Does Linux Have a Dark Secret?

By Alex Salkever

In his sci-fi western tale The Dark Tower, Stephen King's gloomy hero Roland the Gunslinger utters the sage observation, "Only enemies speak the truth. Friends and lovers lie endlessly, caught in the web of duty."

So, people who hate you are far more likely to level with you. It's a message the open-source community might want to heed as it prepares for what could be a nasty battle against SCO Group (SCOX). This Lindon (Utah) software concern claims it holds key rights to the Unix operating system. More importantly, SCO has sued IBM (IBM) for allegedly lifting key software code from Unix and dropping that code lock, stock, and barrel into Linux. That, the $1 billion suit claims, is proscribed by the agreement SCO has with IBM. Big Blue says it has done no such thing.

NAGGING WORRY. While SCO has emphasized it's suing IBM for breach of contract and not copyright violations, the legal move and its allegations imply SCO suspects a broad breach of Unix copyrights in the Linux community (see BW Online, 5/23/03, "Meet Linux's New Public Enemy No. 1"). And it's so concerned that it may throw sand into the gears of open sourcing, which looks set to roll up bigger and bigger shares of the enterprise-computing market.

In essence, SCO is challenging the entire Linux community: "Prove you wrote this code." That's a challenge only an open-source foe would make. And while Wall Street and Main Street have embraced the Penguin tribe, the SCO litigation has brought to the fore a nagging worry about open-source software: What are the exact origins of the code going into popular open-source programs? Could the code have been stolen or lifted?

The conflict has confronted corporate information technology buyers with what they hate most: legal uncertainty, particularly when it comes to multimillion-dollar investments in technology. Worse, the very nature of open source means users of this type of software could be more vulnerable to copyright or intellectual-property enforcement than users of proprietary code. That's because, under the law, even unwitting users of unauthorized software code are liable for damages. "If copyrighted code has infected Linux, then users by running and programming with that code are themselves violating copyright," argues Jonathan Band, an intellectual-property lawyer and partner at Morrison & Foerster. "Even if you had no realization that you were infringing, you still could be liable. That raises the stakes significantly."

According to Band, who represents neither SCO nor IBM in this case, a crucial vulnerability with the open-source model is too much trust. "Open source relies on the fact that everyone is going to behave appropriately. You assume no one would inject anything they shouldn't inject into the code. That's not a legal problem, but it trusts people perhaps more than you should," he argues.

NO END IN SIGHT. A key illustration of that vulnerability came in August, 2002, when someone hacked the download servers for OpenSSH. This popular open-source security module enables system administrators to encrypt remote communications with a server. The malicious hackers placed a "Trojan horse" into the download version of OpenSSH. These small but destructive programs are surreptitiously loaded onto computers of unsuspecting users so that cyber scofflaws can later use them to take control of the compromised machines.

Even though it was the digital equivalent of cutting a tunnel into a police holding cell, the bogus download version went unnoticed for five days. Had it not been discovered -- something that's entirely conceivable -- numerous other open-source products in the future would likely have used OpenSSH and built upon the flawed code base.

In the same way, if a programmer working on open-source projects put proprietary code into the mix and no one found out, millions of people could download that software and use that code unknowingly. Thus, any subsequent projects that are built upon this proprietary code could be a legal liability for many years in the future.

This broad and disturbing potential liability is why Gartner software analyst George Weiss issued a research note dated Apr. 16 stating: "System administrators must be admonished to submit open-source code to inspection for potential violation of patents. An open-source quality-assurance process should determine and approve allowable code for production systems. Such efforts may slow adoption of Linux in high-end production systems of critical applications."

RISKY BUSINESS. In other words, before anyone starts to use open-source software to run their business, they better check twice to make sure they're comfortable that the code isn't filched or even inadvertently copied -- something that open-source software companies generally refuse to warrant themselves. Who can blame them? Considering the millions of lines of code involved in most big open-source software-distribution packages, proving code origins beyond doubt remains a tall order.

Still, key open-source leaders say the movement must enhance the security around their code building. How? Better processes for checking code in and out of programming systems wouldn't hurt. It also might mean better enforcement of security policies such as checking encryption key signatures to ensure the person making an upload to an open-source project's databases is in fact who they claim to be.

Some open-source leaders say accepting contributions from unfamiliar developers is a risky practice. Bruce Perens, a leader of the Debian GNU/Linux project and a prominent open-source advocate, says he and other Debian leaders make sure to meet developers face-to-face before allowing them to contribute code. Marten Mickos, CEO of open-source database company MySQL, says the vast majority of code contributions to the MySQL product that he both sells and distributes for free come from his own staff. For the few outside contributors, "...we require the donor to warrant that he or she owns the code," says Mickos.
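As an added illustration of the upload check described above (this is not code from the article or from any project it names): a small Go gatekeeper keeps a keyring of vetted contributors, an assumption standing in for the in-person vetting Perens describes, and admits an upload only when the key enrolled for the claimed identity verifies the signature over the artifact. Both an uploader with no enrolled key and a file altered after signing, as in the OpenSSH download incident, are rejected; the type and function names and the sample bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Keyring maps a vetted contributor's name to the key enrolled for them (hypothetical enrolment step).
type Keyring map[string]ed25519.PublicKey

// Upload is what project intake receives: claimed identity, artifact, signature.
type Upload struct {
	Claimed   string
	Artifact  []byte
	Signature []byte
}

var ErrUnknownUploader = errors.New("uploader has no enrolled key")
var ErrBadSignature = errors.New("signature invalid: wrong key or artifact altered")

// Sign is the contributor side: sign the SHA-256 digest of the artifact.
func Sign(priv ed25519.PrivateKey, artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return ed25519.Sign(priv, d[:])
}

// Accept admits an upload only if the key enrolled for the claimed identity
// verifies its signature; on success it returns the digest to publish with the release.
func Accept(ring Keyring, up Upload) (string, error) {
	pub, ok := ring[up.Claimed]
	if !ok {
		return "", ErrUnknownUploader
	}
	d := sha256.Sum256(up.Artifact)
	if !ed25519.Verify(pub, d[:], up.Signature) {
		return "", ErrBadSignature
	}
	return hex.EncodeToString(d[:]), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed contributor key
	src := []byte("constructed sample: release tarball bytes")
	up := Upload{Claimed: "alice", Artifact: src, Signature: Sign(priv, src)}
	fmt.Println(Accept(Keyring{"alice": pub}, up))
	up.Artifact[0] ^= 1 // altered after signing, as with the trojaned download
	fmt.Println(Accept(Keyring{"alice": pub}, up))
}
```

The published digest closes the second half of the loop: downloaders compare it against what they actually received rather than trusting the mirror.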

A FAVOR? Yes, most of the big open-source projects with wide commercial use, such as Apache's Web server and Red Hat's (RHAT) version of Linux, already go through very strict vetting processes. Open-source software construction is quite deliberative, with code contributions filtered through a few key trusted persons (such as Linus Torvalds, who still oversees code development for the main Linux kernel).

All it would take, however, is one rogue uploader flying under the radar to open a whole project with millions of users to significant legal repercussions. So in that respect, SCO has done the Linux community a favor by pointing out a chink in the armor. Not that any of the Penguinheads would thank SCO CEO Darl McBride. But this code shakeup will likely result in a stronger open-source movement precisely because code origin is now a front-burner issue.

Salkever is technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.
