06 Nov 2004

Security

One thing that can be confidently predicted in the wake of the US presidential election is that we’re going to hear more about “cyber-terrorism” in the near future. The politics of fear that re-elected George W. Bush has other instrumental uses. And, as Henry Kissinger famously pointed out, even a paranoid can have enemies: the need for a more secure network, though overhyped, is real.


Except in Redmond, there’s a pretty solid worldwide smart-money consensus that the single greatest contributor to network insecurity is the Windows monoculture. It is not impossible, as Apple has shown, to produce as proprietary software a secure client-side OS for naive users. Economic theory explains why monopolies produce low-quality goods at high prices, however, and Windows is not only a monopoly product but one designed by a Chief Software Architect with notable blind spots. Having missed the importance of the Internet until well into his product’s life cycle, Mr Gates naturally missed the importance of designing security in. The bizarre attempt to retrofit fundamental security principles without changing basic design called Windows XP SP2, which thus occupies a unique place in the history of technology, has not changed the basic problem an iota. The monopoly has spread throughout the world a still-dominant roundheeled OS that lies down for every spambot creator, prank malware distributor, and script-kiddy safe-cracker above age six on Earth.

Security is therefore our issue, and the time has come to press it hard. Firefox has shown this in the middleware wars. In a true Tolkein ending, the agile little cousin of Mozilla has penetrated deep into enemy territory and—precisely because the security problems with the monopoly’s browser have become intolerable—is currently tossing IE into the Cracks of Doom. In another elegant demonstration of the principle that proprietary software engineering is inherently less flexible than free software engineering, Microsoft cannot even attempt to retrofit security into IE in the absurd XP SP2 mode, because it does not have the agility to release a new IE in the form of a patch before the release of Longhorn. These problems are the wages of sin: integrating the browser tightly into the OS in order to evade competition law was One Very Bad Idea. The very strategy designed to flout the law and destroy Netscape now allows Netscape’s free software descendant to destroy IE and shed some light on the land where shadows lie.

But the effect of security issues on the browser wars is slight compared to the effect they should have on the overall OS market. Microsoft has never produced a product that came within miles of the security free software can presently deliver. The “security-enhanced” SELinux kernel, for example, demonstrates the importance of public/private cooperation in hardening network infrastructure: for the US National Security Administration to distribute under GPL a high-security version of the Linux kernel it contracted for was an extraordinary step, and one which produced extraordinary levels of retaliatory rhetoric from Microsoft around Washington, DC.

SELinux and OpenBSD show the free software OS development approach achieving both security by design and superior security auditing. But we have even more to offer. The world of Linux microdistributions takes advantage of free software’s high modularity to build systems in configurations that bloated monolithware like Windows cannot reach. The “Linux From Scratch” approach gives rise to distributions like “Devil-Linux”: ultra-slim live-CD, USB key, or compact-flash distributions that run read-only, with configuration on removeable read-only media and only transient data or application files on writeable storage. A system with a hardened kernel and security-audited web-, mail-, or file-server software running in such an inherently read-only environment approaches ideal security. That’s our product claim to the world’s system administrators: “Ideal security for the things you really do; Available today under GPL from SourceForge.” The monopoly can’t do better. No one can do better. And it’s free as in freedom, free as in beer. When it comes to server security, we win.

The same is true on our client side. Free software’s crucial components from the point of view of the migrating Windows user, including Firefox, OpenOffice, Evolution, KDE and Gnome, are the outcome of projects and meta-projects whose designers cared about security from the ground up. When joined to security enhancing compilation and other improvements to the platform, we are now prepared to offer free software’s traditional genetic diversity with a gene pool already evolved to improve the immunity of all organisms. Just leave a Windows PC and a cutting-edge free software PC out on the public Internet for a couple of weeks and see which pet has caught how many diseases from that walk in the park.

In these and in other ways, the fervor for heightened security (both the part that is justified and the part that emerges from fear-mongering) can be turned to our lasting advantage. When it comes to cyber-security, make sure everyone knows that Free Software Matters.

This column was first published in the UK in Linux User. It is also available in PostScript and PDF formats.

permalink | columns/lu | 2004.11.06-00:00.00

Comments are closed for this story.

Trackbacks are closed for this story.