
Dear The Sun: we need to talk about your understanding of open source

Since you won't answer our emails, here's an open letter

By Jessica Rose, September 22, 2016

Dear The Sun,

I want to talk to you about this article, and the claims it makes about open source software. I would have liked to chat to your cited expert, whom you’ve listed only as Neil Doyle. Sadly, the article fails to specify his area of expertise and both messages and emails to author Ryan Sabey asking for further information have gone unanswered. So I’m responding to it here, supported by some brilliant, contactable experts in security and open source.

After sitting open-mouthed at the misinformation in this article for some time, I began to reach out to fellow tech experts to see if they felt the same. I first contacted Dr. Jessica Barker, the independent cybersecurity authority behind cyber.uk. I asked if she could address the concerns you raised that use of open source software in the public sector would pose security risks. Specifically, that:

Spies would have a “field day” if given access to all publicly-funded software and hardware under the proposals, one expert said.

“That [use of open source in government contexts] could also mean giving the keys to spies and copycat outfits in Russia, North Korea and China.”

He said it would also be easier for hackers to inspect software and hardware to identify vulnerabilities and steal sensitive data.

He said: “Cyber-criminals and foreign intelligence agencies would have a field day.”

Dr Barker responded:

“The Sun seems to be implying that open source software is more vulnerable to attack than closed source, which is a sweeping misunderstanding that fails to take the complex nature of cybersecurity into account.

Both open source and closed source software can be vulnerable to exploit, however these vulnerabilities are arguably more likely to be discovered in open source rather than closed source software as more people (including security researchers) are able to look at it. By its nature, it is publicly available and so it’s harder to hide malicious vulnerabilities.”

This web has some vulnerabilities. We can tell, because we can actually see it. Image: Pexels

Next, we asked Eileen M. Uchitelle, a security and open source-focused programmer at Basecamp, what she made of the claims in the article – and this one in particular:

MP Nigel Adams said Mr Corbyn’s manifesto “ignores the issue of internet abuse”.
He said: “His shambolic policies could leave us open to malicious attack and put our national security at risk.”

She said:

“Nigel Adams and others who oppose Corbyn’s plans appear to have little understanding of how the open source community works. A main point of the Sun’s article that is completely off base is the notion that by using open source software, private sector companies won’t want to get involved in working with the government. Many private companies are already using open source software and to that point many private sector jobs wouldn’t even exist without open source languages like Ruby, Python, and Node.

While it’s true that open source means anyone can look at the code, that also means that you’re getting a lot more eyes and expertise than private source code ever will. The benefit of this is that everyone using your code is invested in ensuring it’s safe and secure.”

Look, it's a security metaphor! Image: Pexels

And how about those expert claims that untenable risks are attached to code visibility in open source? Specifically, that:

“Open source means code and plans can be accessed and potentially altered and re-packaged by anyone.”

I asked Senior Editor of PHPDeveloper.org and PHP security expert Chris Cornutt:

“The use of open source software isn’t a “free pass” to attackers. Open source software is the sharing of the code driving the application for public consumption, allowing for open contribution, discussion and community around it. While it does make it easier to locate issues directly, without it attackers would just refocus their energies towards other more ‘brute force’ attack methods. Open source software doesn’t make you any more or less safe – the key is in how you implement it and how you harden your systems.”

Not all of the concerns raised in the article were linked to security. I asked Harry Metcalfe, Founder and MD of dxw for an opinion on this assertion:

“…private firms or individuals would be reluctant to get involved in public sector projects, claimed Neil Doyle.”

He said:

“It’s not remotely true to say that private firms are reluctant to work with open source technology. In fact, it’s now government policy to use open source technologies where appropriate – and there are many companies, mine included, that only use open source projects.”

Open sauce. Image: Mark Skipper via Flickr Creative Commons

“In fact, open source projects are usually more secure than their proprietary counterparts, because they’ve had the benefit of peer review. And, unlike proprietary software, organisations can easily get independent help to find out what problems exist, and fix or work around them.”

Of all the claims in the article, this was the most confusing:

“Labour chief Mr Corbyn’s manifesto would probably cover MoD and security service computers under an open source licence, said Mr Doyle.”

I took it to Gary Hockin, developer advocate and contributing open source expert. After checking several times if he could swear in his response, Gary said:

“These words in this order just make no sense to me. Computers themselves never would be under any kind of license. I’m not sure if Mr Doyle is implying that everything that is produced on that computer would be covered by an open source license — it’s one of the interpretations of this gibberish, I suppose.

“I have an open source project open in another window as I’m writing this piece, but that doesn’t mean I need to release this scathing quote under an MIT license and invite contributions (although I might).”

He has in fact released this comment under the MIT license, available here.

I could continue, but I feel the point is fairly conclusively proven. In closing, might I politely suggest The Sun enlists experts with an understanding of technology when working on tech content in the future. We’d be happy to help.

Yours,

Jessica Rose

PS: Your website, like ours, runs on WordPress. Which is open source.


Main image: Pexels