Monday, May 26, 2003

Tail between My Legs: MSFT vs. Linux

OK. I have made several mistakes and the general thrust of much of what Thom says is correct. That said, I will not cede the point that I believe at some level MSFT must have the ability to be or become more secure than Linux. In my earlier argument, I made several errors about the relative security of MSFT web servers versus Linux servers. I have recently completed an updated analysis that compares an estimate of the proportion of MSFT vs. Linux web servers and the proportion of MSFT vs. Linux web defacements. By comparing these figures, I was hoping to discover empirically whether MSFT or Linux was relatively more secure. As part of the analysis, I developed a simple quantification of Linux and MSFT's relative lack of security. I defined security weakness factor (SWF) as SWF = SWD / SS, where SWD = share of total web defacements and SS = share of total web servers. The higher the SWF score, the worse the security. I retrieved data on web defacements from Attrition and data on web servers from The Internet Operating System Counter. I have copied below the spreadsheet I used to perform the calculations.

Attrition Share of Total Web Defacements by OS, selected months in 2000 and 2001

Defacement counts by month:

| OS                    | Jun-00 | Jul-00 | Aug-00 | Sep-00 | Oct-00 | Nov-00 | Dec-00 | Jan-01 | Feb-01 | Mar-01 | Apr-01 | May-01 | Totals |
|-----------------------|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|
| Windows (NT + 2000)   |    245 |    263 |    219 |    181 |    321 |    472 |    465 |    537 |    440 |    515 |   1028 |    930 |   5616 |
| Linux (all varieties) |     53 |     95 |    219 |    189 |    152 |    147 |     89 |    310 |    335 |    250 |    274 |    102 |   2215 |
| Others                |     81 |     41 |    104 |    106 |    100 |    103 |    129 |     50 |     73 |    122 |    244 |    105 |   1258 |
| Totals                |    379 |    399 |    542 |    476 |    573 |    722 |    683 |    897 |    848 |    887 |   1546 |   1137 |   9089 |

Share of each month's defacements:

| OS                    | Jun-00 | Jul-00 | Aug-00 | Sep-00 | Oct-00 | Nov-00 | Dec-00 | Jan-01 | Feb-01 | Mar-01 | Apr-01 | May-01 | Totals |
|-----------------------|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|-------:|
| Windows (NT + 2000)   |    65% |    66% |    40% |    38% |    56% |    65% |    68% |    60% |    52% |    58% |    66% |    82% |    62% |
| Linux (all varieties) |    14% |    24% |    40% |    40% |    27% |    20% |    13% |    35% |    40% |    28% |    18% |     9% |    24% |
| Others                |    21% |    10% |    19% |    22% |    17% |    14% |    19% |     6% |     9% |    14% |    16% |     9% |    14% |
| Totals                |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |   100% |


Internet Operating System Counter, April of 1999
Windows 24.40%
Linux 28.50%

Relative Insecurity Levels of Windows and Linux
Windows 2.53
Linux 0.86

As you can see, Linux appears to be more secure by a factor of roughly 3x. However, I should caveat that the operating system counter statistics are from April of 1999 and the web defacement statistics are from mid-2000 to mid-2001. That said, assuming that Linux has not achieved a 3x advantage in share of web servers, it is likely still more secure.

Now that I have conceded this point, I would like to address a few of Thom's arguments and then conclude. Thom makes an interesting but ultimately flawed "good eyes" versus "bad eyes" argument. Thom admits that a key variable for his model is the number of crackers and percentage of users who actually read the code. However, these variables, while important, are not in my view the most important. I would wholeheartedly agree with Thom that there are likely more "good eyes" as he claims than "bad eyes"--(see, Thom, I am optimistic!). However, I think that a debate about these variables fundamentally misses the problem with open source. I find it hard to believe that "bad eyes" looking at open source code are equally effective in creating security breaches in open source as the "bad eyes" looking at closed source are in creating security breaches in closed source code. The crux of my argument is that "bad eyes" get a lot of good and useful information for their cracking endeavors by looking at the source code of an OS. Stated differently, my point is that "bad eyes" attacking Linux are likely more effective than "bad eyes" attacking MSFT. Now, I could be wrong since it appears from my argument above that Linux is currently more secure than MSFT. Thom does briefly address this point by saying that such tools as hex editors and reverse compilers might level the playing field between crackers attacking closed source and crackers attacking open source. However, I think that most everybody would agree, Thom included, that using reverse compilers and hex editors is a much more painstaking, complicated, and error-ridden process than is simply looking at the source code.

I grant Thom his argument on repair. I think it is fundamentally correct that repairs likely occur more quickly in Linux than they do in MSFT. I also operated under an incorrect assumption in my previous argument that Linux was not the OS of choice for large scale corporations on key servers. I am now increasingly aware of the fact that my assumption is likely false. So I agree with Thom. As my statistics above reveal, more web servers as of late 1999 ran Linux than MSFT. Though I am not totally sure what is going on at the largest corporations (where presumably security efforts receive more budget funding), I would assume that Linux has a larger share than MSFT. On the ethical question Thom raised, I will have to address that later.

Now, how could I believe that MSFT might have the potential to become more secure when the data reveal that it is currently quite a bit less secure? There are several reasons that this might be the case. It could be the case that crackers are much more likely to attack MSFT servers than Linux servers. For example, perhaps crackers feel some kind of loyalty toward open source for their own cultural reasons or perhaps they simply despise MSFT for their own cultural reasons. It could also be the case that the types of sites that crackers want to crack happen to run MSFT more frequently than Linux. This might be the case if sites that have valuable data or information typically run MSFT. Finally, it could be the case that there are security relationships between the server market (where MSFT and Linux have roughly equal market share) and the client market (where MSFT clearly dominates) that make crackers want to attack MSFT servers more. For example, it may be possible to crack an MSFT server and then exploit this weakness to distribute an e-mail virus to a larger group of MSFT client computers.

However, I will grant Thom that it might simply be the case that there are inherent net security benefits to open source over closed source. I still doubt it but if the analysis I performed above continues to show MSFT at such a security disadvantage in say 2-3 years, I may have to cede the point entirely.

On a side note, Gartner released a survey in 2001 that said that 45% of new server shipments were MSFT and only 25% were Linux. The survey also concluded that Linux remains an option for those companies seeking a "lower cost alternative" to MSFT. Gartner also said that it "does not predict any massive groundswell of support for Linux that would have any serious impact on Windows server market share." Statements like the latter require some justification. However, this data is pregnant with hermeneutic possibilities. Despite our quibble about security, is Linux ever more than a "low cost" alternative to MSFT? Will it ever have a serious impact on MSFT? Perhaps it already has in that Windows has publicly addressed it as a threat. But is this simply lip service? Questions for another day.


# posted by VR Founder : 9:20 AM
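Added here as an illustration, not part of the original post: the SWF = SWD / SS calculation carried through on the post's own Attrition and Internet Operating System Counter figures. It goes one step beyond the post by also computing the SWF month by month, which shows how widely the metric swings within the period and why a single aggregate ratio should be read with the author's date caveat in mind.

```python
"""Security weakness factor (SWF) worked through on the post's figures.

SWF = SWD / SS, where SWD is an OS's share of all recorded defacements and
SS is its share of all web servers. Values above 1 mean the OS is defaced
more often than its share of servers alone would predict.
"""
from typing import Dict, List

MONTHS: List[str] = ["Jun-00", "Jul-00", "Aug-00", "Sep-00", "Oct-00", "Nov-00",
                     "Dec-00", "Jan-01", "Feb-01", "Mar-01", "Apr-01", "May-01"]

# Monthly Attrition defacement counts, copied from the post's table.
DEFACEMENTS: Dict[str, List[int]] = {
    "Windows": [245, 263, 219, 181, 321, 472, 465, 537, 440, 515, 1028, 930],
    "Linux":   [53, 95, 219, 189, 152, 147, 89, 310, 335, 250, 274, 102],
    "Others":  [81, 41, 104, 106, 100, 103, 129, 50, 73, 122, 244, 105],
}

# Share of web servers from the Internet Operating System Counter, April 1999.
# "Others" has no server-share figure on the page, so it gets no SWF.
SERVER_SHARE: Dict[str, float] = {"Windows": 0.2440, "Linux": 0.2850}


def swf(defacement_share: float, server_share: float) -> float:
    """SWF = SWD / SS. A zero server share would divide by zero, so reject it."""
    if server_share <= 0:
        raise ValueError("server share must be positive")
    return defacement_share / server_share


def swf_report(defacements=DEFACEMENTS, server_share=SERVER_SHARE, months=MONTHS):
    """Per OS with a known server share: the aggregate SWF (what the post
    reports) plus the months with the highest and lowest monthly SWF."""
    monthly_totals = [sum(counts[i] for counts in defacements.values())
                      for i in range(len(months))]
    grand_total = sum(monthly_totals)
    report = {}
    for os_name, ss in server_share.items():
        counts = defacements[os_name]
        monthly = [swf(c / t, ss) for c, t in zip(counts, monthly_totals)]
        hi = max(range(len(months)), key=monthly.__getitem__)
        lo = min(range(len(months)), key=monthly.__getitem__)
        report[os_name] = {
            "swf": round(swf(sum(counts) / grand_total, ss), 2),
            "max_month": months[hi], "max_swf": round(monthly[hi], 2),
            "min_month": months[lo], "min_swf": round(monthly[lo], 2),
        }
    return report


if __name__ == "__main__":
    for os_name, row in swf_report().items():
        print(f"{os_name:8s} SWF={row['swf']:.2f}  "
              f"worst {row['max_month']} ({row['max_swf']:.2f})  "
              f"best {row['min_month']} ({row['min_swf']:.2f})")
```

The aggregate values reproduce the post's 2.53 and 0.86; the monthly values range from about 1.6 to 3.4 for Windows and about 0.3 to 1.4 for Linux.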

Wednesday, May 21, 2003

[Note: this rebuttal was written in response to Jeron's post of May 20 (and its subsequent edit). It does not explicitly address his post of May 21st, which essentially concurs with my analysis of the CERT advisories from 2002 & 2003.]

First, let me make clear that this discussion is focusing on the issue of security. I dispute Jeron's claims that Microsoft has advantages in "customer support, installed base and ongoing innovation," but that's a whole 'nother argument.

That said, Jeron's speculation about security in Microsoft software is based on a flawed premise. I admit that common sense seems to suggest that "security through obscurity," as it's commonly called, is stronger than open-source security. The most important lesson I learned in college, though, was to reject common sense when it is contradicted by evidence.

Before I explain why I believe that Linux will win the security wars (or at least, why Microsoft won't), I need to clear away Jeron's flawed analogies. First, Jeron claims that guarding source code is like the US Government's restrictions on DES exports. Jeron assumes, without support, that the government made the right decision, even though they have since greatly relaxed the restrictions after DES's shortcomings were demonstrated by white-hat crackers (without the source code). Second, Jeron compares sharing source code to publishing missile defense plans on the Internet. Personally, I don't think that's such a bad idea. The system doesn't work, and maybe the Europeans can help us fix it.

With the analogies (somewhat summarily) dismissed, let's look at the facts. While this is an admittedly unscientific study, I spent a little time last night surfing the website of CERT--one of the largest computer security incident response teams. Since January 2002, CERT has issued 50 advisories. Of those 50 advisories, 12 affect significant Microsoft software components and 13 affect standard Linux systems. (These numbers do not include holes in MS's services, such as the well publicized holes in Passport and Hotmail.) So, Microsoft and Linux have had an essentially equal number of vulnerabilities discovered in the past year and a half. If Jeron suggests that Microsoft's numbers are high due to their supposed greater adoption, he must also concede that Linux's open source code should generate more reports from benign inspectors.

Let's discuss that for a minute. There's a famous, and reasonably accurate, statement that in open source systems, "with many eyes, all bugs are shallow." The idea is that the more people who look at your source code, the more likely they are to find the errors in it. With a closed source development model, like Microsoft's, the only eyes are the original developers and perhaps an internal auditing team. In the open source development model, all users are potential eyes. Of course, Jeron agrees with the "potential eyes" idea; it's a core component of his argument, since among those potential eyes are those seeking to do ill.

And so, the argument between security through openness and security through obscurity becomes one of optimism vs pessimism. Let's take an imaginary product with 10 developers, 100,000 users and 500 crackers--people who will try to break the system. Let's say, furthermore, that if the system is open source, 1% of the legitimate users will actually read the source code (or hire someone to read it). So, in the closed source model the system has 10 "good eyes," the developers, and 500 "bad eyes," the crackers. The "bad eyes" don't have access to the source code, but they have access to the Internet, to packet sniffers, to hex editors, and to reverse compilers. In the open source model the system has 1000 "good eyes," the developers and 1% of the users, for those 500 "bad eyes." The two key variables in this model are the number of crackers and the percentage of users who will actually read the code. If you believe that there are more benign code readers than malicious ones, open source seems to make sense. If you're paranoid that the world is out to get you, then maybe it is best that you keep your secrets close to your chest.

Another benefit of OSS is speed of repair. I don't have statistics, but very often the person who finds an exploit in OSS will also submit a patch fixing the problem. Microsoft actually has a bug in NT that they have publicly stated they will not fix, and at least one of the CERT advisories from last year still contained the message that Microsoft would reply when they'd finished a security audit.

Jeron argues that "[OSS security benefits are] largely relevant to small and medium-sized enterprises." I don't understand this statement. Does he mean to suggest that large corporations are not susceptible to "worms, etc?" I think that the IT departments of most Fortune 500 companies wouldn't brush off the cost and effort involved in fighting the Code Red worm. If instead, he means that Microsoft is less susceptible to carefully planned and directed attacks, such as from corporate espionage, I rebut with two points. First, the computers of large corporations run the same services as small--web servers, remote login, virtual private networks, etc--and those web services are the doors through which all Internet-based attacks must come. That's just the way computers work. Second, it ignores statements by many professional (ex-)crackers that the weakest link for a targeted attack is user error and poor user training: misconfiguration, improper updating of compromised code, users with poor passwords or the improper control of passwords and security information.

I've neglected four aspects to this argument, but in the interest of space I'll only touch on them briefly. First, I've left untouched the ethical questions of open vs closed source. I'm not a huge proponent of the so-called moral argument for open source, but I do believe OSS is morally preferable in security applications. Second, Jeron argues that Microsoft is a common target for crackers because "such a large portion of the installed base runs on MSFT." What installed base is that? While MS has a strong grip on the desktop market, its claim to the server market is relatively weak. In Netcraft's Web Server Survey for April 2003, they found that over twice as many web sites run the open source Apache than MS's IIS. While we can't assume that all Apache servers are running on an open source operating system, Apache itself is OSS; it is clear that neither Microsoft nor any other closed-source competitor dominates this market. Third, I've set aside Jeron's argument (since removed) that "as open source becomes more established much of the entrepreneurial spirit of the contributors will be dampened." I think this is another argument for another day. It can be included in my model above, though, by decreasing over time the percentage of users who read the code. How fast should it decrease? I don't know; are you an optimist or a pessimist?

For another look at open- vs closed-source development, see "The Cathedral and the Bazaar".
# posted by Thom : 5:08 PM

MSFT vs. Linux Security

I must amend my earlier argument. I ran some interesting numbers based on some information that I found on the Internet. According to a survey performed by Attrition (www.attrition.org/mirror/attrition/os.html) over a 1 year 4 month period it tracked 8071 separate incidents of web site hacking and defacement. The OS percentages for these incidents were 56.57% Windows, 12.59% Linux, and 8.25% Solaris. According to my own extrapolation from IDC growth estimates of the Windows, Linux and Unix installed bases, I calculated the installed base of Windows over that same period to be about 60-61%, Linux to be 13-16%, and Unix to be 27-34%. This means that the frequency of web site hackings was slightly disproportionately small for _both_ Windows and Linux--though not much. This analysis basically supports the thesis that security breaches occur in Windows and Linux OS environments according to roughly the same proportion of the size of their respective installed bases. Hence from this analysis, it is not possible to demonstrate that either Linux or Microsoft has a clear security advantage.
# posted by VR Founder : 10:52 AM

iTunes--Finally Somebody Does it Right

A quick question for my fellow bloggers. Is the iTunes business model sustainable? Finally somebody has narrowed the wedge between the costs / benefits of getting free music at places like KaZaa and Morpheus and the costs / benefits of getting Big 5 music company-sanctioned music legitimately over the Internet. Generally, I view the value proposition of iTunes as: pay $0.99, no monthly fee, download as much as you want and make a few copies. The other companies trying to do something similar like rhapsody.com, pressplay, etc., have a very similar value proposition except most of them charge a monthly fee close to $20.00. So you pay $0.99 / song plus a monthly fee. This is simply too expensive for the typical user especially when there is a "free" alternative around the corner--KaZaa and Morpheus, etc.--and the only cost of these services is the guilt that the downloader feels. I think we sometimes underestimate this guilt factor. I imagine that Apple's model will appeal to a very large crowd of people--many of whom just don't feel quite right about downloading music for free. My big question is: Is this model sustainable? What is to prevent other competitors from doing the exact same thing? In fact, even worse, do pressplay, rhapsody.com and others even have a choice but to eliminate the monthly fee now? Is this just going to lead to a price war that will continue to erode the Big 5 music producers' margins (which is bound to happen)? Just a few days ago, Roxio announced that it is considering launching a business under the Napster name that will essentially copy Apple's business model.

As usual, Apple innovated and is first to this party. Can they sustain their current advantage over competitors and new entrants?
# posted by VR Founder : 7:27 AM

Tuesday, May 20, 2003

Why Open Source OSes (like Linux) Will Never Overtake Microsoft

Most of the arguments that I have heard on this subject contrast the constant improvement, adaptability, and low-cost advantages of open source with the customer support, installed base and ongoing innovation advantages of Microsoft. I want to add a dimension that I believe has not been fully fleshed out: security. Despite its recent security blunders, including the recent discovery of a major security fault in Microsoft's Passport product (originally released in 1999 and performing quite poorly) by a Lebanese programmer, Microsoft products will always be more secure for mission critical functions than open-source products. I know this is an oversimplification but I think we could make an analogy to DES encryption technology originally developed in 1976 in the US. The US banned the export of this technology. From a security perspective, open source is like inviting the EU to help the US develop a missile defense system. "Let's post the plans to the net and see if any helpful scientists find any flaws." Here are the two major security threats that I see: 1) making it easier for cybercriminals to find weak spots in the OS or disable existing security features and 2) creating the potential for cybercriminals to bake in malicious code.

Granted, until now the open source movement has generated net benefits for security. However, the type of security benefits that it has generated remain largely relevant to small and medium-sized enterprises and protect against some of the more common forms of malicious code--internet worms, etc. Some malicious code appears to be directly targeted at the Microsoft OS thus making it more common for MSFT failures to occur. This, however, is not a function of inherently poorer security on the MSFT platform but rather a quality of the numbers of attacks targeted directly at MSFT rather than at Unix or Linux, etc. This, in turn, is a function of the fact that such a large portion of the installed base runs on MSFT. If Linux gets that big--which it won't in its current form--then I imagine that it will fare the same or worse than MSFT. Also, though small companies can benefit from the low cost of Linux and the relatively high level of security for simple attacks, I believe that large companies will have the capabilities to protect against the lower level security threats and will want the additional peace of mind of knowing that their OS cannot be thoroughly examined by more professional hackers. Thoughts?
# posted by VR Founder : 5:43 PM

Meet the Founders

Ayr Muir-Harmony (of MIT, Harvard Business School, and McKinsey fame) and Thom Goodsell (of Charles River Analytics), two of the smartest, opinionated, and occasionally "downright ornery" technology people I know, have agreed to co-found the emerging tech blog with me. In some discussions we realized that we wanted to be clear that this blog will focus on topics of debate and interest for us. We do not intend to compete with some of the larger magazines that focus on emerging technology. Instead, we hope to bring a business focus, a sense of humor, and an emphasis on making good arguments about the potential and impact of emerging technologies to our blog.
# posted by VR Founder : 5:31 PM

Saturday, May 17, 2003

Welcome

Welcome to the inauguration of the emerging tech blog. I am trying to do something a bit different here than some of the other technology blogs like corante.com. In this blog I would like to slow down the timing of posts and instead focus on creating more integrative, well-reasoned assessments of early technologies. I will draw on insights from the best technological and entrepreneurial business theorists, insightful venture capitalists, and friends and entrepreneurs. I will hopefully have some guest writers as well as I post more material. Enjoy, and please feel free to let me know what you think of the material.
# posted by VR Founder : 10:40 PM