potentially off the table (we can argue that the leaders of these organizations simply manipulate that faith, while not wanting to risk their own behinds, and I'll buy that). In either case, it is a SIGNIFICANT gamble to take to open this for unrestricted global peer review. Do you agree with me? Or do you maintain that even in this case, an open approach to addressing this research is the *best* way? I'll stress once again, I'm not saying I'm *right* or that you're WRONG if you disagree with me, I'm saying that I want to discuss different opinions with a variety of people who have some foundation to build their opinions about this topic on. I would consider you one of those people. As for believing me or not on motive - that is your choice. As for my flexible morality versus "wanting to win on a debate" - let's be practical. With a 50% kill rate in the wild, if this escapes and I'm at all right, there is no way for it *not* to affect me directly, in a personal way. So regardless of my baser nature in an intellectual sparring match - logic says that the only way for me to *really* win is for me to lose.

Even if it in no way directly impacted my quality of life - even if I went on unaffected - seeing that kind of global suffering and misery is something I would be incapable of cutting myself off from. Being able to tell you "I told you so" would be small consolation in the *reality* of the situation. I may take that "I told you so" position in the *rhetoric* of my article - but you can believe me - winning is no victory in this particular case. Finally - do you really think I'm blowing this out of proportion? This isn't a claim that the LHC will cause a micro black-hole to consume earth. This is releasing the recipe for mutating an H5N1 virus into an airborne pathogen to the general public without any system of controls or checks and balances - which could trigger a global pandemic unlike any influenza outbreak known to modern man. It is a *very* real possibility. It isn't fantasy or exaggeration or sensationalism - and there are many in the scientific community who hold this same perspective and are speaking up about that. This isn't a debate *I* created, it was one that was born in the very scientific community that is contemplating this. Correlation does not imply causation. You're right. In either case, this could go forward and the natural virus could mutate and spread and many people would likely jump to the conclusion (or create conspiracy theories) that it was related to this proposed peer-reviewed process, anyhow. There are lots of potential variables. I'd like to limit it to some manageable assumptions. I'll retract that last paragraph you quoted in either case - the tone was too near a personal attack to allow me to reasonably expect a measured response, anyhow.

dcolbert

am long... winded... (said in the voice of Stevie from Malcolm in the Middle for maximum effect).

apotheon

SkyWlf77 . . . QUOTE: Per usual, you are making the claim that open-source software is not inherently dangerous and does not compare to peer review. Ah, so you're claiming that open source software is "inherently dangerous". Apparently, you believe that releasing software under an open source license somehow creates a situation where closed source software would necessarily be much safer. That's a big effing claim to make, and I hope you have an argument to back it up, because it seems pretty ludicrous from where I'm sitting. You're also claiming that it is "usual" for me to say that open source software "does not compare to peer review", which is in fact not very usual for me at all. I am, however, saying that the specific, explicit claim dcolbert made about open source software being equivalent to unleashing a deadly, virulent bioweapon upon the world is incorrect and, to the extent that might be the case with this particular bioweapon (and I don't actually think that's the case in this particular instance for this particular bioweapon -- that it is being unleashed upon the world -- but, like dcolbert, I am not actually qualified to make that judgment), the peer review contemplated here is not at all comparable to open source software development methodologies in general. I have no idea where you're getting the idea that it's "usual" for me to pretend there's nothing in common between peer review and open source software development in the genereal case. I suspect you just don't know what "usual" means, particularly when my objection to his comparison is very specific and unusual in that it refers solely to a single, very egregious case of overgeneralization from a specific, abnormal example. QUOTE: Open-source software is no less dangerous than a scientific release of information such as the one mentioned in this article. It's easy to make dramatic claims. Now, back it up. 
QUOTE: If one takes a piece of open-source software and designs a very nasty virus into it and releases it onto the web as a new version of a popular piece of software, they are inherently risking hundreds of thousands or millions of individuals' computers, credit cards, bank accounts, and much more. Are you one of these woefully misinformed people who for some reason thinks that setting up a MySpace page with a link to a RapidShare download will somehow convince everyone in the world to install a maliciously modified Debian GNU/Linux installer on their computers? Do you think that, somehow, this kind of trickery is more likely to affect people trying to install open source software than people trying to install closed source software? This example of yours in no way, at all, whatsoever makes a strong argument that open source software is inherently more dangerous than closed source software. QUOTE: This is akin to this release of scientific data that could be used to terrorize the population. No, actually, it isn't. In one case, you're talking about lying to people about what software contains while providing the source code so that someone can actually discover the lie very easily; in the other, you're talking about telling everyone the truth about how something works and watching people apply that information in a way that results in deaths for large numbers of people. If anything, these two examples are just about diametrical opposites of each other, rather than analogous situations. QUOTE: Scientific peer review is no different than using the knowledge base of each individual that works on an open-source project to develop a piece of software.
While peer review is definitely a part of the overall set of benefits of open source software development, it is by no means the entirety of that process -- and what you just said makes no sense, because peer review is about getting others to confirm your results are correct, while "using the knowledge base of each individual that works on an open-source project to develop a piece of software" is getting multiple people to contribute to different parts of a system. In the former case, one person does some work and everyone else looks at it; in the latter case, everyone does some work, and the results are integrated into a whole. So, while (as I mentioned) peer review is certainly among the opportunities for improving software quality on a grand scale when dealing with open source software, the specific mechanism of open source software development you just described is in no sense the same thing as peer review. QUOTE: Before you go around saying others are wrong, maybe you should examine your own incorrect ideologies so that you don't make incorrect analogies and statements. I'm not sure you understand the word "ideology". You just used it like you think it means "technical knowledge". It doesn't mean anything of the sort. QUOTE: You may disagree with Mr. Colbert - and you have that right - but going around spreading misinformation purposely to detract from Mr. Colbert's articles is morally reprehensible. I can't figure out whether you're playing the part of an ideologically motivated character assassin, a shill, or a comically misinformed member of the peanut gallery who decided to display ignorance for all the world to see. Maybe there's some fourth possibility, but whatever it is, your words here amply demonstrate that what you are not is capable of mounting a well-supported argument to the effect that I said anything incorrect. --- dcolbert . . .
QUOTE: I think I've been transparent in admitting that there is a gulf of difference in the potential impact of liabilities in the case of bio-engineered diseases in an open-source scenario versus the kind of impact we might see in an abuse of FOSS as it relates to information systems and platforms. Alas, what you still have not done is issue an apology to the effect that your presentation in the article was trollish, misleading, and sensationalistic to an absurd extreme (accidentally or otherwise). In fact, to the contrary, you have argued at some length for the very impression the article gives while at the same time disclaiming any possibility that anyone should have read your words as meaning exactly what they literally say. QUOTE: I think that a great example for weighing the benefits and liabilities of a FOSS approach to systems would be electronic voting machines like those made by Diebold. . . . Their ballot machines in particular have met with particular criticism because of perceived opportunities to circumvent the democratic process by manipulation of those systems . . . It's not just perceived. There have been many cases where Diebold voting machines had security failings technically inclined teens would have found if they had access to the source and testing during development (and in some cases actually did find without the source after deployment), and even cases where accounting discrepancies in the Diebold digital voting systems were discovered that looked incredibly like what one would expect from an intentional effort to subvert the electoral process. This is far from hypothetical in the case of Diebold systems, which is why the divisions responsible for a lot of this stuff have been spun off, renamed, or simply shut down in some cases. When a brand is caught in a series of scandals like this, it's time to change the brand name. 
QUOTE: At the same time, I'm not sure I'd want my local electoral process or my personal banking running on a machine that had an open-source code base. . . . because of FUD, evidently. QUOTE: But at some point I think a threshold is reached where regardless of the origins of the code - the final code base should be removed from open-source accessibility. . . . because you disagree with principles of security first laid down centuries ago, independently formulated over and over again over hundreds of years, and supported by actual practice and observed effects constantly during all of that time. QUOTE: In fact, I imagine that is the case. I believe it was China, but probably some other regimes, too - that developed their own Linux based state information systems and platforms. Of course they have. They don't want people to know what their software is doing, because they'd object to that behavior, and it would encourage them to find other, less trackable ways of doing things contrary to the interests of an oppressive regime in places like China. You're using the case of a government using secrecy to enhance its security FROM the best interests of the public as a way to argue that the secrecy of closed source development offers security FOR the best interests of the public. I'm not saying there are never any cases where some secrecy is a good idea: I'm just saying that your arguments are fundamentally broken, as presented. QUOTE: Google Android is a great example of a platform built on FOSS foundations where the developer has effectively closed their branch or fork of the code because of corporate competitive concerns. That hasn't happened at Google.
What has happened is that Android OS code (actually open source, as required by law "thanks" to the GPL -- a license with whose philosophy I actually disagree) provides a platform, while applications that run on top of it may at times be closed source software (as allowable not only on Android, but also on Ubuntu and other more traditional, general-purpose Linux-based systems). QUOTE: Whenever we get into this part of the discussion, I think of AMD and Nvidia and the controversy surrounding their historical reluctance to make open-source drivers for the Linux platform. I'm positive a huge part of that foot-dragging was related to concerns about exposing code-based advantages, perceived or real, that gave one manufacturer or another a performance, reliability, security or other advantage over the other. Oh, I agree that this is the likely reasoning for at least some of the reluctance and foot-dragging. There is also a significant matter of law at play, though, because the "state of the art" for some 3D graphics technology has for a long time depended explicitly on designs patented by Intel. Intel licensed those patents to these two graphics adapter vendors (AMD's graphics adapter development was, for most of that time, the independent entity ATI that has subsequently been bought and absorbed by AMD), but did not give them license to share any details of the implementation of that technology with others, thus legally preventing them from opening the source for certain parts of the drivers. The decision for a long time was made to simply not open anything or, in some limited cases, only offer largely uninteresting snippets of code (or perhaps even barely functional drivers; I'm not entirely sure about that), though AMD/ATI eventually started working on the process of trying to clearly identify what they could get away with sharing and support open source development of drivers with extensive (though slowly produced) documentation. 
QUOTE: Secrets like this drive corporate advantages that have a direct impact on our economy. Our discussions fundamentally come down to *this* difference of opinion. I'm not sure what difference of opinion you think you've identified here. Do you think I'm incapable of noticing that sometimes businesses like to keep secrets to prevent others from competing with them? QUOTE: I don't see how closed-source, for-profit businesses can logically change their business models to embrace open source while still protecting their proprietary trade secrets. Obviously, it's a bit ridiculous to expect a business to share all its secrets and still keep them secret. Do you somehow think that's what I'm suggesting they should do? QUOTE: Meanwhile, the FOSS based corporations who maintain strict FOSS philosophies all remain relatively minor players in corporate profits and market mind-share, at best. You have made exactly zero arguments that actually establish this as fact, or even strong probability. In fact, going forward, I suspect that any company that substantially relies upon keeping secrets for (anti)competitive advantage to remain profitable is going to increasingly find that model is more a hindrance than help. There are distinct engineering benefits to a properly leveraged open development model that cannot be had without opening at least substantial portions of one's core product codebase in a manner that gets a user community invested in the success of the codebase, and where some businesses take that approach others take the opposite approach, increasingly drawing ire for customer-abusing behavior encouraged by secrecy (Why not secretly gather usage data when nobody will know you're doing it?) and end up with their code leaked, binaries copied and shared without permission, and software duplicated by increasingly savvy and capable open source development communities who offer prices you can never match (free). 
In fact, part of the problem is the entire idea of selling a non-scarce resource (freely copyable bits) as discrete product units; the big customers (from major enterprises all the way down to massively distributed popular end users with wildly varying levels of technical aptitude) are eventually far more likely to want to collaborate on providing better software than a single software "product" vendor ever could at a price such a vendor can never match than to keep throwing money at the vendor to underserve their needs. When your massive enterprise has a choice between $40M per year in licensing fees across the worldwide enterprise on one hand, and $400K in developer time per year on contributing to a community managed open source development project that provides software better suited to the enterprise's specific needs, the choice is pretty easy. It will take time for this to become the obviously dominant model, because it takes time for such products to evolve to such a state, but the signs that this is happening are numerous, widespread, and visible if you look for them. QUOTE: That isn't the same thing as having a truly open discussion about the recipe to develop an aerosol-delivered H1N1 virus - but it is a critical consideration for the firms that have made the decision to make their code closed or open sourced. There is almost nothing at all in common between those two examples you just juxtaposed again. One is about keeping a secret for personal (anti)competitive advantage; the other is about keeping a secret for worldwide safety. Note that in neither case am I making a judgment about the efficacy of such a decision, because in the former the statement is far too hand-wavy and generalized to be able to say that the answer is always one way or the other, and in the latter neither of us is qualified to render final judgment. QUOTE: The H1N1 virus is a rhetorical example - and I don't think it is supposed to be a *perfect* fit. 
No analogy is perfect, but this one is (perhaps unobviously at first glance -- which is why I find the fact you made the analogy so credulously on behalf of your readers so distasteful) shockingly close to perfectly wrong. See above commentary (again). QUOTE: The headline is sensationalist, no doubt about it - but it should be clear that I don't mean that FOSS software will end the world, but that the basic IDEALS of FOSS philosophy, applied to this particular case, do imply the risk of a global cataclysm. There you go again: "FOSS philosophy . . . impl[ies] the risk of a global cataclysm." What kind of cockamamie nonsense is this? "I'm really reasonable! I swear! Open source software development principles will destroy us all! The sky is falling!" QUOTE: So discounting MY lack of authority in speaking on this topic seems irrelevant. It's not irrelevant when you use a technically deficient, sensationalistic, rabble-rousing line of propaganda to scare people into thinking scientists are going to destroy the world without actually knowing what you're talking about, then use that as evidence for an argument that "FOSS philosophy . . . impl[ies] the risk of global cataclysm" for actual software development by association between the two (almost completely non-analogous) situations. One could just as easily argue that patents should be kept secret using the same technique of mis-applied analogy, because otherwise napalm patents could be used to destroy the world -- and that analogy would actually be stronger than the one you chose. QUOTE: There are lots of authorities who ARE qualified to have an opinion on this who seem to share my opinion. There are enough worried, qualified individuals that this is an ongoing debate that is still being struggled with at the highest levels. Good. 
It should be considered in great depth by such people, who will hopefully have the wit to never rely on fatally flawed analogies with open source software development to make their final decisions on the matter. That is as it should be. QUOTE: This story is still generating press, and the press is all unified in the message, "Releasing this information into the open could have globally cataclysmic consequences". The press is mostly filled with buffoons who try to comment authoritatively on subjects about which the writers know next to nothing, mangling the message and ending up totally misinforming the public, where anything requiring any specialized knowledge is involved. There are exceptions, and they should all get Pulitzers for their restraint in avoiding making such facile, grossly inaccurate statements about things, but they should get those awards precisely because they are a vastly outnumbered minority. The fact "the press is all unified" on a matter of epidemiology, viral pathology, bioweapons research, and science in general is more a matter for concern than for confidence, if for no other reason than the fact you can be pretty certain this means a lot of people will be putting pressure on politicians to do something incredibly stupid based on half-baked fears, overriding the people who actually know anything meaningful about the subject by application of law. QUOTE: That is *obviously* what I meant in my headline - not that Linux was going to be the harbinger of the end-of-times itself. 1. It's not obvious, considering your headline basically said that Linux was going to be the harbinger of the end-of-times itself, and the article went on to reinforce that point. 2. Your statements here seem tailored to try reinforcing that point as well, while containing just enough disclaimer to make you self-contradictory. Consider "FOSS philosophy . . . impl[ies] the risk of a global cataclysm." 
QUOTE: Trying to twist that headline into a claim that I mean that a FOSS SSH app would bring about the end of the world misses my actual argument. As long as you keep getting hung up on that semantic misunderstanding, we're not actually arguing the same thing. It's not a semantic misunderstanding. It's "read as written". If you meant something different, perhaps you should have said something different -- and, at some point, stopped saying the same thing, such as when you said "FOSS philosophy . . . impl[ies] the risk of global cataclysm." QUOTE: Strangely enough - it is the OPEN discussion that puts it all out in the air and lets each individual draw their own conclusion - and where you seem to think I am irresponsible and should be censored, that my opinion should be "closed", I'm all for your position being open. 1. I agree that the open discussion is useful and meaningful. In fact, I'm pretty sure that the only people who are likely to agree with your position wholeheartedly are people with biases to confirm and axes to grind, if they actually read the whole discussion rather than just reading the article and failing to note there's a counterargument worth considering. 2. I think you are irresponsible, and should be more responsible in your consideration of circumstances, of your own level of knowledge, and of the problems with the analogy you presented, and that you should be more explicit -- retroactively, where at all possible, when it's too late to do it right the first time -- about where taking what you say as meaning exactly what you said creates unrealistic misconceptions. 3. I don't want you censored, you jackass.

dcolbert

TL;DR - We're having an open discussion about this - and ultimately, that is good. Everyone should have their voice heard on this - my position has been misinterpreted - but I'm as concerned with infrastructure and even economic aspects as with actual global security risks. --------------------------------------------------------------------------- "As the creator, maintainer, and only contributor to my Open-Source texture website FOSS Media I have definite experience with the FOSS movement and I obviously support it." I'm glad you stuck around, SkyWlf77. I appreciate your input. Chad, I'm willing to concede that there is a broad difference in the potential impact here. But I think I've been transparent in admitting that there is a gulf of difference in the potential impact of liabilities in the case of bio-engineered diseases in an open-source scenario versus the kind of impact we might see in an abuse of FOSS as it relates to information systems and platforms. I think that a great example for weighing the benefits and liabilities of a FOSS approach to systems would be electronic voting machines like those made by Diebold. Diebold is a proprietary company that develops the code for their industrial devices in-house. They do not disclose their code to the public, and their machines serve many mission-critical and security-intensive industries. Their ballot machines in particular have met with particular criticism because of perceived opportunities to circumvent the democratic process by manipulation of those systems - but they also run many of the world's ATM systems and other security-critical devices. I'm sure we can find cases where all of their systems have been hacked. I think I understand your position in a case like this.
You would argue that the veil of secrecy allows them to be leisurely, casual and careless in addressing exploits - because there isn't really anyone in a position to disclose those exploits but the company itself or ethical hackers who have put significant effort into finding and isolating exploits. At the same time, I'm not sure I'd want my local electoral process or my personal banking running on a machine that had an open-source code base. I'm not sure I'd want the systems that run our national defense or other critical infrastructure like energy or water and sanitation systems running on an open-source code base. And I think it is important to keep in mind here - that doesn't mean that an open-source code platform can't be a *base* for developing those systems. But at some point I think a threshold is reached where regardless of the origins of the code - the final code base should be removed from open-source accessibility. In fact, I imagine that is the case. I believe it was China, but probably some other regimes, too - that developed their own Linux based state information systems and platforms. But I also suspect that there have been heavy modifications geared mostly to security that have been implemented on those systems built from FOSS foundations, and that this modified code has not been released back into the open source community in compliance with the FOSS licensing that would apply. As always, I also focus on the purely economic drivers of competitive economic models in business. Google Android is a great example of a platform built on FOSS foundations where the developer has effectively closed their branch or fork of the code because of corporate competitive concerns. This may not be the end of the WORLD for you or me, but for Google, it is a decision with significant and serious impact on the viability of their business model.
Whenever we get into this part of the discussion, I think of AMD and Nvidia and the controversy surrounding their historical reluctance to make open-source drivers for the Linux platform. I'm positive a huge part of that foot-dragging was related to concerns about exposing code-based advantages, perceived or real, that gave one manufacturer or another a performance, reliability, security or other advantage over the other. Secrets like this drive corporate advantages that have a direct impact on our economy. Our discussions fundamentally come down to *this* difference of opinion. I don't see how closed-source, for-profit businesses can logically change their business models to embrace open source while still protecting their proprietary trade secrets. All of the most successful companies that have technologies based on FOSS foundations are at least quasi closed-source corporations at their current industry-dominant size. Meanwhile, the FOSS based corporations who maintain strict FOSS philosophies all remain relatively minor players in corporate profits and market mind-share, at best. That isn't the same thing as having a truly open discussion about the recipe to develop an aerosol-delivered H1N1 virus - but it is a critical consideration for the firms that have made the decision to make their code closed or open sourced. The H1N1 virus is a rhetorical example - and I don't think it is supposed to be a *perfect* fit. The headline is sensationalist, no doubt about it - but it should be clear that I don't mean that FOSS software will end the world, but that the basic IDEALS of FOSS philosophy, applied to this particular case, do imply the risk of a global cataclysm. There was a lot of focus on that aspect in the original thread discussion, with many arguing that my claims were hyperbole and that I didn't have the sound scientific knowledge to understand if this claim was true or not.
Yet the debate goes on *among* those experts in the community who ARE highly qualified to be concerned about this. So discounting MY lack of authority in speaking on this topic seems irrelevant. There are lots of authorities who ARE qualified to have an opinion on this who seem to share my opinion. There are enough worried, qualified individuals that this is an ongoing debate that is still being struggled with at the highest levels. This story is still generating press, and the press is all unified in the message, "Releasing this information into the open could have globally cataclysmic consequences". That is *obviously* what I meant in my headline - not that Linux was going to be the harbinger of the end-of-times itself. Trying to twist that headline into a claim that I mean that a FOSS SSH app would bring about the end of the world misses my actual argument. As long as you keep getting hung up on that semantic misunderstanding, we're not actually arguing the same thing. Finally, here is where your strongest point lies - can the lessons learned and applied in the disclosure of the H1N1 scenario be exported and applied in whole or in part to discussions about FOSS itself? That *is* what the article and this discussion are all about - and I think that the dialog here is a good thing, I think your counterpoint *deserves* consideration, and I'm honestly glad to have you here passionately arguing the devil's advocate position against my claims. This kind of discourse allows the readers to see two widely different perspectives and to draw their own conclusions. I'd rather have it be that way than a one-sided discussion that only presented my perspective without any counter-point. Personally, although I ultimately disagree with you, I think your position adds value to this discussion.
Strangely enough - it is the OPEN discussion that puts it all out in the air and lets each individual draw their own conclusion - and where you seem to think I am irresponsible and should be censored, that my opinion should be "closed", I'm all for your position being open. I want to see our different ideologies examined in the full light of day.

SkyWlf77

Per usual, you are making the claim that open-source software is not inherently dangerous and does not compare to peer review. Per usual, you are wrong. Open-source software is no less dangerous than a scientific release of information such as the one mentioned in this article. If one takes a piece of open-source software and designs a very nasty virus into it and releases it onto the web as a new version of a popular piece of software, they are inherently risking hundreds of thousands or millions of individuals' computers, credit cards, bank accounts, and much more. This is akin to this release of scientific data that could be used to terrorize the population. Scientific peer review is no different than using the knowledge base of each individual that works on an open-source project to develop a piece of software. Both processes use the knowledge, experience, and skills of a group of people to ensure that the data that is collected/used is pertinent, applicable, and correct. Both are a type of peer review process. Before you go around saying others are wrong, maybe you should examine your own incorrect ideologies so that you don't make incorrect analogies and statements. You may disagree with Mr. Colbert - and you have that right - but going around spreading misinformation purposely to detract from Mr. Colbert's articles is morally reprehensible.

apotheon

QUOTE: I think there is a strong correlation between the ideological process of scientific peer review and the ideological process of open source peer review. Let's say you're right about that (though for the most part any significant ideological overlap, from what I've seen, is a minority segment of both scientific and open source communities). That in no way makes your analogy work any better, because nobody's making open source software that involves significant danger of hundreds of millions of people being infected by a potentially lethal bioweapon. The differences in terms of effect are so vastly disparate that the only thing trying to tie the things together as closely as you did accomplishes is giving a bunch of people the impression you're saying open source software development is inherently troubled by world-wide catastrophic danger. Your argument here is akin to saying that because sleeping while you drive and sleeping while you ride a commuter train both involve sleeping while you travel, it's worthwhile to draw an analogy between the two when someone suggests that sleeping while driving a car is a good way to ensure you're bright eyed and bushy tailed when you get to work. Even if you somehow suggest something that sounds like a plausible danger in the commuter train case, though, the major danger is missing your stop -- which bears almost zero resemblance to the carnage of a sixteen-vehicle pileup on the interstate at rush hour.

dcolbert

I think there is a strong correlation between the ideological process of scientific peer review and the ideological process of open source peer review. They're both seeking the same goals through the same methodology. The extrapolation of the dangers of application of open peer review in one discipline can be observed and applied to the other - because they're both after the same end-game. In this case, we see a case where even among the scientific community, there is great and passionate, ongoing debate questioning if it is sound to have a general, open release of the data being discussed. This is a community as passionate and convicted in their faith in open dissemination and review of data as the FOSS community - but there are many vocal opinions saying that this data *must* be kept private at this point. It serves to illustrate that open and unfettered disclosure is not an absolute. The rational discussion of this and relation to how it applies to FOSS principles is not, in my opinion, scaremongering or perpetuation of FUD. Instead, it is a reasonable and rational discussion that expands the scope of understanding of the benefits *and* liabilities of open-source ideologies.

apotheon

We've already discussed this. Scientific peer review predates open source development, and it is a key component of the process of verification. Without verification of scientific findings, crackpot notions would be used as the basis of new technology far more often, resulting in probably unimagined extents of danger. If you have a bone to pick in this case (as already pointed out, more than once), it's with the scientific community's use of peer review, and not with open source software development. All tying this to open source software does is troll for flames. Yes, it's scaremongering.

dcolbert

I'll even elaborate. I've read a bit on how nuclear proliferation started. Two of the most interesting theories I've seen proposed were:

1: Some individuals felt (arguably, correctly) that the disparity that would result in having a sole global nuclear power would lead to indiscriminate use of that technology by the nation that had this huge tactical advantage - and leaked the information solely for the purpose of creating a parity. Cold war by design, as a substitute for a much worse, one-sided and very HOT war otherwise.

2: Convergent development - just like there wasn't one individual, group or nation responsible for development of the automobile - there were simultaneous studies going on entering into the nuclear and jet ages among various nations with the wealth and resources to do so.

That is the driving force here, after all - if someone HAS done it, someone else CAN and WILL do it. That is frankly a scary thing to contemplate as we head into a society that produces super-science virtually indistinguishable from magic. Genetically engineered super-soldiers, cloned humans and other abuses of ethical scientific research either have, will or will continue to happen. It seems inevitable that eventually some genie is going to get out of the bottle. I *am* willing to approach this intellectually from both perspectives and I'd like to state once more - I do *not* have a real strong bias one way or the other on this particular topic (and related topics like I've brought up above). I'm concerned, and I'm equally skeptical about which course is the most prudent going forward. Regarding the recent bump in 2nd-tier nations becoming nuclear powers: their recent decisions to pursue that widely available knowledge go along with resource and economic constraints. That has certainly been a major obstacle and is obviously one that is rapidly eroding.
I'm still unconvinced that efforts at suppressing this knowledge did not also play an impact in delaying the arrival of additional nuclear capable nations, though. I do remember the kid giving himself radiation burns building his own back-yard reactor. But it stands to reason if a Boy-Scout could mail order the stuff he needed domestically in relatively recent history, then rogue nations (as I'm defining them. I'll call them evil-doers if you would like, :) ) then accessibility to that kind of knowledge, resources, and skill must be an order of magnitude easier to assemble by a nation with relatively huge resources and a network of other like-minded partner nations and contacts. I think the difference is scale and ambition and end-goal, here. quote: however, that grain of salt turns out to be the Bonneville salt flats. LOL... Ok... bring a dump-truck full of salt - then.

apotheon

Quote: We do have some issues with rogue states, some of them neighbors with centuries of conflict and fundamentalist religious difference proliferating nuclear arms because they have the resources to leverage that open source information. The most interesting part of this particular case is that nuclear weapons technology was not developed as an "open source" project. It was developed in secret, with great care to keep others from getting the technology -- but it got out anyway. This makes it an excellent example of how trying to keep something secret often fails utterly to achieve the desired results, especially in the apparently most important cases, and also of how once it got out the result was nowhere near as bad as people thought it would be -- and, in fact, we are now much better informed as the public at large about the dangers arising from nuclear weapon testing so that we can put political pressure on your nominal "representatives" to better protect us from the excesses of military nuclear weapons programs. The fact our politicians are a mix of lame ducks and sociopaths, in the general case, and thus fail to protect us worth a cowpie's market value in the US, is another matter entirely. The argument that intentionally making the knowledge open would result in quicker arrival of related problems does not really hold much water, for a couple reasons: 1. The information has been publicly available for more than half a century. The relatively recent arrival of nuclear weapons programs in various "rogue" states (for some definition of "rogue" that includes North Korea and Iran but does not include the US) is a result of those states only recently pursuing the program, and not of the relative secrecy surrounding development of nuclear weapons in the thirties and forties.
2. To the extent those nations have failed to develop nuclear weapons programs more quickly and fully, it has -- so far as I've seen -- been pretty much a matter of economic and political hurdles rather than of (lack of) access to knowledge. I seem to recall a boy scout developing a nuclear reactor in his backyard some few decades ago, when it was easier to order fissionable materials from catalogs. Why is North Korea so much slower? Quote: Let me say one last thing... the headline... headlines in general... should be taken with a grain-of-salt. When the headline is followed by an article that seems to support the headline as a literal statement of fact, however, that grain of salt turns out to be the Bonneville salt flats. Even if the headline was not so strongly supported by the text following, though . . . Quote: I just read another one on ZDNet about "Why Android Tablets Have Failed." A lot of posters read the headline and went right to the comments without reading the article. This is the danger of using a trollish headline. Live with it, or come up with something less trollish. Just turning it into a question, then explicitly answering the question at the end of the article in a way that suggests that no, you do not think the literal text of the headline is strictly true, can defuse a lot. You waited to provide any kind of backpedaling on the headline until you were probably a dozen comments or more deep in your involvement in discussion, though, by which point anyone could reasonably be forgiven for not noticing your backing off from the statement that "FOSS is the end of the world" or disbelieving you. Quote: maybe I under estimated how people would react to the head-line and not the actual article . . . or maybe the actual article was most easily interpreted, in combination with the headline, as supporting the literal meaning of the headline's words.

apotheon

I'm down with that, as already indicated by my immediately previous comment in this subthread. Have an upvote (and a cookie or twelve, courtesy of TechRepublic).

dcolbert

It is likewise your right to feel so strongly and passionately about the (from your perspective) irresponsibility of my position and my presentation that you state that opinion in no uncertain terms. I wouldn't want your ability to do so limited, either. Assuming our conversation had some sort of impact with key decision makers - and I am as wrong as you feel - it could be your strongly voiced opinion that sways the opinion of those who make the call. That is probably pretty unlikely in this case - but this is more about the principle.

apotheon

I may hate what dcolbert said in the "article" in question, but I'd defend his right to say it even more emphatically than I argue against it -- and at peril of my own life, if necessary. It's worth noting, of course, that there's a big difference between telling someone to shut the heck up and trying to enforce such a dictum (or even threatening enforcement).

AnsuGisalas

I am not selling FOSS. I am "selling" (as in: why am I talking, here) if anything at all "moderation". I react to outrageous statements, half-cocked pot-shots and assumed stupidity: I honestly do not believe these to be useful, for anything. In a nutshell: you were trolling. When I encounter someone trolling, whom I think could do better, I tell them "You can do better than that". Simple, huh?

apotheon

Apparently, AnsuGisalas is evil too, because he disagrees with your statements that "FOSS is the end of the world as we know it". Hypocrite, much?

dcolbert

I actually don't completely discredit the idea that some governments might have a pressing interest in keeping this information suppressed. If the MythBusters were exploring that possibility, I think they would end up with a "Plausible" on this particular idea. Worrying yourself crazy is a risk with situations like this. I mentioned the LHC earlier. In that case - where after a member of the scientific community made the tongue-in-cheek comment that "If we try and start it up again and it fails, with those kind of odds, we'll have to assume that someone is coming back from the future to prevent it from starting to save humanity"... and then it didn't start... I uneasily decided, "you've just got to let go and not worry about this one because it is futile." This case feels different to me, though. This feels like one where the public voice should be heard. The suggestions that the LHC was going to destroy the world were fantastic and extreme. The idea that this could be abused and disrupt society massively is far more plausible. I'm firmly in the middle here - I've got strong doubts about approaching this from a conventional "scientific peer review" model. At the same time, I see the value of doing just that. So far, this conversation hasn't clarified where I stand at all, unfortunately. I wonder if anyone else has developed a stronger position one way or the other because of this forum?

tbmay

...and assume not. I was simply acknowledging the same thing you did, anything is possible. There is a possibility that bright members of the scientific community are so committed to some ideas they would defy common sense to adhere to those ideas. They are people after all, with opinions and biases, just like the rest of us. But it's pointless to worry about all the possible things that could happen. You'll drive yourself crazy. And the fine line that is being walked is keeping "how-to's" out of the hands of bad people....at least long enough for us to have an answer for how to deal with it....vs. knowledge suppression...and giving people what they need to know to individually deal with risks...and avoiding getting into censorship, witch-hunts, book burning, Government knows best and will tell you how to live and think....etc. Some people don't think "degree matters" and some people actually think Government control is the Promised Land. I hope most of us are somewhere in the middle.

apotheon

If you take the same approach that you did in this case, I will be equally harsh. If, on the other hand, you actually say true things, make reasonable statements, and avoid saying things that directly contradict everything you should instead take into account (previous arguments debunking your trollish statements, the claims you occasionally make about how you never meant any offense with your utterly offensive words, and the moderate position you say you hold in "real life"), I'm sure we can have far more productive discussions in the future. I'm skeptical.

dcolbert

As unlikely as it may have seemed at the beginning - I think we're approaching a common ground. Obviously we both have our differences of opinion and we don't see eye-to-eye completely on this topic - and I doubt we ever will. Despite that, I think we're both closer to a middle ground here than we've been at any other time in this ongoing discussion between us. I'm pretty happy with that. Now, keep in mind, I might throw some rhetoric around in future headlines to get people to click through. I'm still going to *challenge* Open Source ideologies - and I'll always welcome your particular perspective and insight as a counter-point.

apotheon

Quote: The people matter as much, or more, than the ideology? Of course they do -- because no matter how excellent and perfect a process or set of principles you choose to bring to bear, with the wrong people, the execution will not match the intent. What good is a nominally open source project that absolutely refuses to accept bug reports or patches, to listen to any outside input, to care how its code looks when released into the wild, and so on? There's exactly one benefit to that, and it's not a benefit to the project itself, but rather to its users: it can be forked and done better. Quote: It isn't that FOSS is inherently superior as an ideology for code design. We've hit this in the past - could it just be that the FOSS development community attracts people who are more dedicated to these hot button issues of security? No, that's not how I'd say it. You're painting the picture of a false dilemma. The principles of open source software development yield significant benefits, in and of themselves, when applied well; the open source development process is not irrelevant to the quality of the work. There are certainly people more dedicated to quality and security who are attracted to open source development because of that, but it's not just an article of faith for them that results in better software because of those people rather than the processes. They would not be attracted to the open source model if there were not a reason for them to be attracted to it, after all. People who are very good at analyzing and producing quality don't arrive at that state of affairs entirely by accident. They get there by thinking about their craft, by developing good practices, by thinking about the consequences of their decisions, and by adopting processes and principles that support those decisions in recognizable ways that stand up to scrutiny.
The fact that good people make a big difference, and bad people make a (differently) big difference, does not mean the factor of people quality is the only factor relevant to project quality. Quote: I understand that Chad, you and Ansu (and others) feel strongly that the lack of transparency in closed-source development has a negative impact on disclosure and response to security and other bug-fix issues. I still think that there are places where closed-source makes far more sense than open - and not just in matters of national or global security. I agree with that, too, as far as it goes. I just think those cases are far less common than you seem to think, considering you seem intent on ignoring most of the benefits of open source software, and on refusing to examine some of your assumptions about the "need" for secrecy in many cases where it simply is not as important as you seem to imagine.

apotheon

Quote: And I think you three are farther to one side than I am in this regard - I'm more moderate. You've made this claim but it is very hard to support with any evidence - that closed-source companies MUST have inferior peer-review processes - processes that you won't acknowledge are peer-review at all. I don't think so. See, the only person who applies "MUST" to what we say is you, and while I (for instance, as probably the worst offender in your eyes) diligently point out the counterarguments to your wild claims, I do not make such absolutist statements as you then pretend I did. In each of these discussions, I end up eventually explaining at great length how I speak of trends and tendencies and logically evident influences, and not of invariant end results -- in direct response to your in-depth assaults on me where you bludgeon me with assertions that I am claiming the opposite case (that end results are invariant, and there are no trends and tendencies and logically evident influences in the relative sense). To me, then, it really looks like you are anything but moderate. I foresee that you might try to hold up my use of the term "crony review" as a counter-example, but that was a reference to the tendency toward institutional bias, and not a statement that internal review processes are necessarily void of all value. Quote: I disagree - peer review does NOT have to happen only one way - it does NOT have to be completely transparent. With whom do you disagree? Nobody said that, per se. What I have said, and what I'm pretty sure both Sterling and AnsuGisalas have meant at every turn, is that transparency and public peer review are far more effective at overcoming systemic biases and similar problems. That does not mean that peer review must always be a public, 100% transparent process; it just means that, to the extent it is not, you are reducing the range of perspectives from which you might otherwise learn in the peer review process. 
Once again, it's you who injects the "must" into the discussion, and not anyone else. The cases where such broad, public, transparent peer review should be judged less than ideal are not cases where for some reason peer review is bad; they're cases where some other concern directly competes with peer review, so that a weighing of benefits and detriments must be taken into account. Of course, in most cases, people who are skeptical of open peer review tend to be unnecessarily conservative in a way that undermines their own efforts, and I will point that out when appropriate (as in the case when someone says "FOSS is the end of the world"), but that does not mean that I think there are no competing concerns that should be considered. The fact you refuse to see that, and keep insisting that everyone who disagrees with your broad, sweeping, ludicrous exaggerations and generalities is saying "You MUST do it this way!" makes your claims of being more "moderate" look hollow at best, and downright flabbergasting in their contrariness to evidence at hand otherwise. This, I think, is why discussions with you turn into flame wars. Even when you say something reasonable (like "my first hand experience is that internal peer-review can be very effective"), you do so only as one statement among many. The rest of your statements pre-emptively or unjustly cast others as inflexible, monochromatic ideologues with no sense of perspective or proportion, and only after spending days and thousands of words sounding like an inflexible, monochromatic ideologue with no sense of perspective or proportion, yourself. Yes, it's true: I should not take the bait. No, it's false: neither I, nor Sterling, nor AnsuGisalas said or implied the "MUST" you assign to all of us any time you want to have some way to dispute what we say. Quote: I tend to think that the committee like groups that form around many FOSS projects probably do not operate much differently than projects in closed-organizations. 
Deliverables and ARs are assigned to team members who are trusted to go forward and because of resource constraints and time-lines, that work isn't thoroughly peer-reviewed prior to publication of the final project. In short, it sounds like you're trying to claim that a nominally open source project that does not actually make effective use of open source development processes and principles somehow says that open source development processes and principles are to blame. There are only three reasonable excuses for why it might look like you are saying something like that. 1. I misunderstood what you said. If so, I recommend you consider how to phrase something like this differently next time. 2. You didn't think through the concepts you addressed before saying something, ending up with a self-contradictory statement as a result of commenting without sufficient thought. 3. You're assuming or implying (once again) that what you are arguing against is not statements that open source development processes and principles offer significant benefits, but statements that anything with the label "open source" is necessarily better than an equivalent that does not bear that label. Considering none of us have (as far as I've noticed) made the latter claim, this is just as wrong as the second option. I'll refrain from offering any of the unreasonable explanations, because any time I mention one of those you focus on that as if it was the only thing I said, then take your ball and go home or declare yourself the moral victor without ever even addressing my points. Quote: This is where I think the "inherently better" argument breaks down. You are the only person who said "inherently better" on this entire page. I just did a text search. It's not there in any other comment but this one of yours, period. In fact, even the word "better" is in rather short supply on this page. 
Four people have used it: AnsuGisalas in referring to better communication in articles and discussion; me, referring to my chances of getting to a TR Live event next year; someone entirely unconnected to the discussions between you and those you seem to regard as the "Axis of Open Source Evil"; and you. You are the only person who has used the text string "inherent" at all. Take the quotes off your use of "inherently better" and stop trying to attribute statements to the effect that something is "inherently better" to people who never said anything that amounts to exactly that in this discussion, for future comments, please. Quote: The ideals of FOSS may be better equipped to deal with those factors in *theory* - but I don't think there is any concrete evidence that suggests that they're better able to handle those factors in *practice*. There is such evidence, as in the case of source code reviews by neutral third parties that discover closed source bug rates are greater than open source bug rates for projects of similar complexity, size, purpose, functionality, or some combination of the foregoing, by literal orders of magnitude. There are also other indicia as well, such as minimum and average vulnerability response times being lower for major open source projects than equivalent closed source products. The evidence is out there, if you want to look for it. The key to the pragmatic approach is not to ignore the evidence, but to realize that one should compare the conditions of projects that point out such advantages to the conditions of one's own project and decide whether it seems likely those advantages might apply differently in your case, or be overshadowed by other concerns. Even anecdotal evidence -- where "anecdotal" is roughly equivalent to "not statistically meaningful" -- tends to overwhelmingly favor the open source approach, as in the case of differences in handling long-undiscovered vulnerabilities that come to light only years into their existence.
Where are the cases of a vulnerability suddenly being widely exploited for open source software dominating its niche (e.g., webservers and DNS servers), and it turning out the developers knew about it years ago and just suppressed the vulnerabilities' existence? I've written articles about Microsoft instances of exactly that for its closed source software, by contrast. While anecdotal evidence does not make for a very rigorous argument, it is certainly suggestive, especially when coupled with all the non-anecdotal evidence that better stands up to scrutiny. Quote: When we include economic drivers - the closed-source model still drives far more economic strength in the IT industry than FOSS models (although FOSS has a growing presence - just not in the model with which FOSS pundits had wanted it to arrive). The economic strength of closed source software in its market is not quite what the purveyors would like, either. One of the reasons MS Windows has such a strong presence in the world is its (illegally) free availability, especially in emerging markets. In short, the economic strength you perceive is not quite what you think it is. You're probably ignoring a lot of the economic strength of open source software, too, as in the case of Apache and nginx as the first and second most widely deployed webservers in the world -- definite drivers of economic activity, especially in the case of nginx which does not even have a substantial foothold in the shared hosting market. I'm not sure exactly what you mean about how "FOSS pundits had wanted it to arrive," by the way, but it mostly looks like roses to me. 
I would definitely bet my income far more readily on open source revenue models, where the access others have to the same source code I'm using does not hurt my business model at all, than on closed source revenue models where I have to expend tremendous resources on copyright enforcement in a world where enforcement attempts are becoming increasingly irrelevant to the success of a closed source model.

dcolbert

So then, in a nutshell... The people matter as much, or more, than the ideology? A lazy team of FOSS designers taking short-cuts and assuming that each project member has their bases covered is going to create code that is inferior to the efforts of a dedicated team of closed-source designers taking every reasonable precaution, pursuing thorough peer-review and otherwise making a focus on quality? It isn't that FOSS is inherently superior as an ideology for code design. We've hit this in the past - could it just be that the FOSS development community attracts people who are more dedicated to these hot button issues of security? I understand that Chad, you and Ansu (and others) feel strongly that the lack of transparency in closed-source development has a negative impact on disclosure and response to security and other bug-fix issues. I still think that there are places where closed-source makes far more sense than open - and not just in matters of national or global security.

Sterling chip Camden

I said "there's significant pressure" -- that doesn't mean that companies don't sometimes overcome that pressure. One of my clients, who is a closed-source software vendor (surprise!), has allowed me to be involved in some of their code reviews which were very thorough. Like your experience, a pedant or two on the review committee helps make sure all the i's are dotted. It isn't that it can't work, it's that it often slips. In recent years, that client has migrated to a more informal code review process, relying more heavily on testing. I think the quality of some sections of their code has suffered thereby, although in general they've improved quality through more rigorous testing.

dcolbert

And I think you three are farther to one side than I am in this regard - I'm more moderate. You've made this claim but it is very hard to support with any evidence - that closed-source companies MUST have inferior peer-review processes - processes that you won't acknowledge are peer-review at all. When I sat on the Change Control Board for my engineering group at Intel there was an engineer I *despised*. His temperament and personality actually reminded me a lot of both Chip and Chad. I'd get through the entire change presentation, discuss all the questions, have approval from all the board members, and he would inevitably speak up, "Ok, but I just have one more question before I approve". It was very frequently a deal breaker that sent me back to the drawing board, scrambling to overcome some fatal flaw that he had discovered during the peer-review process of the change control. I despised him, but he probably kept me, and countless other engineers, from getting fired for flawed deployments. His singular focus on getting it done right, doing what was in the best interest of the company - resulted in averted disasters on a consistent basis. So my first-hand experience is that internal peer-review can be very effective - and Intel is a notoriously tight-lipped organization that values proprietary information to a fault. We also engaged on a consistent basis with external partners, vendors and other resources and shared information and opened up our processes to independent peer review from outside on a non-economic driven basis (there was no benefit in pushing something through for these outside partners). I disagree - peer review does NOT have to happen only one way - it does NOT have to be completely transparent. I've accepted that in many scenarios the kind of peer review you three advocate can have a significant advantage - but I disagree that it is absolute. There are many cases, many models, where keeping your information a little closer has value.
Additionally, though those burdens might be decreased by a FOSS approach, it is in human nature to seek project completion, to look for the quickest - not necessarily the most efficient - course toward resolving an outstanding issue and meeting deliverables. I tend to think that the committee-like groups that form around many FOSS projects probably do not operate much differently than projects in closed organizations. Deliverables and ARs are assigned to team members who are trusted to go forward and because of resource constraints and time-lines, that work isn't thoroughly peer-reviewed prior to publication of the final project. It might be easier to go back after the fact once things don't work right and find out where that went wrong, and easier to attribute that to a single individual's carelessness - but that doesn't prevent human nature from having the initial impact in any case. At that point, this is where I think the "inherently better" argument breaks down. It may be inherently easier to *address* - but neither FOSS nor Closed-Source can account for human nature. There are lazy people, there are sloppy people, there are people who've over-represented their skill-set and there are people who are actively malicious. The ideals of FOSS may be better equipped to deal with those factors in *theory* - but I don't think there is any concrete evidence that suggests that they're better able to handle those factors in *practice*. When we include economic drivers - the closed-source model still drives far more economic strength in the IT industry than FOSS models (although FOSS has a growing presence - just not in the model with which FOSS pundits had wanted it to arrive). I think that that economic strength is strongly correlated to the closed-source model of businesses - and I feel that this benefit is the "greater good" compared to any weaknesses, perceived or real, comparing closed-source models to FOSS models.
With this case - I don't see any reason why a closed-source peer review among qualified representatives from engaged and relevant communities couldn't achieve the same thing as an open peer review and publication of the data being discussed.

Sterling chip Camden

As much as companies want to have honest internal reviews, there's significant pressure to "get it to market" which can lead to taking shortcuts. One of the first and easiest shortcuts is to downplay the significance of flaws found in internal review, and just write them off as "technical debt" that we'll address later.

apotheon

If it's closed, it's not "peer review" -- it's "crony review", and subject to significant biases in the review process.

AnsuGisalas

That is by publication in a journal of Science or by presentation at a scientific convention; usually followed by publication. That's what it is, and that's what it means. There's no such thing as a "closed peer review". This disease is so hard to handle that there are no non-gov labs capable of performing this stuff. And a gov lab can figure out how to do this if they want, publication or not.

apotheon

I almost always edit my comments in Vim, and save a copy in a tempfile before posting. I didn't this time. Oops.

dcolbert

Select all, cut, paste into text, save, then click submit reply. :) The last time I *didn't* do that, TR ate a lengthy reply. Murphy is a SOB.

apotheon

1. I don't beat people to pulps. I haven't got it in me. I'd defend myself (and others) to the extent necessary with no qualms, but I don't take things to extremes of physical violence for any reason but necessity. Sorry, you won't guilt me into silence by giving me a chin to punch. 2. It was pretty difficult to justify the expense and time of such a trip immediately after finally confirming that CBSi would not let me (the most prolific security writer at TR for quite a while) keep writing for TR if I didn't share invoices for other clients with their third-party qualification team (likely a gross security violation under the circumstances). C'est la vie. Maybe I'll be in a better position to do that next year, when I have not just had a decent chunk of monthly change and a significant portion of my involvement here cut by an impersonal bureaucracy.

AnsuGisalas

I came right out of an argument with Adornoe; so I had my pen dipped in too much plutonium... sorry. But your piece was sensationalist and tendentious, you know that. And you made some claims that you did not qualify; you refer to "The Stand" as if it is explanation enough of how things could/would go; it is not. You make no qualification that this disease would adversely affect the human species in the long term (the short-term ones never have before). Long-running diseases, like AIDS and Malaria... those are a burden. The short-burn ones, not so. And after the smoke clears, people are generally pretty well off for a few generations; each culture which lives through a plague has then gone on to have a period of prosperity (if no war interferes). It hasn't actually ever failed. Cultures gridlocked in overpopulation free up when the population drops suddenly. Especially if infrastructure is not harmed.

dcolbert

We both handled it poorly - and I am equally to blame. Let's both try to do better going forward. I feel like it would have helped if you had come to the TR Live this year and we had met face to face. Somehow I think a few beers and an hour or two of face-to-face time and we would get beyond this. Or you would beat me to a pulp and feel too guilty to engage online going forward. ;) Either way, problem solved.

apotheon

Sterling didn't say anything inflammatory or contribute to a flame war. AnsuGisalas was not nearly the poor customer you portrayed him to be. Yes, I played a central role in creating this mess, I suppose -- by taking the bait in your "article". I take responsibility for that. I should have made a brief comment, then refused to engage you any further when you refused to actually acknowledge my points... most of which you still ignore in favor of saying "Yeah, well, you're worse!"

apotheon

I wrote a lengthy, detailed reply. TR ate it. If I try again, it probably won't be today.

tbmay

Quote: "Because I do want to explore that this issue makes some people who are otherwise strong proponents of FOSS say, "Wait a minute... the Many Eyes are great - but not in *this* situation"." That's probably close to my own position, assuming the dangers are really grave and not exaggerated for effect. But understand I also agree with Chip that no-good-nics will be trying to get the information, and will eventually get it. If guns are outlawed, only outlaws.....well...you know what I'm going to say here. For me it's just common sense to attempt to stall its arrival in wrong hands. But who's to say the hands it's in aren't wrong? Honestly not an easy question. But I don't find it all that close to FOSS as a practical matter for reasons we've already discussed. Just because I think the free exchange of information, ideas, and knowledge are good things, doesn't mean I'm going to paste my credit card number on TechRepublic. Software is just a tool. Lots of good ideas are built into lots of software, but in and of itself, it's not anything but an arrangement of ones and zeros. Ones and zeros are not destructive any more than a gun sitting on a shelf is. People are destructive.

dcolbert

I don't think it is sensationalist to say, "look, scientific peer review amounts to the same thing as the Many Eyes Model of IT security". Do you? They're the same basic concept, driven by the same core tenets. Many Eyes *is* about peer review? So then, what is sensationalist about making that link more explicit? Because I do want to explore that this issue makes some people who are otherwise strong proponents of FOSS say, "Wait a minute... the Many Eyes are great - but not in *this* situation". At which point, that opens a discussion for me about where we decide when FOSS/Many Eyes applies and when it doesn't. You've staked your claim - I can see you're pretty absolute about where you think it applies. And that is fine that your position is that strong. But I think an issue like this helps illustrate that it is very situation-specific for a lot of people. I've come to see that FOSS and the Many Eyes model have application in some situations - but I've also come to a clearer understanding of why there are situations where closed-source models can be equal or superior and can potentially be equally as secure. I think that kind of discussion is a benefit for our readers, handled correctly. As for saying anything inflammatory, I've got a story. When I was young and had long hair and wore leather jackets and torn jeans, I was at the California State Fair. A group of similar youths broke out into a fight, and I stood by and watched. When the police arrived, they threw me out along with those who were fighting. I was nearby, and by a number of ways I was easily identified as being part of their group. I protested my innocence to no avail. You're identified by the company you keep. You're taking a position on how this particular riot started and my part in it - and I'm saying, "I saw you standing near those guys who were a big part of the fracas - seems that you're part of their mob". In return you're responding, "Me Sir? No sir, I'm just a victim of appearances".
That may be so, Chip, in which case, accept my apologies - but again, try to see it from outside your own view into the situation.

Sterling chip Camden

I don't know where I've said anything inflammatory, but if I did I certainly didn't mean to. On the other hand, I found sensationalism in your original article, attempting to tie the "many eyes" model of FOSS with enabling terrorism. "End of the world as we know it" is pretty hyperbolic, don't you think? Anyway, I think the argument for secrecy fails to take into account the cost of inaction. It's a head-in-the-sand strategy that hopes we can keep everyone else's there, too.

dcolbert

I don't know that I agree with you - especially on this topic - but I appreciate you coming out and taking a definite position. I got a big dose of "look at yourself from outside" up above - Do me a favor and try the same. You write an article, a group of usual suspects shows up with their own biases, and instead of addressing the *topic*, they lay immediately into your CHARACTER based on previous engagements. All fair enough to expect, but I'd use this to illustrate that I was not the one who went OFF topic and that the "sensationalism" received an external accelerant. You can make assumptions about my motivations and if this is what I wanted or not - but it wasn't. My mistake was, and I've said this a number of other places - responding back in kind rather than trying to dial it back immediately. Chip - Chad, Ansu and you played a HUGE part in this thread spinning out of control. There were a number of other people who responded and engaged in a dismissive way and those didn't turn into flame wars. I've taken MY responsibility in that coming to pass - now it is your turn, you three, to admit your own culpability in this coming to pass. Back to the meat of this discussion, though - this is where we get into the circular loop I have trouble dismissing. Those who are "searching for it earnestly through whatever means" will do so either way, right? This makes it EASIER for them to get to that information. Instead of digging for it, they get it hand delivered to them. For me, it is a 6 of 1, half a dozen of the other situation. I see your point about it reaching more mind-share in a more rapid manner, and that this may result in a quicker and more satisfactory solution - but in this particular case, it is a TERRIBLE gamble. Can you convince me that it isn't a gamble, that it is in fact the statistically significantly superior course of action?
Because, even if you're RIGHT but it is a 49/51% split in your favor - the odds of it going the OTHER way are simply too high in this case. You might make that breakdown when it is the security of your SSH server that holds ePHI with those kind of odds, but when we're talking 1 out of every 2 infected dead, I'd want to see something like "It is 98.9% likely that making this information open will result in a satisfactory solution, deployed more rapidly." I know we can't really come up with guaranteed numbers that are this specific - but are you really comfortable that the potential benefit outweighs the potential risk in this case? That is what I asked - and what I stated in the original post, this is where the boots hit the pavement on showing your faith in this philosophy. To me, it speaks to the strength of your belief if you're willing to take this stand in this case.

Sterling chip Camden

... because it seems to me you took a big step back on topic, with a modest reduction of sensationalism. Personally, I think trying to keep this mutation secret would be more dangerous than revealing it. When information is kept secret, then the only people who find it are those who are earnestly seeking it through whatever means are at their disposal. Publishing this brings the problem to the attention of more well-meaning people who can help formulate a plan for dealing with it rather than just hoping that nobody ever finds out how to do it and that it won't develop naturally.
