If there's one criticism of open source you can count on -- one that comes back like crabgrass in the lawn of life, to paraphrase Peanuts's Linus -- it's the line that goes something like this: "Open source means everyone can see your code. Therefore anyone with Bad Things in mind can hack you all the more easily." Here is, I hope, another bullet to the forehead of that myth.
The myth here revolves not so much around what is said about open source as what is not said, or presumed, about proprietary software. To wit:
- With open source, everyone can see the code. Therefore anyone can use it maliciously to hack you.
- With proprietary software, very few people can see the code. Therefore the number of people who can use it maliciously to hack you is that much smaller.
As it turns out, this corollary isn't true at all.
Over the weekend I spoke to a friend of mine who does computer security, and talks about many of his experiences only with the caveat that they be sanitized heavily for public consumption. He made it clear that the folks who create malware -- the criminal enterprises that use it for plunder -- do have access to the source code for many of the things they hack.
Windows is one of them, since the source for Windows is available legitimately under Microsoft's licensing programs to (among other things) educational institutions. My friend pointed out, without being able to cite specific examples, that this is one of the easier ways to get to the source code. If you know someone in a university with a copy, you steal it from them (or bribe them for it, or what have you). Problem solved. The last thing an international criminal gang is going to care about is the binding terms of some piddly licensing agreement.
Criminals don't care how a given piece of software is developed, open source or closed. They care about what's popular and how they can exploit it. If there were money to be made from a zero-day exploit in Firefox or Chrome, they'd use it the same as they use zero-day IE or Windows exploits. I couldn't tell you if there's a perception on their part of commercial software being more inherently valuable than open source software (e.g., "it's only worth something if you paid for it in the first place"), but it probably isn't relevant here.
So in the end, it doesn't really matter to these guys whether the source is available freely. If it exists, they can probably get it anyway. The general availability of the code isn't what matters; it's how useful it is to the exploiters.
Keep in mind, I still think this is a lousy argument for the "Here Comes Everybody" or "crowdsourcing" security model, where the very fact that your code is available for inspection is in itself a security model. It's not. Security is, as my friend argued, not something you can apply from the top down but something that has to be baked into what you're doing from the bottom up (or inside out, as it were).
But the idea that open source poses an inherent security risk because it attracts Bad Dudes? Please. Let's go after the real criminals instead.
2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey. Find out more, and take part.