Government // Enterprise Architecture
Commentary
8/29/2008
12:28 PM
Serdar Yegulalp
Serdar Yegulalp
Commentary
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Open Source Culture Needs To Be Security Culture, Too

How to react to the news that an earlier flaw in Debian's random-number generator has been used to fuel an honest-to-Linus exploit, especially after yesterday's post? Welcome to the tip of the iceberg.

How to react to the news that an earlier flaw in Debian's random-number generator has been used to fuel an honest-to-Linus exploit, especially after yesterday's post? Welcome to the tip of the iceberg.

It's been said, somewhat cynically, that one possible good reason we don't see more Linux exploits scurrying around in the wild is because Linux doesn't represent the same kind of attack surface for criminal hackers as Windows does. True, Linux still doesn't have the desktop market share of even the Macintosh -- but it's become that much more interesting as a target because of the number of server and infrastructure systems that use it.

That doesn't so much replace the malign opportunities provided by Windows malware as it augments them. Now instead of just turning Windows desktops into zombies, you can attack Linux servers and maybe have the two of them work hand-in-hand to wreak havoc. What we have now is bad enough, but the idea of adding compromised Linux servers to the mix makes me blanch.

For these reasons it's becoming all the more crucial that open source in general, and Linux in particular, think as proactively as possible about what can go wrong and in what contexts. This means a culture of security consciousness that is at least as pervasive as the culture of open source itself -- a conscientiousness about security by everyone involved, on the order of the existing conscientiousness about licensing.

Maybe asking for such a thing is unrealistic. I don't think it's unrealistic to ask for it -- it's unrealistic to expect everyone to become security-conscious overnight, but in my opinion absolutely not unrealistic to keep a steady and resolute pressure on the community. People need to become conscious of the fact that the code they write can be reused in places they might never have anticipated -- and that the people doing the recycling might not be savvy about security. (And shame on them if they aren't.)

We need to start doing this now. Not after some major disaster, not as PR spin or a post facto damage-control measure. If the folks in the open source world can be as morally conscientious about security as they are the freedoms associated with their code, I'd say they'd be prepared for just about anything.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.