A Question of Security

eLABorations: In moving to open-source software, are governments opening the door to vulnerabilities or hack-proof code?

Its been a big buzz week for open-source software in government. First, there was Mondays announcement from the German government of its plans to standardize on Linux and open source across that nations entire IT organization with help from IBM. And yesterday, Ralph Naders Consumer Project on Technology issued an open letter to the US Office of Management and Budget requesting that that agency begin an exploration of open-source software, as a means of reducing government IT costs, improving security and encouraging competition in the software market.

At the same time, tech news sites around the Web have been picking up on this announcement of a yet-unreleased white paper from the Alexis de Tocqueville Institution on the boon that government open-source software implementations could provide for electronic saboteurs and evil-doers.

Open or closed? Its a question of platforms. Judging from its press release, the ADTI report will apparently focus on the assertion that the ready availability of code for open-source platforms results in more discoverable vulnerabilities and, in turn, a simpler life for the worlds malicious coders.

While theres certainly some truth to this, theres no reason to believe that more discoverable vulnerabilities wont result in software thats much better audited--and therefore much more secure.

Beyond the benefits of more eyes for vulnerability auditing, open platforms can provide government IT organizations with the opportunity to implement the fixes and feature extensions on their own timetables and with their own priorities in mind.

Theres a limited amount of resources that Microsoft, the undisputed champ among closed platform providers, will ever be willing or able to devote to its products. No matter how diligently Microsoft applies itself to its Trusted Computing initiatives, the fact remains that Windows is marketed to a very wide swath of the computing public. As a result, a great deal of Microsofts development efforts will continue to go toward improving the computing experiences of their most common customers--individual computer users.

Even though Windows XP is inherently much more secure than Windows 9x was, Microsofts tendency to stress convenience over security remains clear, particularly in the implementation of XPs user permissions schemes.

If a government entity, such as the National Security Agency, set out to acquire a hardened version of Windows to better suit its very specific and rigorous security needs, itd have to convince Microsoft to make those changes. And who knows where a government agency request would rank in a development calendar already bursting with the Xbox Mark Deux or the Tablet PC or the latest Internet Explorer vulnerability?

No such limitations exist for Linux, which is why it was Linux that the NSA selected to develop its Security-Enhanced Linux.

The ADTI press release suggests that open-source software "inherently requires that its blueprints, source code and architecture [be] made widely available to any person interested--without discretion," but this is not the case. A government or any other organization is completely free to radically alter a piece of open-source software, and simply not release the modified source code or binaries to the public.

However, in the case of Security-Enhanced Linux, the NSA has chosen to release the source for what theyve produced. This is a good thing, and not only for the benefits of a wider peer review than would otherwise be possible. Its also a good thing because, through open source software, our governments taxpayer-funded development efforts generate a technology dividend from which any of us may profit.

How should we spend our government IT dollars? Let me know where you stand at jason_brooks@ziffdavis.com.