Governments, Beyond the Open Source Hype

An anonymous reader writes "ForeignPolicy.com takes a look at Open Source as it applies to governments and some of the reasons that a governing body may or may not like OSS. From the article: 'Governments around the world are enchanted by open-source software. Unlike proprietary software, for which the code is kept secret, the open-source variety can be copied, modified, and shared. [...] Trouble is, the benefits of open source are not always so clear-cut. Software is too complicated a creation to be captured in rhetoric, and assertions about some of the technical benefits of open source fail to tell the whole story.'"

Written by an ex-Microsoft employee.

This article is written by a Ms. Caroline Benner.

And if we look her up, we find...

Caroline Benner previously worked as policy researcher for Microsoft's Geopolitical Policy and Strategy Group

...as her only listed non-media job on at least one version of her bio.

Just saying.

Curiously contradictory article summary?

[Angostura]

On the one hand the article summary claims:

"Trouble is, the benefits of open source are not always so clear-cut. Software is too complicated a creation to be captured in rhetoric"

While at the same time giving us a splendidly succinct piece of rhetoric:

Unlike proprietary software, for which the code is kept secret, the open-source variety can be copied, modified, and shared. [...]

A response for the non-techie

[grcumb]

Benner's article states:

'In a 2002 letter to Microsoft, Peruvian Congressman Edgar David Villanueva Núñez noted that, "Relative to the security of the software itself, it is well known that all software (whether proprietary or free) contains 'errors' or 'bugs' (in programmers' slang). But it is also well-known that the bugs in free software are fewer." Yet, ask computer security experts and they'll tell you that's not necessarily true. Software, with its millions of lines of code, is so complicated that experts don't know for sure that open source has fewer bugs, nor can they say with certainty that having fewer bugs makes open source more secure.'

This statement is true, as far as it goes. But it ignores something that's far more important than the opinion of a computer scientist: empirical evidence. No matter how you measure it, FOSS software is successfully exploited far less often than proprietary software. In many cases, the differences are striking. There are, for example, effectively no Linux viruses in the wild.

Even in cases where FOSS is the dominant application (like the Apache web server, for example) the number of successful attacks are so much lower that there is no effective competition from the alternatives.

So the key here is not whether software is provably secure (i.e. auditable) but that it's effectively secure. The difference here is subtle, especially to those who don't understand software. It's something crucially important, however.

There's another issue here that's at the core of the Free Software philosophy: process. The FOSS software development process is based entirely delivering quality software. In fact, development cycles and processes often sacrifice convenience for IT folks in favour of solid code. Proprietary software is almost always driven by business priorities which sometimes - but not always - put a low priority on software quality.

Another quotation from the article:

'There are really two reasons that it is very difficult to know whether software is secure [....] The first reason is that even the simplest software program consists of hundreds of thousands to millions of parts, and potentially all of these have to be correct, or the system may have security vulnerabilities. The second reason is that we have no technology for systematically checking that the parts are correct and fit together in a way that ensures security."'

Both of these points (that even simple software is hopelessly complex, and that there is no systematic way to test intereactions between software) are inaccurate. It's like saying that human bodies are composed of billions of cells, so we'll never be able to measure a person's health.

Unix-inspired systems usually use a 'toolkit' approach, in which a number of small, special-purpose tools are brought together to perform complex tasks. The result is that each individual part is very well understood and performs its task(s) in a clear fashion. So, while it may be true that it's hard to document every possible interaction between software elememts, that's not nearly the problem the writer makes it out to be.

The article concludes:

'Software becomes more interesting--indeed, rhetoric-worthy--when it promises a better future. Open source may well deliver that promise, but computer science is too young a discipline, and there is too much we do not yet know about software to be so sure.'

This is a silly argument, especially in an article that claims to compare two alternative approaches to software. Computer science is not a young discipline, even if you compare it to physics and mathematics. The fundamentals of computing were understood even before we had computers to test with. The assertion that we just don't know enough is just plain wrong-headed.

Furthermore, even if it is true that we don't know enough, shouldn't that be an argument in favour of open source, where at least nothing is deliberately hidden?

Because it works

[porkThreeWays]

I work in municipal gov't in Florida. We use a lot of open source software in our organization. Why? Because it works. It has little to do with money. I've never been denied money for software if I can justify it.

"Enterprise" software has never really impressed me. A great deal of the time, the guy on the other end of support is no more knowledgable than me of the product. That is when you are lucky enough to get someone who speaks english natively. So what's the point for lackluster support? (Hardware is the exception. Many service plans can guarantee you a new server in less than 4 hours).

Highly specialized software generally has an unreasonable amount of bugs. We have one dept that has "enterprise level software", that I'm in the process of rewriting its so buggy. It's almost as if this company has no regression testing procedures in place.

And it's always a lot of fun paying 2,000k a pop for marginal glue code between applications. God-forbid that gluecode break one side. You'll get thorwn into a fun blame game of each company blaming the other. You need complex glue code? That'll be $10,000 and 6 months. You'll also recieve a windows front end in tk with extremely complex install directions. Minor versions are incompatible. You can never patch that box because xp sp2 will break the very customized non-standard registry settings.

People can spread all the FUD they want about open source, but I use it on a daily basis whenever I can. I have control over it and things just work. It's comical to see some of the rediculous things that go on in the closed source community. I like being able to change the ip address of a server if I have to. I don't need a license holding me back from doing that.

Get the Facts, She's a Shill.

[twitter]

From the fine Article:

Caroline Benner is a fellow at the University of Washingtons Institute for International Policy. From 2001 to 2003, Ms. Benner was a consultant with the geopolitical policy and strategy group at Microsoft.

Just what does a software company need a Geopolitical Policy and Strategy Group for anyway? Gobal FUD? Creepy, and she's got a long history of M$ apologies and FUD to her name. Let's review,

• Not embarrassed by M$ virus penetration of Pentagon systems or disruption of NASA communications endagering the Space Shuttle and five months before the 9/11 attacks she tells us not to worry about cyber terrorists because the mighty M$ can deal with such unskilled attackers through patches., " time and access one needs to create a devastating attack, like crashing an airplane. In "Six Nightmares," Lake doesn't consider the checks that protect infrastructure from such threats. He also fails to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake's count), why have their attacks been, by and large, fairly innocuous?" M$ forsight. Let's review what happened next:
  • 9/11 demonstrated to the world that there were indeed many well organized terrorists wanting to harm US citizens and how venerable rescue efforts were to disruption of communications.
  • US Government drafts defense plan
  • Chinese attack plans are revealed by the CIA
  • Still M$ languishes and languishes working on DRM and other lock out crap.
  • M$ incompetence contributes to the biggest US blackout ever by disrupting critical company communications and overloading network. The whole thing could have been prevented.
  • North Korea launches cracker schools.
  • The US Air force Mission is updated to include net dominance
  • US Government turns to superior Free Software
  • Home and business users lag, causing havoc in hospitals, threatening medical and accounting records and creating a hotbed of exploitable computers for spam and spam and spam and denial of service attacks used against EVERYONE.
• 2004 apologies, security is too hard! Duhhhhh, if M$ is not up to task no one is, right? Wrong.
• The FUD rolls on to this day check out Her new Blog! as she spews forth Pressing Questions.
  • Get the facts about how expensive and non free software is helping India and other developing coun