Linux Speak: Separating Facts From Fiction

by Hinesh Jethwani    Apr 13, 2004

Linux Security - a cause for growing concern, or much ado about nothing? Seeking to dispel the recent scandalous attacks against Linux, Javed Tapia, Director, Red Hat India, drives the point home in a candid interview with CXOtoday.

Linux has been in the firing line recently, with a surge of reports floating in the market from ‘so-called’ intellectual experts and research agencies, all taking shots at two of the strongest known virtues of the operating system: its low TCO and unmatched security.

Dan O’Dowd, CEO of Green Hills Software, claimed that the proliferation of Linux through a growing number of U.S. defense systems poses a ‘serious and urgent security threat’.

Starting off with an honest confession, Tapia admitted, “All operating systems are vulnerable to attacks, no matter what security measures are used. The issue is how vulnerable the system is, and how these vulnerabilities can be addressed.”

“Some CEOs and CIOs wonder if open source is secure enough to run their critical business applications. Open Source is a new development paradigm and will take some time to be understood and appreciated. Just as an open mind does not mean a hole in the head, the ‘open’ in open source does not mean ‘insecure.’ On the contrary, Linux’s openness gives enterprises greater control over the security of their computing infrastructure. The availability of the source code means that organizations can modify the software to suit their needs; this flexibility is simply not available with closed/proprietary operating systems,” added Tapia.

Recently, proprietary software vendors have taken limited steps by allowing governments to view the source code, in response to pressure from governments that raised issues of national security. Such limited steps can barely come close to matching the power of the open source paradigm, where anyone, anywhere can view the code at any time and post their own bug fixes and patches, reasoned Tapia. Even code that has been submitted for inclusion in future releases is available online for comment and criticism, making open source development an extraordinarily transparent process.

“In contrast, the closed nature of proprietary operating systems means that CEOs and CIOs have to rely on their vendor’s word and their licensing terms and conditions for securing their enterprises,” claimed Tapia.

Now that Linux is emerging as an alternative operating system for enterprises, the issue of security is coming to the fore. A common question in the minds of some CEOs and CIOs is, “If it is open, how can it be secure?”

Echoing a similar beat, V.K. Ramani, president-IT, UTI Bank Ltd., said, “Financial institutions in general have an extremely insecure IT mindset, and the panic button is pressed immediately when the word ‘open’ is used.”

Dismissing the notion that open source is not secure, Ramani added, “We were only able to fully comprehend the reliability of Linux after the Code Red and Nimda era.”

The majority of the bank’s intranet has already gone the open source way, and more than 70 applications today are running on Linux.

“With open source software like Linux, people from across the world collaborate over the Internet to build software. Talented programmers write code for Linux, which is released under the General Public License (GPL) that allows an application and its source code to be used and modified freely, as long as the resulting code is distributed under the same terms. The GPL ensures that the source code can be audited by anyone, thus minimizing security risks,” detailed Tapia.

Eric Raymond, author of the famous document “The Cathedral and the Bazaar”, which compares the centralized software development processes of the proprietary software world with the decentralized world of open source, says, “Given enough eyeballs, all bugs are shallow.”

Explaining the open source development methodology, the Open Source Developer Labs (www.osdl.org) says that, “Since it was created in 1991, developers have freely contributed to the Linux system by organizing themselves into specific subsystems defined by interests and technical expertise. Each of these developer subsystems has a domain expert developer (called the subsystem maintainer) who oversees the work of others. Subsystem maintainers review the code submitted to them and orchestrate broader peer review of code to ensure its quality.”

This decentralized process subjects open source programs to far more scrutiny, through processes similar to peer review in academic journals. In comparison, a centralized process can never discover all the security risks in a software program, because the unconventional strategies adopted by malicious crackers are difficult to replicate. The decentralized process also ensures that security flaws and bugs are quickly fixed, because the bug fixes need not flow through the bureaucratic processes of typical “command and control” organizations.

The fact that the Linux community takes security issues seriously can be seen from groups like the Sardonix Audit Portal (www.sardonix.org) - funded by America’s Defense Advanced Research Projects Agency (DARPA) - that proactively examine the Linux code from an information security standpoint. Countless resources like Linux Security (www.linuxsecurity.com) also help keep users updated on the latest security issues reported in Linux.

Driving the final word on the issue, Tapia concluded, “Open Source means ‘open to scrutiny, open to customization, open to improvement, but not open to risk.’”

A report released recently by the Yankee Group claimed that in large enterprises, a significant Linux deployment or a total switch from Windows to Linux would be three to four times more expensive than an upgrade from one version of Windows to a newer Windows release.

According to Australia’s open source industry body OSIA, the 1,000-strong group of survey respondents who took part in the Yankee Group study was drawn from the Win2Knews mailing list, which is constituted predominantly of, and designed for, pro-Windows NT/2000 system admins. Further, the list is operated by Sunbelt Software, which describes itself as “a Microsoft Gold Certified Partner and the first and one of the largest providers of best-of-breed Windows NT, 2000/2003 utilities.”

“While Win2Knews and Sunbelt Software may be a great resource for Windows users, they would obviously be a poor pool from which to draw any unbiased opinion on Linux and open source software,” stated OSIA spokesperson Con Zymaris.

OSIA has released an alert on its website warning organizations that are considering migrating to, or adopting, Linux to thoroughly research any claims made by analysts with respect to the attributes of Linux.
