How misinformation can still hurt FLOSS

Honest errors and deliberate misinformation are still problems for Linux

By Brian Proffitt

There seems to be a bit of confusion out there about what open source means in terms of security: specifically, there's a pervasive notion that because software is open source, it's inherently insecure.

Seriously?

Apparently these folks have completely forgotten about software like sendmail, Apache, MySQL, SSH, and oh, what's that platform called… the one with the penguin… oh yeah: Linux. These applications and platforms are regarded in the industry as highly secure and generally free of malware in the wild.

And yet, when Google Open Source Programs Manager Chris DiBona recently quoted an article that said that "critics have been pounding the table for years about open source being inherently insecure," I decided to locate that article... I found myself running smack into what I believe is a serious error.

The article DiBona quotes was not hard to find, and I was dismayed to see that my colleague Dana Blankenhorn had written it. Here's the context of the quote:

"After [Google's] acquisition of Motorola Mobility, smart phones are expected to represent just under half the company's revenues.

"This is an important marker because critics have been pounding the table for years about open source being inherently insecure. That's one (of many) reasons why Linux never made it on the desktop, with proprietary Microsoft and Apple dominating operating systems. But now, at a stroke, Linux dominates the hand-held market, because Android is, at heart, a Linux."

I wanted to give Blankenhorn a little credit and assume he was being sarcastic, but that second sentence in the second 'graph pretty much convinced me that he was serious: apparently, lack of security was one of the reasons Linux never made it to the desktop.

With all due respect to my colleague, in what world was insecurity ever an obstacle for Linux? I can think of several other reasons why Linux never caught on on the desktop: a low number of apps, interfaces that were challenging for new users, a lack of coherent support. All of these are valid concerns (and all could be argued) but the only people who ever tried to make a case that desktop Linux was an insecure environment are the antivirus vendors.

There are, as I indicated above, real and legitimate challenges to Linux on the desktop, both within and from without the Linux ecosystem. I get that, and there are a lot of great projects out there that are working on these problems.

But I'm pretty sure that the threat of malware in Linux is not one of them.

On an absolute scale, and most definitely on a relative scale compared to the other operating systems held in such high regard, the threat of Linux malware is low: OS X malware is enough of a problem to warrant caution on that platform, and Windows' security has been a joke until (depending on who you ask) very recently, with some improvements in Windows 7.

I am not trying to take shots at a fellow journalist, and I am certainly not trying to come off as perfect myself. Maintaining an accurate perception of what's really going on can be hard. I know that--just recently I goofed and falsely reported that One Laptop Per Child once shipped Windows CE-loaded devices. My error was quickly and kindly pointed out, and I made the correction as soon as I could, though I felt chagrined. I had fallen into what XKCD artist Randall Munroe so brilliantly calls the process of "citogenesis".

So, while I feel obligated to point out what I believe to be an error on Blankenhorn's part, I certainly understand how such an error can occur. I've done it, too.

Mistakes on the part of journalists like myself are only part of the misinformation problem. Linux is enjoying an unprecedented level of respect in the IT community at this part of its history--gone are the days where IT managers would look at you as if you were crazy to suggest a Linux deployment in their server rooms. People get Linux and understand what it can and can't do.

That doesn't stop competitors of Linux from continuing to try to derail Linux' success with misinformation and FUD. In fact, it has only made those competitors try harder. All of us--community leaders, members, and even independent observers--need to step up our collective game and parse through the noise to find which elements within the criticisms are true and which are false.

Success for Linux--and indeed, much of FLOSS--is here, or soon to come. Now the community needs to make sure the reality of that success is accurately portrayed--warts and all.

Read more of Brian Proffitt's Open for Discussion blog and follow the latest IT news at ITworld.


Brian Proffitt is a veteran Linux and open source journalist/analyst with experience in a variety of technologies, including cloud, virtualization, and consumer devices.
