.comment: Strategic Linux
September 26, 2001
One of my favorite political thinkers, the late James Burnham, famously noted that it is impossible to do just one thing. Any action may bring about the intended consequences, but it will certainly bring about some unplanned ones, too.
His observation came to mind over the weekend when I learned, while on a trip to the Washington, D.C. area, that the terrorist attack on the World Trade Center will probably cause the shareholder lawsuits against Linux distributors to come to a screeching halt.
The reason is this: The Securities and Exchange Commission office in the World Trade Center complex was destroyed in the attack. It contained the original material and evidence in the SEC's probe of underwriter misbehavior in initial public stock offerings. Class-action plaintiffs' lawyers, whose coat of arms is emblazoned with the vulture, do not do their own work in most cases, instead piggybacking on some federal investigation. This federal investigation has now disappeared. Yes, it could probably largely be recreated, but it's not the top item on the SEC's stack right now, for a number of reasons. One is that securities manipulations having to do with the attack itself are suddenly consuming a huge part of the SEC's investigative resources. Another is that improprieties in IPOs scarcely constitute a burning problem right now, in that nobody is currently going public.
As it happens, it's unlikely that much would have come of the lawsuits, anyway. Lawyers are having increasing difficulty getting classes certified, and recent appellate rulings will make litigious fishing expeditions far more difficult.
While we naturally recoil from deriving benefit from atrocious acts, we gain nothing by ignoring the law of unintended consequences -- especially in this case, where reaping the benefits can improve the lot of the entire free world.
I'm talking about Linux, which has suddenly become of strategic importance.
There are three reasons for the sudden added importance of Linux: It is good. It is relatively secure and can be made very secure. And it's out there. All three are important, but most important is the last one.
Single Source vs. Open Source
There are problems with any system in which there is a single source for a critical commodity. These involve quality and vulnerability. When there is a single source, the quality needn't be high. When there is a single source, that source, if cut off, eliminates access to the commodity. Both of these apply in connection with the products of Microsoft Corporation. Indeed, Microsoft has managed to combine them. Look at this from the Gartner Group, from just last week:
"Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS."
Want to guess how long it will be before Microsoft rewrites IIS? And if they announce that they have, how will we know they're telling the truth? Very few people know what's in Microsoft's code. Even if it were very good, this fact alone would represent a tremendous vulnerability. The fact that it's not very good allows us to see time and again the quality aspects of single source. In the few days since Gartner's report, there has been yet another Outlook macro virus. If one downloads signature files that are added to a program that is added to Windows so as to eliminate some of that system's obvious shortcomings, one can be relatively safe from this new infection. But nowhere do we see an outcry that the underlying system itself be fixed. It has been, what, two years since Outlook's vast and expensive security problem was first exploited, yet the single source company that publishes it still has not fixed it. As I've said before, nothing as important as computing has become can be entrusted to a company that behaves so irresponsibly toward its own customers. But it goes beyond that: nothing as important as computing can be entrusted to a single company, period.
With Linux, though, fixes are quick, high security is possible, and bad programs simply aren't used -- they're cast aside in favor of something better. There is very little that cannot be done nowadays on a Linux machine, the lone serious exception being interchanging documents with boxen running Microsoft Office applications -- which merely underlines my point about the dangers of single source.
Linux is not entrusted to any small group of people. It is available in source code to anyone who cares to have it. Its contents are well known, and there are hundreds of thousands of people capable of maintaining it. Tens of thousands, all over the world, do just that. Security holes are found and fixed. New applications are developed, hacked, released again, hacked some more, released some more. Quality is the only driving issue. And it cannot be eliminated by the elimination of any one company (or country, for that matter).
This has been increasingly obvious for some time, never more so than when the U.S. government's clandestine services let it be known early this year that Microsoft code has been invaded so many times and so thoroughly while sitting on Microsoft's own corporate machines that it not only cannot be thought of as secure, it cannot be made secure. Hence, the National Security Agency has undertaken Secure Linux, a startling demonstration of the strength of open source.
Computer security, we all knew, was important, but now it is important as never before. Single source software cannot provide that security, especially as relates to Microsoft, which seems to have no particular interest in security anyway. Open source can provide security; indeed, there is no way that it won't unless the entire Linux community suddenly takes leave of its senses, which is unlikely.
But there is more to security than locking up our machines. The most important fundamental is that our machines keep working, that our information systems remain intact and uncorrupted. Linux is, of course, not utterly invulnerable in this regard, but as we have seen, exploits are far more quickly found and fixed when Linux is involved than they are when Windows is involved -- again, Microsoft seldom fixes the problem, leading to the existence of an entire industry devoted to putting a bandaid on Microsoft's problems. Though the majority of websites are non-Microsoft, it is Microsoft's products that have come closest to bringing down the web.
This is not Microsoft bashing, because it would apply equally to any single source system. It is inevitable. A single source system is capable of holding hostage, and it is capable of being held hostage. Open source isn't.