Two weeks ago, I wondered out loud about the top 10 worst IT business decisions ever made and nominated HP’s decision to follow DEC down the road to oblivion for top spot. Today I’d like to suggest that the U.S. Defense Department’s continued use of Microsoft’s software is likely to top a future list of this kind.
The equation here is simple. First, recognize that Microsoft’s software security depends crucially on keeping its source code secret. That’s not a comment from an anti-Microsoft bigot — it’s the testimony given under oath by Microsoft vice president Jim Allchin. Even limited release of Microsoft’s code, Allchin told judge Colleen Kollar-Kotelly’s federal court in May 2002, would threaten national security because the code is both seriously flawed and widely used in the Defense Department.
But consider that only nine months later, in February 2003, Microsoft announced an agreement giving communist China full access to the source code for Windows and related tools.
You don’t negotiate any kind of agreement with communist China in a few days or weeks; it usually takes months or years to get even simple agreements approved. Remember, theirs is a command economy in which nothing happens without government approval. This particular agreement included a personal briefing given to the chairman of the Chinese Communist Party by Bill Gates himself.
Does Not Compute
Think about that for a moment. Here we have a senior Microsoft vice president telling a U.S. court that releasing the code to American companies would threaten national security at about the same time some of his colleagues were negotiating a hand-over of that same code to communist China — a country that supports North Korea, maintains the largest standing army in the world, and continues to publicize its idealogical commitment to the replacement of American democracy with a socialist dictatorship.
The question now is what China might do with its access to Microsoft’s source code. Most people would agree, I think, that a few thousand really bright programmers with lots of time and full access to the code could accumulate enough information about its weaknessesto develop viruses and other exploits for use as economic weapons against the United States and key democratic allies like Taiwan.
The question, therefore, isn’t whether this could happen but whether it will happen.
The Military Mandate
Business, like law enforcement, reacts in arrears — i.e., after the event. As a result, no American businessman is going to face criminal charges for failing to react to a threat that may or may not materialize.
The military, however, has a proactive mandate and is required to react to potential threats as if they are real threats. Thus, any officer now in a decision-making role who fails to react effectively to the threat posed by the combination of Microsoft’s reliance on obscurity for its operating-system security and communist China’s access to the codeeventually could be charged with dereliction of duty.
To make such a charge stick, two elements would have to be proved: first, that the officers responsible for the decision to continue using Microsoft’s products were aware of the potential security problem; and second, that that they had a better alternative open to them.
Reasonable Belief
It’s impossible to believe that anyone now working in military IT could reasonably claim competence while denying knowledge of either the general vulnerability of Microsoft’s software or communist China’s access to the source code. What any future congressional inquiry would focus on, therefore, is whether or not there was a reasonable basis, in the 2003-2004 time frame, for believing that open source offered a better alternative.
In other words, the question would be whether or not there was compelling reason to believe, in 2003 and 2004, that open-source software could be as secure as, or more secure than, proprietary software whose source code is too flawed to be revealed to the public but is available to a foreign power.
Security vs. Obscurity
Consider, on this, what Bruce Schneier says in the introduction to the second edition of his book Applied Cryptography about the difference between security and obscurity:
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world’s best safecrackers can study the locking mechanism — and you still can’t open the safe and read the letter — that’s security.
Open-Source No-Brainer
There’s no possibility of obscurity in open source. That’s one of itsgreat values and part of what Eric Raymond meant with his comment that”given enough eyeballs, all bugs are shallow.” In this sense, opensource is a continuation of the academic process of peer review, inwhich the feedback loop between those who originate new ideas andcolleagues who review the work generates a Darwinian competition ofideas in which the fittest survive.
That’s the difference: Microsoft relies on obscurity but sells the safe to communist China, while open source subjects both the code and the design ideas behind it to intensive peer review and so evolves increasingly secure systems.
As choices go, this pretty much defines the no-brainer category, with open source winning every time — and establishes the consequence that some future congressional inquiry may nominate the Pentagon’s current failure to replace every Microsoft product with an open-source equivalent as the worst IT decision ever made.
Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.
Clearly, Mr. Murphy’s grandiose ruminations of absolute knowledge, mixed with his political beliefs have turned this into nothing more than an emotional tantrum. If no one in Mr. Murphy’s immediate circle of influence has pointed out the numerous flaws in his argument, perhaps someone should. Perhaps someone should sit him down and attempt to remove the emotion from what is clearly a technical matter.
Security is measurable. Every single OS has issues and when exposed to 90% of all attacks, any OS is going to break. Windows has issues, and this is being compounded by it’s tremendous market share. For some reason, Mr. Murphy hates Microsoft for this market share, seemingly more than anything.
His argument that Open Source is more secure, using the definitions of security vs. obscurity is really kind of silly. In some ways, Linux IS obscure at the moment. Problems with the OS, even the kernel over the last year, have only been able to be downplayed becuase of that obscurity. I’m speaking of market share. Linux doesn’t have significant market share and it doesn’t have a significant role to play in battling viruses. Let loose the number of viruses and the firepower that has been release against Windows on Linux and we’ll see who’s been hiding in obscurity.
Another respondant mentioned that "schools shouldn’t have to pay for software" and implied that no one should "have to" pay for software. In a world where no one gets paid for software, I’ll certainly be a proponent of outsourcing – send the slave labor somewhere else. But what this person should look at is how much money schools generate for the $ they receive. I work for a school and we generate over $16 for every $1 we receive from government funding.
Ignorance and emotion will never substitute logic and reality. I love Red Hat, Knoppix (maybe the best recovery solution out there), OS 10.3 and Windows 2003 Server. And they all have issues. I develop for Windows not just because the largest user base is the Windows market, but because Microsoft offers the best tools. Virtual Machines (like the JVM and .Net), coupled with increasing processing speed will render many OS distinctions irrelevant. And when they do, I’ll still choose an OS based on facts, not emotion.
"Market economy for more than 20 years" really. And the Cultural Revolution was about what sort of market. And why was it necessary to remove all signs of death from Tiennamen Square? Why is China buying the sk’val from the Russians?
It is unfortuante that too many Americans in government do not study Sun T’su or Musashi the way the Chinese and Japanese do.
The worse fear was spoken of by a Roman, but applies in America today no matter which party is in the White House.
"A nation can survive its fools, and even the ambitious. But it cannot survive treason from within."
– Marcus Tullius Cicero, Roman Statesman, Philosopher and Orator, 106-43 B.C.
The article was well thought out. Linux makes no pretense about security, but I’ll put my trust in what I can do with Linux over M$ as I am, at least, given some options.
The comment, "You Stupid" shows rather great arrogance, IMHO. I respect the Chinese people, but have no delusions about the Chinese Communist government. It is unfortunate that Capitalists are willing to deal with anyone.
There are many experts in the West, who live globalization as FDR lived Keynes. There are those of us, who know Keyenes had an agenda.
Who said, "First try, then trust." General Ghi, I believe, said that China would fight a war with the United States within twenty years. That was said, perhaps, five years ago. Information warfare is certainly part of that.
I wonder why the U.S. Army switched form PCs to MACs?
Some people just don’t get it… This commentary is just sooo right on that I couldn’t have done a better job myself.
I can’t stand the fact that my tax dollars are being wasted on making M$ rich and most nations around the world are saving billions moving to Open Source. I use it everyday any I know for a fact that my systems are way more secure and way more stable than they ever were using M$. There was some software that I just couldn’t do without (Adobe and Macromedia stuff) so I had to get a Mac just to have some stability and security to do my work.
This really worries me about US security and the tremendous amounts of government waste. The government shouldn’t have to pay to use software, neither should students or schools for that matter. They should do everything possible to conserve that dollar we trust them with. Just an example, Brazil saved 200 million each year plus created 5000 high tech jobs just by switching away from M$ and they don’t miss it. There is no way to argue with the facts… Think about the US government, states, counties and cities. We could save billions each year and create tens of thousands of high tech jobs… No more stability problems, no more incompatability issuess and even more important, no more security problems. Heck the NSA has done some Linux kernel work already and contributed it to the community (Security-Enhanced Linux – http://www.nsa.gov/selinux). Like everything else (medicine, etc.) the US government is always the last one to figure it out and adjust their thinking to modern ideas. Lets get out of the stone age and explore the new frontier…
Steve Ackerman
This article is hogwash. Open Source software is completely GIVING technology away to communist countries for free, in fact Linux is the *official* operating system of China, yet that little detail isn’t even mentioned. There’s no export controls on open source like proprietary software, and Microsoft is only giving "peeks" to the windows code, only in Redmond, and often only to third party intermediaries. And obviously to anyone but the author, the only reason those were allowed were IN RESPONSE to the growing use of Linux in communist countries.
<p>
You’d think on an issue as important as national security, the author would look at the issues a little more carefully and in whole, and not try to push dangerous one-sided articles like this on their readers. Guess not, when Linux is your religion.
Don’t put technique question with political question, you stupid Paul!! In China we are proposing Market economy for more than 20 years. Please be caution with your words before saying those words.
All code contains flaws, Linux, UNIX, BeOS and Mac OS it doesnt matter how secure you try to make it. Flaws will always be with us. It always seems that when you try to fix one problem, another pops up. I do agree with Paul Murphy tho, Open Source software is not any more or less secure than proprietary software
Good article, and a great way to look at it. You should do a follow-up article talking about how code from any OS in the wild has exactly the same dangers associated with it. I think too many folks seem to miss the concept that open code is a greater risk to security than controlled code.