The Strategic Importance of Linux

Friday Sep 28th 2001 by Datamation.com Staff

In the wake of another week of worm madness, experts wonder: Is Linux the best solution for protecting your information infrastructure?

By Dennis E. Powell

One of my favorite political thinkers, the late James Burnham, famously noted that it is impossible to do just one thing. Any action may bring about the intended consequences, but it will certainly bring about some unplanned ones, too.

His observation came to mind over the weekend when I learned, while on a trip to the Washington, D.C., area, that the terrorist attack on the World Trade Center will probably cause the shareholder lawsuits against Linux distributors to come to a screeching halt.

The reason is this: The Securities and Exchange Commission office in the World Trade Center complex was destroyed in the attack. It contained the original material and evidence in the SEC's probe of underwriter misbehavior in initial public stock offerings. Class-action plaintiffs' lawyers, whose coat of arms is emblazoned with the vulture, do not do their own work in most cases, instead piggybacking on some federal investigation. This federal investigation has now disappeared. Yes, it could probably largely be recreated, but it's not the top item on the SEC's stack right now, for a number of reasons.

As it happens, it's unlikely that much would have come of the lawsuits, anyway. Lawyers are having increasing difficulty getting classes certified, and recent appellate rulings will make litigious fishing expeditions far more difficult.

While we naturally recoil from deriving benefit from atrocious acts, we gain nothing by ignoring the law of unintended consequences -- especially in this case, where reaping the benefits can improve the lot of the entire free world.

I'm talking about Linux, which has suddenly become of strategic importance.

There are three reasons for the sudden added importance of Linux: It is good. It is relatively secure and can be made very secure. And it's out there. All three are important, but most important is the last one.

Single Source vs. Open Source

There are problems with any system in which there is a single source for a critical commodity. These involve quality and vulnerability. When there is a single source, the quality needn't be high. When there is a single source, that source, if cut off, eliminates access to the commodity. Both of these apply in connection with the products of Microsoft Corporation. Indeed, Microsoft has managed to combine them. Look at this from the Gartner Group, from just last week:

"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS."

Want to guess how long it will be before Microsoft rewrites IIS? And if they announce that they have, how will we know they're telling the truth? Very few people know what's in Microsoft's code. Even if it were very good, this fact alone would represent a tremendous vulnerability. The fact that it's not very good allows us to see time and again the quality aspects of single source. In the few days since Gartner's report, there has been yet another Outlook macro virus. If one downloads signature files that are added to a program that is added to Windows so as to eliminate some of that system's obvious shortcomings, one can be relatively safe from this new infection. But nowhere do we see an outcry that the underlying system itself be fixed. It has been, what, two years since Outlook's vast and expensive security problem was first exploited, yet the single source company that publishes it still has not fixed it. As I've said before, nothing as important as computing has become can be entrusted to a company that behaves so irresponsibly toward its own customers. But it goes beyond that: nothing as important as computing can be entrusted to a single company, period.

With Linux, though, fixes are quick, high security is possible, and bad programs simply aren't used -- they're cast aside in favor of something better. There is very little that cannot be done nowadays on a Linux machine, the lone serious exception being interchanging documents with boxen running Microsoft Office applications -- which merely underlines my point about the dangers of single source.

Linux is not entrusted to any small group of people. It is available in source code to anyone who cares to have it. Its contents are well known, and there are hundreds of thousands of people capable of maintaining it. Tens of thousands, all over the world, do just that. Security holes are found and fixed. New applications are developed, hacked, released again, hacked some more, released some more. Quality is the only driving issue. And it cannot be eliminated by the elimination of any one company (or country, for that matter).

This has been increasingly obvious for some time, never more so than when the U.S. government's clandestine services let it be known early this year that Microsoft code has been invaded so many times and so thoroughly while sitting on Microsoft's own corporate machines that it not only cannot be thought of as secure, it cannot be made secure. Hence, the National Security Agency has undertaken Secure Linux, a startling demonstration of the strength of open source.

Computer security, we all knew, was important, but now it is important as never before. Single source software cannot provide that security, especially as it relates to Microsoft, which seems to have no particular interest in security anyway. Open source can provide security; indeed, there is no way that it won't unless the entire Linux community suddenly takes leave of its senses, which is unlikely.

But there is more to security than locking up our machines. The most important fundamental is that our machines keep working, that our information systems remain intact and uncorrupted. Linux is, of course, not utterly invulnerable in this regard, but as we have seen, exploits are far more quickly found and fixed when Linux is involved than they are when Windows is involved -- again, Microsoft seldom fixes the problem, leading to the existence of an entire industry devoted to putting a Band-Aid on Microsoft's problems. Though the majority of websites are non-Microsoft, it is Microsoft's products that have come closest to bringing down the web.

This is not Microsoft bashing, because it would apply equally to any single source system. It is inevitable. A single source system is capable of holding hostage, and it is capable of being held hostage. Open source isn't.

I mentioned the hard times that have befallen the carrion beetles of the plaintiffs' bar in part because it is a good thing, and we're in desperate need of good news; in part because it illustrates the unintended consequences of a reprehensible action; and in part because it cuts Linux businesses a little slack at a time when they very much need it. This is important because of the tremendous contributions that those businesses make to Linux and because it is crucial that Linux not become a de facto single source system.

As to the first point, Linux distributors have contributed a number of ease-of-use features that do not fit easily into the scratch-an-itch model of open source programming. A lot of the work done by distributions is not what the excited young programmer diving into Linux would undertake. Many people enjoy cooking, but few like to do the dishes. For this reason it is a very good thing that we have distributions producing installation and configuration utilities.

The second point is more important. I've heard it argued by very intelligent people that we might as well simply surrender to Red Hat, whereupon all issues of incompatibility, file hierarchy standards, and so on would disappear. And I have argued in response that these issues must be resolved outside any one distribution, to avoid any one distribution becoming so dominant that the others really don't matter. (It's worth noting that corporations are recognizing this as well, which is why IBM, for instance, has working relationships with multiple Linux distributors. They were the first to fall victim to the perilous nature of single source software.)

The powers that be have been making very slow progress in adopting a definition of standard Linux. To avoid pre-emption by a dominant distribution -- and by this I mean Red Hat, which produces an excellent distribution but one that must not become the only distribution -- these bodies would have to do a little less meeting and hemming and hawing and a little more producing. Here's hoping that they do just that. Standards are necessary in any operating system, and they are likely to be far better, as we've learned with Microsoft, if they're established by a standards body and not a corporation which, quite rightly, has its own interests chiefly in mind.

Linux has become sufficiently sophisticated and widely used that now is the time for all of us, not just distributors but those involved in projects connected with Linux, to consider what is rapidly becoming an important concern: backward compatibility. This was underlined in a perceptive email posted yesterday to the KDE developers mailing list by Jason Stephenson.

"Don't forget that many corporations, particularly in America, are stuck in a software release mindset," he wrote. "That is, they want to use the latest stable versions from the official maintainers. They don't want to hack the libraries that they get. They just want to write the software that they need to run their business." Preservation of binary compatibility should, wherever possible, be a goal. This was not so much the case when Linux was a hobbyist operating system. There is merit now in making its adoption more attractive to the enterprise.

Indeed, the vast consortium that now makes up the Linux development and distribution community is perfectly positioned to maintain and extend the information structure throughout the world. Microsoft, though it owns the majority of desktops, is in the odd position of playing catch-up, and it cannot succeed in doing so. Instead, it is releasing a new version of its operating system that fails to anticipate any of the recent unhappy events. Linux has built-in redundancy right down to its means of development and distribution. It is robust right across the board. It does not expose our computing infrastructure to the vulnerabilities that any single source system does.

Which puts us in the odd position of adding to the list of reasons for using Linux one that none of us would have expected a month ago: Because it's the patriotic thing to do.

This article first appeared on LinuxPlanet, an internet.com site.
