08.03.10
British Computer Society (BCS) Distances Itself From Controversial Article Belittling Free/Libre Software Security
Summary: BCS escapes bad publicity by clarifying that an article it (re)posted does not represent its views; Katherine Noyes explains what makes GNU/Linux particularly secure
LAST WEEK we responded to FUD from the British Computer Society (BCS) Web site. David Evans from BCS replied to our post and politely explained the situation. It turns out that many other sites — not just Techrights — were upset by the article which BCS had published. The article basically claimed that Free/open source software is fundamentally less secure than non-Free software. This whole thing started a “flame war” and The Register (UK) explains how so:
BCS Linux-baiting sparks flame war
[...]
Meanwhile, other readers criticised the article as being a “disappointing and unnecessarily biased article, to the point of being misleading” and worse. Part of the problem is that the article was not properly distinguished from being either an analysis or an opinion piece.
[...]
Mark Elkins, chair of the OSSG confirmed it had not been contacted and expressed regret at this oversight. Elkins told The Register that his main regret was that BCS members might go away from the article in the mistaken belief it ought to be read as the professional organisation’s considered view on the subject of open source security, instead of an opinion.
There are complaints there about the BCS deleting opinions. If true, that’s truly shameful.
Speaking of Free software and GNU/Linux security, Katherine Noyes began writing some nice articles for IDG rather than ECT. One of her very latest is an article titled “Why Linux Is More Secure Than Windows” (this extends to Free software in general). One line of argument goes like this:
“Linus’ Law”–named for Linus Torvalds, the creator of Linux–holds that, “given enough eyeballs, all bugs are shallow.” What that means is that the larger the group of developers and testers working on a set of code, the more likely any flaws will be caught and fixed quickly. This, in other words, is essentially the polar opposite of the “security through obscurity” argument.
With Windows, it’s a limited set of paid developers who are trying to find problems in the code. They adhere to their own set timetables, and they don’t generally tell anyone about the problems until they’ve already created a solution, leaving the door open to exploits until that happens. Not a very comforting thought for the businesses that depend on that technology.
In the Linux world, on the other hand, countless users can see the code at any time, making it more likely that someone will find a flaw sooner rather than later. Not only that, but users can even fix problems themselves. Microsoft may tout its large team of paid developers, but it’s unlikely that team can compare with a global base of Linux user-developers around the globe. Security can only benefit through all those extra “eyeballs.”
Visibility does make code more secure. To suggest otherwise is to assume that obfuscation trumps peer review. The BCS ought to understand the importance of peer review, as well as having research be published along with open data for replication/verification by independent parties. GNU/Linux development follows the scientific paradigm, which usually makes it more fault tolerant. █