Discuss open source vs. closed source and security.
Another ridiculous week leads to another late discussion post; I feel like a real slacker. Luckily things settle down next week, so I should be back on track. Apologies to my peers for my late post, yet again; all I could do this week to avoid a mental breakdown was accept a late discussion post.
Before we get started discussing the facts (or opinions of others) associated with open source vs. closed source, I wanted to share some personal thoughts on this topic. I remember installing Slackware Linux (Slackware, 2018) back in 1993, from 20+ floppies; the access to the source code and the ability to tweak or modify the kernel had me convinced that open source would eventually eclipse closed source. After running Slackware for a few years, like many early Linux adopters I tried other early distributions like Yggdrasil (Yggdrasil, 2018) and Debian (Debian, 2018). In or around 1998 I read Eric Raymond’s essay, “The Cathedral and the Bazaar” (Raymond & Young, 2001); it was around this time that commercial distributions like RedHat (RedHat, 2018) and Caldera (Caldera OpenLinux, 2018) were beginning to take hold in the enterprise. During this period, I worked in big pharma, and I had traded shell scripting, sed, and awk for a cross-platform interpreted open source language called Perl, developed by a guy named Larry Wall. I can remember how fast we were moving now that we were building web applications with open source tech like Apache, CGI, and Perl. Security was for people who didn’t want to go fast; just hit CPAN, grab the library and go (Perl, 2018). I highly recommend reading “The Cathedral and the Bazaar”; if not, watch the documentary called “Revolution OS” (Revolution OS, 2012). IMO Raymond’s essay was on the money, but a little early to the market. Raymond outlined the open source model perfectly, but we were in the age of innovation, rapid change and resistance; today the open source, agile and DevOps movements have allowed Raymond’s vision of the Bazaar to be fully realized, and the benefits to agility and velocity are unparalleled. As we all know from Clayton M. Christensen’s book “The Innovator’s Dilemma” (Christensen, 2016), innovators struggle to retain market-leading positions; the open source world has many examples of this: first movers like Slackware and VA Linux (Tozzi, 2016) are today either niche players or gone from the market. I provide this detailed background because IMO the paradigm shifts brought about by the movement from the cathedral (closed source, rigid release cycles, etc.) to the bazaar model (open source, continuous integration, etc.) have some real and some perceived implications on security.
I’d like to point out an observation regarding security and social behavior. People tend to watch their possessions in a cathedral with less vigilance than they would in a bazaar. This behavior is human nature: when we feel safe we relax, and when we feel unsafe we keep a watchful eye. I believe it’s this human behavior that is very impactful.
No matter how much research you do, the answer is almost always that open source vs. closed source in the context of security is a matter of preference rather than one model being more secure than the other (Security Showdown: The Open Source vs. Closed Source Debate, 2017). Vulnerabilities exist, and there will always be those who seek to exploit them. My personal opinion is that OSS (open source software) has a perceived attack surface by the user which is broader than that of closed source software; thus the community is more vigilant. Those who willingly adopt OSS know they are moving into a neighborhood with a high crime rate, so they are more likely to lock the door. The alternative opinion is that closed source is less vulnerable because the source code is not “readily” available (Lettice, 2004), but the “security through obscurity” paradigm has been proven to be a poor one. There are comparable examples of both open source and closed source exploits, such as Heartbleed, the OpenSSL vulnerability, and WannaCry, the ransomware attack that targeted Microsoft Windows users (Security Showdown: The Open Source vs. Closed Source Debate, 2017). With this said, there are not many closed source operating systems or applications which do not contain some piece of open source code. OpenSSL exists everywhere, and Microsoft Windows has had a package called SFU (Services For Unix) as an operating system option since 1999; today it allows Windows 10 users to run a full Linux distro in user mode on top of the Windows kernel, and as we all know Linux is open source. While closed source software is not going away, open source code is integrated into closed source by almost every closed source provider today, making the perceived closed source controls just that: perception, not reality.
To close out my thoughts here, open source vs. closed source is merely a matter of preference and perception. I believe that the danger lies in the perception that closed source is somehow less vulnerable than open source; this perception relaxes the security posture, and the best way to prevent a breach is to be vigilant. Linux, the open-source operating system which powers greater than sixty-seven percent of the internet, along with open source applications like Apache, Nginx, etc., may be the most prominent targets, but they also may be the most well-defended targets (Open Source vs Closed Source – Which Is More Secure?, 2017). The inability to obscure open source should remove the sense of “security through obscurity” and foster a sense of vigilance. Does this always happen? No, but the premise is sound.
Caldera OpenLinux. (2018, May 15). Retrieved from https://en.wikipedia.org/wiki/Caldera_OpenLinux
Christensen, C. M. (2011). The innovator’s dilemma: The revolutionary book that will change the way you do business. Harper Business.
Debian. (2018, May 18). Retrieved from https://en.wikipedia.org/wiki/Debian
Lettice, J. (2004, Feb 13). MS Windows source code escapes onto Internet. Retrieved from https://www.theregister.co.uk/2004/02/13/ms_windows_source_code_escapes/
Open Source vs Closed Source – Which Is More Secure? (2017, June 13). Retrieved from http://www.franklinfitch.com/blog/2017/06/13/open-source-vs-closed-source-secure/
Perl. (2018). Retrieved from https://www.perl.org/
Raymond, E. S. (1999). The cathedral and the bazaar: Musings on Linux and Open Source by an accidental revolutionary. O’Reilly.
Red Hat. (2018, May 17). Retrieved from https://en.wikipedia.org/wiki/Red_Hat
Revolution OS. (2012, January 25). Retrieved from https://youtu.be/jw8K460vx1c
Security Showdown: The Open Source vs. Closed Source Debate. (2017, April 04). Retrieved from https://www.veracode.com/blog/security-showdown-open-source-vs-closed-source-debate
Tozzi, C. (2016, July 29). Open Source History: The Spectacular Rise and Fall of VA Linux. Retrieved from http://www.channelfutures.com/open-source/open-source-history-spectacular-rise-and-fall-va-linux
Yggdrasil. (2018, May 12). Retrieved from https://en.wikipedia.org/wiki/Yggdrasil
Discussion Response 1
Nicely done, good read. Open Source can be a confusing topic, even to those who live it daily. The gut instinct is to assume that open source is free, like “freeware”, but this would be incorrect. There is a quote from Richard Stallman, the founder of the GNU (GNU’s Not UNIX!) movement, that perfectly describes the freedoms of Open Source; the quote reads “Think ‘free speech’, not ‘free beer’.” The challenge with the word “free” is it does not distinguish between “free of charge” and “liberty.” The other thing that further complicates open source is the number of license agreements which can be applied to open source works; they differ slightly, and the author has to know what he or she is trying to accomplish when applying these licenses to their work. Popular open source licenses include the GPL (General Public License), for which there are multiple versions and controversy over each (watch Revolution OS: Bruce Perens discusses the GPL at length, and Eric Raymond explains the cathedral and the bazaar at length), the MIT license, the Apache license, etc.
I agree that perspective plays a significant role in regards to security and open source vs. closed source. With regards to the attack surface, I think we have to be careful to distinguish vulnerabilities from exploits (i.e., a piece of malware targeted at a specific vulnerability is written and released into the wild). I like your thought on hackers wanting to disassemble compiled source code to hack it; I’m not sure if they are looking for that kind of challenge, but it’s possible. I think the reality is that today hackers target the user as much as they do the system. When you think about Linux, you think of a user who understands the system; it is unlikely they bought their computer loaded with Debian at Best Buy, and this user is harder to social engineer and deliver a malicious payload to. When you think about the average Windows user, sure, some people understand the system, but then there are my parents who click on every link they get emailed. Systems like Windows understand their demographics; they attempt to balance security and user experience, but features like “autorun” naturally make these systems more vulnerable. The user demographics and attack surface (adoption rate, number of versions that can be impacted, etc.) matter.
AutoRun. (2018, May 10). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/AutoRun
Bruce Perens. (2018, May 19). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/Bruce_Perens
Hash, V. (2012, January 25). Revolution OS. Retrieved May 20, 2018, from https://youtu.be/jw8K460vx1c
N, A. (2014, July 23). The Code: Story of Linux documentary (MULTiSUB). Retrieved May 20, 2018, from https://youtu.be/XMm0HsmOTFI
Open Source Licenses & Standards. (n.d.). Retrieved May 20, 2018, from https://opensource.org/licenses
RobinGood. (2006, October 19). Richard Stallman – What is free software? Retrieved May 20, 2018, from https://www.youtube.com/watch?v=uJi2rkHiNqg
Discussion Response 2
Excellent post. I would like to point out a few thoughts that I think are important aspects of open source. First, remember open source is about freedom and liberties and has nothing to do with dollars and cents. If you were to look at the market today, and all the attributed open source software, I think you would be surprised by the amount of revenue that is being generated by open source software and its derivatives. It is also important to realize that while the community of open source subject matter experts dwarfs that of closed source, open source has a robust support paradigm. Let’s look at an example; I’ll use Amazon Web Services as a cloud company built almost entirely on open source. Let’s look at a prominent AWS service like EC2 (Elastic Cloud Compute), which is built using Linux and the Xen hypervisor, both open source projects. EC2 is just one of the dozens of AWS services built using open source that is packaged and delivered to customers with support in a business model (the cloud) that will drive north of 20 billion in revenue in 2018. How about Nvidia and the machine learning craze? Nvidia has been a GPU (Graphics Processing Unit) leader for years; their primary customers were gamers, but the use of GPUs for AI, machine learning, and cryptocurrency mining has propelled Nvidia to new heights. Nvidia capitalized on the machine learning craze and their hardware platform by packaging their hardware with open source software; they called this the DGX-1, a turnkey platform for machine learning. What is the secret to the DGX-1? It’s packaged open source. The challenge with open source, especially in complex applications like machine learning, is compatibility: what version of Nvidia CUDA code do I need to pair with my required version of TensorFlow, MXNet, etc., etc.?
Those who don’t need commercial support, like me, build systems that closely parallel what Nvidia did in the DGX-1, and we will turn to the community for help (e.g., Gitter, StackOverflow); an example of a packaged machine learning system is Deepo, almost identical to how the DGX-1 is constructed. For the average enterprise where the tech is context, they may prefer to turn to Nvidia for support. Does AWS buy open source support? The answer is no; they employ people capable of debugging the source code and self-support. Alternatively, the Kalamazoo Credit Union may have a machine learning project, but they don’t want to be debugging the framework source code, so they are likely to purchase an Nvidia DGX-1.
I don’t think I can agree with the open source training and usability hypothesis. Conduct a Google search for “learn R”, then conduct one for “learn Matlab”, and see if you see a difference in the number of resources for R (open source) vs. Matlab (closed source).
On the topic of security, this is pretty close to a religious argument. What I believe is that the weakest link in the system is the user. I also think that there is a link between the user and exploitation. All systems have vulnerabilities; the Linux kernel has more vulnerabilities than Windows 10 by nearly a factor of 2x, but if you leave the door open and no one robs you, there is an unrealized impact. Windows is a target because there is social engineering required to deliver a malicious payload. The link between the user, system usability and the ability to exploit a vulnerability is a subjective measure (because I have not done the research), but I believe empirical data would support it.
Amazon EC2. (n.d.). Retrieved May 20, 2018, from https://aws.amazon.com/ec2/
CUDA Zone. (2017, September 30). Retrieved May 20, 2018, from https://developer.nvidia.com/cuda-zone
Dignan, L. (2018, May 17). Nvidia continues to ride AI, gaming, machine learning, crypto waves. Retrieved May 20, 2018, from https://www.zdnet.com/article/nvidia-continues-to-ride-ai-gaming-machine-learning-crypto-waves/
Gitter. (n.d.). Retrieved May 20, 2018, from https://gitter.im/
MXNet: A Scalable Deep Learning Framework. (n.d.). Retrieved May 20, 2018, from https://mxnet.incubator.apache.org/
NVIDIA DGX-1: Essential Instrument of AI Research. (n.d.). Retrieved May 20, 2018, from https://www.nvidia.com/en-us/data-center/dgx-1/
TensorFlow. (n.d.). Retrieved May 20, 2018, from https://www.tensorflow.org/
The Linux Kernel documentation. (n.d.). Retrieved May 20, 2018, from https://www.kernel.org/doc/html/latest/
Top 50 Products By Total Number Of “Distinct” Vulnerabilities in 2017. (n.d.). Retrieved May 20, 2018, from https://www.cvedetails.com/top-50-products.php?year=2017
Ufoym. (n.d.). Ufoym/deepo. Retrieved May 20, 2018, from https://github.com/ufoym/deepo
Where Developers Learn, Share, & Build Careers. (n.d.). Retrieved May 20, 2018, from https://stackoverflow.com/
Xen Project. (n.d.). Retrieved May 20, 2018, from https://www.xenproject.org/
Discussion Response 3
I think you hit on an excellent point here with the IKEA furniture analogy.
IKEA produces closed source furniture that requires assembly, and they provide subpar documentation. It’s been a while since I bought something from IKEA (kids not off to college yet), but given the price point, I can only imagine what the dial-in support experience is.
Let’s contrast this with Norm Abram and the New Yankee Workshop, what I would consider open source furniture. Norm delivers high-quality plans to a consumer who possesses a certain skill level and is willing and capable of reading the plans, acquiring the raw material, etc. If you are this individual, you get a higher quality deliverable, but it requires a generally higher level of skill as a starting point. If you don’t possess this starting level of expertise, you might lose a finger. Many people will buy from IKEA because they are afraid of losing a finger.
Microsoft is to IKEA what Linus Torvalds is to Norm Abram: closed source vs. open source in the context of self-assembled furniture; I love it!
As a developer I read release notes, and I make sure a patch won’t render a library I am using inoperable; well, actually not so much anymore, because I pretty much microservice everything and use containers to avoid this dependency pitfall, but the anecdote serves a purpose. Your wife is a smart Windows user; she’s the anomaly though. Kudos to her for developing her own test and QA department :). The reality is most Windows users upgrade with no idea what is happening, then they scramble when something stops working.
Enough has been said on the religious argument of the security of open source vs. closed source so I will leave this alone at this point. 🙂
Thanks for the IKEA idea, I will definitely be using it in the future! 🙂