boston.com Business your connection to The Boston Globe
UPGRADE

This open-source software was just a little too open

You can learn a lot about a system by watching it fail. You probably know more this morning than you ever wanted to know about the nation's electrical power grid, for instance. You're also becoming an expert on Microsoft Corp.'s seeming inability to make reasonably secure software -- a lesson that came in the form of last week's attack of the Blaster bug. But if you weren't paying attention last week, you might have missed a far less spectacular but equally interesting failure right in the neighborhood -- Cambridge, to be exact. That's the headquarters of the Free Software Foundation, the dedicated band of computer programmers whose GNU Project produced most of the code found in the vaunted Linux operating system.

For years, the partisans of free software have asserted that their products are more secure and reliable than those made by Microsoft and other traditional software firms. They say that's because with free software -- also known as open-source software -- the raw source code is given to the user, along with the binary machine-readable version.

Programmers all over the world can read GNU/Linux code, spot problems, and fix them. Commercial software makers like Microsoft use a closed-source system. Only Microsoft has access to the raw code. When something goes wrong, everyone in the world must wait for Microsoft to fix it. If the Microsoft fix doesn't work, we must all wait until they get it right. That can take a while; earlier this year, Microsoft issued a security patch for its Web browser that caused malfunctions on some computer systems. So the company had to issue a patch for the patch.

Free software does it better, say its advocates. The fact that the code is developed by hundreds of programmers from around the world makes it far less likely that serious bugs will ever see the light of day.

It's a comforting vision, but reality turns out to be rather more messy. Last week, the foundation announced that the main server where it stores GNU Project code had been compromised. An unknown party broke in sometime in March, thanks to a previously unknown security flaw in Linux. Not long thereafter, foundation programmers found and closed the security hole, but didn't spot the intruder already inside. He stayed until July, merrily attempting to break into other computers on the foundation network, before the intrusion was discovered.

The GNU computer contained the official versions of the project's software, including programs used by software developers worldwide. GNU produces one of the most popular compilers for the C programming language, for example, as well as a powerful editing and development tool called Emacs. People around the world rely on these tools. An intruder could use his access to sabotage the GNU programs, perhaps by concealing dangerous "Trojan horse" programs amid the code.

Bradley Kuhn, the foundation's executive director, says there's no sign that the cracker did any such thing. Foundation programmers are checking their code line by line to ensure its purity. In addition, they're going to start adding digital signatures to all GNU files. That way, nobody will be able to tamper with them and get away with it.
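The signing plan described above rests on one idea: the key that signs the files lives somewhere the intruder cannot reach, so a file changed on the server no longer matches its signature. The following is an added illustration of that mechanism, not code from the foundation or from the column. It assumes a signed manifest of SHA-256 hashes covering the release, and it uses a deliberately insecure textbook RSA key built from two well-known Mersenne primes so that it runs with nothing but the Python standard library; a real project would sign with an OpenPGP key made by a proper generator (GnuPG is the usual tool) and keep the private half off the server. The release files are constructed samples, not GNU sources.

```python
import hashlib

# Constructed demonstration key: n is the product of two published Mersenne
# primes, 2^127-1 and 2^521-1, so anyone can factor it. It exists only to show
# the mechanism; a real signer uses a key from a proper generator and keeps the
# private exponent off the distribution server.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537                               # public exponent, shipped to users
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, stays offline


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> bytes:
    """One '<sha256>  <name>' line per file, sorted so the bytes are canonical."""
    lines = [f"{sha256_hex(body)}  {name}" for name, body in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA over SHA-256(data). No padding scheme: toy illustration only."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, d, n)


def verify_signature(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """True only if sig was produced with the private key matching (e, n)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, e, n) == digest


def verify_release(files: dict, manifest: bytes, sig: int) -> tuple:
    """Check the manifest's signature first, then every file against it.

    Returns (ok, reason). A tampered file, a rewritten manifest, or a file
    added or removed on the server each yields a distinct failure reason.
    """
    if not verify_signature(manifest, sig):
        return False, "manifest signature does not verify"
    expected = {}
    for line in manifest.decode().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    if set(expected) != set(files):
        return False, "file set differs from signed manifest"
    for name, body in files.items():
        if sha256_hex(body) != expected[name]:
            return False, f"{name} does not match signed manifest"
    return True, "all files match signed manifest"


# Constructed sample release (not real GNU files), signed by the maintainer.
RELEASE = {
    "hello.c": b'#include <stdio.h>\nint main(void) { puts("hello"); return 0; }\n',
    "README": b"hello 1.0\n",
}
MANIFEST = build_manifest(RELEASE)
SIGNATURE = sign(MANIFEST)


def tampered_release() -> dict:
    """The same release after someone with server access edits hello.c."""
    files = dict(RELEASE)
    files["hello.c"] = RELEASE["hello.c"].replace(b'puts("hello")', b'puts("tampered")')
    return files


if __name__ == "__main__":
    print(verify_release(RELEASE, MANIFEST, SIGNATURE))
    print(verify_release(tampered_release(), MANIFEST, SIGNATURE))
    # The manifest can be rewritten on the server, but not re-signed without D.
    forged = build_manifest(tampered_release())
    print(verify_release(tampered_release(), forged, SIGNATURE))
```

The order of checks matters: the signature is verified before any hash in the manifest is trusted, because a manifest on a compromised server is just another file the intruder can edit. Only the signature ties the hashes back to a key held off the machine.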

The foundation's response illustrates the strengths of the free software movement. When Microsoft discovers a problem in one of its products, we must simply wait for the company to issue a patch and trust that it will solve the problem.

The free software people, by contrast, have published on their website (www.gnu.org) a detailed explanation of what went wrong and what they're doing about it. Independent experts in software and network security can read the plan, identify flaws, and suggest something better. As for the possibility that the raider damaged some GNU software, any user who is nervous about it can get the raw source code and test it himself.

But the incident should also sober up the giddier partisans of open-source software. A Free Software Foundation server was not just cracked, it stayed cracked for more than four months. Free software, it seems, can be just as buggy as anything served up by Microsoft, and don't you forget it.

And one more thing: Neither the free software nor the kind made by Microsoft will compensate you for any losses suffered as a result of software bugs. "The code is as is," said Free Software Foundation attorney Eben Moglen. "Use at your own risk."

Perhaps that's the most important lesson from last week's software failures. In the end, we users are on our own.

Hiawatha Bray can be reached at bray@globe.com.
