McAfee cries wolf on open source

According to the editor’s letter in last week’s inaugural edition of Sage, a magazine produced by anti-malware vendor McAfee, “Open source is not to blame for current security trends.” Maybe not, but apparently it’s still expected to take the fall.

That issue's cover feature, under the headline “Paying a price for the open source advantage,” devotes some 30 pages to the assertion that malware authors are using “open source methods” to build better botnets, worms, and viruses. But this is nothing more than a gross and self-serving distortion of the facts.

I know something about malware development. In 1990, as a teenager, I wrote and distributed a primitive MS-DOS virus called Leprosy. It’s not my proudest moment, but it is significant, because Leprosy was unique in one important way. Long before I had ever heard of open source, I shipped my software complete with its accompanying source code and full documentation explaining how it worked.

At that time, this was virtually unheard-of. Working virus code was a prized possession, one that catapulted the owner into the ranks of the so-called elite. To simply give it away, along with all its secrets, ran contrary to every principle of the status-centric hacker culture.

My fellow tinkerers jumped at the opportunity, however, and so the Leprosy source code traveled far and wide. Within a few years, hundreds of new, derivative viruses had appeared. The upside? My open code made it easy for other developers to build on my foundation, but its transparency also made it trivial to defeat. In the wild, the threat of Leprosy and its descendents was virtually nonexistent.

The techniques Leprosy employed in that pre-Windows world aren’t much use to virus writers today. Nor have today’s malware authors followed my lead toward open source. Although it’s true that much public code is available and malware authors have built on one another’s successes, this baseline of collaboration is inevitable in any field of endeavor. The really sophisticated techniques, however, are still hoarded as if they were secret weapons, and necessarily so.

If social status is no longer a driver for malware development, in its place is an equally ignoble motive: old-fashioned financial gain. In fact, as McAfee’s Sage points out, some malware authors even sell value-added versions of their code in a “mixed-source” model. In a sense, they are proprietary software vendors like any others, and they’ll remain that.

“Open source was supposed to hinder malware,” pleads one Sage article. “So what happened?” What happened, of course, was Apache, Firefox, Linux, and the numerous other open source projects that remain remarkably resilient to malware. Meanwhile, the closed-source software community hasn’t fared as well. As recent news has shown, even security vendors such as McAfee can fall prey to exploits in their proprietary code.

Clearly, open source methods are not the problem. Rather, as the shared body of knowledge around malware techniques has evolved, it is no longer sufficient for companies such as McAfee to act as gatekeepers of that knowledge for the security community. Share the code. Expose the threats. Make the solutions known. What we need is more openness, not less.