1,227 Posts served
5,082 Conversations started
- Atom
- Bit Stories
- Cool Software
- Customer Support
- Events
- Financial Software Industry
- Gaming
- Graphics
- Intel SW Partner Program
- Intel® Software Network 2.0
- Manageability
- Mobility
- Multicore
- Open Source
- Social Media & Virtual Worlds
- Software Engineering
- Threading Building Blocks
- University Curriculum
- Virtualization
- What If Software
- XML Software
Rubbing my eyes - open source is allegedly the cause for malware?
By Dirk Hohndel (Intel) (20 posts) on July 21, 2006 at 2:58 am
Sometimes I wonder. Right now I am in Ottawa at the Ottawa Linux Symposium where more than 800 Linux and open source developers are coming together to discuss their latest ideas and to celebrate the success of open source (and let's just say, they know how to celebrate). Earlier this week I was here at the Linux Kernel Summit where about 70 of the top kernel developers get together once a year to address some of the more difficult (or more hotly debated) topics of the kernel community.
Both events are showcases for the strength of innovation in open source and for the amazing software that is being created.
And while here I see McAfee's Dave Marcus is quoted somehow drawing a connection between open source and malware authors. Some of the headlines are pretty mind boggling, implying that open source is to blame for the increase in root-kit and malware-bot development. That's tough talk. Of course, reading a bit more you quickly find that the journalists and bloggers are a bit loose in their interpretation of Dave's words. What he apparently said is that the bad guys are using open source like methodology to develop their software. One might add that researchers have used "open source like methodology" for hundreds of years. Publishing papers about their results, and basing their research on previously released research from others.
While I don't think it is fair to say that "Development of Penicillin was caused by the open source movement", neither is it really honest to try to draw connections between open source developers and malware authors. I much more would see all of these comparisons as yet another example for why open source is a well established way to innovate (for the good or the bad) - and I am puzzled why people are upset about it.
Categories: Open Source
Comments (25) 
By Dawn Foster on July 21st, 2006 at 5:14 am
I could not agree more. I also read a number of different articles on this topic growing more puzzled by the conclusions that people were drawing. The real story is that people are collaborating online for social networking, wikis, blogging, other web 2.0 sites, and now for creating malware. Developing malware is just another way to use collaboration with a less desirable outcome for most of us.
Open source has been the poster child for online collaboration, so naturally open source is to blame for malware. Applying a similar logic, one could say that open source is to blame for collaboration on MySpace; therefore, open source is also to blame for anything bad that comes out of MySpace.
(Please note the heavy sarcasm in the above paragraph)
Really though, people need to think through the logic when drawing conclusions about these types of relationships.
By orestilla@gmail.com on August 17th, 2006 at 7:19 pm
testing
By jan@ixiacom.com on August 22nd, 2006 at 8:08 pm
The obvious reason for this propaganda is that McAfee has a lot to lose if Linux's market share on the desktop rises. None of those systems would need virus scanners or any other McAfee questionableware.
By sboire@hotmail.com on August 22nd, 2006 at 8:25 pm
I couldn't agree more with you
Open source software is an efficient way to share/access building blocks to create higher value solution. Why would it be different for malware?
The same kind of people will blame computers for being tools used by hackers to make our life miserable. Let's get rid of computers!
Although we can partly blame some of open-source community that are on an evangelical mission to convice us that open-source is "all good" and commercial software "all evil". Their emotional discourse is not helping being rational about the subject.
By jlchavez@enguate.com on August 22nd, 2006 at 9:02 pm
Please don't say that linux developers are perfect, viruses exist and while you can block all operations that a virus can do, people created linux, people can crack into it, we build it, we can destroy it.
Cracks, keygens and pirated softwre are modified and malware is inserted into it, the user runs it or installs it, and there you go, one PC infected. Not just viruses are malware.
We will have to keep on working on more secure software, and making people don't install malware or handle it in secure sandboxes that won't even permit any software make some operations if they aren't secure, but in an easy way that any common user (not developers) can be sure what is he running on their machines, and grant access if he is sure that the operation should be done or not.
By jose.a.nunez@gmail.com on August 22nd, 2006 at 9:05 pm
Open Source is a very interesting phenomena.
From a Business Opportunity point of view to the alturistic attitude of sharing Open source is here to stay and to ensure market is balanced.
There are still some bad things such as dual licensing and so forth, but I personally think those are misinterpretations that will go out some day.
By culvere@acm.org on August 22nd, 2006 at 9:06 pm
Without languages (VB, C#, C++, etc), malware would be impossible, so the real culprit is the availability of programming languages. Of course, without programming languages, computers are not even good boat anchors.
Tools have risks.
By greg@minerva.com on August 22nd, 2006 at 11:01 pm
The code either contains or does not contain bugs which may be exploited. If anything, it is easier for someone who *cares* about security to determine whether or not to trust a given piece of code when it is right there in front of God and everyone to read. If a piece of code's security is compromised by allowing people to see the source, then the piece of code is junk and is not secure in the first place - in my humble opinion as a systems programmer since 1964. (That is not to say that a good number of bugs such as the ubiquitous buffer overflows do not exist in the open source code - but where did Microsoft learn to have buffer flows other than by copying that code? lol!)
By rob.scott@nokia.com on August 22nd, 2006 at 11:07 pm
Well said.
When the title line reached my e-mail I was expecting the worst; ready to loudly comment to disabuse you of the notion implied. Good thing I read the whole note!
The fact that open-source methodolgy works for destructive purposes certainly does not invalidate the approach. When a better tool or technology is created it can be expected that someone, somewhere will find a way to use it to increase their "productivity" in the creation of end-products harmful to the public good. It is hard to envision any general-pupose tool or methodolgy that has some intrinsic "holy water" characteristic that would prevent this.
Perhaps we need to concentrate on educating the bloggers/reporters who intentionally or accidentally spin a relatively pure (academic) statement into a proprietary one.
By mpotter28@sympatico.ca on August 23rd, 2006 at 12:24 am
THis is as stupid as GWB. It took me about 15 sec. to fiqure out how to write virus,wroms etc. .All it took was one reading of "Shockwave Rider" by john brunner and it was obvious the approaches that would work to disrubt security. It was also obvious that you couldn;t make near the amount of money you'd get by working for a living.we're dealing with the terminally stupid. To say that certain business models create the problem is to ignore the true stupidity of certain people. We're not going to see secure systems in my life time. THe secret is to reach out to these underachievers and give them something important to. Quick somebody call a sociologisdt(lol)
By mpotter28@sympatico.ca on August 23rd, 2006 at 12:27 am
THis is as stupid as GWB. It took me about 15 sec. to fiqure out how to write virus,wroms etc. .All it took was one reading of "Shockwave Rider" by john brunner and it was obvious the approaches that would work to disrubt security. It was also obvious that you couldn;t make near the amount of money you'd get by working for a living.we're dealing with the terminally stupid. To say that certain business models create the problem is to ignore the true stupidity of certain people. We're not going to see secure systems in my life time. THe secret is to reach out to these underachievers and give them something important to. Quick somebody call a sociologisdt(lol)
By pcomitz@gmail.com on August 23rd, 2006 at 1:51 am
<snip>
The obvious reason for this propaganda is that McAfee has a lot to lose if Linux's market share on the desktop rises. None of those systems would need virus scanners or any other McAfee questionableware.
</snip>
Wrong- We'll just see more viruses for whatever product is the "New York Yankees" of OSes. It's human nature to diss others who are sucessful.
By vee.srinivas@gmail.com on August 23rd, 2006 at 3:10 am
Malware occours in all software - both open source and closed source (read windows). You cannot single out open source for this.
I feel that open source community will make it easier for bugs, malware and security breaches to be addressed faster. As stated by pcomitz and others, there are also vested intersts who are in this game
By johnreeder@optonline.net on August 23rd, 2006 at 11:25 am
It's an interesting thought but unfortunately reflects the ever more commonly held concept that the object produces the behavior, e.g. guns cause crime. Bad behavior is the result of warped thinking, any tool can be used with evil intent. If you take away the object something else will be used. Look at the ingenious methods terrorists are using to propagate their schemes. If you take away the nail clippers and tweezers they use water bottles. The benefits of open source development far outweigh the results of misuse and in fact has in and of itself been a factor in reducing the severity of threats on open source platforms due to the relatively fast (when compared to closed platforms) availability of fixes. Market share and visibility is a huge factor when selecting a target for a virus, trojan, etc. and if open source platforms held a greater market share and visibility there would undoubtedly be more attacks against them. Nevertheless, there is significant market share, especially in commercial markets, and the lack of commentary from the paper mill on successful threats seems to indicate a significant advantage in that quarter.
By piyush_431@hotmail.com on August 23rd, 2006 at 1:08 pm
I feel that open source community will make it easier for bugs, malware and security breaches to be addressed faster
By rblauter@cs.com on August 23rd, 2006 at 2:26 pm
Reporters are mindless, whether reporting for technical stuff or political stuff. Their job, and their editor's job, is to produce copy and controversy. Truth, well reasoned ideas, and integrity are not part of the job description. Malware authors are much worse. They pride themselves on doing the tough work of making the thing they are vandalizing more robust. They are actually pathalogically anti-social morons, trying to boost their own rotten self respect. Too bad both types of personalities persist.
By tigsantoz@hotmail.com on August 23rd, 2006 at 6:29 pm
When I first start to read this head-line, I was a bit upset. But reading all the article, made me think.
Open-source is not the origin of malware or virus, or any other, look-a-like stuff. Malware developers are mostly kid's that read something on the internet and figured out how to to write a vrius, or something like that. I do develop software under GNU GPL, but I dont develop malware. The internet was maded to share ideias not to make virus, for me the triky part on this is that "malware creators" evaluate the efect of their "software" my the impact it causes on the media. Giving malware to much "impact" on the news gives motive for other malware developer's to develop.
In my humble opinion open-source has nothing to do with malware.
By joe@pixolut.com on August 24th, 2006 at 6:45 am
Flawed logic was the origin of these misquotes from Dave... And the original comparison was flawed too... Here's the thing; Open Source is driven by a fundamental premise of collaboration - the sum of the parts is greater than that of the whole. Whilst this noble premise is a premise of Open Source it is not EXCLUSIVE to open source and further to that; Open Source is not purely defined by this premise either.
The reason root kits, virus technology and malware proliferate is that the subculture of developers collaborate. The method of collaboration is funamentally DIFFERENT to open source - as a lot of the collaboration is done using ADA! (Disassembler)
All the same - there exists for malware a community which shares ideas, supports each other and examines each other's work. This community-centric focus is what propels ALL HUMAN INVENTIVENESS - not just the Open Source community. Look at painters of the renaissance, or jazz musicians of the 50's. They form a community and have a collaborative process for development and ingenuity.
Its also important to look at the flipside - what makes Open Source is not just collaboration - its also a specific organizational structure, a peer reviewed development process and most importantly a specific licensing structure (of which there are many dialects - but the premise is the same).
So, yeah - flawed logic does annoy me. People need to spend some time looking at the deeper truth instead of going for buzzwords to make a headline.
By al_gun@ncable.net.au on August 24th, 2006 at 8:21 am
What a bullshit is this, I cannot believe someone told everyone that open source causes problem and butters malware authors bread... Well, let me think??? Is this really about malware authors or the big boys loosing some percent of the software market because of open source. I am an open source author. I've written few for comrade programmers, I never think for one second to charge anyone because my open source snippets helped them to create alternative software for the big boys. It's like McDonalds blaming small kebab business (this happened in Sydney - Australia) and telling everyone kebabs are no good for people????
Long live open source...
Happy coding
Al - Australia
By al_gun@ncable.net.au on August 25th, 2006 at 9:06 am
I am still so pissed off with this comment from McAffee's Dave Marcus, that the open source is the source of malware... If I may say what the f***. Instead he sould give some credit those open source programmers they've done and doing great job for the big boys software and their profit.
( Little sarcasm here )
I am not saying that they are stealing our open source and using their ridiculously priced software - by the way they (their software) never work the way they promote.
I don't believe if ever they say they don't use open source snippets in their software development. So that mean, they are creating malware to be able to sell their software to cure those malware created/developed with using open source...
(Catch 22 eh!)
Plus when the time come to beta test their software, why they turn to the open source programmers (mainly) and ask their help to test these software.
I wish I had a chance to talk face to face those who believe open source is a source for malicious software (malware)
Curse on you who believes that...
Angry again
but then again
Happy coding
Al
By tigsantoz@hotmail.com on August 25th, 2006 at 1:30 pm
Well, no one belives that open source is related to malware, and that is for shure, but the "big boys" keep using open-source resources, to develop "priced software". I work 6 month in a software company, and one of the first thing's i notice is that most of the code is based in open-source, also most of the technology aplied is based on open-source. Anyway they charge a lot for the software they "produce". they say it took moth to develop, as i saw it took just a few days. and by the way all the software that company develop's is compiled with GNU GCC, and other open-source compilers. Funny this...
Open-source giant's are a bit scared of, but they will have to fear more as the time passes by and open-source becomes more easy to use.
Open source has nothing to do with malware, but priced software "mostly has". If the big boys tell the truth "they software has bugs" malware programers woldn't have a point to prove by making malware.
By LCMesquita3206@hotmail.com on August 29th, 2006 at 5:54 pm
There is no denying the fact that a lot of Malware is distibuted to unsuspecting Internet Users when they download Free Software, supposedly doing some usefull task. When one purchases software on a CD, there is less chance of a virus infection, as the company producing the CD has the financial wherewithal to hire enough technical hands to ensure quality.
By maxim.osipov@gmail.com on August 29th, 2006 at 8:26 pm
Well, you know it is not true :) And anyone who had a chance to work with commersial software development knows. Sometime big commersial products are influenced by tight schedules, situation-driven decisions, resulting in overcomplicated and ugly implementations. Nobody understands how it works.
Major open source products are deferent - it is a joy for software engineer to work with it because of consistent design. You really need just source code to understand how it works! People try hard to have pleasure working with it and they succeed :)
Bugs and malware - it just comes unnoticed for commercial products, for years probably.
By culvere@acm.org on October 4th, 2006 at 7:54 pm
I've relatively little respect for McAfee's products in any case: on the Windows XP-pro machine I use at home, McAfee's 'anti-virus' software had some fairly severe bugs, which made it difficult to send email or surf the web. It's general performance was so horrid that I had to remove all traces of McAfee, which took far too long.
There are also reports of quite serious bugs in some commercial products, as in big-iron O/S: VM was reported (check comp.risks) to have a serious security related flaw; VM and MVS had a utility program (the name of which I don't recall) which bypassed all system security. Potential buffer overflows are pandemic in C code.
Dave Marcus of McAfee has a vested interest in both bashing Linux (and FreeBSD, OpenBSD, and NetBSD): his company's market is basically Windows machines (especially those where IE is the primary web browser and Outlook the primary email application).
In response to pcomitz@gmail.com:
Yes, some of the relative invulnerability of Linux and *BSD to malware is relatively low penetration in the marketplace. Quite a bit is due to Windows' flawed security model, where normal desktop use requires write access to some fairly critical system files, such as the registry (this is were most apps keep information such as the last few files opened, default folders, etc), and installing any kind of software requires write access to the equivalent of /usr/bin.
By David Schwartz on December 28th, 2006 at 8:14 pm
When you're dealing with something you're not totally comfortable with and don't really grasp at a fundamental and visceral level, it's easy to say something as stupid as, "shoes are the best thing ever invented for terrorists".