According to the editor’s letter in last week’s inaugural edition of Sage, a magazine produced by anti-malware vendor McAfee, “Open source is not to blame for current security trends.” Maybe not, but apparently it’s still expected to take the fall.
That issue's cover feature, under the headline “Paying a price for the open source advantage,” devotes some 30 pages to the assertion that malware authors are using “open source methods” to build better botnets, worms, and viruses. But this is nothing more than a gross and self-serving distortion of the facts.
I know something about malware development. In 1990, as a teenager, I wrote and distributed a primitive MS-DOS virus called Leprosy. It’s not my proudest moment, but it is significant, because Leprosy was unique in one important way. Long before I had ever heard of open source, I shipped my software complete with its accompanying source code and full documentation explaining how it worked.
At that time, this was virtually unheard-of. Working virus code was a prized possession, one that catapulted the owner into the ranks of the so-called elite. To simply give it away, along with all its secrets, ran contrary to every principle of the status-centric hacker culture.
My fellow tinkerers jumped at the opportunity, however, and so the Leprosy source code traveled far and wide. Within a few years, hundreds of new, derivative viruses had appeared. The upside? My open code made it easy for other developers to build on my foundation, but its transparency also made it trivial to defeat. In the wild, the threat of Leprosy and its descendents was virtually nonexistent.
The techniques Leprosy employed in that pre-Windows world aren’t much use to virus writers today. Nor have today’s malware authors followed my lead toward open source. Although it’s true that much public code is available and malware authors have built on one another’s successes, this baseline of collaboration is inevitable in any field of endeavor. The really sophisticated techniques, however, are still hoarded as if they were secret weapons, and necessarily so.
If social status is no longer a driver for malware development, in its place is an equally ignoble motive: old-fashioned financial gain. In fact, as McAfee’s Sage points out, some malware authors even sell value-added versions of their code in a “mixed-source” model. In a sense, they are proprietary software vendors like any others, and they’ll remain that.
“Open source was supposed to hinder malware,” pleads one Sage article. “So what happened?” What happened, of course, was Apache, Firefox, Linux, and the numerous other open source projects that remain remarkably resilient to malware. Meanwhile, the closed-source software community hasn’t fared as well. As recent news has shown, even security vendors such as McAfee can fall prey to exploits in their proprietary code.
Clearly, open source methods are not the problem. Rather, as the shared body of knowledge around malware techniques has evolved, it is no longer sufficient for companies such as McAfee to act as gatekeepers of that knowledge for the security community. Share the code. Expose the threats. Make the solutions known. What we need is more openness, not less.
Read more about security in InfoWorld's Security Central Channel.
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
1 Recommendation
