Friday, January 26, 2007

Open Source Security

According to an article in the Oregonian on Tuesday, January 23, 2007, written by Mike Rogoway, the merger between the Free Standards Group in San Francisco and the Beaverton-based Open Source Development Laboratory marks a major milestone for the Linux operating system.

The new organization, dubbed "The Linux Foundation", will face some difficult challenges. The article briefly mentions two possible challenges: standards between different Linux distributions and patent infringement alleged by Microsoft. However, one particular issue that the article did not address is security.

Last night, I attended a BarCampPortland meeting. I met several interesting and extremely successful people, including Sioux Fleming, who is a computer security specialist. She said something that made me think about future security issues in Linux. There seems to be a lot of hesitation for businesses to switch to Linux because it is open source; naturally, this means that a hacker who wants to exploit a security vulnerability could simply look at the source code and determine how to exploit the system.

However, Sioux stepped up to defend open source by using Microsoft security as an example. She said that Microsoft constantly issues patches to plug holes in Windows security, yet hackers are still able to exploit and find new holes. Now, I'm no security expert and don't know the details of how this works, but it seems that Linux has a lot fewer issues in terms of security vulnerabilities, yet unlike Windows, the source code is easily available for anyone to examine. Personally, I don't know anyone who has had to completely reinstall his or her Linux system as a result of a security vulnerability, but I have personally reinstalled several Windows systems as a result of trojans, worms, and other security-related disasters.

One of the possible reasons for Windows users being the target of more security threats than Linux users is that -- in terms of desktop computers -- there are more Windows users than there are Linux users. Therefore, if Linux does begin to gain a significant market share in the desktop PC market, what should we expect to see in terms of security as Linux users? Will we see more security exploits in Linux? Will I end up helping someone recover lost data on his or her Linux box?

Of course, Linux and UNIX-based platforms are still used primarily as servers in many businesses, yet the uptimes for these servers are significantly higher than for Windows servers. From looking at the past performance of the Linux operating system, can we assume that it will still perform as well in the future?

These are questions that will be answered as the Linux operating system and open source gain more market share.