Open Source Culture Needs To Be Security Culture, Too

How to react to the news that an earlier flaw in Debian's random-number generator has been used to fuel an honest-to-Linus exploit, especially after yesterday's post? Welcome to the tip of the iceberg.

It's been said, somewhat cynically, that one possible good reason we don't see more Linux exploits scurrying around in the wild is because Linux doesn't represent the same kind of attack surface for criminal hackers as Windows does. True, Linux still doesn't have the desktop market share of even the Macintosh -- but it's become that much more interesting as a target because of the number of server and infrastructure systems that use it.

That doesn't so much replace the malign opportunities provided by Windows malware as it augments them. Now instead of just turning Windows desktops into zombies, you can attack Linux servers and maybe have the two of them work hand-in-hand to wreak havoc. What we have now is bad enough, but the idea of adding compromised Linux servers to the mix makes me blanch.

For these reasons it's becoming all the more crucial that open source in general, and Linux in particular, think as proactively as possible about what can go wrong and in what contexts. This means a culture of security consciousness that is at least as pervasive as the culture of open source itself -- a conscientiousness about security by everyone involved, on the order of the existing conscientiousness about licensing.

Maybe asking for such a thing is unrealistic. I don't think it's unrealistic to ask for it -- it's unrealistic to expect everyone to become security-conscious overnight, but in my opinion absolutely not unrealistic to keep a steady and resolute pressure on the community. People need to become conscious of the fact that the code they write can be reused in places they might never have anticipated -- and that the people doing the recycling might not be savvy about security. (And shame on them if they aren't.)

We need to start doing this now. Not after some major disaster, not as PR spin or a post facto damage-control measure. If the folks in the open source world can be as morally conscientious about security as they are the freedoms associated with their code, I'd say they'd be prepared for just about anything.