Sunday, September 19, 2021

The Strategic Importance of Linux

By Dennis E. Powell

One of my favorite political thinkers, the late James Burnham,
famously noted that it is impossible to do just one thing. Any action
may bring about the intended consequences, but it will certainly bring
about some unplanned ones, too.

His observation came to mind over the weekend when I learned while
on a trip to the Washington D.C. area that the terrorist attack on the
World Trade Center will probably cause the shareholder lawsuits
against Linux distributors to come to a screeching halt.

The reason is this: The Securities and Exchange Commission office
in the World Trade Center complex was destroyed in the attack. It
contained the original material and evidence in the SEC’s probe of
underwriter misbehavior in initial public stock
offerings. Class-action plaintiffs’ lawyers, whose coat of arms is
emblazoned with the vulture, do not do their own work in most cases,
instead piggybacking on some federal investigation. This federal
investigation has now disappeared. Yes, it could probably largely be
recreated, but it’s not the top item on the SEC’s stack right now, for
a number of reasons.

As it happens, it’s unlikely that much would have come of the
lawsuits, anyway. Lawyers are having increasing difficulty getting
classes certified, and recent appellate rulings will make litigious
fishing expeditions far more difficult.

While we naturally recoil from deriving benefit from atrocious
acts, we gain nothing by ignoring the law of unintended consequences
— especially in this case, where reaping the benefits can improve the
lot of the entire free world.

I’m talking about Linux, which has suddenly become of strategic
importance.

There are three reasons for the sudden added importance of Linux:
It is good. It is relatively secure and can be made very secure. And
it’s out there. All three are important, but most important is the
last one.

Single Source vs. Open Source

There are problems with any system in which there is a single
source for a critical commodity. These involve quality and
vulnerability. When there is a single source, the quality needn’t be
high. When there is a single source, that source, if cut off,
eliminates access to the commodity. Both of these apply in connection
with the products of Microsoft Corporation. Indeed, Microsoft has
managed to combine them. Look at this from the Gartner Group, from
just last week:

“Gartner recommends that enterprises hit by both Code Red and
Nimda immediately investigate alternatives to IIS, including moving
Web applications to Web server software from other vendors, such as
iPlanet and Apache. Although these Web servers have required some
security patches, they have much better security records than IIS and
are not under active attack by the vast number of virus and worm
writers. Gartner remains concerned that viruses and worms will
continue to attack IIS until Microsoft has released a completely
rewritten, thoroughly and publicly tested, new release of
IIS.”

Want to guess how long it will be before Microsoft rewrites IIS?
And if they announce that they have, how will we know they’re
telling the truth? Very few people know what’s in Microsoft’s
code. Even if it were very good, this fact alone would represent a
tremendous vulnerability. The fact that it’s not very good allows us
to see time and again the quality aspects of single source. In the few
days since Gartner’s report, there has been yet another Outlook
macro virus. If one downloads signature files that are added to a
program that is added to Windows so as to eliminate some of that
system’s obvious shortcomings, one can be relatively safe from this
new infection. But nowhere do we see an outcry that the underlying
system itself be fixed. It has been, what, two years since Outlook’s
vast and expensive security problem was first exploited, yet the
single source company that publishes it still has not fixed it. As
I’ve said before, nothing as important as computing has become can be
entrusted to a company that behaves so irresponsibly toward its own
customers. But it goes beyond that: nothing as important as computing
can be entrusted to a single company, period.

With Linux, though, fixes are quick, high security is possible,
and bad programs simply aren’t used — they’re cast aside in favor of
something better. There is very little that cannot be done nowadays on
a Linux machine, the lone serious exception being interchanging
documents with boxen running Microsoft Office applications — which
merely underlines my point about the dangers of single
source.

Linux is not entrusted to any small group of people. It is
available in source code to anyone who cares to have it. Its contents
are well known, and there are hundreds of thousands of people capable
of maintaining it. Tens of thousands, all over the world, do just
that. Security holes are found and fixed. New applications are
developed, hacked, released again, hacked some more, released some
more. Quality is the only driving issue. And it cannot be eliminated
by the elimination of any one company (or country, for that
matter).

This has been increasingly obvious for some time, never more so
than when the U.S. government’s clandestine services let it be known
early this year that Microsoft code has been invaded so many times and
so thoroughly while sitting on Microsoft’s own corporate machines that
it not only cannot be thought of as secure, it cannot be made
secure. Hence, the National Security Agency has undertaken Secure
Linux, a startling demonstration of the strength of open
source.

Computer security, we all knew, was important, but now it is
important as never before. Single source software cannot provide that
security, especially as relates to Microsoft, which seems to have no
particular interest in security anyway. Open source can provide
security; indeed, there is no way that it won’t unless the entire
Linux community suddenly takes leave of its senses, which is
unlikely.

But there is more to security than locking up our machines. The
most important fundamental is that our machines keep working, that our
information systems remain intact and uncorrupted. Linux is, of
course, not utterly invulnerable in this regard, but as we have seen,
exploits are far more quickly found and fixed when Linux is involved
than they are when Windows is involved — again, Microsoft seldom
fixes the problem, leading to the existence of an entire industry
devoted to putting a bandaid on Microsoft’s problems. Though the
majority of websites are non-Microsoft, it is Microsoft’s products
that have come closest to bringing down the web.

This is not Microsoft bashing, because it would apply equally to
any single source system. It is inevitable. A single source system is
capable of holding hostage, and it is capable of being held
hostage. Open source isn’t.

I mentioned the hard times that have befallen the carrion beetles
of the plaintiffs’ bar in part because it is a good thing, and we’re in
desperate need of good news; in part because it illustrates the
unintended consequences of a reprehensible action; and in part because
it cuts Linux businesses a little slack at a time when they very much
need it. This is important because of the tremendous contributions
that those businesses make to Linux and because it is crucial that
Linux not become a de facto single source system.

As to the first point, Linux distributors have contributed a
number of ease-of-use features that do not fit easily into the
scratch-an-itch model of open source programming. A lot of the work
done by distributions is not what the excited young programmer diving
into Linux would undertake. Many people enjoy cooking, but few like to
do the dishes. For this reason it is a very good thing that we have
distributions producing installation and configuration
utilities.

The second point is more important. I’ve heard it argued by very
intelligent people that we might as well simply surrender to Red Hat,
whereupon all issues of incompatibility, file hierarchy standards, and
so on would disappear. And I have argued in response that these issues
must be resolved outside any one distribution, to avoid any one
distribution becoming so dominant that the others really don’t
matter. (It’s worth noting that corporations are recognizing this as
well, which is why IBM, for instance, has working relationships with
multiple Linux distributors. They were the first to fall victim to the
perilous nature of single source software.)

The powers that be have been making very slow progress in adopting
a definition of standard Linux. To avoid pre-emption by a dominant
distribution — and by this I mean Red Hat, which produces an
excellent distribution but one that must not become the only
distribution — these bodies would have to do a little less meeting
and hemming and hawing and a little more producing. Here’s hoping that
they do just that. Standards are necessary in any operating system,
and they are likely to be far better, as we’ve learned with Microsoft,
if they’re established by a standards body and not a corporation
which, quite rightly, has its own interests chiefly in
mind.

Linux has become sufficiently sophisticated and widely used that
now is the time for all of us, not just distributors but those involved in
projects connected with Linux, to consider what is rapidly becoming an
important concern: backward compatibility. This was underlined in a
perceptive email posted yesterday to the KDE developers mailing list
by Jason Stephenson.

“Don’t forget that many corporations, particularly in
America, are stuck in a software release mindset,” he
wrote. “That is, they want to use the latest stable versions from
the official maintainers. They don’t want to hack the libraries that
they get. They just want to write the software that they need to run
their business.” Preservation of binary compatibility should,
wherever possible, be a goal. This was not so much the case when Linux
was a hobbyist operating system. There is merit now in making its
adoption more attractive to the enterprise.

Indeed, the vast consortium that now makes up the Linux
development and distribution community is perfectly positioned to
maintain and extend the information structure throughout the
world. Microsoft, though it owns the majority of desktops, is in the
odd position of playing catch up, and it cannot succeed in doing
so. Instead, it is releasing a new version of its operating system
that fails to anticipate any of the recent unhappy events. Linux has
built-in redundancy right down to its means of development and
distribution. It is robust right across the board. It does not expose
our computing infrastructure to the vulnerabilities that any single
source system does.

Which puts us in the odd position of adding to the list of reasons
for using Linux one that none of us would have expected a month ago:
Because it’s the patriotic thing to do.

This article first appeared on LinuxPlanet, an internet.com site.
