Adam Laurie celebrates Open Source
Earlier this year, I had the honour of being invited to give evidence to the House of Lords Science and Technology Select Committee on personal internet security.(1)
I was speaking for the Open Source community alongside Alan Cox, who helped develop the programme that constitutes the central core of the Linux computer operating system. We were opposite Microsoft who were representing commercial software in general and themselves in particular.
It was a fascinating experience, and a great opportunity for a layman to see a small part of the inner workings of government and to hear what kind of issues get their attention.
Little consultation
The most meaningful discussion came at the end when Alan and I started to describe the kind of attacks that could be applied by the technically proficient against the unwitting consumer, if the technology they were provided with didn’t adequately protect itself. It was all very ‘James Bond’, talking about fooling electronic fingerprint readers and the like, but it elicited a very meaningful response from Lord O’Neill of Clackmannan, who said: ‘You guys are great at telling us what is wrong but you never give us any solutions because it seems that one of your other colleagues is trying to work out how to rip off the next generation. I am not associating you with them but people in your line of country. What do we do then, just give up?’
Whilst I can sympathise with his viewpoint, it is, in my opinion, a question of engagement, and I think this exchange is a good illustration of that whole issue.
There is a huge community of Open Source security experts out there, able and willing not only to look at security problems that already exist or may be found in new products, but also to advise and help design protocols and systems that solve these kinds of problems before they hit the streets. They bring with them a wealth of experience working in probably the most hostile environment known to man: the internet, where pretty much every security problem one could possibly think of has already been tested or theorised, and valuable lessons learned on how (and how not) to do things.
However, this group is rarely consulted in the early stages of consumer or government projects, and only tends to get involved after the fact, when its members take it upon themselves to do so, often by pointing out serious issues, to the discomfiture of the affected parties.
Commercial world lags behind
This engagement usually takes the form of ‘Full Disclosure’, in which the manufacturer or vendor is privately informed of the issue and given time to produce a fix before it is made completely public. Interestingly, Lord Mitchell assumed that Microsoft were ahead of this game. As someone who has lived through the evolution of the internet and witnessed first hand Microsoft’s gradual engagement with the wider community, it is fairly amusing to see them being hailed as the leaders in this field, when they are, in internet timeline terms, very much ‘the new kids on the block’.
It’s worth remembering that it was fully five years after the internet became a practical reality that Microsoft finally caved in and added the internet standard networking protocol (TCP/IP) to its default stack in Windows 95. It wasn’t until the Windows Millennium Edition release in 2000 that they included automatic updates, two years after the Open Source community provided them for Linux.
They are currently promoting ‘Responsible Disclosure’ (their version of ‘Full Disclosure’) as a means of engaging with the Open Source security research community, but again, they are many years behind, as this has been standard practice in the Open Source community itself for over 10 years. However, this is not to say that Microsoft aren’t trying, and I don’t want to come across as particularly anti-Microsoft.
Consumers benefit
The Lords Committee is expected to publish its report this summer, and one of the things I hope will come out of it is the realisation that the commercial world does not always have all the answers (and even when it does, they may have simply adopted what for the rest of us has been commonplace for some time).
Open Source has a lot to offer. At the end of the day, Open Source software only exists because it does what it sets out to do, does it well, and does it primarily for the benefit of its user base which is, increasingly, all of us – the consumers.
Reference
1. See the transcript of evidence (PDF) given to the House of Lords Science and Technology Select Committee
Adam Laurie is a freelance security researcher. His latest work can be found here.