
The smallest threat to open source in 2009

How much of a problem is security updating for open source software going to be in 2009?

On the first of the month -- also the first of the year -- Dana Blankenhorn published the sensationally titled The biggest threat to open source in 2009. His thesis is simple: because open source software usually lacks any mechanism for easily updating to the latest security-patched version, the growing popularity of open source software will render it more vulnerable to problems than its closed source counterparts.

As a lead-in to his main point, he said:

There is no longer any doubt that hackers and malware writers are going after open source projects as they once went after Windows. Vulnerabilities are being found, discovered, created, exchanged.

There seems to be a common malady amongst opinionated tech writers -- that of never quite getting it when it comes to the fundamental principles of security. A particular favorite for being ignored is security through obscurity. Many moons ago, I wrote what I think is a decent treatment of the subject as it applies to open source software, Security through visibility. While it makes a pretty strong case for ignoring the bleatings of "popularity is insecurity" doomsayers, it's really only the first step toward fully understanding all the problems with the assumption that the only thing "secure" about open source software is obscurity.

Obviously, given the start of his article, I was already expecting very little in the way of useful information. His next statement left me even more mystified at what appeared to be a towering edifice of ignorance, however. Specifically, he said:

The best protection against vulnerabilities is to keep software updated, but most open source lacks update services. That's one part of the Windows license that is worth paying for, and there does not seem to be an open source equivalent.

As a long-time user of open source operating systems, previously favoring Debian GNU/Linux, and subsequently moving on to FreeBSD, I was stunned to see this in writing, published for all the world to see. Was he serious? Could he really believe that?

One of the most visible wins for open source Unix-like OSes, once one has learned a fair bit about them, is the casual availability of superior software management systems. I've written a brief primer for effective use of APT for TechRepublic, Efficient software management with the Advanced Package Tool in Debian. I've also addressed the excellence of a security tool integrated with FreeBSD's ports system, How FreeBSD makes vulnerability auditing easy: portaudit. Both of these articles illustrate some of the significant benefits of having a better software management system than the one MS Windows offers.

Perhaps even more relevant to Dana's point is the fact that, on open source Unix-like OSes (but not on MS Windows), the software management system typically manages security updates for far more than just the core OS and a couple of applications created by the same vendor. The software management systems of such Unix-like OSes tend to provide security update management for literally thousands of software packages originating outside the core OS project itself -- in some cases, tens of thousands.

Then, his next statement clarified his meaning:

An exception is Firefox . . . But how many take advantage of this? And how tied is Firefox to updating for security purposes? Remember we're talking about pushing updates, not asking users to pull them.

Suddenly, it all became clear. In Dana Blankenhorn's mind, "open source software" refers only to the handful of popular open source applications that are regularly used on MS Windows systems. I find it interesting that the only example of an open source application he offers is an exception to his rule, however.

Where are all the legions of open source applications that don't provide easy software updates? Whose fault is it that MS Windows doesn't have a software management system that can help ease the process of applying security patches for these applications the way open source OSes do? Where are the examples of closed source applications that provide such update management as he describes, where the MS Windows compatible open source alternative does not -- thus justifying his singling out of open source software as somehow more notably vulnerable?

Perhaps the worst part of the article's inaccuracies is that its assumptions (that all software worth discussing is MS Windows centric, for instance), which are plain to those of us who know better, are opaque to those who do not. A manager with little or no experience of OSes outside of MS Windows may read this article and come away with the assumption that open source OSes completely lack software management systems. As a result, he or she may scupper any potential plans to deploy open source Unix-like systems in the network. So much for "the best tool for the job"; such decisions are often difficult to make well even when you aren't hampered by wrong-headed ideas like those Dana's article might inspire.

He does make a good point about corporate culture, though:

But until this ramps up (hopefully in a competitive market), enterprise managers have an easy way to say "no" to open source.

Regardless of how dangerous this is, the fact that managers feel it's dangerous makes it so.

Too bad some of those managers might "feel" it's dangerous specifically because of his own article.

I'd clarify that to say that managers feeling it's dangerous doesn't actually make it so -- but it does make it so for all intents and purposes in the corporate environment, when it comes to technology implementation decisions. When the higher-up says "I think the closed source software offering is better, because I have these concerns about the open source software alternative," his or her subordinate (and perhaps more technically inclined) IT worker will eventually reach a point where he or she must either make decisions limited by the manager's fears or polish his or her resume. Take it from someone who knows from personal experience.

On one hand, I'm inclined to be dismayed by this common bureaucratic failure of corporate culture, and feel the urge to rail against it. After all, security is everybody's problem; it's not just a problem for "that guy over there". Your problem, to a significant extent, becomes my problem when you connect to the Internet.

On the other hand, knowing something about security that others don't provides something of a competitive advantage. Where competitors may stumble and fall, the organization with a knowledgeable IT department will remain stable and secure, and prosper where others have failed.

I guess there's a silver lining to every cloud of disinformation.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

42 comments
DanaBlankenhorn

I want to thank you for riffing on my piece. (Next time, send me a note and I'll get here sooner.) I was not thinking only of "certain open source projects" in what I wrote, but of detailed studies by Palamida of how seldom many open source installations are patched and how out-of-date (thus vulnerable to known bugs) enterprises using open source actually are. This is a real problem in the enterprise space. You're right, the way Microsoft addresses this is by giving you "one throat to choke." How can open source deal with this? Through software and update services. That's not just my argument in a blog post. It's the argument Palamida is making to the market. Thanks again for writing about what I did, and keep up the great work here at TechRepublic -- your source for indepth pro-to-pro IT analysis.

Neon Samurai

Did the companies with unpatched systems have unpatched Windows systems along with other platforms? Did those companies have a service agreement with a service provider like Red Hat or Novell? Really, one would need to know more than just "many companies were not up to date", as I see as much unpatched in Windows shops as any other. MS provides one throat to cut plus a long list of legal reasons that they are not accountable. If you're not a service agreement customer, MS doesn't care. This is no different from Red Hat, which says "sure, download our development version, Fedora, and the enterprise version if you like. Updates you subscribe to us for, and we also offer support and services." Mandriva offers support, Novell offers support. In terms of "one throat", I've yet to see how this is more than a myth of perception. Really, the objective remains to have systems solid enough to not require a scapegoat.

apotheon

"[i]I want to thank you for riffing on my piece. (Next time, send me a note and I'll get here sooner.)[/i]" I tried using the trackback feature of the Weblog software to ping you, but it doesn't appear to have worked. I'm not sure if the problem is at TR's end, at ZDNet's end, or both. "[i]I was not thinking only of "certain open source projects" in what I wrote, but of detailed studies by Palamida of how seldom many open source installations are patched and how out-of-date (thus vulnerable to known bugs) enterprises using open source actually are. This is a real problem in the enterprise space.[/i]" That sounds more like a problem with enterprise software management policy than a problem with open source software per se -- especially in the use of open source operating systems, which actually provide better software management systems than (most?) closed source OSes. Do you have a link to the source?

morgancoxuk

You are wrong on the ease with which you can update to the latest security updates. It really depends on the distribution. If you run a rolling release distro like Arch / Gentoo you will always get the latest software (Arch is very, very good at keeping up to date). OpenSUSE has a (similar to Windows) automatic update tool, where (IF YOU WANT) it will search for updates and install them automatically; you can disable updates that will require an update. Also, if you run the binary version of Firefox (i.e. downloaded directly from mozilla.org) then Firefox also updates itself ....

apotheon

"[i]You are wrong on the ease at which yo can update the latest security updates.[/i]" You say that -- then go on to talk about how easy it is on various Linux distributions. I think you have completely failed to support this statement.

hlhowell

Need I say more? What does it read on your system? Where does it go? Suppose 10 million users have package xyz. Do you really think Microsoft's marketing group doesn't know it? Just my own take on things. But I only have three Linux systems, none of which has gone down so far due to an update (over 5 years). Couldn't say that of the same systems on Microsoft. Regards,

TripleII-21189418044173169409978279405827

He replied once in a vague way about "enterprise" stuff and was never heard from again. I posted a valid question, silence. Anyway, the talkbacks tell the story. My conclusion, as I wrote on the story is valid. http://talkback.zdnet.com/5208-10535-0.html?forumID=1&threadID=55958&messageID=1058116 [B]It should be noted though that many many many Windows applications don't have the same update mechanisms, so in effect, the story boils down to beware of outdated applications of any and all kinds on Windows.[/B] TripleII

CharlieSpencer

"Where are the examples of closed source applications that provide such update management as he describes, where the MS Windows compatible open source alternative does not -- thus justifying his singling out of open source software as somehow more notably vulnerable?" Don't you love a double standard?

apotheon

"[i]Don't you love a double standard?[/i]" Without double standards, I'd have less inspiration for new articles.

Sterling chip Camden

I run into a lot of folks who are uncomfortable with non-MS systems because they think that "MS is so big, of course they'll cover all the bases for us." The perception is that managing a *nix system requires them to be more responsible for making sure everything is in order. As long as they can't see the man behind the Windows curtain, they're willing to trust the Wizard to give them a brain (heart and courage optional). There's no place like /home, there's no place like /home...

Claptrap1

"MS is so big, of course they'll cover all the bases for us....As long as they can't see the man behind the Windows curtain, they're willing to trust the Wizard to give them a brain" A slightly simple acquaintance, let's call him Mark, bought a Dell laptop and asked me to help him register Windows and the three-month licence of that anti-virus program. I told Mark that whatever he does, as soon as he goes on the internet he MUST download a firewall and at least one spyware remover, which he has to update and run regularly. I wrote a list of websites in WordPad, where he can get each of the free security programs, including an anti-virus program for when the trial period is over. Four months later at badminton club Mark started yelling at me in a loud voice that his computer is not working and made out it was my fault somehow. I asked him how often he updated his security programs and told him that he most likely has spyware on his computer, if not viruses (the kind of sites he was visiting). Mark had assumed that because he has an anti-virus program - even though it would not update itself any more - that he was protected. He even claimed that I had not told him about the other threats and he was really furious that he should have all those utilities as well as an anti-virus program - houses don't have more than locks on the door, do they? I told him that houses DO have burglar alarms and firewalls and locks on windows as well as on the door, and some even have security cameras; cars have alarms, immobilisers and steering wheel locks as well as locks on the door and boot... If he doesn't want to bother with so much security, he can get himself a bike and install Linux on his laptop.
After Mark calmed down and had apologised, I cleaned his laptop, installed all the security software - he had deleted the list so I had to hunt down the web addresses again as I don't remember things like that by heart - that's what bookmarks are for - and stressed several times that although Avast was free (it was the only free program at that time which would have automatic updates), he has to re-register every year... 15 months later Mark came to me and told me he cannot get updates for Avast: it turned out he hadn't renewed his licence, despite the reminders Avast had given. Some people just never learn! I refused to touch his computer again: I told him it's time he paid some hard cash for his stupidity. Unfortunately my mate offered to clean his computer, for free... Mark is still coming round every time he gets a virus from some dodgy site, even though my friend has also got fed up wasting his time on Mark. If he carries on, I'm of a good mind to tell him all his p**n pics and other documents are infected and I have to do a complete OS install - and then install Linux. I doubt Mark would even know the difference, not as long as it's GUI and he can carry on downloading naughty pictures from dodgy sites. :P

chris

I've seen the no place like 127.0.0.1 shirt, but this is even better. sorry for being off topic

CharlieSpencer

"I run into a lot of folks who ... think that 'MS is so big, of course they'll cover all the bases for us.' " Unfortunately, most of those folks don't realize that Windows / MS Update only updates Microsoft's OS and apps. It doesn't update anything from other vendors, open or closed.

Dumphrey

of Big Brother Fixes All that gives Windows admins a bad name. Anyone that admins a server should try to understand, to the best of their ability, how to secure that server. Anything else is like expecting the locks on your car to prevent a crook from breaking the window...

apotheon

"[i]There's no place like /home, there's no place like /home...[/i]" Actually, /usr/home on FreeBSD is very much like /home on Debian GNU/Linux. I just thought I'd mention that. As for the meat of your comment: "[i]The perception is that managing a *nix system requires them to be more responsible for making sure everything is in order. As long as they can't see the man behind the Windows curtain, they're willing to trust the Wizard to give them a brain (heart and courage optional).[/i]" You're absolutely right about that, of course. Too bad people can't see that the responsibility is still there -- just hidden, where it's not as obvious. As a result, with MS Windows systems, responsibility often gets shirked with the end result that MS Windows systems end up significantly less well-managed in most cases. That's one of the things I like about a traditional Unix-like approach to system design: it seems specifically organized to make one's responsibilities more obvious, so that one will realize the importance of taking care of them. Thus, important parts of the system administration process won't be forgotten and neglected as easily. It's not so much "I don't have to do that on Windows!" as so many people think; it's more "I can't believe I didn't think to do that on Windows! I've been vulnerable for years! No wonder I have to reinstall the system every six months!"

Jaqui

the smallest threat is misinformation being spread by people, such as the author you talk about in the article. The biggest threat: inertia. The lack of interest in people to even look at alternatives that could lower their costs. [down time, licensing, utilities, labour ...] Mandriva's urpmi, if using the CLI tool: as root type urpmi --auto-update [an option for this switch that is a good idea: --force-key; this option forces an update of the gpg key]. Red Hat, same option available; Slackware, Gentoo... all of the software management tools have the option, and will put security, bugfix and normal new version updates in, for the entire distro package list. There is one item you missed: the "push updates" does exist on Linux systems for most distros. Not sure about the BSDs, but Linux has an applet that will monitor the repository for updates and alert you when there are some.

TripleII-21189418044173169409978279405827

http://talkback.zdnet.com/5208-10535-0.html?forumID=1&threadID=55958&messageID=1057282 [B]urpmi --parallel pushes updates to machines in your network This chapter applies only to Mandriva Linux Corporate Server Updates are downloaded to one of the machines and from there pushed to the others on your network (see: http://archives.mandrivalinux.com/expert/2006-03/msg00001.php ) urpmi --parallel will update all machines you specify. See man urpmi for more and man urpmi.files, as well as: ... [/B] TripleII

apotheon

MS Windows isn't really supposed to involve "pushed" updates, either. Unless Blankenhorn is talking about Microsoft actually targeting machines with some kind of remote access capability (which is a chilling thought), he's probably mistaking automated local requests -- i.e., automated "pull" requests -- for "pushes". One can automate pull requests on a client with a Unix-like OS, too, y'know. Of course, Microsoft Windows Automatic Update is the source of a lot of security issues, so that's an idea to avoid anyway. What one should [b]really[/b] want is automatic notification -- not pushed updates. Otherwise, an unwanted update being pushed (or automatically pulled without admin intervention) can be effectively indistinguishable from an attack by a malicious security cracker. "[i]Not sure about the BSDs, but Linux has an applet that will monitor the repository for updates and alert you when there are some.[/i]" . . . which illustrates my point pretty well.
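The "notify the admin, don't push" idea in the comment above, and the article's point that the OS package manager tracks security updates for third-party packages as well as the core OS, can be turned into a small cron-style check. The script below is an added example, not code from the post or from any distribution's own tooling. It assumes the "Inst" line format of `apt-get -s upgrade` (package, old version, new version and archive origin) and feeds in a constructed sample of that output in place of a live run, so it works offline; a security update is recognised by an origin containing "security" (Debian-Security, *-security), which is an assumption about archive naming rather than a documented guarantee.

```shell
#!/bin/sh
# Added example (not from the original post): list pending security updates
# from a dry run of the package manager so the admin is notified, rather than
# having updates applied without review.
# Assumption: input is the output of `apt-get -s upgrade`, where each pending
# install is a line "Inst <pkg> [<old>] (<new> <origin> [<arch>])".

# Constructed sample of that output; not captured from any real host.
SAMPLE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libssl1.1 openssl vim-common
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssl [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst vim-common [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.6/stable [all])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf openssl (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf vim-common (2:8.2.2434-3+deb11u1 Debian:11.6/stable [all])'

# Read simulation output on stdin; print "<pkg> <old> <new>" for each pending
# install whose origin names a security archive. "Inst" lines for packages
# not yet installed carry no [old] field, so the field positions shift.
pending_security_updates() {
    awk '/^Inst / {
        if ($3 ~ /^\[/) { old = $3; newv = $4; origin = $5 }
        else            { old = "(new)"; newv = $3; origin = $4 }
        if (tolower(origin) !~ /security/) next
        sub(/^\[/, "", old); sub(/\]$/, "", old); sub(/^\(/, "", newv)
        print $2, old, newv
    }'
}

# Number of pending security updates in the input on stdin.
count_security_updates() {
    pending_security_updates | wc -l | tr -d ' '
}

# Build a one-shot notification report from the simulation output given as $1.
# Returns 1 when something needs the admin's attention, so a cron wrapper can
# mail the report only on that status; nothing is ever installed here.
security_report() {
    list=$(printf '%s\n' "$1" | pending_security_updates)
    if [ -z "$list" ]; then
        echo "No pending security updates."
        return 0
    fi
    echo "Pending security updates (not installed; review and apply manually):"
    printf '%s\n' "$list"
    return 1
}

# Stand-alone demo on the constructed sample. In real use the argument would be
# the live output, e.g. security_report "$(apt-get -s upgrade)".
security_report "$SAMPLE" || true
```

The dry run is the point: the box reports what it would change and leaves the decision to a person, which is the behaviour the comment argues for and the opposite of an unattended push. The same shape works for any package manager that can print a simulation; only the awk field positions change.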

Neon Samurai

Well, all three really. I've seen some flaky OS X updates, though it seems to smooth out after a reboot or two. Windows updates breaking systems is a good reason why all those businesses with WSUS or other update managers vet updates rather than dumping them directly to workstations without review. On the Mandriva side, I had a machine running automatic updates daily. It had a fit when the phpBB v3 package came out, thinking it was just an update. The result was the package install eating the existing phpBB v2 install. That machine is long past getting automatic updates and the point where manually recreating the phpBB setup would be possible if v4 ate v3 for some reason. Automatic updates on any system are a poor idea unless the source is your management appliance.

Neon Samurai

Even when I've tested the updates on a separate machine, I still pause to read the list before accepting on the production box. It has been rare that an update has broken any of my platforms, but I've seen it happen on all of them.

Jaqui

an older Mandrake box, an update to Apache broke it. This is why the Unix and Unix-like operating systems don't default to automatic updates.

Tony Hopkinson

from? Gartner? Aside from the fact that it's wholly untrue, not forcing updates is a benefit to a competent administrator. My SimplyMepis box is a joy on the update front. Despite my relative ignorance, it's never boogered my system. FF, which he mentions as a good example, I personally consider a bit crap to say the least. The last thing any competent administrator wants is forced updates. I'll admit to just doing them on my home desktop; I wouldn't even consider it if it was business related. I got one suggested XP update and it took me ages to figure out subsequent problems were down to it. That's not even considering Windows architecture and trying to figure out why a network card driver update would take out my sound!

apotheon

What do you think of the state of software management in open source software versus that in closed source software? What do you think is the [b]biggest[/b] threat to open source software in 2009?

chris

I have a Mandriva 2008.1 64-bit system and still have no FF3. Some forums speak of it, but I cannot seem to find it and it definitely is not updated automatically. While my system does update lots of things, this major thing lags behind. While maybe not systemic per se, all people using winders sure have access to 3.

Neon Samurai

Mandriva 2008.1 64bit installed here also. mozilla-firefox = 2.0.0.19, firefox = 3.0.1. Version 2 does not update into version 3. I have them both installed on the same workstation since some things require the mozilla-firefox package while I use the v3 package primarily. The point of grief I've found is getting Flash 32bit to work on Mandriva 64bit. The official fix is "go install 32bit firefox kid and stop bugging us" but I'm not yet ready to taint my 64bit install with unnecessary 32bit packages. The NS plugin wrapper is supposed to manage 32bit flash under 64bit firefox but no luck so far.

apotheon

Maybe someone with more recent experience of Mandriva than me can help you with that. This is the first I've heard of a major open source Unix-like OS failing to have Firefox 3.

ahw

Chad made the vital point that Dana only cited 1 piece of software - Firefox - as the exception to his argument. All arguments, once stated, need substantiating. This is a point that recurs again and again in my work of evaluating colleagues' translations: make a judgement, but back it with facts. This is especially true when discussing open-source software. Its aims should be kept in mind when criticising it, and should provide a critical benchmark. I felt that some of the criticisms Dana levelled at it could also be fired at the proprietary brands: obscurity, and even obscurantism. An example of this is clothing the term "problems" in a euphemism, "issues": I have a problem in accepting such misuse of English, and I am at issue with its progenitors. I hope that provides an example of chapter and verse.

Tony Hopkinson

well, not specific to 2009. The big closed source boys are just as violently against it this year as they were last. Even if you took that blithering idiot's point about updates, why is pushing updates more critical now than it was last year? Corporate inertia and myopia have been a problem since day one. That has continually got better. The rise of the FOSS fanatic, GPL 3 say, could have been a problem, but that's old news now, and largely ignored by mainstream open sourcers. Looks to be more about manufacturing threats to disguise the ones to closed source, to me.

Sterling chip Camden

Is institutional lag -- sticking with Windows-based systems only because "that's what we've always done, and we know what we're doing" (theoretically). Maybe Dana is misled on this topic because he's only been writing about tech for all these years, not doing it (at least, that's what I gather from his profile).

CharlieSpencer

Sure, it's a hindrance to deployment, but is it actually a threat to open source development? After all, people will continue to write and release apps whether institutions adopt them or not.

chris

we're talking about making sales people's lives easier. :-P

daileyml

I'm an IT consultant as well, and I work with several large enterprises in my area. Security is always a concern, but I do not believe a client is going to say "we're not going to adopt that Open Source app because it lacks an auto-update feature, which we feel is a security threat." Case-in-point: MS Windows has had an auto-update feature for how long now?? How many "critical" security updates does MS release a year? How many new hacks/holes are found each year? All of this in spite of the fact that MS has an Auto Update feature. The security threat comes from the coding practices used to develop the app; not from the OS platform you run it on. As many have pointed out here already, no Admin in their right mind would want to auto-deploy updates across an enterprise. The majority of updates need to be tested in the lab and then piloted before enterprise-wide deployment. Anything less is irresponsible management. -Mike http://www.daileymuse.com

apotheon

. . . the biggest threat to both adoption [b]and existence[/b] of open source software right now is anticompetitive actions on the part of market dominating corporations -- mostly in the form of legal action (lawsuits and threats thereof, lobbying for greater market interventions to destroy the competitiveness of open source software by law, et cetera). That's one of the reasons I think advocating for concepts like a [url=http://copyfree.org][b]copyfree[/b][/url] licensing model is so important. Ironically, despite the largely anti-corporate motivations behind its inception and advocacy, [url=http://sob.apotheon.org/?p=622][b]copyleft licensing is becoming an anticompetitive tool of corporate market dominance[/b][/url] that can be used to suppress certain types of open source development.

Sterling chip Camden

I'm thinking "threat to further adoption" here. But I do see that threat eroding, at least among my clients.

apotheon

That's a good point, of course. I guess the "threat" in the case of Sterling's example is to the continuation of growing market share.

apotheon

You have to keep your hand in it to really know what you're talking about -- even if you only keep your hand in it in a limited capacity. Of course, the more limited the capacity, the more limited the scope of the subjects you should be addressing with your writing: there's more than one reason that one should write what one knows. . . . and not just what one thinks one knows. I don't think it would take much attention to open source software goings-on to grasp the fact that what he said is somewhere out in left field, though. It smacks of laziness, and not [url=http://sob.apotheon.org/?p=734]the good kind of laziness[/url].

apotheon

The ports system on FreeBSD (hinted at in the article) is a unified software management system, similar to APT -- except that it manages building from source by default, rather than binary packages. There is, however, a binary package management system as well, and it is essentially unified with the port system so you don't have to worry about whether something was installed from ports or packages later on. Actually, the ports system is more like dpkg on Debian. APT is the front end to dpkg. For a closer equivalent to APT -- well, I guess as APT is to dpkg, so Portupgrade and Portmaster are to the ports system (pick one). Portupgrade is kinda the more "official" of the two, and as such it's the one I use, but both of them are great tools by all accounts. If you want to manage everything from binary packages on FreeBSD, you should know that the packages tend to lag behind FreeBSD in versions just slightly. The lag, though, is probably only about equivalent to how much Debian Testing lags behind FreeBSD RELEASE, and of course security updates tend to be released without the lag (I can't swear they always are, since I usually don't even use the binary packages).

Sterling chip Camden

One of the hardest things to keep up with, IMO, is all the different update programs for each proprietary vendor on Windows systems. APT on Linux is far easier to cover most everything. I'm assuming FreeBSD has something similar, though I haven't researched it yet.
