The Open Source (Non-) Debate

Jun 20, 2002

By now you probably have heard about the white paper Kenneth Brown wrote. He is president of the Alexis de Tocqueville Institution (ADTI). The paper, Opening the Open Source Debate, asserts that open source, particularly software under the GPL license, can ruin the software industry's growth and is in fact eager to do so. It also suggests that open source is a security disaster waiting to happen, since so many bad guys would have access to the source code of a program.

My first reaction to Brown's work was that it is a monumentally stupid paper, rife with tenuous logic and reckless innuendo. (For a fine dismantling of ADTI's arguments, see The Register.) Then it was discovered that ADTI receives funding from Microsoft. Brown and Microsoft acknowledged this fact only after a flurry of negative publicity. So it's not surprising that many people assume this work is thinly veiled propaganda. And after talking to Brown, I realize that he seems to have a hard time defending the paper himself.

"Ken Brown is not saying proprietary is safer because it's closed," Ken Brown says to me, even though that's exactly what the paper tacitly suggests by questioning open source's security but never acknowledging arguments against proprietary software's security. His reason for leaving out evaluations of security risks around proprietary code? "It's been around for 40 years; everyone knows about it. But ask 100 people what open source is and maybe one or two people know."

"We are open to debating this topic," he adds, maybe sensing what a terrible argument that is, and retreating from the white paper a little more. His voice is laced with defensiveness, but also a little fatigue. He's experiencing his first public castigation from the notoriously relentless open source community. He says, "I will talk to anyone about this. Ask anybody who has talked to me and they'll say, 'You know what, Ken's making points I disagree with, but Ken is talking through the issues.' All we're saying in the white paper is [exposing source code] has some costs. It's a tradeoff. Proprietary code has tradeoffs, too."

There. A stunning admission. If it had found its way into his white paper, Brown wouldn't now be erecting what he calls a "wall of shame," consisting of rebuttals and responses to flames from open source advocates.

Brown should have come to the debate table with something more than fear, uncertainty and doubt. Offer some proof, or at least a reasoned argument. Or he should have acknowledged that proprietary source code is also often shared with the wrong parties (sometimes it's stolen, and decompilers make any source code relatively accessible for a motivated person). When challenged with this, he again backs down. "In my view, hackers aren't innocent, and I feel like the open source community is a little too light on these topics. I've gotten e-mails that say I'm wrong because open source code is so good and secure. I think that's naive hubris. But people linked us to saying, in effect, al-Qaida is going to use open source. You are 100 percent right to disapprove of that. It's not what I intended to say."

A couple of centuries ago, some guy said, "In the United States, the majority undertakes to supply a multitude of ready-made opinions for the use of individuals, who are thus relieved from the necessity of forming opinions of their own."

The guy who said it was Alexis de Tocqueville, the namesake of Kenneth Brown's think tank, and a man no doubt nauseated from rolling over in his grave.